Hosted EDR: How to Create Ingress Filters from Windows using PowerShell

Article ID: 287749

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

To create an ingress filter from Windows using PowerShell.

Environment

  • Hosted Cloud: All Versions
  • Microsoft Windows: All Supported Versions
  • Microsoft PowerShell: Version 3

Resolution

  1. Collect the Global API Token.
  2. Review the fields that are available for use.
  3. Configure PowerShell for TLS v1.2:
    • Run the following within PowerShell for each session:
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
  4. Create a new filter, replacing <GlobalApiTokenHere> and <ServerHostnameHere> with your values and setting any additional filter fields:
    1. Use Invoke-RestMethod.
      $JSON = @'
      
      [
      {
      "descendant_filtering_level": -1,
      "id":"test2",
      "global": false,
      "group_ids": [1, 2],
      "os_mask":1,
      "path_filters":["*\\unimportant.exe"]
      }
      ]
      
      '@
      
      $response = Invoke-RestMethod -Headers @{"X-Auth-Token" = "<GlobalApiTokenHere>"} -ContentType "application/json" -Method POST -Uri "https://<ServerHostnameHere>/api/v1/ingress_whitelist" -Body $JSON
    2. If Invoke-RestMethod does not work, use Invoke-WebRequest.
      $JSON = @'
      
      [
      {
      "descendant_filtering_level": -1,
      "id":"test2",
      "global": false,
      "group_ids": [1, 2],
      "os_mask":1,
      "path_filters":["*\\unimportant.exe"]
      }
      ]
      
      '@
      
      $response = Invoke-WebRequest -Headers @{"X-Auth-Token" = "<GlobalApiTokenHere>"} -ContentType "application/json" -Method POST -Uri "https://<ServerHostnameHere>/api/v1/ingress_whitelist" -Body $JSON | Select-Object -Expand Content
  5. Press Enter. If no response is received, the ingress filter has been added successfully.
  6. Confirm the filter has been added: https://community.carbonblack.com/t5/Knowledge-Base/CB-Response-Cloud-How-to-Check-Current-Ingress-Filters-from/ta-p/69742

Additional Information

If an error occurs after step 5, validate that the JSON is correct and that the current ID is not in use. Only the JSON format is validated and not the fields used.
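
Because only the JSON format is validated and not the fields used, a mistyped field name or an overly broad path filter is not caught by that validation. The following is an added example (not part of the original article and not vendor code) that builds the filter from step 4 as a PowerShell object, checks it locally, and only then sends it. The helper name Test-IngressFilter, the allowed-field list (taken only from the sample above) and the breadth check are assumptions.

```powershell
# Added example, not vendor code. $AllowedFields holds only the fields shown in
# this article's sample (assumption); extend it from the reference in step 2.
$AllowedFields = 'descendant_filtering_level','id','global','group_ids','os_mask','path_filters'

function Test-IngressFilter {   # hypothetical helper name
    param([System.Collections.IDictionary]$Filter)
    $problems = @()
    foreach ($key in $Filter.Keys) {
        if ($AllowedFields -notcontains $key) { $problems += "unknown field '$key'" }
    }
    if ([string]::IsNullOrEmpty([string]$Filter['id'])) { $problems += "'id' is empty" }
    $paths = @($Filter['path_filters'] | Where-Object { $_ })
    if ($paths.Count -eq 0) { $problems += "'path_filters' is empty" }
    foreach ($p in $paths) {
        # Strip wildcards and separators; if nothing but an extension is left,
        # the pattern (e.g. * or *\*.exe) names no specific binary.
        $literal = $p -replace '[\*\?\\/]', ''
        if ($literal -match '^(\.\w+)?$') { $problems += "path filter '$p' is too broad" }
    }
    return $problems
}

# Same values as the article's sample. Single-quoted PowerShell strings need no
# escaping; ConvertTo-Json turns the backslash into the \\ that JSON requires.
$filter = [ordered]@{
    descendant_filtering_level = -1
    id           = 'test2'
    global       = $false
    group_ids    = @(1, 2)
    os_mask      = 1
    path_filters = @('*\unimportant.exe')
}

$problems = @(Test-IngressFilter $filter)
if ($problems.Count -gt 0) { throw ('Filter not sent: ' + ($problems -join '; ')) }

# -InputObject keeps the one-element array, so the body is a JSON list as in step 4.
$JSON = ConvertTo-Json -InputObject @($filter) -Depth 4

# Prompt for the token so it is not stored in the script or in command history.
$secure = Read-Host -AsSecureString 'Global API token'
$token  = (New-Object System.Management.Automation.PSCredential('token', $secure)).GetNetworkCredential().Password

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Headers @{ 'X-Auth-Token' = $token } -ContentType 'application/json' `
    -Method POST -Uri 'https://<ServerHostnameHere>/api/v1/ingress_whitelist' -Body $JSON
```

Replace <ServerHostnameHere> before running. The script stops without contacting the server if any check fails.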