Option to copy policies or exclusions from one customer to the next?

Hi all,

is there an option to copy settings, policies+exclusions, global exclusions from one customer (central) to another?

There are a lot of settings we have to configure at every Customer for Server-/EndpointProtection / MDR.

Thanks,



Added TAGs
[edited by: Gladys at 2:34 PM (GMT -8) on 16 Jan 2023]
Parents
  • Hi dirkkotte,

    Thanks for reaching out to the Sophos Community Forum. 

    One way to do this would be to use Global Templates from Sophos Central Partner. Applying your template policy to a customer's site will allow you to push those settings to the Base Policy. You can also clone the policy from within the customer's site once this is done if they wish to make further changes. 

    Let me know if this helps.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • But what if I don't want that policies to apply to all users? I have policies in a sub-estate that I want to copy to another sub-estate, but i can't do it with a global template because i only want them to apply to a group of users or devices...

    If I have to copy manually that policies to 6 or more sub-estates I am going to waste a lot of time (and maybe making mistakes).

    Thank you,

    Quico

  • I'd suggest using the API to accomplish this task. 

    You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy. 

    Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help. 

    Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests. 

    I'll include below an API request I used to create a policy, in case this helps. (with sensitive information commented out).

    curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
    --header 'X-Tenant-ID: <TENANT ID>' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer <AUTH TOKEN>' \
    --data '{
      "name": "TestAPI",
      "type": "threat-protection",
      "settings": {
        "endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.event-logging.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exclusions.intrusion-prevention": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.isolation": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.scanning": {
          "value": []
        },
        "endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
          "recommendedValue": "terminate",
          "value": "terminate"
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.heartbeat-protection.enabled": {
          "value": true
        },
        "endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.cleanup.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.deep-learning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
          "value": true
        },
        "endpoint.threat-protection.malware-protection.exclude-remote-files": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.file-reputation.action": {
          "recommendedValue": "prompt",
          "value": "prompt"
        },
        "endpoint.threat-protection.malware-protection.file-reputation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
          "value": "recommended"
        },
        "endpoint.threat-protection.malware-protection.hips-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.on-demand": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.on-access.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.days": {
          "unit": "day",
          "value": [
            3
          ]
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.time": {
          "format": "hourMinute",
          "value": "21:00"
        },
        "endpoint.threat-protection.malware-protection.skip-trusted-installers": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.web-filtering.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.web-scanning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.c2-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.connection-tracking.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.ips.enabled": {
          "value": false
        },
        "endpoint.threat-protection.network-protection.self-isolation.enabled": {
          "value": false
        },
        "endpoint.threat-protection.process-memory-background-scan.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.web-control.tls-decryption.enabled": {
          "value": false
        },
        "endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
          "value": false
        }
      },
      "appliesTo": {
        "users": [],
        "userGroups": [
          "<USER GROUP ID>"
        ]
      }
    }'

    A couple of additional functions which will help in using this process are:
    /endpoint-groups GET
    /endpoints GET

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • I'd suggest using the API to accomplish this task. 

    You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy. 

    Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help. 

    Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests. 

    I'll include below an API request I used to create a policy, in case this helps. (with sensitive information commented out).

    curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
    --header 'X-Tenant-ID: <TENANT ID>' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer <AUTH TOKEN>' \
    --data '{
      "name": "TestAPI",
      "type": "threat-protection",
      "settings": {
        "endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.event-logging.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exclusions.intrusion-prevention": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.isolation": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.scanning": {
          "value": []
        },
        "endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
          "recommendedValue": "terminate",
          "value": "terminate"
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.heartbeat-protection.enabled": {
          "value": true
        },
        "endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.cleanup.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.deep-learning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
          "value": true
        },
        "endpoint.threat-protection.malware-protection.exclude-remote-files": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.file-reputation.action": {
          "recommendedValue": "prompt",
          "value": "prompt"
        },
        "endpoint.threat-protection.malware-protection.file-reputation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
          "value": "recommended"
        },
        "endpoint.threat-protection.malware-protection.hips-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.on-demand": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.on-access.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.days": {
          "unit": "day",
          "value": [
            3
          ]
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.time": {
          "format": "hourMinute",
          "value": "21:00"
        },
        "endpoint.threat-protection.malware-protection.skip-trusted-installers": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.web-filtering.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.web-scanning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.c2-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.connection-tracking.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.ips.enabled": {
          "value": false
        },
        "endpoint.threat-protection.network-protection.self-isolation.enabled": {
          "value": false
        },
        "endpoint.threat-protection.process-memory-background-scan.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.web-control.tls-decryption.enabled": {
          "value": false
        },
        "endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
          "value": false
        }
      },
      "appliesTo": {
        "users": [],
        "userGroups": [
          "<USER GROUP ID>"
        ]
      }
    }'

    A couple of additional functions which will help in using this process are:
    /endpoint-groups GET
    /endpoints GET

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
No Data