move_policy_from_mbus.conf.example
[settings]
#
# Example configuration (move_policy_from_mbus.conf.example).
#
# Warning: this file stores a password and two API tokens in clear text.
# Check the permissions of this file before saving usernames/passwords:
# restrict it to the account that runs the script (for example mode 0600,
# no execute bit) and keep the filled-in copy out of version control.
# NOTE(review): the values below are presumably samples shipped with the
# example -- replace every one of them; if any of them was ever a live
# credential, rotate it.
#
#
# RabbitMQ Password; see /etc/cb/cb.conf
#
rabbitmqpassword = deworjvkdsers
#
# RabbitMQ Username; see /etc/cb/cb.conf
#
rabbitmqusername = cb
#
# Carbon Black Server IP
# The commented-out line below is an alternative value (localhost); keep
# only one cbserverip line active, because duplicate keys are handled
# differently from parser to parser.
#
#cbserverip = localhost
cbserverip = 192.168.30.40
#
# Carbon Black Server API token
# Treat this as a credential. Prefer a token that belongs to an account with
# only the rights this integration needs -- TODO confirm which rights those are.
#
cbtoken = 22d9e14d1a23465f10b962fc94d85f4ef9a16bf1
#
# Enterprise Protection Server API Token
# Treat this as a credential; the same least-privilege note applies.
#
eptoken = 19AB261B-74EB-4C56-9434-BCE2FA55BFF6
#
# Enterprise Protection Server IP
#
epserverip = 192.168.30.34
#
# Trigger patterns
# Each section represents a set of regular expression tests that will
# be AND'ed together. If all tests match, the host will be moved into
# the policy named by that section's targetpolicy directive.
#
# Each regex should be named regex_<criteria> where <criteria> is a valid
# variable found in CbER's message bus data.
#
# Notes for writing triggers:
#  - In a regular expression an unescaped "." matches any character, so
#    "notepad.exe" also matches e.g. "notepadXexe"; write "notepad\.exe"
#    for a literal dot.
#  - Whether patterns are anchored or case-sensitive is not stated here;
#    test a new trigger before relying on it, since a loose pattern moves
#    hosts that should not be moved -- TODO confirm matching mode.
#  - The examples quote the name/targetpolicy values and spell the key both
#    "targetpolicy" and "targetPolicy"; whether the reader strips quotes and
#    ignores key case is not visible here -- confirm before copying.
#
# Example 1: Matches notepad.exe on the command line and moves the system
# to a policy called End Users.
#
# [Notepad test]
# name = 'Notepad test'
# targetpolicy = 'End Users'
# regex_command_line = notepad.exe
#
# Example 2: Matches suspicious PowerShell usage and moves the system to
# a policy called Penalty Box.
# [Powershell IEX]
# name = 'powershell IEX+Download'
# targetPolicy = 'Penalty Box'
# regex_path = powershell.exe$
# regex_command_line = iex.+?downloadstring\('http