CrowdStrike v0.0.12 published on Thursday, Apr 3, 2025 by CrowdStrike

crowdstrike.PreventionPolicyWindows


This resource allows you to manage prevention policies for Windows hosts. A prevention policy controls which activity triggers detections and preventions on the hosts it is assigned to.

API Scopes

The following API scopes are required:

  • Prevention policies | Read & Write

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as crowdstrike from "@crowdstrike/pulumi";

// Detection/prevention pair used by most sub-policies below; every use spreads
// a fresh copy so no two inputs share the same object.
const moderateCautious = { detection: "MODERATE", prevention: "CAUTIOUS" };

// A Windows prevention policy with every boolean feature toggle switched on.
const example = new crowdstrike.PreventionPolicyWindows("example", {
    enabled: true,
    description: "Made with Pulumi",
    // NOTE(review): both lists are empty, so as written the policy is attached
    // to no host groups and no IOA rule groups — populate them for real use.
    hostGroups: [],
    ioaRuleGroups: [],
    // Per-category detection/prevention levels.
    adwareAndPup: { ...moderateCautious },
    // Prevention is DISABLED for this category, so it is detection-only here.
    cloudAntiMalwareMicrosoftOfficeFiles: { detection: "MODERATE", prevention: "DISABLED" },
    cloudAntiMalware: { ...moderateCautious },
    cloudAntiMalwareUserInitiated: { ...moderateCautious },
    sensorAntiMalware: { ...moderateCautious },
    sensorAntiMalwareUserInitiated: { ...moderateCautious },
    // Only a detection level is set for this category in the example.
    extendedUserModeData: { detection: "MODERATE" },
    // Boolean feature toggles, listed alphabetically; all enabled.
    additionalUserModeData: true,
    advancedRemediation: true,
    applicationExploitationActivity: true,
    backupDeletion: true,
    biosDeepVisibility: true,
    chopperWebshell: true,
    codeInjection: true,
    credentialDumping: true,
    cryptowall: true,
    customBlocking: true,
    detectOnWrite: true,
    driveByDownload: true,
    driverLoadPrevention: true,
    engineFullVisibility: true,
    enhancedDllLoadVisibility: true,
    enhancedExploitationVisibility: true,
    enhancedMlForLargerFiles: true,
    fileEncryption: true,
    fileSystemAccess: true,
    fileSystemContainment: true,
    forceAslr: true,
    forceDep: true,
    hardwareEnhancedExploitDetection: true,
    heapSprayPreallocation: true,
    httpDetections: true,
    intelligenceSourcedThreats: true,
    interpreterOnly: true,
    javascriptViaRundll32: true,
    locky: true,
    memoryScanning: true,
    memoryScanningScanWithCpu: true,
    microsoftOfficeFileSuspiciousMacroRemoval: true,
    notifyEndUsers: true,
    nullPageAllocation: true,
    onWriteScriptFileVisibility: true,
    preventSuspiciousProcesses: true,
    quarantineAndSecurityCenterRegistration: true,
    quarantineOnRemovableMedia: true,
    quarantineOnWrite: true,
    redactHttpDetectionDetails: true,
    scriptBasedExecutionMonitoring: true,
    sehOverwriteProtection: true,
    sensorTamperingProtection: true,
    suspiciousRegistryOperations: true,
    suspiciousScriptsAndCommands: true,
    uploadUnknownDetectionRelatedExecutables: true,
    uploadUnknownExecutables: true,
    usbInsertionTriggeredScan: true,
    volumeShadowCopyAudit: true,
    volumeShadowCopyProtect: true,
    vulnerableDriverProtection: true,
    windowsLogonBypassStickyKeys: true,
});
// Stack output referencing the resource declared above.
export const preventionPolicyWindows = example;
import pulumi
import crowdstrike_pulumi as crowdstrike

# Detection/prevention pair used by most sub-policies below; each argument
# receives its own copy so no two inputs share one dict.
MODERATE_CAUTIOUS = {"detection": "MODERATE", "prevention": "CAUTIOUS"}

# A Windows prevention policy with every boolean feature toggle switched on.
example = crowdstrike.PreventionPolicyWindows(
    "example",
    enabled=True,
    description="Made with Pulumi",
    # NOTE(review): both lists are empty, so as written the policy is attached
    # to no host groups and no IOA rule groups -- populate them for real use.
    host_groups=[],
    ioa_rule_groups=[],
    # Per-category detection/prevention levels.
    adware_and_pup={**MODERATE_CAUTIOUS},
    # Prevention is DISABLED for this category, so it is detection-only here.
    cloud_anti_malware_microsoft_office_files={
        "detection": "MODERATE",
        "prevention": "DISABLED",
    },
    cloud_anti_malware={**MODERATE_CAUTIOUS},
    cloud_anti_malware_user_initiated={**MODERATE_CAUTIOUS},
    sensor_anti_malware={**MODERATE_CAUTIOUS},
    sensor_anti_malware_user_initiated={**MODERATE_CAUTIOUS},
    # Only a detection level is set for this category in the example.
    extended_user_mode_data={"detection": "MODERATE"},
    # Boolean feature toggles, listed alphabetically; all enabled.
    additional_user_mode_data=True,
    advanced_remediation=True,
    application_exploitation_activity=True,
    backup_deletion=True,
    bios_deep_visibility=True,
    chopper_webshell=True,
    code_injection=True,
    credential_dumping=True,
    cryptowall=True,
    custom_blocking=True,
    detect_on_write=True,
    drive_by_download=True,
    driver_load_prevention=True,
    engine_full_visibility=True,
    enhanced_dll_load_visibility=True,
    enhanced_exploitation_visibility=True,
    enhanced_ml_for_larger_files=True,
    file_encryption=True,
    file_system_access=True,
    file_system_containment=True,
    force_aslr=True,
    force_dep=True,
    hardware_enhanced_exploit_detection=True,
    heap_spray_preallocation=True,
    http_detections=True,
    intelligence_sourced_threats=True,
    interpreter_only=True,
    javascript_via_rundll32=True,
    locky=True,
    memory_scanning=True,
    memory_scanning_scan_with_cpu=True,
    microsoft_office_file_suspicious_macro_removal=True,
    notify_end_users=True,
    null_page_allocation=True,
    on_write_script_file_visibility=True,
    prevent_suspicious_processes=True,
    quarantine_and_security_center_registration=True,
    quarantine_on_removable_media=True,
    quarantine_on_write=True,
    redact_http_detection_details=True,
    script_based_execution_monitoring=True,
    seh_overwrite_protection=True,
    sensor_tampering_protection=True,
    suspicious_registry_operations=True,
    suspicious_scripts_and_commands=True,
    upload_unknown_detection_related_executables=True,
    upload_unknown_executables=True,
    usb_insertion_triggered_scan=True,
    volume_shadow_copy_audit=True,
    volume_shadow_copy_protect=True,
    vulnerable_driver_protection=True,
    windows_logon_bypass_sticky_keys=True,
)
# Stack output referencing the resource declared above.
pulumi.export("preventionPolicyWindows", example)
package main

import (
	"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Input values shared by the sub-policy levels and the feature toggles below.
		moderate := pulumi.String("MODERATE")
		cautious := pulumi.String("CAUTIOUS")
		disabled := pulumi.String("DISABLED")
		on := pulumi.Bool(true)

		// A Windows prevention policy with every boolean feature toggle switched on.
		args := &crowdstrike.PreventionPolicyWindowsArgs{
			Enabled:     on,
			Description: pulumi.String("Made with Pulumi"),
			// NOTE(review): both arrays are empty, so as written the policy is
			// attached to no host groups and no IOA rule groups.
			HostGroups:    pulumi.StringArray{},
			IoaRuleGroups: pulumi.StringArray{},
			// Per-category detection/prevention levels.
			AdwareAndPup: &crowdstrike.PreventionPolicyWindowsAdwareAndPupArgs{
				Detection:  moderate,
				Prevention: cautious,
			},
			// Prevention is DISABLED for this category, so it is detection-only here.
			CloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{
				Detection:  moderate,
				Prevention: disabled,
			},
			CloudAntiMalware: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareArgs{
				Detection:  moderate,
				Prevention: cautious,
			},
			CloudAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{
				Detection:  moderate,
				Prevention: cautious,
			},
			SensorAntiMalware: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareArgs{
				Detection:  moderate,
				Prevention: cautious,
			},
			SensorAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{
				Detection:  moderate,
				Prevention: cautious,
			},
			// Only a detection level is set for this category in the example.
			ExtendedUserModeData: &crowdstrike.PreventionPolicyWindowsExtendedUserModeDataArgs{
				Detection: moderate,
			},
			// Boolean feature toggles, listed alphabetically; all enabled.
			AdditionalUserModeData:                    on,
			AdvancedRemediation:                       on,
			ApplicationExploitationActivity:           on,
			BackupDeletion:                            on,
			BiosDeepVisibility:                        on,
			ChopperWebshell:                           on,
			CodeInjection:                             on,
			CredentialDumping:                         on,
			Cryptowall:                                on,
			CustomBlocking:                            on,
			DetectOnWrite:                             on,
			DriveByDownload:                           on,
			DriverLoadPrevention:                      on,
			EngineFullVisibility:                      on,
			EnhancedDllLoadVisibility:                 on,
			EnhancedExploitationVisibility:            on,
			EnhancedMlForLargerFiles:                  on,
			FileEncryption:                            on,
			FileSystemAccess:                          on,
			FileSystemContainment:                     on,
			ForceAslr:                                 on,
			ForceDep:                                  on,
			HardwareEnhancedExploitDetection:          on,
			HeapSprayPreallocation:                    on,
			HttpDetections:                            on,
			IntelligenceSourcedThreats:                on,
			InterpreterOnly:                           on,
			JavascriptViaRundll32:                     on,
			Locky:                                     on,
			MemoryScanning:                            on,
			MemoryScanningScanWithCpu:                 on,
			MicrosoftOfficeFileSuspiciousMacroRemoval: on,
			NotifyEndUsers:                            on,
			NullPageAllocation:                        on,
			OnWriteScriptFileVisibility:               on,
			PreventSuspiciousProcesses:                on,
			QuarantineAndSecurityCenterRegistration:   on,
			QuarantineOnRemovableMedia:                on,
			QuarantineOnWrite:                         on,
			RedactHttpDetectionDetails:                on,
			ScriptBasedExecutionMonitoring:            on,
			SehOverwriteProtection:                    on,
			SensorTamperingProtection:                 on,
			SuspiciousRegistryOperations:              on,
			SuspiciousScriptsAndCommands:              on,
			UploadUnknownDetectionRelatedExecutables:  on,
			UploadUnknownExecutables:                  on,
			UsbInsertionTriggeredScan:                 on,
			VolumeShadowCopyAudit:                     on,
			VolumeShadowCopyProtect:                   on,
			VulnerableDriverProtection:                on,
			WindowsLogonBypassStickyKeys:              on,
		}

		example, err := crowdstrike.NewPreventionPolicyWindows(ctx, "example", args)
		if err != nil {
			return err
		}
		// Stack output referencing the resource declared above.
		ctx.Export("preventionPolicyWindows", example)
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Crowdstrike = CrowdStrike.Crowdstrike;

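return await Deployment.RunAsync(() =>
{
    // A Windows prevention policy with every boolean feature toggle switched on.
    var example = new Crowdstrike.PreventionPolicyWindows("example", new()
    {
        Enabled = true,
        Description = "Made with Pulumi",
        // `new[] {}` does not compile (no element type can be inferred for an
        // empty implicitly-typed array), so the element type is given explicitly.
        // NOTE(review): both arrays are empty, so as written the policy is
        // attached to no host groups and no IOA rule groups.
        HostGroups = new string[] {},
        IoaRuleGroups = new string[] {},
        // Per-category detection/prevention levels.
        AdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPupArgs
        {
            Detection = "MODERATE",
            Prevention = "CAUTIOUS",
        },
        // Prevention is DISABLED for this category, so it is detection-only here.
        CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
        {
            Detection = "MODERATE",
            Prevention = "DISABLED",
        },
        CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareArgs
        {
            Detection = "MODERATE",
            Prevention = "CAUTIOUS",
        },
        CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
        {
            Detection = "MODERATE",
            Prevention = "CAUTIOUS",
        },
        SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareArgs
        {
            Detection = "MODERATE",
            Prevention = "CAUTIOUS",
        },
        SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
        {
            Detection = "MODERATE",
            Prevention = "CAUTIOUS",
        },
        // Only a detection level is set for this category in the example.
        ExtendedUserModeData = new Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeDataArgs
        {
            Detection = "MODERATE",
        },
        // Boolean feature toggles; all enabled.
        UsbInsertionTriggeredScan = true,
        ApplicationExploitationActivity = true,
        AdditionalUserModeData = true,
        NotifyEndUsers = true,
        AdvancedRemediation = true,
        BackupDeletion = true,
        BiosDeepVisibility = true,
        ChopperWebshell = true,
        CodeInjection = true,
        CredentialDumping = true,
        Cryptowall = true,
        CustomBlocking = true,
        DetectOnWrite = true,
        DriveByDownload = true,
        DriverLoadPrevention = true,
        InterpreterOnly = true,
        EngineFullVisibility = true,
        EnhancedExploitationVisibility = true,
        EnhancedDllLoadVisibility = true,
        EnhancedMlForLargerFiles = true,
        FileEncryption = true,
        FileSystemAccess = true,
        ForceAslr = true,
        ForceDep = true,
        HeapSprayPreallocation = true,
        NullPageAllocation = true,
        SehOverwriteProtection = true,
        HardwareEnhancedExploitDetection = true,
        HttpDetections = true,
        RedactHttpDetectionDetails = true,
        IntelligenceSourcedThreats = true,
        JavascriptViaRundll32 = true,
        Locky = true,
        MemoryScanning = true,
        MemoryScanningScanWithCpu = true,
        MicrosoftOfficeFileSuspiciousMacroRemoval = true,
        OnWriteScriptFileVisibility = true,
        PreventSuspiciousProcesses = true,
        QuarantineAndSecurityCenterRegistration = true,
        QuarantineOnRemovableMedia = true,
        QuarantineOnWrite = true,
        ScriptBasedExecutionMonitoring = true,
        SensorTamperingProtection = true,
        SuspiciousRegistryOperations = true,
        SuspiciousScriptsAndCommands = true,
        UploadUnknownExecutables = true,
        UploadUnknownDetectionRelatedExecutables = true,
        VolumeShadowCopyAudit = true,
        VolumeShadowCopyProtect = true,
        VulnerableDriverProtection = true,
        WindowsLogonBypassStickyKeys = true,
        FileSystemContainment = true,
    });

    // Stack output referencing the resource declared above.
    return new Dictionary<string, object?>
    {
        ["preventionPolicyWindows"] = example,
    };
});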
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.crowdstrike.PreventionPolicyWindows;
import com.pulumi.crowdstrike.PreventionPolicyWindowsArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsAdwareAndPupArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs;
import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsExtendedUserModeDataArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

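public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a Windows prevention policy with every boolean feature toggle
     * enabled and exports it under the stack output {@code preventionPolicyWindows}.
     *
     * The nested builders for the per-category levels were missing from the
     * generated example (the generator printed a formatting panic in their
     * place), so they are written out here to match the other language examples.
     *
     * @param ctx the deployment context the resource is registered with
     */
    public static void stack(Context ctx) {
        var example = new PreventionPolicyWindows("example", PreventionPolicyWindowsArgs.builder()
            .enabled(true)
            .description("Made with Pulumi")
            // NOTE(review): no host groups or IOA rule groups are attached here,
            // so as written the policy applies to nothing.
            .hostGroups()
            .ioaRuleGroups()
            // Per-category detection/prevention levels.
            .adwareAndPup(PreventionPolicyWindowsAdwareAndPupArgs.builder()
                .detection("MODERATE")
                .prevention("CAUTIOUS")
                .build())
            // Prevention is DISABLED for this category, so it is detection-only here.
            .cloudAntiMalwareMicrosoftOfficeFiles(PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()
                .detection("MODERATE")
                .prevention("DISABLED")
                .build())
            .cloudAntiMalware(PreventionPolicyWindowsCloudAntiMalwareArgs.builder()
                .detection("MODERATE")
                .prevention("CAUTIOUS")
                .build())
            .cloudAntiMalwareUserInitiated(PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()
                .detection("MODERATE")
                .prevention("CAUTIOUS")
                .build())
            .sensorAntiMalware(PreventionPolicyWindowsSensorAntiMalwareArgs.builder()
                .detection("MODERATE")
                .prevention("CAUTIOUS")
                .build())
            .sensorAntiMalwareUserInitiated(PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()
                .detection("MODERATE")
                .prevention("CAUTIOUS")
                .build())
            // Only a detection level is set for this category in the example.
            .extendedUserModeData(PreventionPolicyWindowsExtendedUserModeDataArgs.builder()
                .detection("MODERATE")
                .build())
            // Boolean feature toggles; all enabled.
            .usbInsertionTriggeredScan(true)
            .applicationExploitationActivity(true)
            .additionalUserModeData(true)
            .notifyEndUsers(true)
            .advancedRemediation(true)
            .backupDeletion(true)
            .biosDeepVisibility(true)
            .chopperWebshell(true)
            .codeInjection(true)
            .credentialDumping(true)
            .cryptowall(true)
            .customBlocking(true)
            .detectOnWrite(true)
            .driveByDownload(true)
            .driverLoadPrevention(true)
            .interpreterOnly(true)
            .engineFullVisibility(true)
            .enhancedExploitationVisibility(true)
            .enhancedDllLoadVisibility(true)
            .enhancedMlForLargerFiles(true)
            .fileEncryption(true)
            .fileSystemAccess(true)
            .forceAslr(true)
            .forceDep(true)
            .heapSprayPreallocation(true)
            .nullPageAllocation(true)
            .sehOverwriteProtection(true)
            .hardwareEnhancedExploitDetection(true)
            .httpDetections(true)
            .redactHttpDetectionDetails(true)
            .intelligenceSourcedThreats(true)
            .javascriptViaRundll32(true)
            .locky(true)
            .memoryScanning(true)
            .memoryScanningScanWithCpu(true)
            .microsoftOfficeFileSuspiciousMacroRemoval(true)
            .onWriteScriptFileVisibility(true)
            .preventSuspiciousProcesses(true)
            .quarantineAndSecurityCenterRegistration(true)
            .quarantineOnRemovableMedia(true)
            .quarantineOnWrite(true)
            .scriptBasedExecutionMonitoring(true)
            .sensorTamperingProtection(true)
            .suspiciousRegistryOperations(true)
            .suspiciousScriptsAndCommands(true)
            .uploadUnknownExecutables(true)
            .uploadUnknownDetectionRelatedExecutables(true)
            .volumeShadowCopyAudit(true)
            .volumeShadowCopyProtect(true)
            .vulnerableDriverProtection(true)
            .windowsLogonBypassStickyKeys(true)
            .fileSystemContainment(true)
            .build());

        // Stack output referencing the resource declared above.
        ctx.export("preventionPolicyWindows", example);
    }
}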
# Example: a Windows prevention policy with every boolean feature toggle enabled.
resources:
  example:
    type: crowdstrike:PreventionPolicyWindows
    properties:
      enabled: true
      description: Made with Pulumi
      # NOTE(review): both lists are empty, so as written the policy is attached
      # to no host groups and no IOA rule groups -- populate them for real use.
      hostGroups: []
      ioaRuleGroups: []
      # Per-category detection/prevention levels.
      adwareAndPup:
        detection: MODERATE
        prevention: CAUTIOUS
      # Prevention is DISABLED for this category, so it is detection-only here.
      cloudAntiMalwareMicrosoftOfficeFiles:
        detection: MODERATE
        prevention: DISABLED
      cloudAntiMalware:
        detection: MODERATE
        prevention: CAUTIOUS
      cloudAntiMalwareUserInitiated:
        detection: MODERATE
        prevention: CAUTIOUS
      sensorAntiMalware:
        detection: MODERATE
        prevention: CAUTIOUS
      sensorAntiMalwareUserInitiated:
        detection: MODERATE
        prevention: CAUTIOUS
      # Only a detection level is set for this category in the example.
      extendedUserModeData:
        detection: MODERATE
      # Boolean feature toggles; all enabled.
      usbInsertionTriggeredScan: true
      applicationExploitationActivity: true
      additionalUserModeData: true
      notifyEndUsers: true
      advancedRemediation: true
      backupDeletion: true
      biosDeepVisibility: true
      chopperWebshell: true
      codeInjection: true
      credentialDumping: true
      cryptowall: true
      customBlocking: true
      detectOnWrite: true
      driveByDownload: true
      driverLoadPrevention: true
      interpreterOnly: true
      engineFullVisibility: true
      enhancedExploitationVisibility: true
      enhancedDllLoadVisibility: true
      enhancedMlForLargerFiles: true
      fileEncryption: true
      fileSystemAccess: true
      forceAslr: true
      forceDep: true
      heapSprayPreallocation: true
      nullPageAllocation: true
      sehOverwriteProtection: true
      hardwareEnhancedExploitDetection: true
      httpDetections: true
      redactHttpDetectionDetails: true
      intelligenceSourcedThreats: true
      javascriptViaRundll32: true
      locky: true
      memoryScanning: true
      memoryScanningScanWithCpu: true
      microsoftOfficeFileSuspiciousMacroRemoval: true
      onWriteScriptFileVisibility: true
      preventSuspiciousProcesses: true
      quarantineAndSecurityCenterRegistration: true
      quarantineOnRemovableMedia: true
      quarantineOnWrite: true
      scriptBasedExecutionMonitoring: true
      sensorTamperingProtection: true
      suspiciousRegistryOperations: true
      suspiciousScriptsAndCommands: true
      uploadUnknownExecutables: true
      uploadUnknownDetectionRelatedExecutables: true
      volumeShadowCopyAudit: true
      volumeShadowCopyProtect: true
      vulnerableDriverProtection: true
      windowsLogonBypassStickyKeys: true
      fileSystemContainment: true
# Stack output referencing the resource declared above.
outputs:
  preventionPolicyWindows: ${example}

Create PreventionPolicyWindows Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new PreventionPolicyWindows(name: string, args: PreventionPolicyWindowsArgs, opts?: CustomResourceOptions);
@overload
def PreventionPolicyWindows(resource_name: str,
                            args: PreventionPolicyWindowsArgs,
                            opts: Optional[ResourceOptions] = None)

@overload
def PreventionPolicyWindows(resource_name: str,
                            opts: Optional[ResourceOptions] = None,
                            host_groups: Optional[Sequence[str]] = None,
                            ioa_rule_groups: Optional[Sequence[str]] = None,
                            additional_user_mode_data: Optional[bool] = None,
                            advanced_remediation: Optional[bool] = None,
                            adware_and_pup: Optional[PreventionPolicyWindowsAdwareAndPupArgs] = None,
                            application_exploitation_activity: Optional[bool] = None,
                            backup_deletion: Optional[bool] = None,
                            bios_deep_visibility: Optional[bool] = None,
                            chopper_webshell: Optional[bool] = None,
                            cloud_anti_malware: Optional[PreventionPolicyWindowsCloudAntiMalwareArgs] = None,
                            cloud_anti_malware_microsoft_office_files: Optional[PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs] = None,
                            cloud_anti_malware_user_initiated: Optional[PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs] = None,
                            code_injection: Optional[bool] = None,
                            credential_dumping: Optional[bool] = None,
                            cryptowall: Optional[bool] = None,
                            custom_blocking: Optional[bool] = None,
                            description: Optional[str] = None,
                            detect_on_write: Optional[bool] = None,
                            drive_by_download: Optional[bool] = None,
                            driver_load_prevention: Optional[bool] = None,
                            enabled: Optional[bool] = None,
                            engine_full_visibility: Optional[bool] = None,
                            enhanced_dll_load_visibility: Optional[bool] = None,
                            enhanced_exploitation_visibility: Optional[bool] = None,
                            enhanced_ml_for_larger_files: Optional[bool] = None,
                            extended_user_mode_data: Optional[PreventionPolicyWindowsExtendedUserModeDataArgs] = None,
                            file_encryption: Optional[bool] = None,
                            file_system_access: Optional[bool] = None,
                            file_system_containment: Optional[bool] = None,
                            force_aslr: Optional[bool] = None,
                            force_dep: Optional[bool] = None,
                            hardware_enhanced_exploit_detection: Optional[bool] = None,
                            heap_spray_preallocation: Optional[bool] = None,
                            http_detections: Optional[bool] = None,
                            intelligence_sourced_threats: Optional[bool] = None,
                            interpreter_only: Optional[bool] = None,
                            javascript_via_rundll32: Optional[bool] = None,
                            locky: Optional[bool] = None,
                            memory_scanning: Optional[bool] = None,
                            memory_scanning_scan_with_cpu: Optional[bool] = None,
                            microsoft_office_file_suspicious_macro_removal: Optional[bool] = None,
                            name: Optional[str] = None,
                            notify_end_users: Optional[bool] = None,
                            null_page_allocation: Optional[bool] = None,
                            on_write_script_file_visibility: Optional[bool] = None,
                            prevent_suspicious_processes: Optional[bool] = None,
                            quarantine_and_security_center_registration: Optional[bool] = None,
                            quarantine_on_removable_media: Optional[bool] = None,
                            quarantine_on_write: Optional[bool] = None,
                            redact_http_detection_details: Optional[bool] = None,
                            script_based_execution_monitoring: Optional[bool] = None,
                            seh_overwrite_protection: Optional[bool] = None,
                            sensor_anti_malware: Optional[PreventionPolicyWindowsSensorAntiMalwareArgs] = None,
                            sensor_anti_malware_user_initiated: Optional[PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs] = None,
                            sensor_tampering_protection: Optional[bool] = None,
                            suspicious_registry_operations: Optional[bool] = None,
                            suspicious_scripts_and_commands: Optional[bool] = None,
                            upload_unknown_detection_related_executables: Optional[bool] = None,
                            upload_unknown_executables: Optional[bool] = None,
                            usb_insertion_triggered_scan: Optional[bool] = None,
                            volume_shadow_copy_audit: Optional[bool] = None,
                            volume_shadow_copy_protect: Optional[bool] = None,
                            vulnerable_driver_protection: Optional[bool] = None,
                            windows_logon_bypass_sticky_keys: Optional[bool] = None)
func NewPreventionPolicyWindows(ctx *Context, name string, args PreventionPolicyWindowsArgs, opts ...ResourceOption) (*PreventionPolicyWindows, error)
public PreventionPolicyWindows(string name, PreventionPolicyWindowsArgs args, CustomResourceOptions? opts = null)
public PreventionPolicyWindows(String name, PreventionPolicyWindowsArgs args)
public PreventionPolicyWindows(String name, PreventionPolicyWindowsArgs args, CustomResourceOptions options)
type: crowdstrike:PreventionPolicyWindows
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name This property is required. string
The unique name of the resource.
args This property is required. PreventionPolicyWindowsArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name This property is required. str
The unique name of the resource.
args This property is required. PreventionPolicyWindowsArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name This property is required. string
The unique name of the resource.
args This property is required. PreventionPolicyWindowsArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name This property is required. string
The unique name of the resource.
args This property is required. PreventionPolicyWindowsArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name This property is required. String
The unique name of the resource.
args This property is required. PreventionPolicyWindowsArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

// Reference example with placeholder values only: every toggle is false and the
// nested Detection/Prevention levels are the literal "string". Replace them with
// real settings before applying; the comments below mark toggles that depend on
// one another (see the input property descriptions).
var preventionPolicyWindowsResource = new Crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource", new()
{
    HostGroups = new[] // Host Group ids the policy is attached to
    {
        "string",
    },
    IoaRuleGroups = new[] // IOA Rule Groups attached to the policy
    {
        "string",
    },
    AdditionalUserModeData = false, // required by several exploit-mitigation toggles below
    AdvancedRemediation = false,
    AdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPupArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    ApplicationExploitationActivity = false,
    BackupDeletion = false,
    BiosDeepVisibility = false,
    ChopperWebshell = false,
    CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    CodeInjection = false, // requires AdditionalUserModeData
    CredentialDumping = false, // requires AdditionalUserModeData
    Cryptowall = false,
    CustomBlocking = false,
    Description = "string",
    DetectOnWrite = false,
    DriveByDownload = false,
    DriverLoadPrevention = false,
    Enabled = false, // false leaves the whole policy inactive
    EngineFullVisibility = false, // requires InterpreterOnly
    EnhancedDllLoadVisibility = false,
    EnhancedExploitationVisibility = false,
    EnhancedMlForLargerFiles = false,
    ExtendedUserModeData = new Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeDataArgs
    {
        Detection = "string",
    },
    FileEncryption = false,
    FileSystemAccess = false,
    FileSystemContainment = false,
    ForceAslr = false, // requires AdditionalUserModeData
    ForceDep = false, // requires AdditionalUserModeData
    HardwareEnhancedExploitDetection = false,
    HeapSprayPreallocation = false, // requires AdditionalUserModeData
    HttpDetections = false,
    IntelligenceSourcedThreats = false,
    InterpreterOnly = false,
    JavascriptViaRundll32 = false,
    Locky = false,
    MemoryScanning = false,
    MemoryScanningScanWithCpu = false,
    MicrosoftOfficeFileSuspiciousMacroRemoval = false,
    Name = "string",
    NotifyEndUsers = false,
    NullPageAllocation = false, // requires AdditionalUserModeData
    OnWriteScriptFileVisibility = false,
    PreventSuspiciousProcesses = false,
    QuarantineAndSecurityCenterRegistration = false, // registers Falcon with Windows Security Center, which disables Windows Defender
    QuarantineOnRemovableMedia = false,
    QuarantineOnWrite = false,
    RedactHttpDetectionDetails = false, // no effect unless HttpDetections is enabled
    ScriptBasedExecutionMonitoring = false, // requires QuarantineAndSecurityCenterRegistration
    SehOverwriteProtection = false, // requires AdditionalUserModeData
    SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
    {
        Detection = "string",
        Prevention = "string",
    },
    SensorTamperingProtection = false, // disabling not recommended: tampering is then detected but not blocked
    SuspiciousRegistryOperations = false,
    SuspiciousScriptsAndCommands = false, // requires InterpreterOnly and/or ScriptBasedExecutionMonitoring
    UploadUnknownDetectionRelatedExecutables = false,
    UploadUnknownExecutables = false,
    UsbInsertionTriggeredScan = false,
    VolumeShadowCopyAudit = false,
    VolumeShadowCopyProtect = false, // requires VolumeShadowCopyAudit
    VulnerableDriverProtection = false, // requires DriverLoadPrevention
    WindowsLogonBypassStickyKeys = false,
});
// Reference example with placeholder values only: every toggle is false and the
// nested Detection/Prevention levels are the literal "string". Replace them with
// real settings before applying; the comments below mark toggles that depend on
// one another (see the input property descriptions).
example, err := crowdstrike.NewPreventionPolicyWindows(ctx, "preventionPolicyWindowsResource", &crowdstrike.PreventionPolicyWindowsArgs{
	HostGroups: pulumi.StringArray{ // Host Group ids the policy is attached to
		pulumi.String("string"),
	},
	IoaRuleGroups: pulumi.StringArray{ // IOA Rule Groups attached to the policy
		pulumi.String("string"),
	},
	AdditionalUserModeData: pulumi.Bool(false), // required by several exploit-mitigation toggles below
	AdvancedRemediation:    pulumi.Bool(false),
	AdwareAndPup: &crowdstrike.PreventionPolicyWindowsAdwareAndPupArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	ApplicationExploitationActivity: pulumi.Bool(false),
	BackupDeletion:                  pulumi.Bool(false),
	BiosDeepVisibility:              pulumi.Bool(false),
	ChopperWebshell:                 pulumi.Bool(false),
	CloudAntiMalware: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	CloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	CloudAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	CodeInjection:                  pulumi.Bool(false), // requires AdditionalUserModeData
	CredentialDumping:              pulumi.Bool(false), // requires AdditionalUserModeData
	Cryptowall:                     pulumi.Bool(false),
	CustomBlocking:                 pulumi.Bool(false),
	Description:                    pulumi.String("string"),
	DetectOnWrite:                  pulumi.Bool(false),
	DriveByDownload:                pulumi.Bool(false),
	DriverLoadPrevention:           pulumi.Bool(false),
	Enabled:                        pulumi.Bool(false), // false leaves the whole policy inactive
	EngineFullVisibility:           pulumi.Bool(false), // requires InterpreterOnly
	EnhancedDllLoadVisibility:      pulumi.Bool(false),
	EnhancedExploitationVisibility: pulumi.Bool(false),
	EnhancedMlForLargerFiles:       pulumi.Bool(false),
	ExtendedUserModeData: &crowdstrike.PreventionPolicyWindowsExtendedUserModeDataArgs{
		Detection: pulumi.String("string"),
	},
	FileEncryption:                   pulumi.Bool(false),
	FileSystemAccess:                 pulumi.Bool(false),
	FileSystemContainment:            pulumi.Bool(false),
	ForceAslr:                        pulumi.Bool(false), // requires AdditionalUserModeData
	ForceDep:                         pulumi.Bool(false), // requires AdditionalUserModeData
	HardwareEnhancedExploitDetection: pulumi.Bool(false),
	HeapSprayPreallocation:           pulumi.Bool(false), // requires AdditionalUserModeData
	HttpDetections:                   pulumi.Bool(false),
	IntelligenceSourcedThreats:       pulumi.Bool(false),
	InterpreterOnly:                  pulumi.Bool(false),
	JavascriptViaRundll32:            pulumi.Bool(false),
	Locky:                            pulumi.Bool(false),
	MemoryScanning:                   pulumi.Bool(false),
	MemoryScanningScanWithCpu:        pulumi.Bool(false),
	MicrosoftOfficeFileSuspiciousMacroRemoval: pulumi.Bool(false),
	Name:                                    pulumi.String("string"),
	NotifyEndUsers:                          pulumi.Bool(false),
	NullPageAllocation:                      pulumi.Bool(false), // requires AdditionalUserModeData
	OnWriteScriptFileVisibility:             pulumi.Bool(false),
	PreventSuspiciousProcesses:              pulumi.Bool(false),
	QuarantineAndSecurityCenterRegistration: pulumi.Bool(false), // registers Falcon with Windows Security Center, which disables Windows Defender
	QuarantineOnRemovableMedia:              pulumi.Bool(false),
	QuarantineOnWrite:                       pulumi.Bool(false),
	RedactHttpDetectionDetails:              pulumi.Bool(false), // no effect unless HttpDetections is enabled
	ScriptBasedExecutionMonitoring:          pulumi.Bool(false), // requires QuarantineAndSecurityCenterRegistration
	SehOverwriteProtection:                  pulumi.Bool(false), // requires AdditionalUserModeData
	SensorAntiMalware: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	SensorAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{
		Detection:  pulumi.String("string"),
		Prevention: pulumi.String("string"),
	},
	SensorTamperingProtection:                pulumi.Bool(false), // disabling not recommended: tampering is then detected but not blocked
	SuspiciousRegistryOperations:             pulumi.Bool(false),
	SuspiciousScriptsAndCommands:             pulumi.Bool(false), // requires InterpreterOnly and/or ScriptBasedExecutionMonitoring
	UploadUnknownDetectionRelatedExecutables: pulumi.Bool(false),
	UploadUnknownExecutables:                 pulumi.Bool(false),
	UsbInsertionTriggeredScan:                pulumi.Bool(false),
	VolumeShadowCopyAudit:                    pulumi.Bool(false),
	VolumeShadowCopyProtect:                  pulumi.Bool(false), // requires VolumeShadowCopyAudit
	VulnerableDriverProtection:               pulumi.Bool(false), // requires DriverLoadPrevention
	WindowsLogonBypassStickyKeys:             pulumi.Bool(false),
})
// Reference example with placeholder values only: every toggle is false and the
// nested detection/prevention levels are the literal "string". Replace them with
// real settings before applying; the comments below mark toggles that depend on
// one another (see the input property descriptions).
var preventionPolicyWindowsResource = new PreventionPolicyWindows("preventionPolicyWindowsResource", PreventionPolicyWindowsArgs.builder()
    .hostGroups("string") // Host Group ids the policy is attached to
    .ioaRuleGroups("string") // IOA Rule Groups attached to the policy
    .additionalUserModeData(false) // required by several exploit-mitigation toggles below
    .advancedRemediation(false)
    .adwareAndPup(PreventionPolicyWindowsAdwareAndPupArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .applicationExploitationActivity(false)
    .backupDeletion(false)
    .biosDeepVisibility(false)
    .chopperWebshell(false)
    .cloudAntiMalware(PreventionPolicyWindowsCloudAntiMalwareArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .cloudAntiMalwareMicrosoftOfficeFiles(PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .cloudAntiMalwareUserInitiated(PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .codeInjection(false) // requires additionalUserModeData
    .credentialDumping(false) // requires additionalUserModeData
    .cryptowall(false)
    .customBlocking(false)
    .description("string")
    .detectOnWrite(false)
    .driveByDownload(false)
    .driverLoadPrevention(false)
    .enabled(false) // false leaves the whole policy inactive
    .engineFullVisibility(false) // requires interpreterOnly
    .enhancedDllLoadVisibility(false)
    .enhancedExploitationVisibility(false)
    .enhancedMlForLargerFiles(false)
    .extendedUserModeData(PreventionPolicyWindowsExtendedUserModeDataArgs.builder()
        .detection("string")
        .build())
    .fileEncryption(false)
    .fileSystemAccess(false)
    .fileSystemContainment(false)
    .forceAslr(false) // requires additionalUserModeData
    .forceDep(false) // requires additionalUserModeData
    .hardwareEnhancedExploitDetection(false)
    .heapSprayPreallocation(false) // requires additionalUserModeData
    .httpDetections(false)
    .intelligenceSourcedThreats(false)
    .interpreterOnly(false)
    .javascriptViaRundll32(false)
    .locky(false)
    .memoryScanning(false)
    .memoryScanningScanWithCpu(false)
    .microsoftOfficeFileSuspiciousMacroRemoval(false)
    .name("string")
    .notifyEndUsers(false)
    .nullPageAllocation(false) // requires additionalUserModeData
    .onWriteScriptFileVisibility(false)
    .preventSuspiciousProcesses(false)
    .quarantineAndSecurityCenterRegistration(false) // registers Falcon with Windows Security Center, which disables Windows Defender
    .quarantineOnRemovableMedia(false)
    .quarantineOnWrite(false)
    .redactHttpDetectionDetails(false) // no effect unless httpDetections is enabled
    .scriptBasedExecutionMonitoring(false) // requires quarantineAndSecurityCenterRegistration
    .sehOverwriteProtection(false) // requires additionalUserModeData
    .sensorAntiMalware(PreventionPolicyWindowsSensorAntiMalwareArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .sensorAntiMalwareUserInitiated(PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()
        .detection("string")
        .prevention("string")
        .build())
    .sensorTamperingProtection(false) // disabling not recommended: tampering is then detected but not blocked
    .suspiciousRegistryOperations(false)
    .suspiciousScriptsAndCommands(false) // requires interpreterOnly and/or scriptBasedExecutionMonitoring
    .uploadUnknownDetectionRelatedExecutables(false)
    .uploadUnknownExecutables(false)
    .usbInsertionTriggeredScan(false)
    .volumeShadowCopyAudit(false)
    .volumeShadowCopyProtect(false) // requires volumeShadowCopyAudit
    .vulnerableDriverProtection(false) // requires driverLoadPrevention
    .windowsLogonBypassStickyKeys(false)
    .build());
# Reference example with placeholder values only: every toggle is False and the
# nested detection/prevention levels are the literal "string". Replace them with
# real settings before applying; the comments below mark toggles that depend on
# one another (see the input property descriptions).
prevention_policy_windows_resource = crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource",
    host_groups=["string"],  # Host Group ids the policy is attached to
    ioa_rule_groups=["string"],  # IOA Rule Groups attached to the policy
    additional_user_mode_data=False,  # required by several exploit-mitigation toggles below
    advanced_remediation=False,
    adware_and_pup={
        "detection": "string",
        "prevention": "string",
    },
    application_exploitation_activity=False,
    backup_deletion=False,
    bios_deep_visibility=False,
    chopper_webshell=False,
    cloud_anti_malware={
        "detection": "string",
        "prevention": "string",
    },
    cloud_anti_malware_microsoft_office_files={
        "detection": "string",
        "prevention": "string",
    },
    cloud_anti_malware_user_initiated={
        "detection": "string",
        "prevention": "string",
    },
    code_injection=False,  # requires additional_user_mode_data
    credential_dumping=False,  # requires additional_user_mode_data
    cryptowall=False,
    custom_blocking=False,
    description="string",
    detect_on_write=False,
    drive_by_download=False,
    driver_load_prevention=False,
    enabled=False,  # False leaves the whole policy inactive
    engine_full_visibility=False,  # requires interpreter_only
    enhanced_dll_load_visibility=False,
    enhanced_exploitation_visibility=False,
    enhanced_ml_for_larger_files=False,
    extended_user_mode_data={
        "detection": "string",
    },
    file_encryption=False,
    file_system_access=False,
    file_system_containment=False,
    force_aslr=False,  # requires additional_user_mode_data
    force_dep=False,  # requires additional_user_mode_data
    hardware_enhanced_exploit_detection=False,
    heap_spray_preallocation=False,  # requires additional_user_mode_data
    http_detections=False,
    intelligence_sourced_threats=False,
    interpreter_only=False,
    javascript_via_rundll32=False,
    locky=False,
    memory_scanning=False,
    memory_scanning_scan_with_cpu=False,
    microsoft_office_file_suspicious_macro_removal=False,
    name="string",
    notify_end_users=False,
    null_page_allocation=False,  # requires additional_user_mode_data
    on_write_script_file_visibility=False,
    prevent_suspicious_processes=False,
    quarantine_and_security_center_registration=False,  # registers Falcon with Windows Security Center, which disables Windows Defender
    quarantine_on_removable_media=False,
    quarantine_on_write=False,
    redact_http_detection_details=False,  # no effect unless http_detections is enabled
    script_based_execution_monitoring=False,  # requires quarantine_and_security_center_registration
    seh_overwrite_protection=False,  # requires additional_user_mode_data
    sensor_anti_malware={
        "detection": "string",
        "prevention": "string",
    },
    sensor_anti_malware_user_initiated={
        "detection": "string",
        "prevention": "string",
    },
    sensor_tampering_protection=False,  # disabling not recommended: tampering is then detected but not blocked
    suspicious_registry_operations=False,
    suspicious_scripts_and_commands=False,  # requires interpreter_only and/or script_based_execution_monitoring
    upload_unknown_detection_related_executables=False,
    upload_unknown_executables=False,
    usb_insertion_triggered_scan=False,
    volume_shadow_copy_audit=False,
    volume_shadow_copy_protect=False,  # requires volume_shadow_copy_audit
    vulnerable_driver_protection=False,  # requires driver_load_prevention
    windows_logon_bypass_sticky_keys=False)
// Reference example with placeholder values only: every toggle is false and the
// nested detection/prevention levels are the literal "string". Replace them with
// real settings before applying; the comments below mark toggles that depend on
// one another (see the input property descriptions).
const preventionPolicyWindowsResource = new crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource", {
    hostGroups: ["string"], // Host Group ids the policy is attached to
    ioaRuleGroups: ["string"], // IOA Rule Groups attached to the policy
    additionalUserModeData: false, // required by several exploit-mitigation toggles below
    advancedRemediation: false,
    adwareAndPup: {
        detection: "string",
        prevention: "string",
    },
    applicationExploitationActivity: false,
    backupDeletion: false,
    biosDeepVisibility: false,
    chopperWebshell: false,
    cloudAntiMalware: {
        detection: "string",
        prevention: "string",
    },
    cloudAntiMalwareMicrosoftOfficeFiles: {
        detection: "string",
        prevention: "string",
    },
    cloudAntiMalwareUserInitiated: {
        detection: "string",
        prevention: "string",
    },
    codeInjection: false, // requires additionalUserModeData
    credentialDumping: false, // requires additionalUserModeData
    cryptowall: false,
    customBlocking: false,
    description: "string",
    detectOnWrite: false,
    driveByDownload: false,
    driverLoadPrevention: false,
    enabled: false, // false leaves the whole policy inactive
    engineFullVisibility: false, // requires interpreterOnly
    enhancedDllLoadVisibility: false,
    enhancedExploitationVisibility: false,
    enhancedMlForLargerFiles: false,
    extendedUserModeData: {
        detection: "string",
    },
    fileEncryption: false,
    fileSystemAccess: false,
    fileSystemContainment: false,
    forceAslr: false, // requires additionalUserModeData
    forceDep: false, // requires additionalUserModeData
    hardwareEnhancedExploitDetection: false,
    heapSprayPreallocation: false, // requires additionalUserModeData
    httpDetections: false,
    intelligenceSourcedThreats: false,
    interpreterOnly: false,
    javascriptViaRundll32: false,
    locky: false,
    memoryScanning: false,
    memoryScanningScanWithCpu: false,
    microsoftOfficeFileSuspiciousMacroRemoval: false,
    name: "string",
    notifyEndUsers: false,
    nullPageAllocation: false, // requires additionalUserModeData
    onWriteScriptFileVisibility: false,
    preventSuspiciousProcesses: false,
    quarantineAndSecurityCenterRegistration: false, // registers Falcon with Windows Security Center, which disables Windows Defender
    quarantineOnRemovableMedia: false,
    quarantineOnWrite: false,
    redactHttpDetectionDetails: false, // no effect unless httpDetections is enabled
    scriptBasedExecutionMonitoring: false, // requires quarantineAndSecurityCenterRegistration
    sehOverwriteProtection: false, // requires additionalUserModeData
    sensorAntiMalware: {
        detection: "string",
        prevention: "string",
    },
    sensorAntiMalwareUserInitiated: {
        detection: "string",
        prevention: "string",
    },
    sensorTamperingProtection: false, // disabling not recommended: tampering is then detected but not blocked
    suspiciousRegistryOperations: false,
    suspiciousScriptsAndCommands: false, // requires interpreterOnly and/or scriptBasedExecutionMonitoring
    uploadUnknownDetectionRelatedExecutables: false,
    uploadUnknownExecutables: false,
    usbInsertionTriggeredScan: false,
    volumeShadowCopyAudit: false,
    volumeShadowCopyProtect: false, // requires volumeShadowCopyAudit
    vulnerableDriverProtection: false, // requires driverLoadPrevention
    windowsLogonBypassStickyKeys: false,
});
# Reference example with placeholder values only: every toggle is false and the
# nested detection/prevention levels are the literal "string". Replace them with
# real settings before applying; the comments below mark toggles that depend on
# one another (see the input property descriptions).
type: crowdstrike:PreventionPolicyWindows
properties:
    additionalUserModeData: false  # required by several exploit-mitigation toggles below
    advancedRemediation: false
    adwareAndPup:
        detection: string
        prevention: string
    applicationExploitationActivity: false
    backupDeletion: false
    biosDeepVisibility: false
    chopperWebshell: false
    cloudAntiMalware:
        detection: string
        prevention: string
    cloudAntiMalwareMicrosoftOfficeFiles:
        detection: string
        prevention: string
    cloudAntiMalwareUserInitiated:
        detection: string
        prevention: string
    codeInjection: false  # requires additionalUserModeData
    credentialDumping: false  # requires additionalUserModeData
    cryptowall: false
    customBlocking: false
    description: string
    detectOnWrite: false
    driveByDownload: false
    driverLoadPrevention: false
    enabled: false  # false leaves the whole policy inactive
    engineFullVisibility: false  # requires interpreterOnly
    enhancedDllLoadVisibility: false
    enhancedExploitationVisibility: false
    enhancedMlForLargerFiles: false
    extendedUserModeData:
        detection: string
    fileEncryption: false
    fileSystemAccess: false
    fileSystemContainment: false
    forceAslr: false  # requires additionalUserModeData
    forceDep: false  # requires additionalUserModeData
    hardwareEnhancedExploitDetection: false
    heapSprayPreallocation: false  # requires additionalUserModeData
    hostGroups:  # Host Group ids the policy is attached to
        - string
    httpDetections: false
    intelligenceSourcedThreats: false
    interpreterOnly: false
    ioaRuleGroups:  # IOA Rule Groups attached to the policy
        - string
    javascriptViaRundll32: false
    locky: false
    memoryScanning: false
    memoryScanningScanWithCpu: false
    microsoftOfficeFileSuspiciousMacroRemoval: false
    name: string
    notifyEndUsers: false
    nullPageAllocation: false  # requires additionalUserModeData
    onWriteScriptFileVisibility: false
    preventSuspiciousProcesses: false
    quarantineAndSecurityCenterRegistration: false  # registers Falcon with Windows Security Center, which disables Windows Defender
    quarantineOnRemovableMedia: false
    quarantineOnWrite: false
    redactHttpDetectionDetails: false  # no effect unless httpDetections is enabled
    scriptBasedExecutionMonitoring: false  # requires quarantineAndSecurityCenterRegistration
    sehOverwriteProtection: false  # requires additionalUserModeData
    sensorAntiMalware:
        detection: string
        prevention: string
    sensorAntiMalwareUserInitiated:
        detection: string
        prevention: string
    sensorTamperingProtection: false  # disabling not recommended: tampering is then detected but not blocked
    suspiciousRegistryOperations: false
    suspiciousScriptsAndCommands: false  # requires interpreterOnly and/or scriptBasedExecutionMonitoring
    uploadUnknownDetectionRelatedExecutables: false
    uploadUnknownExecutables: false
    usbInsertionTriggeredScan: false
    volumeShadowCopyAudit: false
    volumeShadowCopyProtect: false  # requires volumeShadowCopyAudit
    vulnerableDriverProtection: false  # requires driverLoadPrevention
    windowsLogonBypassStickyKeys: false

PreventionPolicyWindows Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The PreventionPolicyWindows resource accepts the following input properties:

HostGroups This property is required. List<string>
Host Group ids to attach to the prevention policy.
IoaRuleGroups This property is required. List<string>
IOA Rule Group to attach to the prevention policy.
AdditionalUserModeData bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
AdvancedRemediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
AdwareAndPup CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
ApplicationExploitationActivity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
BackupDeletion bool
Whether to enable the setting. Deletion of backups, which is often indicative of ransomware activity.
BiosDeepVisibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
ChopperWebshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
CloudAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
CloudAntiMalwareMicrosoftOfficeFiles CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
CloudAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
CodeInjection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
CredentialDumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
Cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
CustomBlocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
Description string
Description of the prevention policy.
DetectOnWrite bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
DriveByDownload bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
DriverLoadPrevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
Enabled bool
Enable the prevention policy.
EngineFullVisibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
EnhancedDllLoadVisibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
EnhancedExploitationVisibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
EnhancedMlForLargerFiles bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
ExtendedUserModeData CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
FileEncryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
FileSystemAccess bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
FileSystemContainment bool
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
ForceAslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
ForceDep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
HardwareEnhancedExploitDetection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
HeapSprayPreallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
HttpDetections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
IntelligenceSourcedThreats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
InterpreterOnly bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
JavascriptViaRundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
Locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
MemoryScanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
MemoryScanningScanWithCpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
MicrosoftOfficeFileSuspiciousMacroRemoval bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
Name string
Name of the prevention policy.
NotifyEndUsers bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
NullPageAllocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
OnWriteScriptFileVisibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
PreventSuspiciousProcesses bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
QuarantineAndSecurityCenterRegistration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
QuarantineOnRemovableMedia bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
QuarantineOnWrite bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
RedactHttpDetectionDetails bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
ScriptBasedExecutionMonitoring bool
Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
SehOverwriteProtection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
SensorAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
SensorAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
SensorTamperingProtection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
SuspiciousRegistryOperations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
SuspiciousScriptsAndCommands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
UploadUnknownDetectionRelatedExecutables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
UploadUnknownExecutables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
UsbInsertionTriggeredScan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
VolumeShadowCopyAudit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
VolumeShadowCopyProtect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
VulnerableDriverProtection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
WindowsLogonBypassStickyKeys bool
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
HostGroups This property is required. []string
Host Group ids to attach to the prevention policy.
IoaRuleGroups This property is required. []string
IOA Rule Group to attach to the prevention policy.
AdditionalUserModeData bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
AdvancedRemediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
AdwareAndPup PreventionPolicyWindowsAdwareAndPupArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
ApplicationExploitationActivity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
BackupDeletion bool
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
BiosDeepVisibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
ChopperWebshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
CloudAntiMalware PreventionPolicyWindowsCloudAntiMalwareArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
CloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
CloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
CodeInjection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
CredentialDumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
Cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
CustomBlocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
Description string
Description of the prevention policy.
DetectOnWrite bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
DriveByDownload bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
DriverLoadPrevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
Enabled bool
Enable the prevention policy.
EngineFullVisibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
EnhancedDllLoadVisibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
EnhancedExploitationVisibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
EnhancedMlForLargerFiles bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
ExtendedUserModeData PreventionPolicyWindowsExtendedUserModeDataArgs
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
FileEncryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
FileSystemAccess bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
FileSystemContainment bool
Whether to enable the setting. File System Containment will be enabled, allowing prevention capabilities to automatically contain file system activity. When disabled, each user under active containment will be released and File System Containment will enter a disabled mode.
ForceAslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
ForceDep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
HardwareEnhancedExploitDetection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
HeapSprayPreallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
HttpDetections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
IntelligenceSourcedThreats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
InterpreterOnly bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
JavascriptViaRundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
Locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
MemoryScanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
MemoryScanningScanWithCpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
MicrosoftOfficeFileSuspiciousMacroRemoval bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
Name string
Name of the prevention policy.
NotifyEndUsers bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
NullPageAllocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
OnWriteScriptFileVisibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
PreventSuspiciousProcesses bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
QuarantineAndSecurityCenterRegistration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
QuarantineOnRemovableMedia bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
QuarantineOnWrite bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
RedactHttpDetectionDetails bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
ScriptBasedExecutionMonitoring bool
Whether to enable the setting. For hosts running Windows 10 and Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle to be enabled.
SehOverwriteProtection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
SensorAntiMalware PreventionPolicyWindowsSensorAntiMalwareArgs
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
SensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
SensorTamperingProtection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
SuspiciousRegistryOperations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
SuspiciousScriptsAndCommands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
UploadUnknownDetectionRelatedExecutables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
UploadUnknownExecutables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
UsbInsertionTriggeredScan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
VolumeShadowCopyAudit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
VolumeShadowCopyProtect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
VulnerableDriverProtection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
WindowsLogonBypassStickyKeys bool
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
hostGroups This property is required. List<String>
Host Group ids to attach to the prevention policy.
ioaRuleGroups This property is required. List<String>
IOA Rule Group to attach to the prevention policy.
additionalUserModeData Boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation Boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity Boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion Boolean
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
biosDeepVisibility Boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell Boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection Boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credentialDumping Boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall Boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking Boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description String
Description of the prevention policy.
detectOnWrite Boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload Boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention Boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled Boolean
Enable the prevention policy.
engineFullVisibility Boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhancedDllLoadVisibility Boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility Boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles Boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption Boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess Boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment Boolean
Whether to enable the setting. File System Containment will be enabled, allowing prevention capabilities to automatically contain file system activity. When disabled, each user under active containment will be released and File System Containment will enter a disabled mode.
forceAslr Boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
forceDep Boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardwareEnhancedExploitDetection Boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation Boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
httpDetections Boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligenceSourcedThreats Boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly Boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
javascriptViaRundll32 Boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
locky Boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning Boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu Boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval Boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
name String
Name of the prevention policy.
notifyEndUsers Boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
nullPageAllocation Boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
onWriteScriptFileVisibility Boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
preventSuspiciousProcesses Boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
quarantineOnWrite Boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails Boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring Boolean
Whether to enable the setting. For hosts running Windows 10 and Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle to be enabled.
sehOverwriteProtection Boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection Boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
suspiciousRegistryOperations Boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands Boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
uploadUnknownDetectionRelatedExecutables Boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
uploadUnknownExecutables Boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usbInsertionTriggeredScan Boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit Boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volumeShadowCopyProtect Boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
vulnerableDriverProtection Boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
windowsLogonBypassStickyKeys Boolean
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
hostGroups This property is required. string[]
Host Group ids to attach to the prevention policy.
ioaRuleGroups This property is required. string[]
IOA Rule Group to attach to the prevention policy.
additionalUserModeData boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion boolean
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
biosDeepVisibility boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credentialDumping boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description string
Description of the prevention policy.
detectOnWrite boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled boolean
Enable the prevention policy.
engineFullVisibility boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhancedDllLoadVisibility boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment boolean
Whether to enable the setting. When enabled, File System Containment allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
forceAslr boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
forceDep boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardwareEnhancedExploitDetection boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
httpDetections boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligenceSourcedThreats boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
javascriptViaRundll32 boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
locky boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
name string
Name of the prevention policy.
notifyEndUsers boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
nullPageAllocation boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
onWriteScriptFileVisibility boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
preventSuspiciousProcesses boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
quarantineOnWrite boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring boolean
Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle to be enabled.
sehOverwriteProtection boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling this setting is not recommended.
suspiciousRegistryOperations boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
uploadUnknownDetectionRelatedExecutables boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
uploadUnknownExecutables boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usbInsertionTriggeredScan boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volumeShadowCopyProtect boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
vulnerableDriverProtection boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
windowsLogonBypassStickyKeys boolean
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
host_groups This property is required. Sequence[str]
Host Group ids to attach to the prevention policy.
ioa_rule_groups This property is required. Sequence[str]
IOA Rule Group to attach to the prevention policy.
additional_user_mode_data bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advanced_remediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adware_and_pup PreventionPolicyWindowsAdwareAndPupArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
application_exploitation_activity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backup_deletion bool
Whether to enable the setting. Deletion of backups, which is often indicative of ransomware activity.
bios_deep_visibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopper_webshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloud_anti_malware PreventionPolicyWindowsCloudAntiMalwareArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloud_anti_malware_microsoft_office_files PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
cloud_anti_malware_user_initiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
code_injection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credential_dumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
custom_blocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description str
Description of the prevention policy.
detect_on_write bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
drive_by_download bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driver_load_prevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled bool
Enable the prevention policy.
engine_full_visibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhanced_dll_load_visibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhanced_exploitation_visibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhanced_ml_for_larger_files bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extended_user_mode_data PreventionPolicyWindowsExtendedUserModeDataArgs
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
file_encryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
file_system_access bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
file_system_containment bool
Whether to enable the setting. When enabled, File System Containment allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
force_aslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
force_dep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardware_enhanced_exploit_detection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heap_spray_preallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
http_detections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligence_sourced_threats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreter_only bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
javascript_via_rundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memory_scanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memory_scanning_scan_with_cpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoft_office_file_suspicious_macro_removal bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
name str
Name of the prevention policy.
notify_end_users bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
null_page_allocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
on_write_script_file_visibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
prevent_suspicious_processes bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantine_and_security_center_registration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantine_on_removable_media bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
quarantine_on_write bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redact_http_detection_details bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
script_based_execution_monitoring bool
Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle to be enabled.
seh_overwrite_protection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensor_anti_malware PreventionPolicyWindowsSensorAntiMalwareArgs
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensor_anti_malware_user_initiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensor_tampering_protection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling this setting is not recommended.
suspicious_registry_operations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspicious_scripts_and_commands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
upload_unknown_detection_related_executables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
upload_unknown_executables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usb_insertion_triggered_scan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volume_shadow_copy_audit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volume_shadow_copy_protect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
vulnerable_driver_protection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
windows_logon_bypass_sticky_keys bool
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
hostGroups This property is required. List<String>
Host Group ids to attach to the prevention policy.
ioaRuleGroups This property is required. List<String>
IOA Rule Group to attach to the prevention policy.
additionalUserModeData Boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation Boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup Property Map
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity Boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion Boolean
Whether to enable the setting. Deletion of backups, which is often indicative of ransomware activity.
biosDeepVisibility Boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell Boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware Property Map
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles Property Map
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
cloudAntiMalwareUserInitiated Property Map
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection Boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credentialDumping Boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall Boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking Boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description String
Description of the prevention policy.
detectOnWrite Boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload Boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention Boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled Boolean
Enable the prevention policy.
engineFullVisibility Boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhancedDllLoadVisibility Boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility Boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles Boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData Property Map
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption Boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess Boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment Boolean
Whether to enable the setting. When enabled, File System Containment allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
forceAslr Boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
forceDep Boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardwareEnhancedExploitDetection Boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation Boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
httpDetections Boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligenceSourcedThreats Boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly Boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
javascriptViaRundll32 Boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
locky Boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning Boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu Boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval Boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
name String
Name of the prevention policy.
notifyEndUsers Boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
nullPageAllocation Boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
onWriteScriptFileVisibility Boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
preventSuspiciousProcesses Boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
quarantineOnWrite Boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails Boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring Boolean
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires `quarantineAndSecurityCenterRegistration` to be enabled.
sehOverwriteProtection Boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
sensorAntiMalware Property Map
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated Property Map
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection Boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling is not recommended: with this off, a tampering attempt only produces a detection, so an attacker who has already gained sufficient local privileges may be able to blind the sensor before the alert is acted on.
suspiciousRegistryOperations Boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands Boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires `interpreterOnly` and/or `scriptBasedExecutionMonitoring` to be enabled; without at least one of them this setting has nothing to act on.
uploadUnknownDetectionRelatedExecutables Boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud. Unlike `uploadUnknownExecutables`, this is limited to executables involved in a detection, but file contents still leave the host.
uploadUnknownExecutables Boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud. Note that the full file contents are sent to the CrowdStrike cloud; check this against data-handling and confidentiality requirements (e.g. proprietary or in-house binaries) before enabling it fleet-wide.
usbInsertionTriggeredScan Boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit Boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: run in audit mode against a test host group first and allowlist trusted software (e.g. backup tooling) before turning on `volumeShadowCopyProtect`.
volumeShadowCopyProtect Boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires `volumeShadowCopyAudit` to be enabled.
vulnerableDriverProtection Boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires `driverLoadPrevention` to be enabled.
windowsLogonBypassStickyKeys Boolean
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.

Outputs

All input properties are implicitly available as output properties. Additionally, the PreventionPolicyWindows resource produces the following output properties:

Id string
The provider-assigned unique ID for this managed resource.
LastUpdated string
Id string
The provider-assigned unique ID for this managed resource.
LastUpdated string
id String
The provider-assigned unique ID for this managed resource.
lastUpdated String
id string
The provider-assigned unique ID for this managed resource.
lastUpdated string
id str
The provider-assigned unique ID for this managed resource.
last_updated str
id String
The provider-assigned unique ID for this managed resource.
lastUpdated String

Look up Existing PreventionPolicyWindows Resource

Get an existing PreventionPolicyWindows resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: PreventionPolicyWindowsState, opts?: CustomResourceOptions): PreventionPolicyWindows
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        additional_user_mode_data: Optional[bool] = None,
        advanced_remediation: Optional[bool] = None,
        adware_and_pup: Optional[PreventionPolicyWindowsAdwareAndPupArgs] = None,
        application_exploitation_activity: Optional[bool] = None,
        backup_deletion: Optional[bool] = None,
        bios_deep_visibility: Optional[bool] = None,
        chopper_webshell: Optional[bool] = None,
        cloud_anti_malware: Optional[PreventionPolicyWindowsCloudAntiMalwareArgs] = None,
        cloud_anti_malware_microsoft_office_files: Optional[PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs] = None,
        cloud_anti_malware_user_initiated: Optional[PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs] = None,
        code_injection: Optional[bool] = None,
        credential_dumping: Optional[bool] = None,
        cryptowall: Optional[bool] = None,
        custom_blocking: Optional[bool] = None,
        description: Optional[str] = None,
        detect_on_write: Optional[bool] = None,
        drive_by_download: Optional[bool] = None,
        driver_load_prevention: Optional[bool] = None,
        enabled: Optional[bool] = None,
        engine_full_visibility: Optional[bool] = None,
        enhanced_dll_load_visibility: Optional[bool] = None,
        enhanced_exploitation_visibility: Optional[bool] = None,
        enhanced_ml_for_larger_files: Optional[bool] = None,
        extended_user_mode_data: Optional[PreventionPolicyWindowsExtendedUserModeDataArgs] = None,
        file_encryption: Optional[bool] = None,
        file_system_access: Optional[bool] = None,
        file_system_containment: Optional[bool] = None,
        force_aslr: Optional[bool] = None,
        force_dep: Optional[bool] = None,
        hardware_enhanced_exploit_detection: Optional[bool] = None,
        heap_spray_preallocation: Optional[bool] = None,
        host_groups: Optional[Sequence[str]] = None,
        http_detections: Optional[bool] = None,
        intelligence_sourced_threats: Optional[bool] = None,
        interpreter_only: Optional[bool] = None,
        ioa_rule_groups: Optional[Sequence[str]] = None,
        javascript_via_rundll32: Optional[bool] = None,
        last_updated: Optional[str] = None,
        locky: Optional[bool] = None,
        memory_scanning: Optional[bool] = None,
        memory_scanning_scan_with_cpu: Optional[bool] = None,
        microsoft_office_file_suspicious_macro_removal: Optional[bool] = None,
        name: Optional[str] = None,
        notify_end_users: Optional[bool] = None,
        null_page_allocation: Optional[bool] = None,
        on_write_script_file_visibility: Optional[bool] = None,
        prevent_suspicious_processes: Optional[bool] = None,
        quarantine_and_security_center_registration: Optional[bool] = None,
        quarantine_on_removable_media: Optional[bool] = None,
        quarantine_on_write: Optional[bool] = None,
        redact_http_detection_details: Optional[bool] = None,
        script_based_execution_monitoring: Optional[bool] = None,
        seh_overwrite_protection: Optional[bool] = None,
        sensor_anti_malware: Optional[PreventionPolicyWindowsSensorAntiMalwareArgs] = None,
        sensor_anti_malware_user_initiated: Optional[PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs] = None,
        sensor_tampering_protection: Optional[bool] = None,
        suspicious_registry_operations: Optional[bool] = None,
        suspicious_scripts_and_commands: Optional[bool] = None,
        upload_unknown_detection_related_executables: Optional[bool] = None,
        upload_unknown_executables: Optional[bool] = None,
        usb_insertion_triggered_scan: Optional[bool] = None,
        volume_shadow_copy_audit: Optional[bool] = None,
        volume_shadow_copy_protect: Optional[bool] = None,
        vulnerable_driver_protection: Optional[bool] = None,
        windows_logon_bypass_sticky_keys: Optional[bool] = None) -> PreventionPolicyWindows
func GetPreventionPolicyWindows(ctx *Context, name string, id IDInput, state *PreventionPolicyWindowsState, opts ...ResourceOption) (*PreventionPolicyWindows, error)
public static PreventionPolicyWindows Get(string name, Input<string> id, PreventionPolicyWindowsState? state, CustomResourceOptions? opts = null)
public static PreventionPolicyWindows get(String name, Output<String> id, PreventionPolicyWindowsState state, CustomResourceOptions options)
resources:
  _:
    type: crowdstrike:PreventionPolicyWindows
    get:
      id: ${id}
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name This property is required.
The unique name of the resulting resource.
id This property is required.
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
AdditionalUserModeData bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
AdvancedRemediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
AdwareAndPup CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
ApplicationExploitationActivity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
BackupDeletion bool
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
BiosDeepVisibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
ChopperWebshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper webshell.
CloudAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
CloudAntiMalwareMicrosoftOfficeFiles CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
CloudAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
CodeInjection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires `AdditionalUserModeData` to be enabled.
CredentialDumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires `AdditionalUserModeData` to be enabled.
Cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
CustomBlocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
Description string
Description of the prevention policy.
DetectOnWrite bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
DriveByDownload bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
DriverLoadPrevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
Enabled bool
Enable the prevention policy.
EngineFullVisibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
EnhancedDllLoadVisibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
EnhancedExploitationVisibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
EnhancedMlForLargerFiles bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
ExtendedUserModeData CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
FileEncryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
FileSystemAccess bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
FileSystemContainment bool
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
ForceAslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
ForceDep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires `AdditionalUserModeData` to be enabled.
HardwareEnhancedExploitDetection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
HeapSprayPreallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
HostGroups List<string>
Host Group ids to attach to the prevention policy.
HttpDetections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
IntelligenceSourcedThreats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
InterpreterOnly bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
IoaRuleGroups List<string>
IOA Rule Group ids to attach to the prevention policy.
JavascriptViaRundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
LastUpdated string
Locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
MemoryScanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
MemoryScanningScanWithCpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
MicrosoftOfficeFileSuspiciousMacroRemoval bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
Name string
Name of the prevention policy.
NotifyEndUsers bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
NullPageAllocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
OnWriteScriptFileVisibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk, and additionally sends ("clouds") a portion of their content to the CrowdStrike cloud. Note that script content therefore leaves the host; review this against data-handling requirements where scripts may embed secrets.
PreventSuspiciousProcesses bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
QuarantineAndSecurityCenterRegistration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. Enabling it also registers CrowdStrike Falcon with Windows Security Center, which disables Windows Defender — Falcon NGAV then becomes the host's only anti-malware engine, so do not enable it with prevention levels set to DISABLED. This setting must also be on for `ScriptBasedExecutionMonitoring` to take effect.
QuarantineOnRemovableMedia bool
Whether to enable the setting. Quarantine executable files located on removable media after they’re prevented by NGAV.
QuarantineOnWrite bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
RedactHttpDetectionDetails bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
ScriptBasedExecutionMonitoring bool
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires `QuarantineAndSecurityCenterRegistration` to be enabled.
SehOverwriteProtection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
SensorAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
SensorAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
SensorTamperingProtection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling is not recommended: with this off, a tampering attempt only produces a detection, so an attacker who has already gained sufficient local privileges may be able to blind the sensor before the alert is acted on.
SuspiciousRegistryOperations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
SuspiciousScriptsAndCommands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires `InterpreterOnly` and/or `ScriptBasedExecutionMonitoring` to be enabled; without at least one of them this setting has nothing to act on.
UploadUnknownDetectionRelatedExecutables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud. Unlike `UploadUnknownExecutables`, this is limited to executables involved in a detection, but file contents still leave the host.
UploadUnknownExecutables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud. Note that the full file contents are sent to the CrowdStrike cloud; check this against data-handling and confidentiality requirements (e.g. proprietary or in-house binaries) before enabling it fleet-wide.
UsbInsertionTriggeredScan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
VolumeShadowCopyAudit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: run in audit mode against a test host group first and allowlist trusted software (e.g. backup tooling) before turning on `VolumeShadowCopyProtect`.
VolumeShadowCopyProtect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires `VolumeShadowCopyAudit` to be enabled.
VulnerableDriverProtection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires `DriverLoadPrevention` to be enabled.
WindowsLogonBypassStickyKeys bool
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
AdditionalUserModeData bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
AdvancedRemediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
AdwareAndPup PreventionPolicyWindowsAdwareAndPupArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
ApplicationExploitationActivity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
BackupDeletion bool
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
BiosDeepVisibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
ChopperWebshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper webshell.
CloudAntiMalware PreventionPolicyWindowsCloudAntiMalwareArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
CloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
CloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
CodeInjection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires `AdditionalUserModeData` to be enabled.
CredentialDumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires `AdditionalUserModeData` to be enabled.
Cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
CustomBlocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
Description string
Description of the prevention policy.
DetectOnWrite bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
DriveByDownload bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
DriverLoadPrevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
Enabled bool
Enable the prevention policy.
EngineFullVisibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
EnhancedDllLoadVisibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
EnhancedExploitationVisibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
EnhancedMlForLargerFiles bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
ExtendedUserModeData PreventionPolicyWindowsExtendedUserModeDataArgs
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
FileEncryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
FileSystemAccess bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
FileSystemContainment bool
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
ForceAslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
ForceDep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires `AdditionalUserModeData` to be enabled.
HardwareEnhancedExploitDetection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
HeapSprayPreallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
HostGroups []string
Host Group ids to attach to the prevention policy.
HttpDetections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
IntelligenceSourcedThreats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
InterpreterOnly bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
IoaRuleGroups []string
IOA Rule Group ids to attach to the prevention policy.
JavascriptViaRundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
LastUpdated string
Locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
MemoryScanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
MemoryScanningScanWithCpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
MicrosoftOfficeFileSuspiciousMacroRemoval bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
Name string
Name of the prevention policy.
NotifyEndUsers bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
NullPageAllocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires `AdditionalUserModeData` to be enabled.
OnWriteScriptFileVisibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk, and additionally sends ("clouds") a portion of their content to the CrowdStrike cloud. Note that script content therefore leaves the host; review this against data-handling requirements where scripts may embed secrets.
PreventSuspiciousProcesses bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
QuarantineAndSecurityCenterRegistration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
QuarantineOnRemovableMedia bool
Whether to enable the setting. Quarantine executable files on removable media after they’re prevented by NGAV.
QuarantineOnWrite bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
RedactHttpDetectionDetails bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
ScriptBasedExecutionMonitoring bool
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration setting (quarantine_and_security_center_registration) to be enabled.
SehOverwriteProtection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
SensorAntiMalware PreventionPolicyWindowsSensorAntiMalwareArgs
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
SensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
SensorTamperingProtection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
SuspiciousRegistryOperations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
SuspiciousScriptsAndCommands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires interpreter_only and/or script_based_execution_monitoring to be enabled.
UploadUnknownDetectionRelatedExecutables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
UploadUnknownExecutables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
UsbInsertionTriggeredScan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
VolumeShadowCopyAudit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
VolumeShadowCopyProtect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit to be enabled.
VulnerableDriverProtection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires driver_load_prevention to be enabled.
WindowsLogonBypassStickyKeys bool
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
additionalUserModeData Boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation Boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity Boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion Boolean
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
biosDeepVisibility Boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell Boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection Boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credentialDumping Boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall Boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking Boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description String
Description of the prevention policy.
detectOnWrite Boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload Boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention Boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled Boolean
Enable the prevention policy.
engineFullVisibility Boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhancedDllLoadVisibility Boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility Boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles Boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption Boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess Boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment Boolean
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
forceAslr Boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
forceDep Boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardwareEnhancedExploitDetection Boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation Boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
hostGroups List<String>
Host Group ids to attach to the prevention policy.
httpDetections Boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligenceSourcedThreats Boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly Boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
ioaRuleGroups List<String>
IOA Rule Group to attach to the prevention policy.
javascriptViaRundll32 Boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
lastUpdated String
locky Boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning Boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu Boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval Boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
name String
Name of the prevention policy.
notifyEndUsers Boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Services Logs.
nullPageAllocation Boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
onWriteScriptFileVisibility Boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk, in addition to sending a portion of their content to the cloud for analysis.
preventSuspiciousProcesses Boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia Boolean
Whether to enable the setting. Quarantine executable files on removable media after they’re prevented by NGAV.
quarantineOnWrite Boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails Boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring Boolean
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration setting (quarantine_and_security_center_registration) to be enabled.
sehOverwriteProtection Boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection Boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
suspiciousRegistryOperations Boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands Boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires interpreter_only and/or script_based_execution_monitoring to be enabled.
uploadUnknownDetectionRelatedExecutables Boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
uploadUnknownExecutables Boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usbInsertionTriggeredScan Boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit Boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volumeShadowCopyProtect Boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit to be enabled.
vulnerableDriverProtection Boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires driver_load_prevention to be enabled.
windowsLogonBypassStickyKeys Boolean
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
additionalUserModeData boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup PreventionPolicyWindowsAdwareAndPup
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion boolean
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
biosDeepVisibility boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credentialDumping boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description string
Description of the prevention policy.
detectOnWrite boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled boolean
Enable the prevention policy.
engineFullVisibility boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhancedDllLoadVisibility boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment boolean
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
forceAslr boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
forceDep boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardwareEnhancedExploitDetection boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
hostGroups string[]
Host Group ids to attach to the prevention policy.
httpDetections boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
intelligenceSourcedThreats boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
ioaRuleGroups string[]
IOA Rule Group to attach to the prevention policy.
javascriptViaRundll32 boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
lastUpdated string
locky boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
name string
Name of the prevention policy.
notifyEndUsers boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Services Logs.
nullPageAllocation boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
onWriteScriptFileVisibility boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk, in addition to sending a portion of their content to the cloud for analysis.
preventSuspiciousProcesses boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia boolean
Whether to enable the setting. Quarantine executable files on removable media after they’re prevented by NGAV.
quarantineOnWrite boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring boolean
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration setting (quarantine_and_security_center_registration) to be enabled.
sehOverwriteProtection boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
suspiciousRegistryOperations boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires interpreter_only and/or script_based_execution_monitoring to be enabled.
uploadUnknownDetectionRelatedExecutables boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
uploadUnknownExecutables boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usbInsertionTriggeredScan boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volumeShadowCopyProtect boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit to be enabled.
vulnerableDriverProtection boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires driver_load_prevention to be enabled.
windowsLogonBypassStickyKeys boolean
Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
additional_user_mode_data bool
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advanced_remediation bool
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adware_and_pup PreventionPolicyWindowsAdwareAndPupArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
application_exploitation_activity bool
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backup_deletion bool
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
bios_deep_visibility bool
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopper_webshell bool
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloud_anti_malware PreventionPolicyWindowsCloudAntiMalwareArgs
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloud_anti_malware_microsoft_office_files PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
cloud_anti_malware_user_initiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
code_injection bool
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
credential_dumping bool
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
cryptowall bool
Whether to enable the setting. A process associated with Cryptowall was blocked.
custom_blocking bool
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description str
Description of the prevention policy.
detect_on_write bool
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
drive_by_download bool
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driver_load_prevention bool
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled bool
Enable the prevention policy.
engine_full_visibility bool
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
enhanced_dll_load_visibility bool
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhanced_exploitation_visibility bool
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhanced_ml_for_larger_files bool
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extended_user_mode_data PreventionPolicyWindowsExtendedUserModeDataArgs
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
file_encryption bool
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
file_system_access bool
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
file_system_containment bool
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
force_aslr bool
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
force_dep bool
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
hardware_enhanced_exploit_detection bool
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heap_spray_preallocation bool
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
host_groups Sequence[str]
Host Group ids to attach to the prevention policy.
http_detections bool
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic for malicious patterns and generate detection events. Applies to non-Server systems only.
intelligence_sourced_threats bool
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreter_only bool
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
ioa_rule_groups Sequence[str]
IOA Rule Group ids to attach to the prevention policy.
javascript_via_rundll32 bool
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
last_updated str
locky bool
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memory_scanning bool
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memory_scanning_scan_with_cpu bool
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors are supported; requires Windows 8.1 / Windows Server 2012 R2 or later.
microsoft_office_file_suspicious_macro_removal bool
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
name str
Name of the prevention policy.
notify_end_users bool
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
null_page_allocation bool
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
on_write_script_file_visibility bool
Whether to enable the setting. Provides improved visibility into various script files being written to disk, and additionally uploads ("clouds") a portion of their content to the CrowdStrike cloud for analysis.
prevent_suspicious_processes bool
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantine_and_security_center_registration bool
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantine_on_removable_media bool
Whether to enable the setting. Quarantine executable files on removable media after they’re prevented by NGAV.
quarantine_on_write bool
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redact_http_detection_details bool
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
script_based_execution_monitoring bool
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires quarantine_and_security_center_registration to be enabled.
seh_overwrite_protection bool
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
sensor_anti_malware PreventionPolicyWindowsSensorAntiMalwareArgs
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensor_anti_malware_user_initiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensor_tampering_protection bool
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling is not recommended.
suspicious_registry_operations bool
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspicious_scripts_and_commands bool
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires interpreter_only and/or script_based_execution_monitoring to be enabled.
upload_unknown_detection_related_executables bool
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
upload_unknown_executables bool
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usb_insertion_triggered_scan bool
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volume_shadow_copy_audit bool
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volume_shadow_copy_protect bool
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit to be enabled.
vulnerable_driver_protection bool
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires driver_load_prevention to be enabled.
windows_logon_bypass_sticky_keys bool
Whether to enable the setting. Prevent execution of command line processes associated with Windows logon bypass (abuse of the Sticky Keys accessibility feature).
additionalUserModeData Boolean
Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
advancedRemediation Boolean
Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
adwareAndPup Property Map
Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
applicationExploitationActivity Boolean
Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
backupDeletion Boolean
Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
biosDeepVisibility Boolean
Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
chopperWebshell Boolean
Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
cloudAntiMalware Property Map
Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
cloudAntiMalwareMicrosoftOfficeFiles Property Map
Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
cloudAntiMalwareUserInitiated Property Map
For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
codeInjection Boolean
Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additionalUserModeData to be enabled.
credentialDumping Boolean
Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additionalUserModeData to be enabled.
cryptowall Boolean
Whether to enable the setting. A process associated with Cryptowall was blocked.
customBlocking Boolean
Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
description String
Description of the prevention policy.
detectOnWrite Boolean
Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
driveByDownload Boolean
Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
driverLoadPrevention Boolean
Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
enabled Boolean
Enable the prevention policy.
engineFullVisibility Boolean
Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreterOnly to be enabled.
enhancedDllLoadVisibility Boolean
Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
enhancedExploitationVisibility Boolean
Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
enhancedMlForLargerFiles Boolean
Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
extendedUserModeData Property Map
Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
fileEncryption Boolean
Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
fileSystemAccess Boolean
Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
fileSystemContainment Boolean
Whether to enable the setting. Enables File System Containment, which allows prevention capabilities to automatically contain file system activity. When disabled, each user under active containment is released and File System Containment enters a disabled mode.
forceAslr Boolean
Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
forceDep Boolean
Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additionalUserModeData to be enabled.
hardwareEnhancedExploitDetection Boolean
Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
heapSprayPreallocation Boolean
Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
hostGroups List<String>
Host Group ids to attach to the prevention policy.
httpDetections Boolean
Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic for malicious patterns and generate detection events. Applies to non-Server systems only.
intelligenceSourcedThreats Boolean
Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
interpreterOnly Boolean
Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
ioaRuleGroups List<String>
IOA Rule Group ids to attach to the prevention policy.
javascriptViaRundll32 Boolean
Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
lastUpdated String
locky Boolean
Whether to enable the setting. A process determined to be associated with Locky was blocked.
memoryScanning Boolean
Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
memoryScanningScanWithCpu Boolean
Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors are supported; requires Windows 8.1 / Windows Server 2012 R2 or later.
microsoftOfficeFileSuspiciousMacroRemoval Boolean
Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
name String
Name of the prevention policy.
notifyEndUsers Boolean
Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
nullPageAllocation Boolean
Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
onWriteScriptFileVisibility Boolean
Whether to enable the setting. Provides improved visibility into various script files being written to disk, and additionally uploads ("clouds") a portion of their content to the CrowdStrike cloud for analysis.
preventSuspiciousProcesses Boolean
Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
quarantineAndSecurityCenterRegistration Boolean
Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
quarantineOnRemovableMedia Boolean
Whether to enable the setting. Quarantine executable files on removable media after they’re prevented by NGAV.
quarantineOnWrite Boolean
Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
redactHttpDetectionDetails Boolean
Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
scriptBasedExecutionMonitoring Boolean
Whether to enable the setting. For hosts running Windows 10 and Windows Server 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires quarantineAndSecurityCenterRegistration to be enabled.
sehOverwriteProtection Boolean
Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
sensorAntiMalware Property Map
For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
sensorAntiMalwareUserInitiated Property Map
For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
sensorTamperingProtection Boolean
Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling is not recommended.
suspiciousRegistryOperations Boolean
Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
suspiciousScriptsAndCommands Boolean
Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires interpreterOnly and/or scriptBasedExecutionMonitoring to be enabled.
uploadUnknownDetectionRelatedExecutables Boolean
Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
uploadUnknownExecutables Boolean
Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
usbInsertionTriggeredScan Boolean
Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
volumeShadowCopyAudit Boolean
Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
volumeShadowCopyProtect Boolean
Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volumeShadowCopyAudit to be enabled.
vulnerableDriverProtection Boolean
Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows Server 2016 and later. Requires driverLoadPrevention to be enabled.
windowsLogonBypassStickyKeys Boolean
Whether to enable the setting. Prevent execution of command line processes associated with Windows logon bypass (abuse of the Sticky Keys accessibility feature).

Supporting Types

PreventionPolicyWindowsAdwareAndPup
, PreventionPolicyWindowsAdwareAndPupArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

PreventionPolicyWindowsCloudAntiMalware
, PreventionPolicyWindowsCloudAntiMalwareArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
, PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

PreventionPolicyWindowsCloudAntiMalwareUserInitiated
, PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

PreventionPolicyWindowsExtendedUserModeData
, PreventionPolicyWindowsExtendedUserModeDataArgs

Detection This property is required. string
Machine learning level for detection.
Detection This property is required. string
Machine learning level for detection.
detection This property is required. String
Machine learning level for detection.
detection This property is required. string
Machine learning level for detection.
detection This property is required. str
Machine learning level for detection.
detection This property is required. String
Machine learning level for detection.

PreventionPolicyWindowsSensorAntiMalware
, PreventionPolicyWindowsSensorAntiMalwareArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

PreventionPolicyWindowsSensorAntiMalwareUserInitiated
, PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs

Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
Detection This property is required. string
Machine learning level for detection.
Prevention This property is required. string
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.
detection This property is required. string
Machine learning level for detection.
prevention This property is required. string
Machine learning level for prevention.
detection This property is required. str
Machine learning level for detection.
prevention This property is required. str
Machine learning level for prevention.
detection This property is required. String
Machine learning level for detection.
prevention This property is required. String
Machine learning level for prevention.

Import

A prevention policy can be imported into Pulumi state by specifying the policy id.

$ pulumi import crowdstrike:index/preventionPolicyWindows:PreventionPolicyWindows example 7fb858a949034a0cbca175f660f1e769

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository
crowdstrike crowdstrike/pulumi-crowdstrike
License
Apache-2.0
Notes
This Pulumi package is based on the crowdstrike Terraform Provider.