Update Policy

PUT {{cb_url}}/policyservice/v1/orgs/{{cb_org_key}}/policies/{{cb_policy_id}}

Modify an existing policy

RBAC PERMISSIONS REQUIRED

Permission (.notation name) | Operation(s)
org.policies | UPDATE

See Documentation

Request Body

{"id": 4920125, "name": "Standard", "org_key": "ABCD1234", "priority_level": "MEDIUM", "position": -1, "is_system": true, "description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.", "auto_deregister_inactive_vdi_interval_ms": 0, "auto_delete_known_bad_hashes_delay": null, "av_settings": {"avira_protection_cloud": {"enabled": false, "max_exe_delay": 45, "max_file_size": 4, "risk_level": 4}, "on_access_scan": {"enabled": true, "mode": "NORMAL"}, "on_demand_scan": {"enabled": true, "profile": "NORMAL", "schedule": {"days": null, "start_hour": 0, "range_hours": 0, "recovery_scan_if_missed": true}, "scan_usb": "AUTOSCAN", "scan_cd_dvd": "AUTOSCAN"}, "signature_update": {"enabled": true, "schedule": {"full_interval_hours": 0, "initial_random_delay_hours": 4, "interval_hours": 4}}, "update_servers": {"servers_override": [], "servers_for_onsite_devices": [{"server": "http://updates2.cdc.carbonblack.io/update2", "preferred": false}], "servers_for_offsite_devices": ["http://updates2.cdc.carbonblack.io/update2"]}}, "rules": [{"id": 1, "required": false, "action": "TERMINATE", "application": {"type": "REPUTATION", "value": "KNOWN_MALWARE"}, "operation": "RUN"}, {"id": 2, "required": false, "action": "TERMINATE", "application": {"type": "REPUTATION", "value": "COMPANY_BLACK_LIST"}, "operation": "RUN"}], "directory_action_rules": [], "sensor_settings": [{"name": "ALLOW_UNINSTALL", "value": "true"}], "managed_detection_response_permissions": {"policy_modification": true, "quarantine": true}, "version": null, "message": null, "rapid_configs": []}

HEADERS

Key | Datatype | Required | Description
X-Auth-Token | string

RESPONSES

status: OK

{"id":12345677,"name":"Hostbased Firewall Demo","org_key":"ABCD1234","priority_level":"LOW","position":1,"is_system":false,"description":"","auto_deregister_inactive_vdi_interval_ms":0,"auto_deregister_inactive_vm_workloads_interval_ms":0,"update_time":1702868790170,"av_settings":{"avira_protection_cloud":{"enabled":true,"max_exe_delay":45,"max_file_size":4,"risk_level":4},"on_access_scan":{"enabled":false,"mode":"NORMAL"},"on_demand_scan":{"enabled":false,"profile":"NORMAL","schedule":{"start_hour":0,"range_hours":0,"recovery_scan_if_missed":true},"scan_usb":"AUTOSCAN","scan_cd_dvd":"AUTOSCAN"},"signature_update":{"enabled":false,"schedule":{"full_interval_hours":0,"initial_random_delay_hours":4,"interval_hours":4}},"update_servers":{"servers_override":[],"servers_for_onsite_devices":[{"server":"http://updates2.cdc.carbonblack.io/update2","preferred":false}],"servers_for_offsite_devices":["http://updates2.cdc.carbonblack.io/update2"]}},"rules":[{"id":1,"required":false,"action":"DENY","application":{"type":"REPUTATION","value":"KNOWN_MALWARE"},"operation":"RUN"}],"directory_action_rules":[],"sensor_settings":[{"name":"ALLOW_UNINSTALL","value":"true"},{"name":"SHOW_UI","value":"false"},{"name":"ENABLE_THREAT_SHARING","value":"true"},{"name":"QUARANTINE_DEVICE","value":"false"},{"name":"LOGGING_LEVEL","value":"false"},{"name":"QUARANTINE_DEVICE_MESSAGE","value":"Your device has been quarantined. 
Please contact your administrator."},{"name":"SET_SENSOR_MODE","value":"0"},{"name":"SENSOR_RESET","value":"0"},{"name":"BACKGROUND_SCAN","value":"true"},{"name":"POLICY_ACTION_OVERRIDE","value":"true"},{"name":"HELP_MESSAGE","value":""},{"name":"PRESERVE_SYSTEM_MEMORY_SCAN","value":"false"},{"name":"HASH_MD5","value":"false"},{"name":"SCAN_LARGE_FILE_READ","value":"false"},{"name":"SCAN_EXECUTE_ON_NETWORK_DRIVE","value":"true"},{"name":"DELAY_EXECUTE","value":"false"},{"name":"SCAN_NETWORK_DRIVE","value":"false"},{"name":"BYPASS_AFTER_LOGIN_MINS","value":"0"},{"name":"BYPASS_AFTER_RESTART_MINS","value":"0"},{"name":"SHOW_FULL_UI","value":"false"},{"name":"SECURITY_CENTER_OPT","value":"true"},{"name":"CB_LIVE_RESPONSE","value":"false"},{"name":"ALLOW_INLINE_BLOCKING","value":"true"},{"name":"UNINSTALL_CODE","value":"false"},{"name":"DEFENSE_OPT_OUT","value":"false"},{"name":"UBS_OPT_IN","value":"false"}],"rapid_configs":[{"id":"1c03d653-eca4-4adc-81a1-04b17b6cbffc","name":"Event Reporting and Sensor Operation Exclusions","description":"Allows customers to exclude specific processes and process events from reporting to CBC","inherited_from":"psc:region","parameters":{}},{"id":"df181779-f623-415d-879e-91c40246535d","name":"Host Based Firewall","description":"These are the Host based Firewall Rules which will be executed by the sensor. 
The Definition will be part of Main Policies.","inherited_from":"","parameters":{"rule_groups":[{"description":"Description of Demo Rule Group","name":"Demo Rule Group","rules":[{"action":"ALLOW","application_path":"C:\\sdk\\example\\allow\\rule\\path","direction":"IN","enabled":false,"local_ip_address":"11.12.13.14","local_port_ranges":"1313","name":"SDK Example Rule","network_profile":["DOMAIN"],"protocol":"TCP","remote_ip_address":"15.16.17.18","remote_port_ranges":"2121","rule_access_check_guid":"2087536a-ed1e-41d7-814e-31d45111005d","rule_inbound_event_check_guid":"edee18f0-b003-47d1-a844-04835ab75d41","rule_outbound_event_check_guid":"6a647fd4-2502-494f-a911-087efac8714f","test_mode":false}],"ruleset_id":"7235fcbd-1c3a-4ace-b350-6b079a1e7d2a"},{"description":"another example","name":"rule_group_202306230_01","rules":[{"action":"ALLOW","application_path":"C:\\sdk\\example\\allow\\rule\\path","direction":"IN","enabled":false,"local_ip_address":"11.12.13.14","local_port_ranges":"1313","name":"test01 rule","network_profile":["PUBLIC"],"protocol":"TCP","remote_ip_address":"15.16.17.18","remote_port_ranges":"2121","rule_access_check_guid":"570df6bf-a755-438b-8206-d082595e9ab3","rule_inbound_event_check_guid":"68d43538-48b2-43d6-9916-2ebfad421b86","rule_outbound_event_check_guid":"ddef2bca-3c32-4298-ad2d-5452606f1c41","test_mode":false}],"ruleset_id":"87ddb873-124f-4e9d-93d9-d0fea0d2c967"}],"default_rule":{"action":"ALLOW","default_rule_access_check_guid":"0f4d11c5-cfb2-405d-9482-24ddf813dd02","default_rule_inbound_event_check_guid":"76d0d19f-b499-4c23-a9cb-79583fad154b","default_rule_outbound_event_check_guid":"d7b42c09-7819-4f6b-a5ab-2a99e0a5c26b"},"enable_host_based_firewall":false}},{"id":"1f8a5e4b-34f2-4d31-9f8f-87c56facaec8","name":"Advanced Scripting Prevention","description":"Addresses malicious fileless and file-backed scripts that leverage native programs and common scripting 
languages.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"c4ed61b3-d5aa-41a9-814f-0f277451532b","name":"Carbon Black Threat Intel","description":"Addresses common and pervasive TTPs used for malicious activity as well as living off the land TTPs/behaviors detected by Carbon Black’s Threat Analysis Unit.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"8a16234c-9848-473a-a803-f0f0ffaf5f29","name":"Persistence","description":"Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their access.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"BLOCK"}},{"id":"91c919da-fb90-4e63-9eac-506255b0a0d0","name":"Authentication Events","description":"Authentication Events","inherited_from":"","parameters":{"enable_auth_events":false}},{"id":"1664f2e6-645f-4d6e-98ec-0c80485cbe0f","name":"Event Reporting Exclusions","description":"Allows customers to exclude specific processes from reporting events to CBC","inherited_from":"psc:region","parameters":{}},{"id":"491dd777-5a76-4f58-88bf-d29926d12778","name":"Prevalent Module Exclusions","description":"Tune collection of events from prevalent modules","inherited_from":"psc:region","parameters":{"enable_prevalent_module_event_collection":false}},{"id":"ac67fa14-f6be-4df9-93f2-6de0dbd96061","name":"Credential Theft","description":"Addresses threat actors obtaining credentials and relies on detecting the malicious use of TTPs/behaviors that indicate such activity.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"88b19232-7ebb-48ef-a198-2a75a282de5d","name":"Privilege Escalation","description":"Addresses behaviors that indicate a threat actor has gained elevated access via a bug or misconfiguration within an operating system, and leverages the detection of TTPs/behaviors to prevent such 
activity.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"97a03cc2-5796-4864-b16d-790d06bea20d","name":"Defense Evasion","description":"Addresses common TTPs/behaviors that threat actors use to avoid detection such as uninstalling or disabling security software, obfuscating or encrypting data/scripts and abusing trusted processes to hide and disguise their malicious activity.","inherited_from":"psc:region","parameters":{"WindowsAssignmentMode":"REPORT"}}],"rule_configs":[{"id":"1c03d653-eca4-4adc-81a1-04b17b6cbffc","name":"Event Reporting and Sensor Operation Exclusions","description":"Allows customers to exclude specific processes and process events from reporting to CBC","inherited_from":"psc:region","category":"bypass","parameters":{}},{"id":"df181779-f623-415d-879e-91c40246535d","name":"Host Based Firewall","description":"These are the Host based Firewall Rules which will be executed by the sensor. The Definition will be part of Main Policies.","inherited_from":"","category":"host_based_firewall","parameters":{"rule_groups":[{"description":"Description of Demo Rule Group","name":"Demo Rule Group","rules":[{"action":"ALLOW","application_path":"C:\\sdk\\example\\allow\\rule\\path","direction":"IN","enabled":false,"local_ip_address":"11.12.13.14","local_port_ranges":"1313","name":"SDK Example Rule","network_profile":["DOMAIN"],"protocol":"TCP","remote_ip_address":"15.16.17.18","remote_port_ranges":"2121","rule_access_check_guid":"2087536a-ed1e-41d7-814e-31d45111005d","rule_inbound_event_check_guid":"edee18f0-b003-47d1-a844-04835ab75d41","rule_outbound_event_check_guid":"6a647fd4-2502-494f-a911-087efac8714f","test_mode":false}],"ruleset_id":"7235fcbd-1c3a-4ace-b350-6b079a1e7d2a"},{"description":"testing bug with saving is 
fixed","name":"rule_group_202306230_01","rules":[{"action":"ALLOW","application_path":"C:\\sdk\\example\\allow\\rule\\path","direction":"IN","enabled":false,"local_ip_address":"11.12.13.14","local_port_ranges":"1313","name":"test01 rule","network_profile":["PUBLIC"],"protocol":"TCP","remote_ip_address":"15.16.17.18","remote_port_ranges":"2121","rule_access_check_guid":"570df6bf-a755-438b-8206-d082595e9ab3","rule_inbound_event_check_guid":"68d43538-48b2-43d6-9916-2ebfad421b86","rule_outbound_event_check_guid":"ddef2bca-3c32-4298-ad2d-5452606f1c41","test_mode":false}],"ruleset_id":"87ddb873-124f-4e9d-93d9-d0fea0d2c967"}],"default_rule":{"action":"ALLOW","default_rule_access_check_guid":"0f4d11c5-cfb2-405d-9482-24ddf813dd02","default_rule_inbound_event_check_guid":"76d0d19f-b499-4c23-a9cb-79583fad154b","default_rule_outbound_event_check_guid":"d7b42c09-7819-4f6b-a5ab-2a99e0a5c26b"},"enable_host_based_firewall":false}},{"id":"1f8a5e4b-34f2-4d31-9f8f-87c56facaec8","name":"Advanced Scripting Prevention","description":"Addresses malicious fileless and file-backed scripts that leverage native programs and common scripting languages.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"c4ed61b3-d5aa-41a9-814f-0f277451532b","name":"Carbon Black Threat Intel","description":"Addresses common and pervasive TTPs used for malicious activity as well as living off the land TTPs/behaviors detected by Carbon Black’s Threat Analysis Unit.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"8a16234c-9848-473a-a803-f0f0ffaf5f29","name":"Persistence","description":"Addresses common TTPs/behaviors that threat actors use to retain access to systems across restarts, changed credentials, and other interruptions that could cut off their 
access.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"BLOCK"}},{"id":"91c919da-fb90-4e63-9eac-506255b0a0d0","name":"Authentication Events","description":"Authentication Events","inherited_from":"","category":"data_collection","parameters":{"enable_auth_events":false}},{"id":"1664f2e6-645f-4d6e-98ec-0c80485cbe0f","name":"Event Reporting Exclusions","description":"Allows customers to exclude specific processes from reporting events to CBC","inherited_from":"psc:region","category":"bypass","parameters":{}},{"id":"491dd777-5a76-4f58-88bf-d29926d12778","name":"Prevalent Module Exclusions","description":"Tune collection of events from prevalent modules","inherited_from":"psc:region","category":"data_collection","parameters":{"enable_prevalent_module_event_collection":false}},{"id":"ac67fa14-f6be-4df9-93f2-6de0dbd96061","name":"Credential Theft","description":"Addresses threat actors obtaining credentials and relies on detecting the malicious use of TTPs/behaviors that indicate such activity.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"88b19232-7ebb-48ef-a198-2a75a282de5d","name":"Privilege Escalation","description":"Addresses behaviors that indicate a threat actor has gained elevated access via a bug or misconfiguration within an operating system, and leverages the detection of TTPs/behaviors to prevent such activity.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"REPORT"}},{"id":"97a03cc2-5796-4864-b16d-790d06bea20d","name":"Defense Evasion","description":"Addresses common TTPs/behaviors that threat actors use to avoid detection such as uninstalling or disabling security software, obfuscating or encrypting data/scripts and abusing trusted processes to hide and disguise their malicious 
activity.","inherited_from":"psc:region","category":"core_prevention","parameters":{"WindowsAssignmentMode":"REPORT"}}],"sensor_configs":[]}