Policies define automated response rules that are broadcast to all agents. When a policy is created, it is immediately pushed to online agents via the SSE event stream.

POST /api/policy

Creates a new policy and broadcasts it to all connected agents.
name (string, required): Human-readable policy name.
description (string): Optional description of the policy purpose.
rules (object[], required): Array of policy rules to enforce.
rules[].type (string, required): Rule type: block_ip, alert_threshold, auto_respond, or custom.
rules[].config (object, required): Rule-specific configuration (varies by type).
rules[].enabled (boolean, default: true): Whether the rule is active.
org_id (string): Scope the policy to a specific organization.

curl -X POST https://localhost:8443/api/policy \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Block Brute Force Sources",
    "description": "Automatically block IPs after repeated SSH failures",
    "rules": [
      {
        "type": "block_ip",
        "config": {
          "trigger": "brute_force",
          "threshold": 50,
          "duration": "24h",
          "scope": "host"
        },
        "enabled": true
      },
      {
        "type": "alert_threshold",
        "config": {
          "severity": "critical",
          "countPerHour": 5,
          "notifyChannels": ["telegram", "email"]
        },
        "enabled": true
      }
    ]
  }'

{
  "ok": true,
  "data": {
    "id": "pol_abc123",
    "name": "Block Brute Force Sources",
    "version": "v3",
    "rules": [
      {
        "type": "block_ip",
        "config": {
          "trigger": "brute_force",
          "threshold": 50,
          "duration": "24h",
          "scope": "host"
        },
        "enabled": true
      },
      {
        "type": "alert_threshold",
        "config": {
          "severity": "critical",
          "countPerHour": 5,
          "notifyChannels": ["telegram", "email"]
        },
        "enabled": true
      }
    ],
    "broadcastedTo": 8,
    "createdAt": "2026-03-07T12:00:00.000Z"
  }
}

Rule Types

block_ip

Automatically blocks source IPs that trigger specific threat types.

Config Field | Type | Description
--- | --- | ---
trigger | string | Threat type that activates the block
threshold | number | Number of events before blocking
duration | string | Block duration (e.g., 1h, 24h, 7d, permanent)
scope | string | host (local firewall) or fleet (all agents)

alert_threshold

Sends notifications when threat counts exceed a threshold.

Config Field | Type | Description
--- | --- | ---
severity | string | Minimum severity to count
countPerHour | number | Threshold per hour
notifyChannels | string[] | Notification channels to alert

auto_respond

Triggers automatic response actions when threats are detected.

Config Field | Type | Description
--- | --- | ---
trigger | string | Threat type that activates the response
action | string | Response action: kill_process, quarantine_file, block_ip, isolate_host
minConfidence | number | Minimum AI confidence score (0.0 to 1.0)
requireApproval | boolean | If true, sends an approval request instead of auto-executing

custom

User-defined rule with arbitrary configuration. Evaluated by the agent's rule engine.

Config Field | Type | Description
--- | --- | ---
condition | string | Custom condition expression
action | string | Action to execute
params | object | Additional parameters

GET /api/policy/active

Returns the currently active policy with all its rules.
curl -X GET https://localhost:8443/api/policy/active \
  -H "Authorization: Bearer YOUR_TOKEN"

{
  "ok": true,
  "data": {
    "id": "pol_abc123",
    "name": "Block Brute Force Sources",
    "version": "v3",
    "rules": [...],
    "createdAt": "2026-03-07T12:00:00.000Z"
  }
}

GET /api/policy/agent/:id

Returns the policy rules assigned to a specific agent, including any agent-specific overrides.
id (string, required): The agent ID.

curl -X GET https://localhost:8443/api/policy/agent/agent-a1b2c3d4 \
  -H "Authorization: Bearer YOUR_TOKEN"

{
  "ok": true,
  "data": {
    "agentId": "agent-a1b2c3d4",
    "policyVersion": "v3",
    "rules": [
      {
        "type": "block_ip",
        "config": {
          "trigger": "brute_force",
          "threshold": 50,
          "duration": "24h",
          "scope": "host"
        },
        "enabled": true
      }
    ],
    "appliedAt": "2026-03-07T12:01:00.000Z"
  }
}
Policies are versioned incrementally. Each new policy creation increments the version (v1, v2, v3, etc.). Agents report their current policy version in heartbeat responses, making it easy to identify agents running outdated policies.
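Because a policy is pushed to every online agent the moment it is created, a malformed rule reaches the whole fleet before anyone reviews it. The following is an added example (not part of this API's own code) of a client-side check that validates a request body against the rule schemas in the Rule Types section above and, using the version scheme just described, lists agents whose heartbeat policyVersion lags the active policy. The `reported` mapping of agent IDs to versions is assumed to have been collected from heartbeat responses; its shape is an assumption, not documented here.

```python
import re
# Rule types and the config keys each one requires, as documented on this page.
RULE_TYPES = {"block_ip", "alert_threshold", "auto_respond", "custom"}
REQUIRED_CONFIG = {
    "block_ip": {"trigger", "threshold", "duration", "scope"},
    "alert_threshold": {"severity", "countPerHour", "notifyChannels"},
    "auto_respond": {"trigger", "action"},
    "custom": {"condition", "action"},
}
RESPONSE_ACTIONS = {"kill_process", "quarantine_file", "block_ip", "isolate_host"}
DURATION_RE = re.compile(r"^(\d+[hd]|permanent)$")  # 1h, 24h, 7d, permanent


def validate_policy(body: dict) -> list[str]:
    """Return a list of problems; an empty list means the body matches the schema."""
    errors = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        errors.append("name is required")
    rules = body.get("rules")
    if not isinstance(rules, list) or not rules:
        return errors + ["rules must be a non-empty array"]
    for i, rule in enumerate(rules):
        rtype, cfg = rule.get("type"), rule.get("config")
        if rtype not in RULE_TYPES:
            errors.append(f"rules[{i}].type {rtype!r} is not a known rule type")
            continue
        if not isinstance(cfg, dict):
            errors.append(f"rules[{i}].config must be an object")
            continue
        # 'enabled' may be omitted (it defaults to true); the config keys may not.
        for key in sorted(REQUIRED_CONFIG[rtype] - cfg.keys()):
            errors.append(f"rules[{i}].config.{key} is required for {rtype}")
        if rtype == "block_ip":
            if "duration" in cfg and not DURATION_RE.match(str(cfg["duration"])):
                errors.append(f"rules[{i}].config.duration must look like 1h, 24h, 7d or permanent")
            if "scope" in cfg and cfg["scope"] not in ("host", "fleet"):
                errors.append(f"rules[{i}].config.scope must be host or fleet")
        if rtype == "auto_respond":
            if "action" in cfg and cfg["action"] not in RESPONSE_ACTIONS:
                errors.append(f"rules[{i}].config.action {cfg['action']!r} is not a response action")
            conf = cfg.get("minConfidence")
            if conf is not None and not (isinstance(conf, (int, float)) and 0.0 <= conf <= 1.0):
                errors.append(f"rules[{i}].config.minConfidence must be between 0.0 and 1.0")
    return errors


def outdated_agents(active_version: str, reported: dict) -> list[str]:
    """Agent IDs whose heartbeat policyVersion (e.g. 'v2') is behind the active policy ('v3')."""
    current = int(active_version.lstrip("v"))
    return sorted(a for a, v in reported.items() if int(v.lstrip("v")) < current)
```

Run `validate_policy` on the JSON body before issuing the POST; an empty list means every rule carries the fields its type needs, so the broadcast will not ship a rule the agents cannot evaluate.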