Recommendations offer a quick shortcut for tuning your policy configuration to an environment: they suggest reputation overrides which you may add to improve your policy. They can speed up the tuning process, rather than requiring you to manually investigate endpoint activity and reconfigure the policy in response to those investigations.
The Carbon Black Cloud SDK for Python offers assistance for dealing with Recommendations.
By querying the ``Recommendation`` object, you can see which recommendations have already been generated for you by the Carbon Black Cloud.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['NEW', 'ACCEPTED', 'REJECTED']).sort_by('impact_score', 'DESC')
>>> recslist = list(query)
>>> for rec in recslist:
...     print(rec)
...
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
              impact: [RecommendationImpact object]:
                      event_count: 2
                      impact_score: 1.1710311
                      impacted_devices: 44
                      org_adoption: HIGH
                      update_time: 2021-05-18T16:37:07.000Z
            new_rule: [RecommendationNewRule object]:
                      filename: zoom.exe
                      override_list: WHITE_LIST
                      override_type: SHA256
                      sha256_hash: 56f560d8254ebb453daeaf9abe5c3c6de2e18eafaa5a9e4...
           policy_id: 0
   recommendation_id: 5e6926d4-0c55-4757-a94d-e05883d5ee4c
           rule_type: reputation_override
            workflow: [RecommendationWorkflow object]:
                      changed_by: estark@example.com
                      comment: test_recommendation_review_dismissed
                      create_time: 2021-05-18T16:37:07.000Z
                      ref_id: 6d90188a0d4f11ecb02e15835b040340
                      status: ACCEPTED
                      update_time: 2021-09-04T07:12:13.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
              impact: [RecommendationImpact object]:
                      event_count: 9
                      impact_score: 0.2678737
                      impacted_devices: 5
                      org_adoption: HIGH
                      update_time: 2021-05-18T16:37:07.000Z
            new_rule: [RecommendationNewRule object]:
                      filename: cxuiuexe.exe
                      override_list: WHITE_LIST
                      override_type: SHA256
                      sha256_hash: 90b196987fe62657bfce2627ab0a08a7096737363e13806...
           policy_id: 0
   recommendation_id: 100503cd-1897-425f-93b5-1ccba320438d
           rule_type: reputation_override
            workflow: [RecommendationWorkflow object]:
                      changed_by: jbaratheon@example.com
                      comment:
                      create_time: 2021-05-18T16:37:07.000Z
                      status: NEW
                      update_time: 2021-09-14T07:12:13.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
              impact: [RecommendationImpact object]:
                      event_count: 12
                      impact_score: 0.11177378
                      impacted_devices: 315
                      org_adoption: MEDIUM
                      update_time: 2021-05-18T16:37:07.000Z
            new_rule: [RecommendationNewRule object]:
                      filename: mbcloudea.exe
                      override_list: WHITE_LIST
                      override_type: SHA256
                      sha256_hash: 0a2190c4ccfde82ef950836d014f31b2b188423bb67b51a...
           policy_id: 0
   recommendation_id: 3f89a837-034c-4b81-9f4c-f673a36ccb5c
           rule_type: reputation_override
            workflow: [RecommendationWorkflow object]:
                      changed_by: tlannister@example.com
                      comment: test_recommendation_review_dismissed
                      create_time: 2021-05-18T16:37:07.000Z
                      ref_id: 16e842eb152b11eca8407fb13248831f
                      status: ACCEPTED
                      update_time: 2021-09-14T07:12:15.000Z
Recommendation object, bound to https://example.org.
-------------------------------------------------------------------------------
              impact: [RecommendationImpact object]:
                      event_count: 20
                      impact_score: 0.05499694
                      impacted_devices: 44
                      org_adoption: MEDIUM
                      update_time: 2021-05-18T16:37:07.000Z
            new_rule: [RecommendationNewRule object]:
                      filename: svctcom.exe
                      override_list: WHITE_LIST
                      override_type: SHA256
                      sha256_hash: d49a2beb44a603faf8aab2f5dfae3a292497c63f0b30d0e...
           policy_id: 0
   recommendation_id: 26ddb565-aff6-4b68-895c-fc286aa5f101
           rule_type: reputation_override
            workflow: [RecommendationWorkflow object]:
                      changed_by: mtyrell@example.com
                      comment: test_recommendation_review_dismissed
                      create_time: 2021-05-18T16:37:07.000Z
                      status: REJECTED
                      update_time: 2021-09-11T07:12:14.000Z
N.B.: If you do not set status values on the recommendation query with ``set_statuses()``, the search defaults to looking for ``NEW`` recommendations only.
Individual recommendations in the ``NEW`` state may be accepted or rejected by calling their ``accept()`` or ``reject()`` methods, respectively.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['NEW'])
>>> recommendation = query[0]
>>> recommendation.accept('Comment for acceptance')
>>> print(recommendation.workflow_.status)
ACCEPTED
>>> recommendation = query[1]
>>> recommendation.reject('Comment for rejection')
>>> print(recommendation.workflow_.status)
REJECTED
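Because every accepted recommendation becomes an allow-list override, a defender normally wants guardrails around ``accept()`` rather than approving the whole ``NEW`` queue. The following triage helper is an added example, not code from the SDK or this page: it treats only ``NEW``, fully SHA256-pinned ``WHITE_LIST`` recommendations with ``HIGH`` adoption above assumed device and score thresholds as candidates, accepts only those a human has signed off on, and stores who approved them and why in the comment. The ``impact_`` and ``new_rule_`` accessors are assumed by analogy with the ``workflow_`` accessor shown above, and ``StubRecommendation`` / ``SAMPLE`` are constructed stand-ins (placeholder hashes) so the code runs offline.

```python
from types import SimpleNamespace

MIN_IMPACTED_DEVICES, MIN_IMPACT_SCORE = 10, 0.1  # assumed thresholds; tune per environment


def classify(rec):
    """Return 'ACCEPT_CANDIDATE', 'NEEDS_REVIEW' or 'SKIP'. rec exposes workflow_ (shown on
    the page) plus impact_ and new_rule_ (assumed to follow the same accessor convention)."""
    if rec.workflow_.status != 'NEW':
        return 'SKIP'  # already decided; never overwrite an existing review
    rule, impact = rec.new_rule_, rec.impact_
    # Only a complete SHA256-pinned allow-list entry is low risk enough to pre-approve.
    if rule.override_list != 'WHITE_LIST' or rule.override_type != 'SHA256':
        return 'NEEDS_REVIEW'
    if len(rule.sha256_hash) != 64 or not set(rule.sha256_hash.lower()) <= set('0123456789abcdef'):
        return 'NEEDS_REVIEW'
    widely_seen = (impact.org_adoption == 'HIGH'
                   and impact.impacted_devices >= MIN_IMPACTED_DEVICES
                   and impact.impact_score >= MIN_IMPACT_SCORE)
    return 'ACCEPT_CANDIDATE' if widely_seen else 'NEEDS_REVIEW'


def apply_review(recs, reviewer, approved_ids):
    """Accept candidates a human approved; return (id, filename, verdict) tuples."""
    log = []
    for rec in recs:
        verdict = classify(rec)
        if verdict == 'ACCEPT_CANDIDATE' and rec.recommendation_id in approved_ids:
            # The comment stays with the resulting override, so record who approved it and why.
            rec.accept(f'approved by {reviewer}: HIGH adoption on {rec.impact_.impacted_devices} devices')
            verdict = 'ACCEPTED'
        log.append((rec.recommendation_id, rec.new_rule_.filename, verdict))
    return log


class StubRecommendation:
    """Constructed stand-in for the SDK's Recommendation so the example runs offline."""
    def __init__(self, rid, filename, status, adoption, devices, score, sha='ab' * 32):
        self.recommendation_id = rid
        self.workflow_ = SimpleNamespace(status=status, comment='')
        self.impact_ = SimpleNamespace(org_adoption=adoption, impacted_devices=devices, impact_score=score)
        self.new_rule_ = SimpleNamespace(filename=filename, override_list='WHITE_LIST',
                                         override_type='SHA256', sha256_hash=sha)

    def accept(self, comment):
        self.workflow_.status, self.workflow_.comment = 'ACCEPTED', comment


SAMPLE = [  # constructed values echoing the page's listing; hashes are placeholders
    StubRecommendation('rec-1', 'zoom.exe', 'NEW', 'HIGH', 44, 1.1710311),
    StubRecommendation('rec-2', 'cxuiuexe.exe', 'NEW', 'HIGH', 5, 0.2678737),
    StubRecommendation('rec-3', 'mbcloudea.exe', 'NEW', 'MEDIUM', 315, 0.11177378),
    StubRecommendation('rec-4', 'svctcom.exe', 'REJECTED', 'MEDIUM', 44, 0.05499694),
]
```

Against real SDK objects, pass the list returned by the query in place of ``SAMPLE``; recommendations already in ``ACCEPTED`` or ``REJECTED`` are skipped so an existing audit trail is never overwritten.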
Individual recommendations in the ``ACCEPTED`` or ``REJECTED`` states may be reverted to the ``NEW`` state by calling their ``reset()`` method.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['REJECTED'])
>>> recommendation = query.first()
>>> recommendation.reset()
>>> print(recommendation.workflow_.status)
NEW
A recommendation in the ``ACCEPTED`` state will have a reputation override created for it. You can retrieve that object with the ``reputation_override()`` method.
>>> from cbc_sdk import CBCloudAPI
>>> api = CBCloudAPI(profile='sample')
>>> from cbc_sdk.endpoint_standard import Recommendation
>>> query = api.select(Recommendation).set_statuses(['ACCEPTED'])
>>> reputation_override = query.first().reputation_override()
>>> print(reputation_override)
ReputationOverride object, bound to https://example.org.
 Last refreshed at Wed Oct  6 08:51:49 2021
-------------------------------------------------------------------------------
    create_time: 2021-09-15T07:12:12.594Z
     created_by: estark@example.com
    description: test_recommendation_review
       filename: pangphip.exe
             id: 3fa9f84515f411ecb2525dd14785e643
  override_list: WHITE_LIST
  override_type: SHA256
    sha256_hash: 6a2cac7f36af5cebe0debbdb161d4f66b694b75192f1af4...
         source: RECOMMENDATION
     source_ref: 7b4e20d9-db28-408b-b7e9-af4008fa65cc
More information about reputation overrides may be found in :doc:`reputation-override`.