..
    # *******************************************************
    # Copyright (c) Broadcom, Inc. 2020-2026. All Rights Reserved. Carbon Black.
    # SPDX-License-Identifier: MIT
    # *******************************************************
    # *
    # * DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
    # * WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
    # * EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
    # * WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
    # * NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.

Recommendations
===============

Recommendations offer a quick shortcut for tuning your policy configuration to an environment: the Carbon Black Cloud
suggests reputation overrides which you may add to improve your policy. They speed up the tuning process, since you
no longer have to manually investigate endpoint activity and reconfigure the policy in response to each investigation.
The Carbon Black Cloud SDK for Python offers assistance for dealing with recommendations.

Getting the List of Recommendations
-----------------------------------

By querying the ``Recommendation`` object, you can see which recommendations have already been generated for you by
the Carbon Black Cloud.

::

    >>> from cbc_sdk import CBCloudAPI
    >>> api = CBCloudAPI(profile='sample')
    >>> from cbc_sdk.endpoint_standard import Recommendation
    >>> query = api.select(Recommendation).set_statuses(['NEW', 'ACCEPTED', 'REJECTED']).sort_by('impact_score', 'DESC')
    >>> recslist = list(query)
    >>> for rec in recslist:
    ...     print(rec)
    ...
    Recommendation object, bound to https://example.org.
    -------------------------------------------------------------------------------

               impact: [RecommendationImpact object]:
                       event_count: 2
                       impact_score: 1.1710311
                       impacted_devices: 44
                       org_adoption: HIGH
                       update_time: 2021-05-18T16:37:07.000Z
             new_rule: [RecommendationNewRule object]:
                       filename: zoom.exe
                       override_list: WHITE_LIST
                       override_type: SHA256
                       sha256_hash: 56f560d8254ebb453daeaf9abe5c3c6de2e18eafaa5a9e4...
            policy_id: 0
    recommendation_id: 5e6926d4-0c55-4757-a94d-e05883d5ee4c
            rule_type: reputation_override
             workflow: [RecommendationWorkflow object]:
                       changed_by: estark@example.com
                       comment: test_recommendation_review_dismissed
                       create_time: 2021-05-18T16:37:07.000Z
                       ref_id: 6d90188a0d4f11ecb02e15835b040340
                       status: ACCEPTED
                       update_time: 2021-09-04T07:12:13.000Z
    Recommendation object, bound to https://example.org.
    -------------------------------------------------------------------------------

               impact: [RecommendationImpact object]:
                       event_count: 9
                       impact_score: 0.2678737
                       impacted_devices: 5
                       org_adoption: HIGH
                       update_time: 2021-05-18T16:37:07.000Z
             new_rule: [RecommendationNewRule object]:
                       filename: cxuiuexe.exe
                       override_list: WHITE_LIST
                       override_type: SHA256
                       sha256_hash: 90b196987fe62657bfce2627ab0a08a7096737363e13806...
            policy_id: 0
    recommendation_id: 100503cd-1897-425f-93b5-1ccba320438d
            rule_type: reputation_override
             workflow: [RecommendationWorkflow object]:
                       changed_by: jbaratheon@example.com
                       comment:
                       create_time: 2021-05-18T16:37:07.000Z
                       status: NEW
                       update_time: 2021-09-14T07:12:13.000Z
    Recommendation object, bound to https://example.org.
    -------------------------------------------------------------------------------

               impact: [RecommendationImpact object]:
                       event_count: 12
                       impact_score: 0.11177378
                       impacted_devices: 315
                       org_adoption: MEDIUM
                       update_time: 2021-05-18T16:37:07.000Z
             new_rule: [RecommendationNewRule object]:
                       filename: mbcloudea.exe
                       override_list: WHITE_LIST
                       override_type: SHA256
                       sha256_hash: 0a2190c4ccfde82ef950836d014f31b2b188423bb67b51a...
            policy_id: 0
    recommendation_id: 3f89a837-034c-4b81-9f4c-f673a36ccb5c
            rule_type: reputation_override
             workflow: [RecommendationWorkflow object]:
                       changed_by: tlannister@example.com
                       comment: test_recommendation_review_dismissed
                       create_time: 2021-05-18T16:37:07.000Z
                       ref_id: 16e842eb152b11eca8407fb13248831f
                       status: ACCEPTED
                       update_time: 2021-09-14T07:12:15.000Z
    Recommendation object, bound to https://example.org.
    -------------------------------------------------------------------------------

               impact: [RecommendationImpact object]:
                       event_count: 20
                       impact_score: 0.05499694
                       impacted_devices: 44
                       org_adoption: MEDIUM
                       update_time: 2021-05-18T16:37:07.000Z
             new_rule: [RecommendationNewRule object]:
                       filename: svctcom.exe
                       override_list: WHITE_LIST
                       override_type: SHA256
                       sha256_hash: d49a2beb44a603faf8aab2f5dfae3a292497c63f0b30d0e...
            policy_id: 0
    recommendation_id: 26ddb565-aff6-4b68-895c-fc286aa5f101
            rule_type: reputation_override
             workflow: [RecommendationWorkflow object]:
                       changed_by: mtyrell@example.com
                       comment: test_recommendation_review_dismissed
                       create_time: 2021-05-18T16:37:07.000Z
                       status: REJECTED
                       update_time: 2021-09-11T07:12:14.000Z

**N.B.:** If you do not set status values on the recommendation query with ``set_statuses()``, the search defaults to
looking for ``NEW`` recommendations *only.*

Recommendations Workflow
------------------------

Individual recommendations in the ``NEW`` state may be accepted or rejected by calling their ``accept()`` or
``reject()`` methods, respectively.

::

    >>> from cbc_sdk import CBCloudAPI
    >>> api = CBCloudAPI(profile='sample')
    >>> from cbc_sdk.endpoint_standard import Recommendation
    >>> query = api.select(Recommendation).set_statuses(['NEW'])
    >>> recommendation = query[0]
    >>> recommendation.accept('Comment for acceptance')
    >>> print(recommendation.workflow_.status)
    ACCEPTED
    >>> recommendation = query[1]
    >>> recommendation.reject('Comment for rejection')
    >>> print(recommendation.workflow_.status)
    REJECTED

Individual recommendations in the ``ACCEPTED`` or ``REJECTED`` states may be reverted to the ``NEW`` state by calling
their ``reset()`` method.

::

    >>> from cbc_sdk import CBCloudAPI
    >>> api = CBCloudAPI(profile='sample')
    >>> from cbc_sdk.endpoint_standard import Recommendation
    >>> query = api.select(Recommendation).set_statuses(['REJECTED'])
    >>> recommendation = query.first()
    >>> recommendation.reset()
    >>> print(recommendation.workflow_.status)
    NEW

Recommendations and Reputation Overrides
----------------------------------------

A recommendation in the ``ACCEPTED`` state will have a reputation override created for it. You can retrieve that
object with the ``reputation_override()`` method.

::

    >>> from cbc_sdk import CBCloudAPI
    >>> api = CBCloudAPI(profile='sample')
    >>> from cbc_sdk.endpoint_standard import Recommendation
    >>> query = api.select(Recommendation).set_statuses(['ACCEPTED'])
    >>> reputation_override = query.first().reputation_override()
    >>> print(reputation_override)
    ReputationOverride object, bound to https://example.org.
     Last refreshed at Wed Oct  6 08:51:49 2021
    -------------------------------------------------------------------------------

      create_time: 2021-09-15T07:12:12.594Z
       created_by: estark@example.com
      description: test_recommendation_review
         filename: pangphip.exe
               id: 3fa9f84515f411ecb2525dd14785e643
    override_list: WHITE_LIST
    override_type: SHA256
      sha256_hash: 6a2cac7f36af5cebe0debbdb161d4f66b694b75192f1af4...
           source: RECOMMENDATION
       source_ref: 7b4e20d9-db28-408b-b7e9-af4008fa65cc

More information about reputation overrides may be found in :doc:`reputation-override`.
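Every accepted recommendation becomes an org-wide ``WHITE_LIST`` override, so the ``accept()`` / ``reject()`` workflow above deserves a consistent review rule rather than ad-hoc decisions. The following script is an added example, not code from the SDK or its documentation: it triages ``NEW`` recommendations from the ``impact`` and ``new_rule`` fields shown in the listing and only writes back through the SDK's ``accept()`` / ``reject()`` when ``dry_run`` is off. It assumes ``impact_`` and ``new_rule_`` accessors analogous to the ``workflow_`` accessor used above, and its thresholds are illustrative, not product defaults.

```python
import re
from types import SimpleNamespace

ACCEPT, REJECT, REVIEW = "accept", "reject", "review"
# Illustrative thresholds (assumptions for this example, not SDK or product defaults).
AUTO_ACCEPT_MIN_DEVICES = 25   # an allowlist override is org-wide, so demand a broad footprint first
AUTO_REJECT_MAX_DEVICES = 4    # a handful of hosts does not justify a global exception
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def triage(impact, new_rule, workflow):
    """Decide what to do with one recommendation; returns (decision, reason)."""
    if workflow.status != "NEW":
        return REVIEW, "already reviewed (status %s)" % workflow.status
    if new_rule.override_list != "WHITE_LIST" or new_rule.override_type != "SHA256":
        return REVIEW, "only hash-based allowlist rules are auto-triaged"
    if not SHA256_RE.match((new_rule.sha256_hash or "").lower()):
        return REVIEW, "sha256_hash is not a full 64-hex digest; refusing to allowlist"
    if impact.impacted_devices <= AUTO_REJECT_MAX_DEVICES:
        return REJECT, "only %d device(s) affected" % impact.impacted_devices
    if impact.org_adoption == "HIGH" and impact.impacted_devices >= AUTO_ACCEPT_MIN_DEVICES:
        return ACCEPT, "HIGH org adoption across %d devices" % impact.impacted_devices
    return REVIEW, "%s adoption on %d devices needs a human decision" % (impact.org_adoption, impact.impacted_devices)

def apply_triage(recommendations, dry_run=True):
    """Triage each Recommendation (e.g. from set_statuses(['NEW'])); write back only when dry_run is False."""
    results = []
    for rec in recommendations:
        decision, reason = triage(rec.impact_, rec.new_rule_, rec.workflow_)
        if not dry_run and decision == ACCEPT:
            rec.accept(reason)       # the reason becomes the workflow comment
        elif not dry_run and decision == REJECT:
            rec.reject(reason)
        results.append((rec.new_rule_.filename, decision, reason))
    return results

def _sample(filename, adoption, devices, status="NEW", sha="ab" * 32):
    """Constructed offline stand-in for a Recommendation, shaped like the records in the listing above."""
    calls = []
    return SimpleNamespace(
        impact_=SimpleNamespace(org_adoption=adoption, impacted_devices=devices),
        new_rule_=SimpleNamespace(filename=filename, override_list="WHITE_LIST",
                                  override_type="SHA256", sha256_hash=sha),
        workflow_=SimpleNamespace(status=status), calls=calls,
        accept=lambda comment: calls.append(("accept", comment)),
        reject=lambda comment: calls.append(("reject", comment)))

SAMPLES = [_sample("zoom.exe", "HIGH", 44), _sample("cxuiuexe.exe", "HIGH", 5),
           _sample("mbcloudea.exe", "MEDIUM", 315), _sample("svctcom.exe", "MEDIUM", 44, sha="d49a2beb..."),
           _sample("tmp.exe", "HIGH", 2), _sample("done.exe", "HIGH", 60, status="ACCEPTED")]
```

Run ``apply_triage(SAMPLES)`` first to see the decisions, then pass real ``Recommendation`` objects with ``dry_run=False`` once the thresholds match your environment.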