Recommendations
Recommendations offer a quick shortcut for helping tune your policy configurations in an environment, by providing suggested reputation overrides which you may add to improve your policy. They can speed up the process of tuning your policy to an environment, rather than having to manually investigate endpoint activity and reconfigure the policy in response to those investigations.
The Carbon Black Cloud SDK for Python offers assistance for dealing with Recommendations.
Getting the List of Recommendations
By querying the Recommendation
object, you can see which recommendations have already been generated for you by
the Carbon Black Cloud.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['NEW', 'ACCEPTED', 'REJECTED']).sort_by('impact_score', 'DESC')
>>> recslist = list(query)
>>> for rec in recslist:
... print(rec)
...
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
impact: [RecommendationImpact object]:
event_count: 2
impact_score: 1.1710311
impacted_devices: 44
org_adoption: HIGH
update_time: 2021-05-18T16:37:07.000Z
new_rule: [RecommendationNewRule object]:
filename: zoom.exe
override_list: WHITE_LIST
override_type: SHA256
sha256_hash: 56f560d8254ebb453daeaf9abe5c3c6de2e18eafaa5a9e4...
policy_id: 0
recommendation_id: 5e6926d4-0c55-4757-a94d-e05883d5ee4c
rule_type: reputation_override
workflow: [RecommendationWorkflow object]:
changed_by: estark@example.com
comment: test_recommendation_review_dismissed
create_time: 2021-05-18T16:37:07.000Z
ref_id: 6d90188a0d4f11ecb02e15835b040340
status: ACCEPTED
update_time: 2021-09-04T07:12:13.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
impact: [RecommendationImpact object]:
event_count: 9
impact_score: 0.2678737
impacted_devices: 5
org_adoption: HIGH
update_time: 2021-05-18T16:37:07.000Z
new_rule: [RecommendationNewRule object]:
filename: cxuiuexe.exe
override_list: WHITE_LIST
override_type: SHA256
sha256_hash: 90b196987fe62657bfce2627ab0a08a7096737363e13806...
policy_id: 0
recommendation_id: 100503cd-1897-425f-93b5-1ccba320438d
rule_type: reputation_override
workflow: [RecommendationWorkflow object]:
changed_by: jbaratheon@example.com
comment:
create_time: 2021-05-18T16:37:07.000Z
status: NEW
update_time: 2021-09-14T07:12:13.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
impact: [RecommendationImpact object]:
event_count: 12
impact_score: 0.11177378
impacted_devices: 315
org_adoption: MEDIUM
update_time: 2021-05-18T16:37:07.000Z
new_rule: [RecommendationNewRule object]:
filename: mbcloudea.exe
override_list: WHITE_LIST
override_type: SHA256
sha256_hash: 0a2190c4ccfde82ef950836d014f31b2b188423bb67b51a...
policy_id: 0
recommendation_id: 3f89a837-034c-4b81-9f4c-f673a36ccb5c
rule_type: reputation_override
workflow: [RecommendationWorkflow object]:
changed_by: tlannister@example.com
comment: test_recommendation_review_dismissed
create_time: 2021-05-18T16:37:07.000Z
ref_id: 16e842eb152b11eca8407fb13248831f
status: ACCEPTED
update_time: 2021-09-14T07:12:15.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
impact: [RecommendationImpact object]:
event_count: 20
impact_score: 0.05499694
impacted_devices: 44
org_adoption: MEDIUM
update_time: 2021-05-18T16:37:07.000Z
new_rule: [RecommendationNewRule object]:
filename: svctcom.exe
override_list: WHITE_LIST
override_type: SHA256
sha256_hash: d49a2beb44a603faf8aab2f5dfae3a292497c63f0b30d0e...
policy_id: 0
recommendation_id: 26ddb565-aff6-4b68-895c-fc286aa5f101
rule_type: reputation_override
workflow: [RecommendationWorkflow object]:
changed_by: mtyrell@example.com
comment: test_recommendation_review_dismissed
create_time: 2021-05-18T16:37:07.000Z
status: REJECTED
update_time: 2021-09-11T07:12:14.000Z
N.B.: If you do not set status values on the recommendation query with set_statuses()
, the search defaults to
looking for NEW
recommendations only.
Recommendations Workflow
Individual recommendations in the NEW
state may be accepted or rejected by calling their accept()
or
reject()
methods, respectively.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['NEW'])
>>> recommendation = query[0]
>>> recommendation.accept('Comment for acceptance')
>>> print(recommendation.workflow_.status)
ACCEPTED
>>> recommendation = query[1]
>>> recommendation.reject('Comment for rejection')
>>> print(recommendation.workflow_.status)
REJECTED
Individual recommendations in the ACCEPTED
or REJECTED
states may be reverted to the NEW
state by calling
their reset()
method.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['REJECTED'])
>>> recommendation = query.first()
>>> recommendation.reset()
>>> print(recommendation.workflow_.status)
NEW
Recommendations and Reputation Overrides
A recommendation in the ACCEPTED
state will have a reputation override created for it. You can retrieve that
object with the reputation_override()
method.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['ACCEPTED'])
>>> reputation_override = query.first().reputation_override()
>>> print(reputation_override)
ReputationOverride object, bound to https://example.org.
Last refreshed at Wed Oct 6 08:51:49 2021
-------------------------------------------------------------------------------
create_time: 2021-09-15T07:12:12.594Z
created_by: estark@example.com
description: test_recommendation_review
filename: pangphip.exe
id: 3fa9f84515f411ecb2525dd14785e643
override_list: WHITE_LIST
override_type: SHA256
sha256_hash: 6a2cac7f36af5cebe0debbdb161d4f66b694b75192f1af4...
source: RECOMMENDATION
source_ref: 7b4e20d9-db28-408b-b7e9-af4008fa65cc
More information about reputation overrides may be found in Reputation Override.