{ "name": "crowdstrike", "displayName": "CrowdStrike", "version": "0.0.14", "description": "A Pulumi package for creating and managing CrowdStrike resources", "keywords": [ "pulumi", "crowdstrike", "category/infrastructure" ], "homepage": "https://crowdstrike.com", "license": "Apache-2.0", "attribution": "This Pulumi package is based on the [`crowdstrike` Terraform Provider](https://github.com/crowdstrike/terraform-provider-crowdstrike).", "repository": "https://github.com/crowdstrike/pulumi-crowdstrike", "logoUrl": "https://raw.githubusercontent.com/crowdstrike/pulumi-crowdstrike/main/docs/crowdstrike.png", "pluginDownloadURL": "github://api.github.com/crowdstrike/pulumi-crowdstrike", "publisher": "CrowdStrike", "meta": { "moduleFormat": "(.*)(?:/[^/]*)" }, "language": { "csharp": { "packageReferences": { "Pulumi": "3.*" }, "compatibility": "tfbridge20", "rootNamespace": "CrowdStrike" }, "go": { "importBasePath": "github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike", "generateResourceContainerTypes": true, "generateExtraInputTypes": true }, "java": { "basePackage": "com.crowdstrike", "buildFiles": "", "gradleNexusPublishPluginVersion": "", "gradleTest": "" }, "nodejs": { "packageName": "@crowdstrike/pulumi", "packageDescription": "A Pulumi package for creating and managing CrowdStrike resources. Based on terraform-provider-crowdstrike: version v0.0.4", "readme": "> This provider is a derived work of the [Terraform Provider](https://github.com/crowdstrike/terraform-provider-crowdstrike)\n> distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n> first check the [`pulumi-crowdstrike` repo](https://github.com/crowdstrike/pulumi-crowdstrike/issues); however, if that doesn't turn up anything,\n> please consult the source [`terraform-provider-crowdstrike` repo](https://github.com/crowdstrike/terraform-provider-crowdstrike/issues).", "dependencies": { "@pulumi/pulumi": "^3.0.0" }, "devDependencies": { "@types/mime": "^2.0.0", "@types/node": "^10.0.0" }, "compatibility": "tfbridge20", "disableUnionOutputTypes": true }, "python": { "packageName": "crowdstrike_pulumi", "requires": { "pulumi": ">=3.0.0,<4.0.0" }, "readme": "> This provider is a derived work of the [Terraform Provider](https://github.com/crowdstrike/terraform-provider-crowdstrike)\n> distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n> first check the [`pulumi-crowdstrike` repo](https://github.com/crowdstrike/pulumi-crowdstrike/issues); however, if that doesn't turn up anything,\n> please consult the source [`terraform-provider-crowdstrike` repo](https://github.com/crowdstrike/terraform-provider-crowdstrike/issues).", "compatibility": "tfbridge20", "pyproject": {} } }, "config": { "variables": { "clientId": { "type": "string", "description": "Falcon Client Id for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_ID environment variable when left\nblank.\n", "secret": true }, "clientSecret": { "type": "string", "description": "Falcon Client Secret used for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_SECRET environment variable\nwhen left blank.\n", "secret": true }, "cloud": { "type": "string", "description": "Falcon Cloud to authenticate to. Valid values are autodiscover, us-1, us-2, eu-1, us-gov-1. Will use FALCON_CLOUD\nenvironment variable when left blank.\n" }, "memberCid": { "type": "string", "description": "For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID\n" } } }, "types": { "crowdstrike:index/CloudAwsAccountAssetInventory:CloudAwsAccountAssetInventory": { "properties": { "enabled": { "type": "boolean", "description": "Enable asset inventory\n" }, "roleName": { "type": "string", "description": "Custom AWS IAM role name\n" } }, "type": "object", "required": [ "enabled" ] }, "crowdstrike:index/CloudAwsAccountDspm:CloudAwsAccountDspm": { "properties": { "enabled": { "type": "boolean", "description": "Enable Data Security Posture Management\n" }, "roleName": { "type": "string", "description": "Custom AWS IAM role name for Data Security Posture Management\n" } }, "type": "object", "required": [ "enabled" ] }, "crowdstrike:index/CloudAwsAccountIdp:CloudAwsAccountIdp": { "properties": { "enabled": { "type": "boolean", "description": "Enable Identity Protection\n" }, "status": { "type": "string", "description": "Current status of the Identity Protection integration\n" } }, "type": "object", "required": [ "enabled" ], "language": { "nodejs": { "requiredOutputs": [ "enabled", "status" ] } } }, "crowdstrike:index/CloudAwsAccountRealtimeVisibility:CloudAwsAccountRealtimeVisibility": { "properties": { "cloudtrailRegion": { "type": "string", "description": "The AWS region of the CloudTrail bucket\n" }, "enabled": { "type": "boolean", "description": "Enable real-time visibility and detection\n" }, "useExistingCloudtrail": { "type": "boolean", "description": "Set to true if a CloudTrail already exists\n" } }, "type": "object", "required": [ "cloudtrailRegion", "enabled" ], "language": { "nodejs": { "requiredOutputs": [ "cloudtrailRegion", "enabled", "useExistingCloudtrail" ] } } }, "crowdstrike:index/CloudAwsAccountSensorManagement:CloudAwsAccountSensorManagement": { "properties": { "enabled": { "type": "boolean", "description": "Enable 1-click sensor deployment\n" } }, "type": "object", "required": [ "enabled" ] }, "crowdstrike:index/DefaultPreventionPolicyLinuxCloudAntiMalware:DefaultPreventionPolicyLinuxCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyLinuxSensorAntiMalware:DefaultPreventionPolicyLinuxSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyMacCloudAdwareAndPup:DefaultPreventionPolicyMacCloudAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyMacCloudAntiMalware:DefaultPreventionPolicyMacCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyMacSensorAdwareAndPup:DefaultPreventionPolicyMacSensorAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyMacSensorAntiMalware:DefaultPreventionPolicyMacSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsAdwareAndPup:DefaultPreventionPolicyWindowsAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsCloudAntiMalware:DefaultPreventionPolicyWindowsCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsExtendedUserModeData:DefaultPreventionPolicyWindowsExtendedUserModeData": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" } }, "type": "object", "required": [ "detection" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsSensorAntiMalware:DefaultPreventionPolicyWindowsSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/DefaultSensorUpdatePolicySchedule:DefaultSensorUpdatePolicySchedule": { "properties": { "enabled": { "type": "boolean", "description": "Enable the scheduler for sensor update policy.\n" }, "timeBlocks": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FDefaultSensorUpdatePolicyScheduleTimeBlock:DefaultSensorUpdatePolicyScheduleTimeBlock" }, "description": "The time block to prevent sensor updates. Only set when enabled is true.\n" }, "timezone": { "type": "string", "description": "The time zones that will be used for the time blocks. Only set when enabled is true.\n" } }, "type": "object", "required": [ "enabled" ] }, "crowdstrike:index/DefaultSensorUpdatePolicyScheduleTimeBlock:DefaultSensorUpdatePolicyScheduleTimeBlock": { "properties": { "days": { "type": "array", "items": { "type": "string" }, "description": "The days of the week the time block should be active.\n" }, "endTime": { "type": "string", "description": "The end time for the time block in 24HR format. Must be atleast 1 hour more than start_time.\n" }, "startTime": { "type": "string", "description": "The start time for the time block in 24HR format. Must be atleast 1 hour before end_time.\n" } }, "type": "object", "required": [ "days", "endTime", "startTime" ] }, "crowdstrike:index/FilevantagePolicyScheduledExclusion:FilevantagePolicyScheduledExclusion": { "properties": { "description": { "type": "string", "description": "Description of the scheduled exclusion.\n" }, "endDate": { "type": "string", "description": "The end date of the scheduled exclusion. Format: YYYY-MM-DD\n" }, "endTime": { "type": "string", "description": "The end time of the scheduled exclusion in 24 hour format. Format: HH:MM\n" }, "id": { "type": "string", "description": "Identifier for the scheduled exclusion.\n" }, "name": { "type": "string", "description": "Name of the scheduled exclusion.\n" }, "processes": { "type": "string", "description": "A comma separated list of processes to exclude changes from. Example: **/run*me.sh excludes changes made by run*me.sh in any location\n" }, "repeated": { "$ref": "#/types/crowdstrike:index%2FFilevantagePolicyScheduledExclusionRepeated:FilevantagePolicyScheduledExclusionRepeated", "description": "Repeated scheduled exclusion\n" }, "startDate": { "type": "string", "description": "The start date of the scheduled exclusion. Format: YYYY-MM-DD\n" }, "startTime": { "type": "string", "description": "The start time of the scheduled exclusion in 24 hour format. Format: HH:MM\n" }, "timezone": { "type": "string", "description": "The timezone to use for the time fields. See https://en.wikipedia.org/wiki/List*of*tz*database*time_zones.\n" }, "users": { "type": "string", "description": "A comma separated list of users to exclude changes from. Example: user1,user2,admin* excludes changes made by user1, user2, and any user starting with admin\n" } }, "type": "object", "required": [ "name", "startDate", "startTime", "timezone" ], "language": { "nodejs": { "requiredOutputs": [ "description", "endDate", "endTime", "id", "name", "processes", "startDate", "startTime", "timezone", "users" ] } } }, "crowdstrike:index/FilevantagePolicyScheduledExclusionRepeated:FilevantagePolicyScheduledExclusionRepeated": { "properties": { "allDay": { "type": "boolean", "description": "If the exclusion is all day.\n" }, "daysOfMonths": { "type": "array", "items": { "type": "integer" }, "description": "The days of the month to allow the exclusion. Required if frequency is set to monthly and monthly_occurrence is set to days. Options: 1-31\n" }, "daysOfWeeks": { "type": "array", "items": { "type": "string" }, "description": "The days of the week to allow the exclusion. Required if frequency is set to weekly or set to monthly and monthly_occurrence is set to a week. Options: Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, Saturday\n" }, "endTime": { "type": "string", "description": "The end time to end the scheduled exclusion in 24 hour format. Format: HH:MM required if all_day is false\n" }, "frequency": { "type": "string", "description": "The frequency of the exclusion. Options: daily, weekly, monthly\n" }, "monthlyOccurrence": { "type": "string", "description": "The monthly occurrence of the exclusion. Either specify a week (first, second, third, fourth) or set to days to specify days of the month. Options: first, second, third, fourth, days. Required if frequency is set to monthly\n" }, "startTime": { "type": "string", "description": "The start time to allow the scheduled exclusion in 24 hour format. Format: HH:MM required if all_day is false\n" } }, "type": "object", "required": [ "allDay", "frequency" ], "language": { "nodejs": { "requiredOutputs": [ "allDay", "daysOfMonths", "daysOfWeeks", "endTime", "frequency", "monthlyOccurrence", "startTime" ] } } }, "crowdstrike:index/FilevantageRuleGroupRule:FilevantageRuleGroupRule": { "properties": { "depth": { "type": "string", "description": "Depth below the base path to monitor.\n" }, "description": { "type": "string", "description": "Description of the filevantage rule.\n" }, "enableContentCapture": { "type": "boolean", "description": "Enable content capture for the rule. Requires watch*file*write*changes or watch*key*value*set_changes to be enabled.\n" }, "exclude": { "type": "string", "description": "Represents the files, directories, registry keys, or registry values that will be excluded from monitoring.\n" }, "excludeProcesses": { "type": "string", "description": "Represents the changes performed by specific processes that will be excluded from monitoring.\n" }, "excludeUsers": { "type": "string", "description": "Represents the changes performed by specific users that will be excluded from monitoring.\n" }, "fileNames": { "type": "array", "items": { "type": "string" }, "description": "List of file names whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern.\n" }, "id": { "type": "string", "description": "Identifier for the filevantage rule.\n" }, "include": { "type": "string", "description": "Represents the files, directories, registry keys, or registry values that will be monitored. Defaults to all (*)\n" }, "includeProcesses": { "type": "string", "description": "Represents the changes performed by specific processes that will be monitored.\n" }, "includeUsers": { "type": "string", "description": "Represents the changes performed by specific users that will be monitored.\n" }, "path": { "type": "string", "description": "Representing the file system or registry path to monitor. All paths must end with the path separator, e.g. c:\\windows\\ for windows and /usr/bin/ for linux/mac.\n" }, "precedence": { "type": "integer", "description": "Precedence of the rule in the rule group.\n" }, "registryValues": { "type": "array", "items": { "type": "string" }, "description": "List of registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern.\n" }, "severity": { "type": "string", "description": "Severity to categorize change events produced by this rule.\n" }, "watchDirectoryAttributeChanges": { "type": "boolean", "description": "Monitor directory attribute change events.\n" }, "watchDirectoryCreateChanges": { "type": "boolean", "description": "Monitor directory creation events.\n" }, "watchDirectoryDeleteChanges": { "type": "boolean", "description": "Monitor directory deletion events.\n" }, "watchDirectoryPermissionChanges": { "type": "boolean", "description": "Monitor directory permission change events.\n" }, "watchDirectoryRenameChanges": { "type": "boolean", "description": "Monitor directory rename events.\n" }, "watchFileAttributeChanges": { "type": "boolean", "description": "Monitor file attribute change events.\n" }, "watchFileCreateChanges": { "type": "boolean", "description": "Monitor file creation events.\n" }, "watchFileDeleteChanges": { "type": "boolean", "description": "Monitor file deletion events.\n" }, "watchFilePermissionChanges": { "type": "boolean", "description": "Monitor file permission change events.\n" }, "watchFileRenameChanges": { "type": "boolean", "description": "Monitor file rename events.\n" }, "watchFileWriteChanges": { "type": "boolean", "description": "Monitor file write events.\n" }, "watchKeyCreateChanges": { "type": "boolean", "description": "Monitor registry key creation events.\n" }, "watchKeyDeleteChanges": { "type": "boolean", "description": "Monitor registry key deletion events.\n" }, "watchKeyPermissionsChanges": { "type": "boolean", "description": "Monitor registry key permission change events.\n" }, "watchKeyRenameChanges": { "type": "boolean", "description": "Monitor registry key rename events.\n" }, "watchKeyValueDeleteChanges": { "type": "boolean", "description": "Monitor registry value deletion events.\n" }, "watchKeyValueSetChanges": { "type": "boolean", "description": "Monitor registry value set events.\n" } }, "type": "object", "required": [ "description", "path", "severity" ], "language": { "nodejs": { "requiredOutputs": [ "depth", "description", "enableContentCapture", "exclude", "excludeProcesses", "excludeUsers", "fileNames", "id", "include", "includeProcesses", "includeUsers", "path", "precedence", "registryValues", "severity", "watchDirectoryAttributeChanges", "watchDirectoryCreateChanges", "watchDirectoryDeleteChanges", "watchDirectoryPermissionChanges", "watchDirectoryRenameChanges", "watchFileAttributeChanges", "watchFileCreateChanges", "watchFileDeleteChanges", "watchFilePermissionChanges", "watchFileRenameChanges", "watchFileWriteChanges", "watchKeyCreateChanges", "watchKeyDeleteChanges", "watchKeyPermissionsChanges", "watchKeyRenameChanges", "watchKeyValueDeleteChanges", "watchKeyValueSetChanges" ] } } }, "crowdstrike:index/PreventionPolicyLinuxCloudAntiMalware:PreventionPolicyLinuxCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyLinuxSensorAntiMalware:PreventionPolicyLinuxSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyMacCloudAdwareAndPup:PreventionPolicyMacCloudAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyMacCloudAntiMalware:PreventionPolicyMacCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyMacSensorAdwareAndPup:PreventionPolicyMacSensorAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyMacSensorAntiMalware:PreventionPolicyMacSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsAdwareAndPup:PreventionPolicyWindowsAdwareAndPup": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsCloudAntiMalware:PreventionPolicyWindowsCloudAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsCloudAntiMalwareUserInitiated:PreventionPolicyWindowsCloudAntiMalwareUserInitiated": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsExtendedUserModeData:PreventionPolicyWindowsExtendedUserModeData": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" } }, "type": "object", "required": [ "detection" ] }, "crowdstrike:index/PreventionPolicyWindowsSensorAntiMalware:PreventionPolicyWindowsSensorAntiMalware": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/PreventionPolicyWindowsSensorAntiMalwareUserInitiated:PreventionPolicyWindowsSensorAntiMalwareUserInitiated": { "properties": { "detection": { "type": "string", "description": "Machine learning level for detection.\n" }, "prevention": { "type": "string", "description": "Machine learning level for prevention.\n" } }, "type": "object", "required": [ "detection", "prevention" ] }, "crowdstrike:index/SensorUpdatePolicySchedule:SensorUpdatePolicySchedule": { "properties": { "enabled": { "type": "boolean", "description": "Enable the scheduler for sensor update policy.\n" }, "timeBlocks": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FSensorUpdatePolicyScheduleTimeBlock:SensorUpdatePolicyScheduleTimeBlock" }, "description": "The time block to prevent sensor updates. Only set when enabled is true.\n" }, "timezone": { "type": "string", "description": "The time zones that will be used for the time blocks. Only set when enabled is true.\n" } }, "type": "object", "required": [ "enabled" ] }, "crowdstrike:index/SensorUpdatePolicyScheduleTimeBlock:SensorUpdatePolicyScheduleTimeBlock": { "properties": { "days": { "type": "array", "items": { "type": "string" }, "description": "The days of the week the time block should be active.\n" }, "endTime": { "type": "string", "description": "The end time for the time block in 24HR format. Must be atleast 1 hour more than start_time.\n" }, "startTime": { "type": "string", "description": "The start time for the time block in 24HR format. Must be atleast 1 hour before end_time.\n" } }, "type": "object", "required": [ "days", "endTime", "startTime" ] }, "crowdstrike:index/getCloudAwsAccountAccount:getCloudAwsAccountAccount": { "properties": { "accountId": { "type": "string", "description": "The AWS Account ID\n" }, "accountType": { "type": "string", "description": "The AWS account type. Value is 'commercial' for Commercial cloud accounts. For GovCloud environments, value can be either 'commercial' or 'gov' depending on the account type\n" }, "assetInventoryEnabled": { "type": "boolean", "description": "Whether asset inventory is enabled\n" }, "cloudtrailBucketName": { "type": "string", "description": "The name of the CloudTrail S3 bucket used for real-time visibility\n" }, "cloudtrailRegion": { "type": "string", "description": "The AWS region of the CloudTrail bucket\n" }, "dspmEnabled": { "type": "boolean", "description": "Whether Data Security Posture Management is enabled\n" }, "dspmRoleArn": { "type": "string", "description": "The ARN of the IAM role to be used by CrowdStrike DSPM\n" }, "dspmRoleName": { "type": "string", "description": "The name of the IAM role to be used by CrowdStrike DSPM\n" }, "eventbusArn": { "type": "string", "description": "The ARN of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "eventbusName": { "type": "string", "description": "The name of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "externalId": { "type": "string", "description": "The external ID used to assume the AWS IAM role\n" }, "iamRoleArn": { "type": "string", "description": "The ARN of the AWS IAM role used to access this AWS account\n" }, "iamRoleName": { "type": "string", "description": "The name of the AWS IAM role used to access this AWS account\n" }, "idpEnabled": { "type": "boolean", "description": "Whether Identity Protection is enabled\n" }, "intermediateRoleArn": { "type": "string", "description": "The ARN of the intermediate role used to assume the AWS IAM role\n" }, "isOrganizationManagementAccount": { "type": "boolean", "description": "Indicates whether this is the management account (formerly known as the root account) of an AWS Organization\n" }, "organizationId": { "type": "string", "description": "The AWS Organization ID\n" }, "realtimeVisibilityEnabled": { "type": "boolean", "description": "Whether real-time visibility is enabled\n" }, "sensorManagementEnabled": { "type": "boolean", "description": "Whether 1-click sensor deployment is enabled\n" }, "targetOuses": { "type": "array", "items": { "type": "string" }, "description": "The list of AWS Organizational Units (OUs) targeted for this account\n" } }, "type": "object", "required": [ "accountId", "accountType", "assetInventoryEnabled", "cloudtrailBucketName", "cloudtrailRegion", "dspmEnabled", "dspmRoleArn", "dspmRoleName", "eventbusArn", "eventbusName", "externalId", "iamRoleArn", "iamRoleName", "idpEnabled", "intermediateRoleArn", "isOrganizationManagementAccount", "organizationId", "realtimeVisibilityEnabled", "sensorManagementEnabled", "targetOuses" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinux:getSensorUpdatePolicyBuildsLinux": { "properties": { "alls": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxAll:getSensorUpdatePolicyBuildsLinuxAll" }, "description": "All sensor builds for the specific platform.\n" }, "latest": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxLatest:getSensorUpdatePolicyBuildsLinuxLatest", "description": "The latest sensor build.\n" }, "n1": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxN1:getSensorUpdatePolicyBuildsLinuxN1", "description": "The n-1 sensor build.\n" }, "n2": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxN2:getSensorUpdatePolicyBuildsLinuxN2", "description": "The n-2 sensor build.\n" } }, "type": "object", "required": [ "alls", "latest", "n1", "n2" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxAll:getSensorUpdatePolicyBuildsLinuxAll": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxArm64:getSensorUpdatePolicyBuildsLinuxArm64": { "properties": { "alls": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxArm64All:getSensorUpdatePolicyBuildsLinuxArm64All" }, "description": "All sensor builds for the specific platform.\n" }, "latest": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxArm64Latest:getSensorUpdatePolicyBuildsLinuxArm64Latest", "description": "The latest sensor build.\n" }, "n1": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxArm64N1:getSensorUpdatePolicyBuildsLinuxArm64N1", "description": "The n-1 sensor build.\n" }, "n2": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxArm64N2:getSensorUpdatePolicyBuildsLinuxArm64N2", "description": "The n-2 sensor build.\n" } }, "type": "object", "required": [ "alls", "latest", "n1", "n2" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxArm64All:getSensorUpdatePolicyBuildsLinuxArm64All": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxArm64Latest:getSensorUpdatePolicyBuildsLinuxArm64Latest": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxArm64N1:getSensorUpdatePolicyBuildsLinuxArm64N1": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxArm64N2:getSensorUpdatePolicyBuildsLinuxArm64N2": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxLatest:getSensorUpdatePolicyBuildsLinuxLatest": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxN1:getSensorUpdatePolicyBuildsLinuxN1": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsLinuxN2:getSensorUpdatePolicyBuildsLinuxN2": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsMac:getSensorUpdatePolicyBuildsMac": { "properties": { "alls": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsMacAll:getSensorUpdatePolicyBuildsMacAll" }, "description": "All sensor builds for the specific platform.\n" }, "latest": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsMacLatest:getSensorUpdatePolicyBuildsMacLatest", "description": "The latest sensor build.\n" }, "n1": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsMacN1:getSensorUpdatePolicyBuildsMacN1", "description": "The n-1 sensor build.\n" }, "n2": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsMacN2:getSensorUpdatePolicyBuildsMacN2", "description": "The n-2 sensor build.\n" } }, "type": "object", "required": [ "alls", "latest", "n1", "n2" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsMacAll:getSensorUpdatePolicyBuildsMacAll": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsMacLatest:getSensorUpdatePolicyBuildsMacLatest": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsMacN1:getSensorUpdatePolicyBuildsMacN1": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsMacN2:getSensorUpdatePolicyBuildsMacN2": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsWindows:getSensorUpdatePolicyBuildsWindows": { "properties": { "alls": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsWindowsAll:getSensorUpdatePolicyBuildsWindowsAll" }, "description": "All sensor builds for the specific platform.\n" }, "latest": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsWindowsLatest:getSensorUpdatePolicyBuildsWindowsLatest", "description": "The latest sensor build.\n" }, "n1": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsWindowsN1:getSensorUpdatePolicyBuildsWindowsN1", "description": "The n-1 sensor build.\n" }, "n2": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsWindowsN2:getSensorUpdatePolicyBuildsWindowsN2", "description": "The n-2 sensor build.\n" } }, "type": "object", "required": [ "alls", "latest", "n1", "n2" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsWindowsAll:getSensorUpdatePolicyBuildsWindowsAll": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsWindowsLatest:getSensorUpdatePolicyBuildsWindowsLatest": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsWindowsN1:getSensorUpdatePolicyBuildsWindowsN1": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } }, "crowdstrike:index/getSensorUpdatePolicyBuildsWindowsN2:getSensorUpdatePolicyBuildsWindowsN2": { "properties": { "build": { "type": "string", "description": "The build number for a specific sensor version.\n" }, "platform": { "type": "string", "description": "The target platform for a the build.\n" }, "sensorVersion": { "type": "string", "description": "CrowdStrike Falcon Sensor version.\n" }, "stage": { "type": "string", "description": "The stage for the build.\n" } }, "type": "object", "required": [ "build", "platform", "sensorVersion", "stage" ], "language": { "nodejs": { "requiredInputs": [] } } } }, "provider": { "description": "The provider type for the crowdstrike package. By default, resources use package-wide configuration\nsettings, however an explicit `Provider` instance may be created and passed during resource\nconstruction to achieve fine-grained programmatic control over provider settings. See the\n[documentation](https://www.pulumi.com/docs/reference/programming-model/#providers) for more information.\n", "properties": { "clientId": { "type": "string", "description": "Falcon Client Id for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_ID environment variable when left\nblank.\n", "secret": true }, "clientSecret": { "type": "string", "description": "Falcon Client Secret used for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_SECRET environment variable\nwhen left blank.\n", "secret": true }, "cloud": { "type": "string", "description": "Falcon Cloud to authenticate to. Valid values are autodiscover, us-1, us-2, eu-1, us-gov-1. Will use FALCON_CLOUD\nenvironment variable when left blank.\n" }, "memberCid": { "type": "string", "description": "For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID\n" } }, "type": "object", "inputProperties": { "clientId": { "type": "string", "description": "Falcon Client Id for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_ID environment variable when left\nblank.\n", "secret": true }, "clientSecret": { "type": "string", "description": "Falcon Client Secret used for authenticating to the CrowdStrike APIs. Will use FALCON_CLIENT_SECRET environment variable\nwhen left blank.\n", "secret": true }, "cloud": { "type": "string", "description": "Falcon Cloud to authenticate to. Valid values are autodiscover, us-1, us-2, eu-1, us-gov-1. Will use FALCON_CLOUD\nenvironment variable when left blank.\n" }, "memberCid": { "type": "string", "description": "For MSSP Master CIDs, optionally lock the token to act on behalf of this member CID\n" } } }, "resources": { "crowdstrike:index/cloudAwsAccount:CloudAwsAccount": { "description": "This resource allows management of an AWS account in Falcon.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Cloud security AWS registration | Read & Write\n- CSPM registration | Read & Write\n\n\n## Example Usage\n\n\n```yaml\nresources:\n org:\n type: crowdstrike:CloudAwsAccount\n properties:\n accountId: '123456789012'\n dspm:\n enabled: true\n idp:\n enabled: true\n organizationId: o-1234567890\n realtimeVisibility:\n cloudtrail_region: us-east-1\n enabled: true\n sensorManagement:\n enabled: true\n```\n\n\n## Import\n\nA previously registered cloud aws account can be imported by account id.\n\n```sh\n$ pulumi import crowdstrike:index/cloudAwsAccount:CloudAwsAccount account 12345678910\n```\n\n", "properties": { "accountId": { "type": "string", "description": "The AWS Account ID\n" }, "accountType": { "type": "string", "description": "The AWS account type. Value is 'commercial' for Commercial cloud accounts. For GovCloud environments, value can be either 'commercial' or 'gov' depending on the account type\n" }, "assetInventory": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountAssetInventory:CloudAwsAccountAssetInventory" }, "cloudtrailBucketName": { "type": "string", "description": "The name of the CloudTrail S3 bucket used for real-time visibility\n" }, "deploymentMethod": { "type": "string" }, "dspm": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountDspm:CloudAwsAccountDspm" }, "dspmRoleArn": { "type": "string", "description": "The ARN of the IAM role to be used by CrowdStrike Data Security Posture Management\n" }, "dspmRoleName": { "type": "string", "description": "The name of the IAM role to be used by CrowdStrike Data Security Posture Management\n" }, "eventbusArn": { "type": "string", "description": "The ARN of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "eventbusName": { "type": "string", "description": "The name of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "externalId": { "type": "string", "description": "The external ID used to assume the AWS IAM role\n" }, "iamRoleArn": { "type": "string", "description": "The ARN of the AWS IAM role used to access this AWS account\n" }, "iamRoleName": { "type": "string", "description": "The name of the AWS IAM role used to access this AWS account\n" }, "idp": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountIdp:CloudAwsAccountIdp" }, "intermediateRoleArn": { "type": "string", "description": "The ARN of the intermediate role used to assume the AWS IAM role\n" }, "isOrganizationManagementAccount": { "type": "boolean", "description": "Indicates whether this is the management account (formerly known as the root account) of an AWS Organization\n" }, "organizationId": { "type": "string", "description": "The AWS Organization ID (starts with `o-`). When specified, accounts within the organization will be registered. If `target_ous` is empty, all accounts in the organization will be registered. The `account_id` must be the organization's management account ID.\n" }, "realtimeVisibility": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountRealtimeVisibility:CloudAwsAccountRealtimeVisibility" }, "sensorManagement": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountSensorManagement:CloudAwsAccountSensorManagement" }, "targetOuses": { "type": "array", "items": { "type": "string" }, "description": "The list of target Organizational Units\n" } }, "type": "object", "required": [ "accountId", "accountType", "assetInventory", "cloudtrailBucketName", "deploymentMethod", "dspm", "dspmRoleArn", "dspmRoleName", "eventbusArn", "eventbusName", "externalId", "iamRoleArn", "iamRoleName", "idp", "intermediateRoleArn", "isOrganizationManagementAccount", "organizationId", "realtimeVisibility", "sensorManagement", "targetOuses" ], "inputProperties": { "accountId": { "type": "string", "description": "The AWS Account ID\n" }, "accountType": { "type": "string", "description": "The AWS account type. Value is 'commercial' for Commercial cloud accounts. For GovCloud environments, value can be either 'commercial' or 'gov' depending on the account type\n" }, "assetInventory": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountAssetInventory:CloudAwsAccountAssetInventory" }, "deploymentMethod": { "type": "string" }, "dspm": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountDspm:CloudAwsAccountDspm" }, "idp": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountIdp:CloudAwsAccountIdp" }, "organizationId": { "type": "string", "description": "The AWS Organization ID (starts with `o-`). When specified, accounts within the organization will be registered. If `target_ous` is empty, all accounts in the organization will be registered. The `account_id` must be the organization's management account ID.\n" }, "realtimeVisibility": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountRealtimeVisibility:CloudAwsAccountRealtimeVisibility" }, "sensorManagement": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountSensorManagement:CloudAwsAccountSensorManagement" }, "targetOuses": { "type": "array", "items": { "type": "string" }, "description": "The list of target Organizational Units\n" } }, "requiredInputs": [ "accountId" ], "stateInputs": { "description": "Input properties used for looking up and filtering CloudAwsAccount resources.\n", "properties": { "accountId": { "type": "string", "description": "The AWS Account ID\n" }, "accountType": { "type": "string", "description": "The AWS account type. Value is 'commercial' for Commercial cloud accounts. For GovCloud environments, value can be either 'commercial' or 'gov' depending on the account type\n" }, "assetInventory": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountAssetInventory:CloudAwsAccountAssetInventory" }, "cloudtrailBucketName": { "type": "string", "description": "The name of the CloudTrail S3 bucket used for real-time visibility\n" }, "deploymentMethod": { "type": "string" }, "dspm": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountDspm:CloudAwsAccountDspm" }, "dspmRoleArn": { "type": "string", "description": "The ARN of the IAM role to be used by CrowdStrike Data Security Posture Management\n" }, "dspmRoleName": { "type": "string", "description": "The name of the IAM role to be used by CrowdStrike Data Security Posture Management\n" }, "eventbusArn": { "type": "string", "description": "The ARN of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "eventbusName": { "type": "string", "description": "The name of the Amazon EventBridge used by CrowdStrike to forward messages\n" }, "externalId": { "type": "string", "description": "The external ID used to assume the AWS IAM role\n" }, "iamRoleArn": { "type": "string", "description": "The ARN of the AWS IAM role used to access this AWS account\n" }, "iamRoleName": { "type": "string", "description": "The name of the AWS IAM role used to access this AWS account\n" }, "idp": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountIdp:CloudAwsAccountIdp" }, "intermediateRoleArn": { "type": "string", "description": "The ARN of the intermediate role used to assume the AWS IAM role\n" }, "isOrganizationManagementAccount": { "type": "boolean", "description": "Indicates whether this is the management account (formerly known as the root account) of an AWS Organization\n" }, "organizationId": { "type": "string", "description": "The AWS Organization ID (starts with `o-`). When specified, accounts within the organization will be registered. If `target_ous` is empty, all accounts in the organization will be registered. The `account_id` must be the organization's management account ID.\n" }, "realtimeVisibility": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountRealtimeVisibility:CloudAwsAccountRealtimeVisibility" }, "sensorManagement": { "$ref": "#/types/crowdstrike:index%2FCloudAwsAccountSensorManagement:CloudAwsAccountSensorManagement" }, "targetOuses": { "type": "array", "items": { "type": "string" }, "description": "The list of target Organizational Units\n" } }, "type": "object" } }, "crowdstrike:index/defaultPreventionPolicyLinux:DefaultPreventionPolicyLinux": { "description": "This resource allows you to manage the default prevention policy for Linux hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts. Destruction of this resource *will not* delete the default prevention policy or remove any configured settings.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst _default = new crowdstrike.DefaultPreventionPolicyLinux(\"default\", {\n description: \"managed by terraform\",\n ioaRuleGroups: [],\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n quarantine: true,\n customBlocking: true,\n preventSuspiciousProcesses: true,\n scriptBasedExecutionMonitoring: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n driftPrevention: true,\n emailProtocolVisibility: true,\n filesystemVisibility: true,\n ftpVisibility: true,\n httpVisibility: true,\n networkVisibility: true,\n tlsVisibility: true,\n sensorTamperingProtection: true,\n onWriteScriptFileVisibility: true,\n memoryVisibility: true,\n extendedCommandLineVisibility: true,\n});\nexport const defaultPreventionPolicyLinux = _default;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\ndefault = crowdstrike.DefaultPreventionPolicyLinux(\"default\",\n description=\"managed by terraform\",\n ioa_rule_groups=[],\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n quarantine=True,\n custom_blocking=True,\n prevent_suspicious_processes=True,\n script_based_execution_monitoring=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n drift_prevention=True,\n email_protocol_visibility=True,\n filesystem_visibility=True,\n ftp_visibility=True,\n http_visibility=True,\n network_visibility=True,\n tls_visibility=True,\n sensor_tampering_protection=True,\n on_write_script_file_visibility=True,\n memory_visibility=True,\n extended_command_line_visibility=True)\npulumi.export(\"defaultPreventionPolicyLinux\", default)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var @default = new Crowdstrike.DefaultPreventionPolicyLinux(\"default\", new()\n {\n Description = \"managed by terraform\",\n IoaRuleGroups = new[] {},\n CloudAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyLinuxCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyLinuxSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n Quarantine = true,\n CustomBlocking = true,\n PreventSuspiciousProcesses = true,\n ScriptBasedExecutionMonitoring = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n DriftPrevention = true,\n EmailProtocolVisibility = true,\n FilesystemVisibility = true,\n FtpVisibility = true,\n HttpVisibility = true,\n NetworkVisibility = true,\n TlsVisibility = true,\n SensorTamperingProtection = true,\n OnWriteScriptFileVisibility = true,\n MemoryVisibility = true,\n ExtendedCommandLineVisibility = true,\n });\n\n return new Dictionary\n {\n [\"defaultPreventionPolicyLinux\"] = @default,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := crowdstrike.NewDefaultPreventionPolicyLinux(ctx, \"default\", &crowdstrike.DefaultPreventionPolicyLinuxArgs{\n\t\t\tDescription: pulumi.String(\"managed by terraform\"),\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tCloudAntiMalware: &crowdstrike.DefaultPreventionPolicyLinuxCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.DefaultPreventionPolicyLinuxSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tQuarantine: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tDriftPrevention: pulumi.Bool(true),\n\t\t\tEmailProtocolVisibility: pulumi.Bool(true),\n\t\t\tFilesystemVisibility: pulumi.Bool(true),\n\t\t\tFtpVisibility: pulumi.Bool(true),\n\t\t\tHttpVisibility: pulumi.Bool(true),\n\t\t\tNetworkVisibility: pulumi.Bool(true),\n\t\t\tTlsVisibility: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tOnWriteScriptFileVisibility: pulumi.Bool(true),\n\t\t\tMemoryVisibility: pulumi.Bool(true),\n\t\t\tExtendedCommandLineVisibility: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"defaultPreventionPolicyLinux\", _default)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyLinux;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyLinuxArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyLinuxCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyLinuxSensorAntiMalwareArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var default_ = new DefaultPreventionPolicyLinux(\"default\", DefaultPreventionPolicyLinuxArgs.builder()\n .description(\"managed by terraform\")\n .ioaRuleGroups()\n .cloudAntiMalware(DefaultPreventionPolicyLinuxCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(DefaultPreventionPolicyLinuxSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .quarantine(true)\n .customBlocking(true)\n .preventSuspiciousProcesses(true)\n .scriptBasedExecutionMonitoring(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .driftPrevention(true)\n .emailProtocolVisibility(true)\n .filesystemVisibility(true)\n .ftpVisibility(true)\n .httpVisibility(true)\n .networkVisibility(true)\n .tlsVisibility(true)\n .sensorTamperingProtection(true)\n .onWriteScriptFileVisibility(true)\n .memoryVisibility(true)\n .extendedCommandLineVisibility(true)\n .build());\n\n ctx.export(\"defaultPreventionPolicyLinux\", default_);\n }\n}\n```\n```yaml\nresources:\n default:\n type: crowdstrike:DefaultPreventionPolicyLinux\n properties:\n description: managed by terraform\n ioaRuleGroups: []\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n quarantine: true\n customBlocking: true\n preventSuspiciousProcesses: true\n scriptBasedExecutionMonitoring: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n driftPrevention: true\n emailProtocolVisibility: true\n filesystemVisibility: true\n ftpVisibility: true\n httpVisibility: true\n networkVisibility: true\n tlsVisibility: true\n sensorTamperingProtection: true\n onWriteScriptFileVisibility: true\n memoryVisibility: true\n extendedCommandLineVisibility: true\noutputs:\n defaultPreventionPolicyLinux: ${default}\n```\n\n\n## Import\n\nThe mac default prevention policy can be imported by specifying the id.\n\n```sh\n$ pulumi import crowdstrike:index/defaultPreventionPolicyLinux:DefaultPreventionPolicyLinux default 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxCloudAntiMalware:DefaultPreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxSensorAntiMalware:DefaultPreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "type": "object", "required": [ "cloudAntiMalware", "customBlocking", "driftPrevention", "emailProtocolVisibility", "extendedCommandLineVisibility", "filesystemVisibility", "ftpVisibility", "httpVisibility", "ioaRuleGroups", "lastUpdated", "memoryVisibility", "networkVisibility", "onWriteScriptFileVisibility", "preventSuspiciousProcesses", "quarantine", "scriptBasedExecutionMonitoring", "sensorAntiMalware", "sensorTamperingProtection", "tlsVisibility", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables" ], "inputProperties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxCloudAntiMalware:DefaultPreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxSensorAntiMalware:DefaultPreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "requiredInputs": [ "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering DefaultPreventionPolicyLinux resources.\n", "properties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxCloudAntiMalware:DefaultPreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyLinuxSensorAntiMalware:DefaultPreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "type": "object" } }, "crowdstrike:index/defaultPreventionPolicyMac:DefaultPreventionPolicyMac": { "description": "This resource allows you to manage the default prevention policy for Mac hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts. Destruction of this resource *will not* delete the default prevention policy or remove any configured settings.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst _default = new crowdstrike.DefaultPreventionPolicyMac(\"default\", {\n description: \"managed by terraform\",\n ioaRuleGroups: [],\n cloudAdwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAdwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n notifyEndUsers: true,\n customBlocking: true,\n detectOnWrite: true,\n intelligenceSourcedThreats: true,\n preventSuspiciousProcesses: true,\n quarantine: true,\n quarantineOnWrite: true,\n scriptBasedExecutionMonitoring: true,\n sensorTamperingProtection: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n xpcomShell: true,\n kcPasswordDecoded: true,\n hashCollector: true,\n empyreBackdoor: true,\n chopperWebshell: true,\n});\nexport const defaultPreventionPolicyMac = _default;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\ndefault = crowdstrike.DefaultPreventionPolicyMac(\"default\",\n description=\"managed by terraform\",\n ioa_rule_groups=[],\n cloud_adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n notify_end_users=True,\n custom_blocking=True,\n detect_on_write=True,\n intelligence_sourced_threats=True,\n prevent_suspicious_processes=True,\n quarantine=True,\n quarantine_on_write=True,\n script_based_execution_monitoring=True,\n sensor_tampering_protection=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n xpcom_shell=True,\n kc_password_decoded=True,\n hash_collector=True,\n empyre_backdoor=True,\n chopper_webshell=True)\npulumi.export(\"defaultPreventionPolicyMac\", default)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var @default = new Crowdstrike.DefaultPreventionPolicyMac(\"default\", new()\n {\n Description = \"managed by terraform\",\n IoaRuleGroups = new[] {},\n CloudAdwareAndPup = new Crowdstrike.Inputs.DefaultPreventionPolicyMacCloudAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyMacCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyMacSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAdwareAndPup = new Crowdstrike.Inputs.DefaultPreventionPolicyMacSensorAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n NotifyEndUsers = true,\n CustomBlocking = true,\n DetectOnWrite = true,\n IntelligenceSourcedThreats = true,\n PreventSuspiciousProcesses = true,\n Quarantine = true,\n QuarantineOnWrite = true,\n ScriptBasedExecutionMonitoring = true,\n SensorTamperingProtection = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n XpcomShell = true,\n KcPasswordDecoded = true,\n HashCollector = true,\n EmpyreBackdoor = true,\n ChopperWebshell = true,\n });\n\n return new Dictionary\n {\n [\"defaultPreventionPolicyMac\"] = @default,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := crowdstrike.NewDefaultPreventionPolicyMac(ctx, \"default\", &crowdstrike.DefaultPreventionPolicyMacArgs{\n\t\t\tDescription: pulumi.String(\"managed by terraform\"),\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tCloudAdwareAndPup: &crowdstrike.DefaultPreventionPolicyMacCloudAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalware: &crowdstrike.DefaultPreventionPolicyMacCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.DefaultPreventionPolicyMacSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAdwareAndPup: &crowdstrike.DefaultPreventionPolicyMacSensorAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tNotifyEndUsers: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tDetectOnWrite: pulumi.Bool(true),\n\t\t\tIntelligenceSourcedThreats: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tQuarantine: pulumi.Bool(true),\n\t\t\tQuarantineOnWrite: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tXpcomShell: pulumi.Bool(true),\n\t\t\tKcPasswordDecoded: pulumi.Bool(true),\n\t\t\tHashCollector: pulumi.Bool(true),\n\t\t\tEmpyreBackdoor: pulumi.Bool(true),\n\t\t\tChopperWebshell: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"defaultPreventionPolicyMac\", _default)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyMac;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyMacArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyMacCloudAdwareAndPupArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyMacCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyMacSensorAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyMacSensorAdwareAndPupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var default_ = new DefaultPreventionPolicyMac(\"default\", DefaultPreventionPolicyMacArgs.builder()\n .description(\"managed by terraform\")\n .ioaRuleGroups()\n .cloudAdwareAndPup(DefaultPreventionPolicyMacCloudAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalware(DefaultPreventionPolicyMacCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(DefaultPreventionPolicyMacSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAdwareAndPup(DefaultPreventionPolicyMacSensorAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .notifyEndUsers(true)\n .customBlocking(true)\n .detectOnWrite(true)\n .intelligenceSourcedThreats(true)\n .preventSuspiciousProcesses(true)\n .quarantine(true)\n .quarantineOnWrite(true)\n .scriptBasedExecutionMonitoring(true)\n .sensorTamperingProtection(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .xpcomShell(true)\n .kcPasswordDecoded(true)\n .hashCollector(true)\n .empyreBackdoor(true)\n .chopperWebshell(true)\n .build());\n\n ctx.export(\"defaultPreventionPolicyMac\", default_);\n }\n}\n```\n```yaml\nresources:\n default:\n type: crowdstrike:DefaultPreventionPolicyMac\n properties:\n description: managed by terraform\n ioaRuleGroups: []\n cloudAdwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAdwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n notifyEndUsers: true\n customBlocking: true\n detectOnWrite: true\n intelligenceSourcedThreats: true\n preventSuspiciousProcesses: true\n quarantine: true\n quarantineOnWrite: true\n scriptBasedExecutionMonitoring: true\n sensorTamperingProtection: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n xpcomShell: true\n kcPasswordDecoded: true\n hashCollector: true\n empyreBackdoor: true\n chopperWebshell: true\noutputs:\n defaultPreventionPolicyMac: ${default}\n```\n\n\n## Import\n\nThe windows default prevention policy can be imported by specifying the id.\n\n```sh\n$ pulumi import crowdstrike:index/defaultPreventionPolicyMac:DefaultPreventionPolicyMac default 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAdwareAndPup:DefaultPreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAntiMalware:DefaultPreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "lastUpdated": { "type": "string" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAdwareAndPup:DefaultPreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAntiMalware:DefaultPreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "type": "object", "required": [ "chopperWebshell", "cloudAdwareAndPup", "cloudAntiMalware", "customBlocking", "detectOnWrite", "empyreBackdoor", "hashCollector", "intelligenceSourcedThreats", "ioaRuleGroups", "kcPasswordDecoded", "lastUpdated", "notifyEndUsers", "preventSuspiciousProcesses", "quarantine", "quarantineOnWrite", "scriptBasedExecutionMonitoring", "sensorAdwareAndPup", "sensorAntiMalware", "sensorTamperingProtection", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables", "xpcomShell" ], "inputProperties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAdwareAndPup:DefaultPreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAntiMalware:DefaultPreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAdwareAndPup:DefaultPreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAntiMalware:DefaultPreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "requiredInputs": [ "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering DefaultPreventionPolicyMac resources.\n", "properties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAdwareAndPup:DefaultPreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacCloudAntiMalware:DefaultPreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "lastUpdated": { "type": "string" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAdwareAndPup:DefaultPreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyMacSensorAntiMalware:DefaultPreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "type": "object" } }, "crowdstrike:index/defaultPreventionPolicyWindows:DefaultPreventionPolicyWindows": { "description": "This resource allows you to manage the default prevention policy for Windows hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts. Destruction of this resource *will not* delete the default prevention policy or remove any configured settings.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst _default = new crowdstrike.DefaultPreventionPolicyWindows(\"default\", {\n description: \"managed by terraform\",\n ioaRuleGroups: [],\n adwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalwareMicrosoftOfficeFiles: {\n detection: \"MODERATE\",\n prevention: \"DISABLED\",\n },\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalwareUserInitiated: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalwareUserInitiated: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n extendedUserModeData: {\n detection: \"MODERATE\",\n },\n usbInsertionTriggeredScan: true,\n applicationExploitationActivity: true,\n additionalUserModeData: true,\n notifyEndUsers: true,\n advancedRemediation: true,\n backupDeletion: true,\n biosDeepVisibility: true,\n chopperWebshell: true,\n codeInjection: true,\n credentialDumping: true,\n cryptowall: true,\n customBlocking: true,\n detectOnWrite: true,\n driveByDownload: true,\n driverLoadPrevention: true,\n interpreterOnly: true,\n engineFullVisibility: true,\n enhancedExploitationVisibility: true,\n enhancedDllLoadVisibility: true,\n enhancedMlForLargerFiles: true,\n fileEncryption: true,\n fileSystemAccess: true,\n forceAslr: true,\n forceDep: true,\n heapSprayPreallocation: true,\n nullPageAllocation: true,\n sehOverwriteProtection: true,\n hardwareEnhancedExploitDetection: true,\n httpDetections: true,\n redactHttpDetectionDetails: true,\n intelligenceSourcedThreats: true,\n javascriptViaRundll32: true,\n locky: true,\n memoryScanning: true,\n memoryScanningScanWithCpu: true,\n microsoftOfficeFileSuspiciousMacroRemoval: true,\n onWriteScriptFileVisibility: true,\n preventSuspiciousProcesses: true,\n quarantineAndSecurityCenterRegistration: true,\n quarantineOnRemovableMedia: true,\n quarantineOnWrite: true,\n scriptBasedExecutionMonitoring: true,\n sensorTamperingProtection: true,\n suspiciousRegistryOperations: true,\n suspiciousScriptsAndCommands: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n volumeShadowCopyAudit: true,\n volumeShadowCopyProtect: true,\n vulnerableDriverProtection: true,\n windowsLogonBypassStickyKeys: true,\n fileSystemContainment: true,\n});\nexport const defaultPreventionPolicyWindows = _default;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\ndefault = crowdstrike.DefaultPreventionPolicyWindows(\"default\",\n description=\"managed by terraform\",\n ioa_rule_groups=[],\n adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware_microsoft_office_files={\n \"detection\": \"MODERATE\",\n \"prevention\": \"DISABLED\",\n },\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware_user_initiated={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware_user_initiated={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n extended_user_mode_data={\n \"detection\": \"MODERATE\",\n },\n usb_insertion_triggered_scan=True,\n application_exploitation_activity=True,\n additional_user_mode_data=True,\n notify_end_users=True,\n advanced_remediation=True,\n backup_deletion=True,\n bios_deep_visibility=True,\n chopper_webshell=True,\n code_injection=True,\n credential_dumping=True,\n cryptowall=True,\n custom_blocking=True,\n detect_on_write=True,\n drive_by_download=True,\n driver_load_prevention=True,\n interpreter_only=True,\n engine_full_visibility=True,\n enhanced_exploitation_visibility=True,\n enhanced_dll_load_visibility=True,\n enhanced_ml_for_larger_files=True,\n file_encryption=True,\n file_system_access=True,\n force_aslr=True,\n force_dep=True,\n heap_spray_preallocation=True,\n null_page_allocation=True,\n seh_overwrite_protection=True,\n hardware_enhanced_exploit_detection=True,\n http_detections=True,\n redact_http_detection_details=True,\n intelligence_sourced_threats=True,\n javascript_via_rundll32=True,\n locky=True,\n memory_scanning=True,\n memory_scanning_scan_with_cpu=True,\n microsoft_office_file_suspicious_macro_removal=True,\n on_write_script_file_visibility=True,\n prevent_suspicious_processes=True,\n quarantine_and_security_center_registration=True,\n quarantine_on_removable_media=True,\n quarantine_on_write=True,\n script_based_execution_monitoring=True,\n sensor_tampering_protection=True,\n suspicious_registry_operations=True,\n suspicious_scripts_and_commands=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n volume_shadow_copy_audit=True,\n volume_shadow_copy_protect=True,\n vulnerable_driver_protection=True,\n windows_logon_bypass_sticky_keys=True,\n file_system_containment=True)\npulumi.export(\"defaultPreventionPolicyWindows\", default)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var @default = new Crowdstrike.DefaultPreventionPolicyWindows(\"default\", new()\n {\n Description = \"managed by terraform\",\n IoaRuleGroups = new[] {},\n AdwareAndPup = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"DISABLED\",\n },\n CloudAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n ExtendedUserModeData = new Crowdstrike.Inputs.DefaultPreventionPolicyWindowsExtendedUserModeDataArgs\n {\n Detection = \"MODERATE\",\n },\n UsbInsertionTriggeredScan = true,\n ApplicationExploitationActivity = true,\n AdditionalUserModeData = true,\n NotifyEndUsers = true,\n AdvancedRemediation = true,\n BackupDeletion = true,\n BiosDeepVisibility = true,\n ChopperWebshell = true,\n CodeInjection = true,\n CredentialDumping = true,\n Cryptowall = true,\n CustomBlocking = true,\n DetectOnWrite = true,\n DriveByDownload = true,\n DriverLoadPrevention = true,\n InterpreterOnly = true,\n EngineFullVisibility = true,\n EnhancedExploitationVisibility = true,\n EnhancedDllLoadVisibility = true,\n EnhancedMlForLargerFiles = true,\n FileEncryption = true,\n FileSystemAccess = true,\n ForceAslr = true,\n ForceDep = true,\n HeapSprayPreallocation = true,\n NullPageAllocation = true,\n SehOverwriteProtection = true,\n HardwareEnhancedExploitDetection = true,\n HttpDetections = true,\n RedactHttpDetectionDetails = true,\n IntelligenceSourcedThreats = true,\n JavascriptViaRundll32 = true,\n Locky = true,\n MemoryScanning = true,\n MemoryScanningScanWithCpu = true,\n MicrosoftOfficeFileSuspiciousMacroRemoval = true,\n OnWriteScriptFileVisibility = true,\n PreventSuspiciousProcesses = true,\n QuarantineAndSecurityCenterRegistration = true,\n QuarantineOnRemovableMedia = true,\n QuarantineOnWrite = true,\n ScriptBasedExecutionMonitoring = true,\n SensorTamperingProtection = true,\n SuspiciousRegistryOperations = true,\n SuspiciousScriptsAndCommands = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n VolumeShadowCopyAudit = true,\n VolumeShadowCopyProtect = true,\n VulnerableDriverProtection = true,\n WindowsLogonBypassStickyKeys = true,\n FileSystemContainment = true,\n });\n\n return new Dictionary\n {\n [\"defaultPreventionPolicyWindows\"] = @default,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_default, err := crowdstrike.NewDefaultPreventionPolicyWindows(ctx, \"default\", &crowdstrike.DefaultPreventionPolicyWindowsArgs{\n\t\t\tDescription: pulumi.String(\"managed by terraform\"),\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tAdwareAndPup: &crowdstrike.DefaultPreventionPolicyWindowsAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"DISABLED\"),\n\t\t\t},\n\t\t\tCloudAntiMalware: &crowdstrike.DefaultPreventionPolicyWindowsCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalwareUserInitiated: &crowdstrike.DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.DefaultPreventionPolicyWindowsSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalwareUserInitiated: &crowdstrike.DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tExtendedUserModeData: &crowdstrike.DefaultPreventionPolicyWindowsExtendedUserModeDataArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t},\n\t\t\tUsbInsertionTriggeredScan: pulumi.Bool(true),\n\t\t\tApplicationExploitationActivity: pulumi.Bool(true),\n\t\t\tAdditionalUserModeData: pulumi.Bool(true),\n\t\t\tNotifyEndUsers: pulumi.Bool(true),\n\t\t\tAdvancedRemediation: pulumi.Bool(true),\n\t\t\tBackupDeletion: pulumi.Bool(true),\n\t\t\tBiosDeepVisibility: pulumi.Bool(true),\n\t\t\tChopperWebshell: pulumi.Bool(true),\n\t\t\tCodeInjection: pulumi.Bool(true),\n\t\t\tCredentialDumping: pulumi.Bool(true),\n\t\t\tCryptowall: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tDetectOnWrite: pulumi.Bool(true),\n\t\t\tDriveByDownload: pulumi.Bool(true),\n\t\t\tDriverLoadPrevention: pulumi.Bool(true),\n\t\t\tInterpreterOnly: pulumi.Bool(true),\n\t\t\tEngineFullVisibility: pulumi.Bool(true),\n\t\t\tEnhancedExploitationVisibility: pulumi.Bool(true),\n\t\t\tEnhancedDllLoadVisibility: pulumi.Bool(true),\n\t\t\tEnhancedMlForLargerFiles: pulumi.Bool(true),\n\t\t\tFileEncryption: pulumi.Bool(true),\n\t\t\tFileSystemAccess: pulumi.Bool(true),\n\t\t\tForceAslr: pulumi.Bool(true),\n\t\t\tForceDep: pulumi.Bool(true),\n\t\t\tHeapSprayPreallocation: pulumi.Bool(true),\n\t\t\tNullPageAllocation: pulumi.Bool(true),\n\t\t\tSehOverwriteProtection: pulumi.Bool(true),\n\t\t\tHardwareEnhancedExploitDetection: pulumi.Bool(true),\n\t\t\tHttpDetections: pulumi.Bool(true),\n\t\t\tRedactHttpDetectionDetails: pulumi.Bool(true),\n\t\t\tIntelligenceSourcedThreats: pulumi.Bool(true),\n\t\t\tJavascriptViaRundll32: pulumi.Bool(true),\n\t\t\tLocky: pulumi.Bool(true),\n\t\t\tMemoryScanning: pulumi.Bool(true),\n\t\t\tMemoryScanningScanWithCpu: pulumi.Bool(true),\n\t\t\tMicrosoftOfficeFileSuspiciousMacroRemoval: pulumi.Bool(true),\n\t\t\tOnWriteScriptFileVisibility: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tQuarantineAndSecurityCenterRegistration: pulumi.Bool(true),\n\t\t\tQuarantineOnRemovableMedia: pulumi.Bool(true),\n\t\t\tQuarantineOnWrite: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tSuspiciousRegistryOperations: pulumi.Bool(true),\n\t\t\tSuspiciousScriptsAndCommands: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tVolumeShadowCopyAudit: pulumi.Bool(true),\n\t\t\tVolumeShadowCopyProtect: pulumi.Bool(true),\n\t\t\tVulnerableDriverProtection: pulumi.Bool(true),\n\t\t\tWindowsLogonBypassStickyKeys: pulumi.Bool(true),\n\t\t\tFileSystemContainment: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"defaultPreventionPolicyWindows\", _default)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyWindows;\nimport com.crowdstrike.crowdstrike.DefaultPreventionPolicyWindowsArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsAdwareAndPupArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsSensorAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs;\nimport com.pulumi.crowdstrike.inputs.DefaultPreventionPolicyWindowsExtendedUserModeDataArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var default_ = new DefaultPreventionPolicyWindows(\"default\", DefaultPreventionPolicyWindowsArgs.builder()\n .description(\"managed by terraform\")\n .ioaRuleGroups()\n .adwareAndPup(DefaultPreventionPolicyWindowsAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalwareMicrosoftOfficeFiles(DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()\n .detection(\"MODERATE\")\n .prevention(\"DISABLED\")\n .build())\n .cloudAntiMalware(DefaultPreventionPolicyWindowsCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalwareUserInitiated(DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(DefaultPreventionPolicyWindowsSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalwareUserInitiated(DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .extendedUserModeData(DefaultPreventionPolicyWindowsExtendedUserModeDataArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .usbInsertionTriggeredScan(true)\n .applicationExploitationActivity(true)\n .additionalUserModeData(true)\n .notifyEndUsers(true)\n .advancedRemediation(true)\n .backupDeletion(true)\n .biosDeepVisibility(true)\n .chopperWebshell(true)\n .codeInjection(true)\n .credentialDumping(true)\n .cryptowall(true)\n .customBlocking(true)\n .detectOnWrite(true)\n .driveByDownload(true)\n .driverLoadPrevention(true)\n .interpreterOnly(true)\n .engineFullVisibility(true)\n .enhancedExploitationVisibility(true)\n .enhancedDllLoadVisibility(true)\n .enhancedMlForLargerFiles(true)\n .fileEncryption(true)\n .fileSystemAccess(true)\n .forceAslr(true)\n .forceDep(true)\n .heapSprayPreallocation(true)\n .nullPageAllocation(true)\n .sehOverwriteProtection(true)\n .hardwareEnhancedExploitDetection(true)\n .httpDetections(true)\n .redactHttpDetectionDetails(true)\n .intelligenceSourcedThreats(true)\n .javascriptViaRundll32(true)\n .locky(true)\n .memoryScanning(true)\n .memoryScanningScanWithCpu(true)\n .microsoftOfficeFileSuspiciousMacroRemoval(true)\n .onWriteScriptFileVisibility(true)\n .preventSuspiciousProcesses(true)\n .quarantineAndSecurityCenterRegistration(true)\n .quarantineOnRemovableMedia(true)\n .quarantineOnWrite(true)\n .scriptBasedExecutionMonitoring(true)\n .sensorTamperingProtection(true)\n .suspiciousRegistryOperations(true)\n .suspiciousScriptsAndCommands(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .volumeShadowCopyAudit(true)\n .volumeShadowCopyProtect(true)\n .vulnerableDriverProtection(true)\n .windowsLogonBypassStickyKeys(true)\n .fileSystemContainment(true)\n .build());\n\n ctx.export(\"defaultPreventionPolicyWindows\", default_);\n }\n}\n```\n```yaml\nresources:\n default:\n type: crowdstrike:DefaultPreventionPolicyWindows\n properties:\n description: managed by terraform\n ioaRuleGroups: []\n adwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalwareMicrosoftOfficeFiles:\n detection: MODERATE\n prevention: DISABLED\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalwareUserInitiated:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalwareUserInitiated:\n detection: MODERATE\n prevention: CAUTIOUS\n extendedUserModeData:\n detection: MODERATE\n usbInsertionTriggeredScan: true\n applicationExploitationActivity: true\n additionalUserModeData: true\n notifyEndUsers: true\n advancedRemediation: true\n backupDeletion: true\n biosDeepVisibility: true\n chopperWebshell: true\n codeInjection: true\n credentialDumping: true\n cryptowall: true\n customBlocking: true\n detectOnWrite: true\n driveByDownload: true\n driverLoadPrevention: true\n interpreterOnly: true\n engineFullVisibility: true\n enhancedExploitationVisibility: true\n enhancedDllLoadVisibility: true\n enhancedMlForLargerFiles: true\n fileEncryption: true\n fileSystemAccess: true\n forceAslr: true\n forceDep: true\n heapSprayPreallocation: true\n nullPageAllocation: true\n sehOverwriteProtection: true\n hardwareEnhancedExploitDetection: true\n httpDetections: true\n redactHttpDetectionDetails: true\n intelligenceSourcedThreats: true\n javascriptViaRundll32: true\n locky: true\n memoryScanning: true\n memoryScanningScanWithCpu: true\n microsoftOfficeFileSuspiciousMacroRemoval: true\n onWriteScriptFileVisibility: true\n preventSuspiciousProcesses: true\n quarantineAndSecurityCenterRegistration: true\n quarantineOnRemovableMedia: true\n quarantineOnWrite: true\n scriptBasedExecutionMonitoring: true\n sensorTamperingProtection: true\n suspiciousRegistryOperations: true\n suspiciousScriptsAndCommands: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n volumeShadowCopyAudit: true\n volumeShadowCopyProtect: true\n vulnerableDriverProtection: true\n windowsLogonBypassStickyKeys: true\n fileSystemContainment: true\noutputs:\n defaultPreventionPolicyWindows: ${default}\n```\n\n\n## Import\n\nThe linux default prevention policy can be imported by specifying the id.\n\n```sh\n$ pulumi import crowdstrike:index/defaultPreventionPolicyWindows:DefaultPreventionPolicyWindows default 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsAdwareAndPup:DefaultPreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalware:DefaultPreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsExtendedUserModeData:DefaultPreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "lastUpdated": { "type": "string" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalware:DefaultPreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "type": "object", "required": [ "additionalUserModeData", "advancedRemediation", "adwareAndPup", "applicationExploitationActivity", "backupDeletion", "biosDeepVisibility", "chopperWebshell", "cloudAntiMalware", "cloudAntiMalwareMicrosoftOfficeFiles", "cloudAntiMalwareUserInitiated", "codeInjection", "credentialDumping", "cryptowall", "customBlocking", "detectOnWrite", "driveByDownload", "driverLoadPrevention", "engineFullVisibility", "enhancedDllLoadVisibility", "enhancedExploitationVisibility", "enhancedMlForLargerFiles", "extendedUserModeData", "fileEncryption", "fileSystemAccess", "fileSystemContainment", "forceAslr", "forceDep", "hardwareEnhancedExploitDetection", "heapSprayPreallocation", "httpDetections", "intelligenceSourcedThreats", "interpreterOnly", "ioaRuleGroups", "javascriptViaRundll32", "lastUpdated", "locky", "memoryScanning", "memoryScanningScanWithCpu", "microsoftOfficeFileSuspiciousMacroRemoval", "notifyEndUsers", "nullPageAllocation", "onWriteScriptFileVisibility", "preventSuspiciousProcesses", "quarantineAndSecurityCenterRegistration", "quarantineOnRemovableMedia", "quarantineOnWrite", "redactHttpDetectionDetails", "scriptBasedExecutionMonitoring", "sehOverwriteProtection", "sensorAntiMalware", "sensorAntiMalwareUserInitiated", "sensorTamperingProtection", "suspiciousRegistryOperations", "suspiciousScriptsAndCommands", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables", "usbInsertionTriggeredScan", "volumeShadowCopyAudit", "volumeShadowCopyProtect", "vulnerableDriverProtection", "windowsLogonBypassStickyKeys" ], "inputProperties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsAdwareAndPup:DefaultPreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalware:DefaultPreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsExtendedUserModeData:DefaultPreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalware:DefaultPreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "requiredInputs": [ "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering DefaultPreventionPolicyWindows resources.\n", "properties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsAdwareAndPup:DefaultPreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalware:DefaultPreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:DefaultPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsExtendedUserModeData:DefaultPreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "lastUpdated": { "type": "string" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalware:DefaultPreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FDefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated:DefaultPreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "type": "object" } }, "crowdstrike:index/defaultSensorUpdatePolicy:DefaultSensorUpdatePolicy": { "description": "This resource allows management of the default sensor update policy in the CrowdStrike Falcon platform. Destruction of this resource *will not* delete the default sensor update policy or remove any configured settings.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Sensor update policies | Read & Write\n\n\n## Example Usage\n\n\n```yaml\nresources:\n default:\n type: crowdstrike:DefaultSensorUpdatePolicy\n properties:\n platformName: windows\n build: ${all.windows.n1.build}\n uninstallProtection: true\n schedule:\n enabled: true\n timezone: Etc/UTC\n time_blocks:\n - days:\n - sunday\n - wednesday\n startTime: 12:40\n endTime: 16:40\nvariables:\n all:\n fn::invoke:\n function: crowdstrike:getSensorUpdatePolicyBuilds\n arguments: {}\noutputs:\n sensorPolicy: ${default}\n```\n\n\n## Import\n\nA default sensor update policy can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/defaultSensorUpdatePolicy:DefaultSensorUpdatePolicy default 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "build": { "type": "string", "description": "Sensor build to use for the default sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the default sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "Chooses which default sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FDefaultSensorUpdatePolicySchedule:DefaultSensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "type": "object", "required": [ "build", "lastUpdated", "platformName", "schedule", "uninstallProtection" ], "inputProperties": { "build": { "type": "string", "description": "Sensor build to use for the default sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the default sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "platformName": { "type": "string", "description": "Chooses which default sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FDefaultSensorUpdatePolicySchedule:DefaultSensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "requiredInputs": [ "build", "platformName", "schedule" ], "stateInputs": { "description": "Input properties used for looking up and filtering DefaultSensorUpdatePolicy resources.\n", "properties": { "build": { "type": "string", "description": "Sensor build to use for the default sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the default sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "Chooses which default sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FDefaultSensorUpdatePolicySchedule:DefaultSensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "type": "object" } }, "crowdstrike:index/filevantagePolicy:FilevantagePolicy": { "description": "This resource allows management of a FileVantage policy. A FileVantage policy is a collection of file integrity rules and rule groups that you can apply to host groups.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Falcon FileVantage | Read & Write\n\n\n## Example Usage\n\n\n```yaml\nresources:\n exampleFilevantageRuleGroup:\n type: crowdstrike:FilevantageRuleGroup\n properties:\n description: Made with Pulumi\n type: MacFiles\n rules:\n - description: first rule\n path: /path/to/example/\n severity: High\n depth: ANY\n example2:\n type: crowdstrike:FilevantageRuleGroup\n properties:\n description: Made with Pulumi\n type: MacFiles\n rules:\n - description: first rule\n path: /path/to/example/\n severity: High\n depth: ANY\n enable_content_capture: true\n watch_file_write_changes: true\n file_names:\n - example.exe\n exampleFilevantagePolicy:\n type: crowdstrike:FilevantagePolicy\n properties:\n enabled: true\n description: Made with Pulumi\n platformName: Mac\n # host_groups = [\"1232313\"]\n ruleGroups:\n - ${exampleFilevantageRuleGroup.id}\n - ${example2.id}\n scheduledExclusions:\n - name: policy1\n description: Run the first 3 days of the month. All day.\n start_date: 2024-05-21\n start_time: 11:09\n timezone: US/Central\n processes: '**/example.exe,/path/to/example2.exe'\n repeated:\n allDay: true\n frequency: monthly\n monthlyOccurrence: Days\n daysOfMonth:\n - 1\n - 2\n - 3\n - name: policy2\n description: Run monday, tuesday, wednesday. 11:09 - 12:10.\n start_date: 2024-05-21\n start_time: 11:09\n users: admin*,example\n timezone: US/Central\n repeated:\n allDay: false\n startTime: 11:09\n endTime: 12:10\n frequency: weekly\n daysOfWeek:\n - Monday\n - Tuesday\n - Wednesday\noutputs:\n filevantagePolicy: ${exampleFilevantagePolicy}\n```\n\n\n## Import\n\nfilvantage policy can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/filevantagePolicy:FilevantagePolicy example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "description": { "type": "string", "description": "Description of the filevantage policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the filevantage policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the filevantage policy.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the filevantage policy.\n" }, "platformName": { "type": "string", "description": "Platform for the filevantage policy to manage. (Windows, Mac, Linux)\n" }, "ruleGroups": { "type": "array", "items": { "type": "string" }, "description": "Rule Group ids to attach to the filevantage policy. Precedence is based on the order of the list. Rule groups must be the same type as the policy.\n" }, "scheduledExclusions": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantagePolicyScheduledExclusion:FilevantagePolicyScheduledExclusion" }, "description": "Scheduled exclusions for the filevantage policy.\n" } }, "type": "object", "required": [ "enabled", "lastUpdated", "name", "platformName" ], "inputProperties": { "description": { "type": "string", "description": "Description of the filevantage policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the filevantage policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the filevantage policy.\n" }, "name": { "type": "string", "description": "Name of the filevantage policy.\n" }, "platformName": { "type": "string", "description": "Platform for the filevantage policy to manage. (Windows, Mac, Linux)\n" }, "ruleGroups": { "type": "array", "items": { "type": "string" }, "description": "Rule Group ids to attach to the filevantage policy. Precedence is based on the order of the list. Rule groups must be the same type as the policy.\n" }, "scheduledExclusions": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantagePolicyScheduledExclusion:FilevantagePolicyScheduledExclusion" }, "description": "Scheduled exclusions for the filevantage policy.\n" } }, "requiredInputs": [ "platformName" ], "stateInputs": { "description": "Input properties used for looking up and filtering FilevantagePolicy resources.\n", "properties": { "description": { "type": "string", "description": "Description of the filevantage policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the filevantage policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the filevantage policy.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the filevantage policy.\n" }, "platformName": { "type": "string", "description": "Platform for the filevantage policy to manage. (Windows, Mac, Linux)\n" }, "ruleGroups": { "type": "array", "items": { "type": "string" }, "description": "Rule Group ids to attach to the filevantage policy. Precedence is based on the order of the list. Rule groups must be the same type as the policy.\n" }, "scheduledExclusions": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantagePolicyScheduledExclusion:FilevantagePolicyScheduledExclusion" }, "description": "Scheduled exclusions for the filevantage policy.\n" } }, "type": "object" } }, "crowdstrike:index/filevantageRuleGroup:FilevantageRuleGroup": { "description": "This resource allows management of a FileVantage rule group. A FileVantage rule group is a collection of file integrity rules that can be assigned to a FileVantge policy.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Falcon FileVantage | Read & Write\n\n\n## Example Usage\n\n\n```yaml\nresources:\n example:\n type: crowdstrike:FilevantageRuleGroup\n properties:\n description: Made with Pulumi\n type: WindowsRegistry\n rules:\n - description: first rule\n path: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\\n severity: High\n depth: ANY\n registry_values:\n - first\n - rule\n watch_key_value_set_changes: true\n enable_content_capture: true\n - description: second rule\n path: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\\n severity: High\n depth: ANY\n registry_values:\n - Value1\n - Value2\n watch_key_value_set_changes: true\n enable_content_capture: true\noutputs:\n filevantageRuleGroup: ${example}\n```\n\n\n## Import\n\nfilevantage rule group can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/filevantageRuleGroup:FilevantageRuleGroup example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "description": { "type": "string", "description": "Description of the filevantage rule group.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the filevantage rule group.\n" }, "rules": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantageRuleGroupRule:FilevantageRuleGroupRule" }, "description": "Rules to be associated with the rule group. Precedence is determined by the order of the rules in the list.\n" }, "type": { "type": "string", "description": "The type of filevantage rule group.\n" } }, "type": "object", "required": [ "lastUpdated", "name" ], "inputProperties": { "description": { "type": "string", "description": "Description of the filevantage rule group.\n" }, "name": { "type": "string", "description": "Name of the filevantage rule group.\n" }, "rules": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantageRuleGroupRule:FilevantageRuleGroupRule" }, "description": "Rules to be associated with the rule group. Precedence is determined by the order of the rules in the list.\n" }, "type": { "type": "string", "description": "The type of filevantage rule group.\n" } }, "stateInputs": { "description": "Input properties used for looking up and filtering FilevantageRuleGroup resources.\n", "properties": { "description": { "type": "string", "description": "Description of the filevantage rule group.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the filevantage rule group.\n" }, "rules": { "type": "array", "items": { "$ref": "#/types/crowdstrike:index%2FFilevantageRuleGroupRule:FilevantageRuleGroupRule" }, "description": "Rules to be associated with the rule group. Precedence is determined by the order of the rules in the list.\n" }, "type": { "type": "string", "description": "The type of filevantage rule group.\n" } }, "type": "object" } }, "crowdstrike:index/hostGroup:HostGroup": { "description": "This resource allows you to manage host groups in the CrowdStrike Falcon Platform.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Host groups | Read & Write\n- Firewall management | Read & Write\n- Prevention policies | Read & Write\n- Response policies | Read & Write\n- Sensor update policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst dynamic = new crowdstrike.HostGroup(\"dynamic\", {\n assignmentRule: \"tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\",\n description: \"Made with Pulumi\",\n type: \"dynamic\",\n});\nconst static = new crowdstrike.HostGroup(\"static\", {\n description: \"Made with Pulumi\",\n type: \"staticByID\",\n hostIds: [\n \"host1\",\n \"host2\",\n ],\n});\nconst staticByID = new crowdstrike.HostGroup(\"staticByID\", {\n description: \"Made with Pulumi\",\n type: \"staticByID\",\n hostIds: [\n \"123123\",\n \"124124\",\n ],\n});\nexport const hostGroup = dynamic;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\ndynamic = crowdstrike.HostGroup(\"dynamic\",\n assignment_rule=\"tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\",\n description=\"Made with Pulumi\",\n type=\"dynamic\")\nstatic = crowdstrike.HostGroup(\"static\",\n description=\"Made with Pulumi\",\n type=\"staticByID\",\n host_ids=[\n \"host1\",\n \"host2\",\n ])\nstatic_by_id = crowdstrike.HostGroup(\"staticByID\",\n description=\"Made with Pulumi\",\n type=\"staticByID\",\n host_ids=[\n \"123123\",\n \"124124\",\n ])\npulumi.export(\"hostGroup\", dynamic)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var @dynamic = new Crowdstrike.HostGroup(\"dynamic\", new()\n {\n AssignmentRule = \"tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\",\n Description = \"Made with Pulumi\",\n Type = \"dynamic\",\n });\n\n var @static = new Crowdstrike.HostGroup(\"static\", new()\n {\n Description = \"Made with Pulumi\",\n Type = \"staticByID\",\n HostIds = new[]\n {\n \"host1\",\n \"host2\",\n },\n });\n\n var staticByID = new Crowdstrike.HostGroup(\"staticByID\", new()\n {\n Description = \"Made with Pulumi\",\n Type = \"staticByID\",\n HostIds = new[]\n {\n \"123123\",\n \"124124\",\n },\n });\n\n return new Dictionary\n {\n [\"hostGroup\"] = @dynamic,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tdynamic, err := crowdstrike.NewHostGroup(ctx, \"dynamic\", &crowdstrike.HostGroupArgs{\n\t\t\tAssignmentRule: pulumi.String(\"tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\"),\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tType: pulumi.String(\"dynamic\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = crowdstrike.NewHostGroup(ctx, \"static\", &crowdstrike.HostGroupArgs{\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tType: pulumi.String(\"staticByID\"),\n\t\t\tHostIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"host1\"),\n\t\t\t\tpulumi.String(\"host2\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = crowdstrike.NewHostGroup(ctx, \"staticByID\", &crowdstrike.HostGroupArgs{\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tType: pulumi.String(\"staticByID\"),\n\t\t\tHostIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"123123\"),\n\t\t\t\tpulumi.String(\"124124\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"hostGroup\", dynamic)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.HostGroup;\nimport com.crowdstrike.crowdstrike.HostGroupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var dynamic = new HostGroup(\"dynamic\", HostGroupArgs.builder()\n .assignmentRule(\"tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\")\n .description(\"Made with Pulumi\")\n .type(\"dynamic\")\n .build());\n\n var static_ = new HostGroup(\"static\", HostGroupArgs.builder()\n .description(\"Made with Pulumi\")\n .type(\"staticByID\")\n .hostIds( \n \"host1\",\n \"host2\")\n .build());\n\n var staticByID = new HostGroup(\"staticByID\", HostGroupArgs.builder()\n .description(\"Made with Pulumi\")\n .type(\"staticByID\")\n .hostIds( \n \"123123\",\n \"124124\")\n .build());\n\n ctx.export(\"hostGroup\", dynamic);\n }\n}\n```\n```yaml\nresources:\n dynamic:\n type: crowdstrike:HostGroup\n properties:\n assignmentRule: tags:'SensorGroupingTags/molecule'+os_version:'Debian GNU 11'\n description: Made with Pulumi\n type: dynamic\n static:\n type: crowdstrike:HostGroup\n properties:\n description: Made with Pulumi\n type: staticByID\n hostIds:\n - host1\n - host2\n staticByID:\n type: crowdstrike:HostGroup\n properties:\n description: Made with Pulumi\n type: staticByID\n hostIds:\n - '123123'\n - '124124'\noutputs:\n hostGroup: ${dynamic}\n```\n\n\n## Import\n\nhost group can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/hostGroup:HostGroup example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "assignmentRule": { "type": "string", "description": "The assignment rule for dynamic host groups.\n" }, "description": { "type": "string", "description": "Description of the host group.\n" }, "hostIds": { "type": "array", "items": { "type": "string" }, "description": "List of host ids to add to a staticByID host group.\n" }, "hostnames": { "type": "array", "items": { "type": "string" }, "description": "List of hostnames to add to a static host group.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the host group.\n" }, "type": { "type": "string", "description": "The host group type, case sensitive. (dynamic, static, staticByID)\n" } }, "type": "object", "required": [ "description", "lastUpdated", "name", "type" ], "inputProperties": { "assignmentRule": { "type": "string", "description": "The assignment rule for dynamic host groups.\n" }, "description": { "type": "string", "description": "Description of the host group.\n" }, "hostIds": { "type": "array", "items": { "type": "string" }, "description": "List of host ids to add to a staticByID host group.\n" }, "hostnames": { "type": "array", "items": { "type": "string" }, "description": "List of hostnames to add to a static host group.\n" }, "name": { "type": "string", "description": "Name of the host group.\n" }, "type": { "type": "string", "description": "The host group type, case sensitive. (dynamic, static, staticByID)\n" } }, "requiredInputs": [ "description", "type" ], "stateInputs": { "description": "Input properties used for looking up and filtering HostGroup resources.\n", "properties": { "assignmentRule": { "type": "string", "description": "The assignment rule for dynamic host groups.\n" }, "description": { "type": "string", "description": "Description of the host group.\n" }, "hostIds": { "type": "array", "items": { "type": "string" }, "description": "List of host ids to add to a staticByID host group.\n" }, "hostnames": { "type": "array", "items": { "type": "string" }, "description": "List of hostnames to add to a static host group.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the host group.\n" }, "type": { "type": "string", "description": "The host group type, case sensitive. (dynamic, static, staticByID)\n" } }, "type": "object" } }, "crowdstrike:index/preventionPolicyAttachment:PreventionPolicyAttachment": { "description": "This resource allows managing the host groups and ioa rule groups attached to a prevention policy. This resource takes exclusive ownership over the host groups and ioa rule groups assigned to a prevention policy. If you want to fully create or manage a prevention policy please use the `prevention_policy_*` resource for the platform you want to manage.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.PreventionPolicyAttachment(\"example\", {\n idProperty: \"16c0eecfeebb47ce95185fda2e5b3112\",\n hostGroups: [\"df868c936cd443e5a95b2603e2483602\"],\n ioaRuleGroups: [\"507117bc669d41bb93d0a009f557bb23\"],\n});\nexport const preventionPolicyAttachment = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.PreventionPolicyAttachment(\"example\",\n id_property=\"16c0eecfeebb47ce95185fda2e5b3112\",\n host_groups=[\"df868c936cd443e5a95b2603e2483602\"],\n ioa_rule_groups=[\"507117bc669d41bb93d0a009f557bb23\"])\npulumi.export(\"preventionPolicyAttachment\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.PreventionPolicyAttachment(\"example\", new()\n {\n IdProperty = \"16c0eecfeebb47ce95185fda2e5b3112\",\n HostGroups = new[]\n {\n \"df868c936cd443e5a95b2603e2483602\",\n },\n IoaRuleGroups = new[]\n {\n \"507117bc669d41bb93d0a009f557bb23\",\n },\n });\n\n return new Dictionary\n {\n [\"preventionPolicyAttachment\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewPreventionPolicyAttachment(ctx, \"example\", &crowdstrike.PreventionPolicyAttachmentArgs{\n\t\t\tIdProperty: pulumi.String(\"16c0eecfeebb47ce95185fda2e5b3112\"),\n\t\t\tHostGroups: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"df868c936cd443e5a95b2603e2483602\"),\n\t\t\t},\n\t\t\tIoaRuleGroups: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"507117bc669d41bb93d0a009f557bb23\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"preventionPolicyAttachment\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.PreventionPolicyAttachment;\nimport com.crowdstrike.crowdstrike.PreventionPolicyAttachmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new PreventionPolicyAttachment(\"example\", PreventionPolicyAttachmentArgs.builder()\n .idProperty(\"16c0eecfeebb47ce95185fda2e5b3112\")\n .hostGroups(\"df868c936cd443e5a95b2603e2483602\")\n .ioaRuleGroups(\"507117bc669d41bb93d0a009f557bb23\")\n .build());\n\n ctx.export(\"preventionPolicyAttachment\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:PreventionPolicyAttachment\n properties:\n idProperty: 16c0eecfeebb47ce95185fda2e5b3112\n hostGroups:\n - df868c936cd443e5a95b2603e2483602\n ioaRuleGroups:\n - 507117bc669d41bb93d0a009f557bb23\noutputs:\n preventionPolicyAttachment: ${example}\n```\n\n\n## Import\n\nPrevention Policy Attachment can be imported by specifying the id.\n\n```sh\n$ pulumi import crowdstrike:index/preventionPolicyAttachment:PreventionPolicyAttachment example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "idProperty": { "type": "string", "description": "The prevention policy id you want to attach to.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" } }, "type": "object", "required": [ "idProperty", "lastUpdated" ], "inputProperties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "idProperty": { "type": "string", "description": "The prevention policy id you want to attach to.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" } }, "requiredInputs": [ "idProperty" ], "stateInputs": { "description": "Input properties used for looking up and filtering PreventionPolicyAttachment resources.\n", "properties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "idProperty": { "type": "string", "description": "The prevention policy id you want to attach to.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" } }, "type": "object" } }, "crowdstrike:index/preventionPolicyLinux:PreventionPolicyLinux": { "description": "This resource allows you to manage prevention policies for Linux hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.PreventionPolicyLinux(\"example\", {\n enabled: true,\n description: \"Made with Pulumi\",\n hostGroups: [],\n ioaRuleGroups: [],\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n quarantine: true,\n customBlocking: true,\n preventSuspiciousProcesses: true,\n scriptBasedExecutionMonitoring: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n driftPrevention: true,\n emailProtocolVisibility: true,\n filesystemVisibility: true,\n ftpVisibility: true,\n httpVisibility: true,\n networkVisibility: true,\n tlsVisibility: true,\n sensorTamperingProtection: true,\n onWriteScriptFileVisibility: true,\n memoryVisibility: true,\n extendedCommandLineVisibility: true,\n});\nexport const preventionPolicyLinux = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.PreventionPolicyLinux(\"example\",\n enabled=True,\n description=\"Made with Pulumi\",\n host_groups=[],\n ioa_rule_groups=[],\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n quarantine=True,\n custom_blocking=True,\n prevent_suspicious_processes=True,\n script_based_execution_monitoring=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n drift_prevention=True,\n email_protocol_visibility=True,\n filesystem_visibility=True,\n ftp_visibility=True,\n http_visibility=True,\n network_visibility=True,\n tls_visibility=True,\n sensor_tampering_protection=True,\n on_write_script_file_visibility=True,\n memory_visibility=True,\n extended_command_line_visibility=True)\npulumi.export(\"preventionPolicyLinux\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.PreventionPolicyLinux(\"example\", new()\n {\n Enabled = true,\n Description = \"Made with Pulumi\",\n HostGroups = new[] {},\n IoaRuleGroups = new[] {},\n CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyLinuxCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyLinuxSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n Quarantine = true,\n CustomBlocking = true,\n PreventSuspiciousProcesses = true,\n ScriptBasedExecutionMonitoring = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n DriftPrevention = true,\n EmailProtocolVisibility = true,\n FilesystemVisibility = true,\n FtpVisibility = true,\n HttpVisibility = true,\n NetworkVisibility = true,\n TlsVisibility = true,\n SensorTamperingProtection = true,\n OnWriteScriptFileVisibility = true,\n MemoryVisibility = true,\n ExtendedCommandLineVisibility = true,\n });\n\n return new Dictionary\n {\n [\"preventionPolicyLinux\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewPreventionPolicyLinux(ctx, \"example\", &crowdstrike.PreventionPolicyLinuxArgs{\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tHostGroups: pulumi.StringArray{},\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tCloudAntiMalware: &crowdstrike.PreventionPolicyLinuxCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.PreventionPolicyLinuxSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tQuarantine: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tDriftPrevention: pulumi.Bool(true),\n\t\t\tEmailProtocolVisibility: pulumi.Bool(true),\n\t\t\tFilesystemVisibility: pulumi.Bool(true),\n\t\t\tFtpVisibility: pulumi.Bool(true),\n\t\t\tHttpVisibility: pulumi.Bool(true),\n\t\t\tNetworkVisibility: pulumi.Bool(true),\n\t\t\tTlsVisibility: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tOnWriteScriptFileVisibility: pulumi.Bool(true),\n\t\t\tMemoryVisibility: pulumi.Bool(true),\n\t\t\tExtendedCommandLineVisibility: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"preventionPolicyLinux\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.PreventionPolicyLinux;\nimport com.crowdstrike.crowdstrike.PreventionPolicyLinuxArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyLinuxCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyLinuxSensorAntiMalwareArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new PreventionPolicyLinux(\"example\", PreventionPolicyLinuxArgs.builder()\n .enabled(true)\n .description(\"Made with Pulumi\")\n .hostGroups()\n .ioaRuleGroups()\n .cloudAntiMalware(PreventionPolicyLinuxCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(PreventionPolicyLinuxSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .quarantine(true)\n .customBlocking(true)\n .preventSuspiciousProcesses(true)\n .scriptBasedExecutionMonitoring(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .driftPrevention(true)\n .emailProtocolVisibility(true)\n .filesystemVisibility(true)\n .ftpVisibility(true)\n .httpVisibility(true)\n .networkVisibility(true)\n .tlsVisibility(true)\n .sensorTamperingProtection(true)\n .onWriteScriptFileVisibility(true)\n .memoryVisibility(true)\n .extendedCommandLineVisibility(true)\n .build());\n\n ctx.export(\"preventionPolicyLinux\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:PreventionPolicyLinux\n properties:\n enabled: true\n description: Made with Pulumi\n hostGroups: []\n ioaRuleGroups: []\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n quarantine: true\n customBlocking: true\n preventSuspiciousProcesses: true\n scriptBasedExecutionMonitoring: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n driftPrevention: true\n emailProtocolVisibility: true\n filesystemVisibility: true\n ftpVisibility: true\n httpVisibility: true\n networkVisibility: true\n tlsVisibility: true\n sensorTamperingProtection: true\n onWriteScriptFileVisibility: true\n memoryVisibility: true\n extendedCommandLineVisibility: true\noutputs:\n preventionPolicyLinux: ${example}\n```\n\n\n## Import\n\nprevention policy can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/preventionPolicyLinux:PreventionPolicyLinux example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxCloudAntiMalware:PreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxSensorAntiMalware:PreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "type": "object", "required": [ "cloudAntiMalware", "customBlocking", "driftPrevention", "emailProtocolVisibility", "enabled", "extendedCommandLineVisibility", "filesystemVisibility", "ftpVisibility", "hostGroups", "httpVisibility", "ioaRuleGroups", "lastUpdated", "memoryVisibility", "name", "networkVisibility", "onWriteScriptFileVisibility", "preventSuspiciousProcesses", "quarantine", "scriptBasedExecutionMonitoring", "sensorAntiMalware", "sensorTamperingProtection", "tlsVisibility", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables" ], "inputProperties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxCloudAntiMalware:PreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxSensorAntiMalware:PreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "requiredInputs": [ "hostGroups", "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering PreventionPolicyLinux resources.\n", "properties": { "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxCloudAntiMalware:PreventionPolicyLinuxCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "driftPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block new processes originating from files written in a container. This prevents a container from drifting from its immutable runtime state.\n" }, "emailProtocolVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor SMTP, IMAP, and POP3 traffic for malicious patterns and improved detections.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "extendedCommandLineVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor full CLI commands that include pipes and redirects. This is applicable only for User mode.\n" }, "filesystemVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor filesystem activity for additional telemetry and improved detections.\n" }, "ftpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted FTP traffic for malicious patterns and improved detections.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic for malicious patterns and improved detections.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "lastUpdated": { "type": "string" }, "memoryVisibility": { "type": "boolean", "description": "Whether to enable the setting. When enabled, the sensor will inspect memory-related operations: mmap, mprotect, ptrace and reading/writing remote process memory and produce events.\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "networkVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor network activity for additional telemetry and improved detections.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyLinuxSensorAntiMalware:PreventionPolicyLinuxSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Block attempts to tamper with the sensor by protecting critical components and resources. If disabled, the sensor still creates detections for tampering attempts but will not prevent the activity from occurring. Disabling is not recommended.\n" }, "tlsVisibility": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor TLS traffic for malicious patterns and improved detections.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" } }, "type": "object" } }, "crowdstrike:index/preventionPolicyMac:PreventionPolicyMac": { "description": "This resource allows you to manage prevention policies for Mac hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.PreventionPolicyMac(\"example\", {\n enabled: false,\n description: \"Made with Pulumi\",\n hostGroups: [],\n ioaRuleGroups: [],\n cloudAdwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAdwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n notifyEndUsers: true,\n customBlocking: true,\n detectOnWrite: true,\n intelligenceSourcedThreats: true,\n preventSuspiciousProcesses: true,\n quarantine: true,\n quarantineOnWrite: true,\n scriptBasedExecutionMonitoring: true,\n sensorTamperingProtection: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n xpcomShell: true,\n kcPasswordDecoded: true,\n hashCollector: true,\n empyreBackdoor: true,\n chopperWebshell: true,\n});\nexport const preventionPolicyMac = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.PreventionPolicyMac(\"example\",\n enabled=False,\n description=\"Made with Pulumi\",\n host_groups=[],\n ioa_rule_groups=[],\n cloud_adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n notify_end_users=True,\n custom_blocking=True,\n detect_on_write=True,\n intelligence_sourced_threats=True,\n prevent_suspicious_processes=True,\n quarantine=True,\n quarantine_on_write=True,\n script_based_execution_monitoring=True,\n sensor_tampering_protection=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n xpcom_shell=True,\n kc_password_decoded=True,\n hash_collector=True,\n empyre_backdoor=True,\n chopper_webshell=True)\npulumi.export(\"preventionPolicyMac\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.PreventionPolicyMac(\"example\", new()\n {\n Enabled = false,\n Description = \"Made with Pulumi\",\n HostGroups = new[] {},\n IoaRuleGroups = new[] {},\n CloudAdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyMacCloudAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyMacCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyMacSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyMacSensorAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n NotifyEndUsers = true,\n CustomBlocking = true,\n DetectOnWrite = true,\n IntelligenceSourcedThreats = true,\n PreventSuspiciousProcesses = true,\n Quarantine = true,\n QuarantineOnWrite = true,\n ScriptBasedExecutionMonitoring = true,\n SensorTamperingProtection = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n XpcomShell = true,\n KcPasswordDecoded = true,\n HashCollector = true,\n EmpyreBackdoor = true,\n ChopperWebshell = true,\n });\n\n return new Dictionary\n {\n [\"preventionPolicyMac\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewPreventionPolicyMac(ctx, \"example\", &crowdstrike.PreventionPolicyMacArgs{\n\t\t\tEnabled: pulumi.Bool(false),\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tHostGroups: pulumi.StringArray{},\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tCloudAdwareAndPup: &crowdstrike.PreventionPolicyMacCloudAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalware: &crowdstrike.PreventionPolicyMacCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.PreventionPolicyMacSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAdwareAndPup: &crowdstrike.PreventionPolicyMacSensorAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tNotifyEndUsers: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tDetectOnWrite: pulumi.Bool(true),\n\t\t\tIntelligenceSourcedThreats: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tQuarantine: pulumi.Bool(true),\n\t\t\tQuarantineOnWrite: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tXpcomShell: pulumi.Bool(true),\n\t\t\tKcPasswordDecoded: pulumi.Bool(true),\n\t\t\tHashCollector: pulumi.Bool(true),\n\t\t\tEmpyreBackdoor: pulumi.Bool(true),\n\t\t\tChopperWebshell: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"preventionPolicyMac\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.PreventionPolicyMac;\nimport com.crowdstrike.crowdstrike.PreventionPolicyMacArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyMacCloudAdwareAndPupArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyMacCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyMacSensorAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyMacSensorAdwareAndPupArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new PreventionPolicyMac(\"example\", PreventionPolicyMacArgs.builder()\n .enabled(false)\n .description(\"Made with Pulumi\")\n .hostGroups()\n .ioaRuleGroups()\n .cloudAdwareAndPup(PreventionPolicyMacCloudAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalware(PreventionPolicyMacCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(PreventionPolicyMacSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAdwareAndPup(PreventionPolicyMacSensorAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .notifyEndUsers(true)\n .customBlocking(true)\n .detectOnWrite(true)\n .intelligenceSourcedThreats(true)\n .preventSuspiciousProcesses(true)\n .quarantine(true)\n .quarantineOnWrite(true)\n .scriptBasedExecutionMonitoring(true)\n .sensorTamperingProtection(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .xpcomShell(true)\n .kcPasswordDecoded(true)\n .hashCollector(true)\n .empyreBackdoor(true)\n .chopperWebshell(true)\n .build());\n\n ctx.export(\"preventionPolicyMac\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:PreventionPolicyMac\n properties:\n enabled: false\n description: Made with Pulumi\n hostGroups: []\n ioaRuleGroups: []\n cloudAdwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAdwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n notifyEndUsers: true\n customBlocking: true\n detectOnWrite: true\n intelligenceSourcedThreats: true\n preventSuspiciousProcesses: true\n quarantine: true\n quarantineOnWrite: true\n scriptBasedExecutionMonitoring: true\n sensorTamperingProtection: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n xpcomShell: true\n kcPasswordDecoded: true\n hashCollector: true\n empyreBackdoor: true\n chopperWebshell: true\noutputs:\n preventionPolicyMac: ${example}\n```\n\n\n## Import\n\nprevention policy can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/preventionPolicyMac:PreventionPolicyMac example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAdwareAndPup:PreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAntiMalware:PreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAdwareAndPup:PreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAntiMalware:PreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "type": "object", "required": [ "chopperWebshell", "cloudAdwareAndPup", "cloudAntiMalware", "customBlocking", "detectOnWrite", "empyreBackdoor", "enabled", "hashCollector", "hostGroups", "intelligenceSourcedThreats", "ioaRuleGroups", "kcPasswordDecoded", "lastUpdated", "name", "notifyEndUsers", "preventSuspiciousProcesses", "quarantine", "quarantineOnWrite", "scriptBasedExecutionMonitoring", "sensorAdwareAndPup", "sensorAntiMalware", "sensorTamperingProtection", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables", "xpcomShell" ], "inputProperties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAdwareAndPup:PreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAntiMalware:PreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAdwareAndPup:PreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAntiMalware:PreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "requiredInputs": [ "hostGroups", "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering PreventionPolicyMac resources.\n", "properties": { "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAdwareAndPup:PreventionPolicyMacCloudAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacCloudAntiMalware:PreventionPolicyMacCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "empyreBackdoor": { "type": "boolean", "description": "Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "hashCollector": { "type": "boolean", "description": "Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "kcPasswordDecoded": { "type": "boolean", "description": "Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantine": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.\n" }, "sensorAdwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAdwareAndPup:PreventionPolicyMacSensorAdwareAndPup", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP).\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyMacSensorAntiMalware:PreventionPolicyMacSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "xpcomShell": { "type": "boolean", "description": "Whether to enable the setting. The execution of an XPCOM shell was blocked.\n" } }, "type": "object" } }, "crowdstrike:index/preventionPolicyPrecedence:PreventionPolicyPrecedence": { "description": "This resource allows you set the precedence of Prevention Policies based on the order of IDs.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.PreventionPolicyPrecedence(\"example\", {\n ids: [\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n ],\n platformName: \"linux\",\n enforcement: \"dynamic\",\n});\nexport const preventionPolicyPrecedence = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.PreventionPolicyPrecedence(\"example\",\n ids=[\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n ],\n platform_name=\"linux\",\n enforcement=\"dynamic\")\npulumi.export(\"preventionPolicyPrecedence\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.PreventionPolicyPrecedence(\"example\", new()\n {\n Ids = new[]\n {\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n },\n PlatformName = \"linux\",\n Enforcement = \"dynamic\",\n });\n\n return new Dictionary\n {\n [\"preventionPolicyPrecedence\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewPreventionPolicyPrecedence(ctx, \"example\", &crowdstrike.PreventionPolicyPrecedenceArgs{\n\t\t\tIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\"),\n\t\t\t\tpulumi.String(\"2asia54xti93bg0jbr5hfpqqbhxbyeoa\"),\n\t\t\t\tpulumi.String(\"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\"),\n\t\t\t},\n\t\t\tPlatformName: pulumi.String(\"linux\"),\n\t\t\tEnforcement: pulumi.String(\"dynamic\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"preventionPolicyPrecedence\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.PreventionPolicyPrecedence;\nimport com.crowdstrike.crowdstrike.PreventionPolicyPrecedenceArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new PreventionPolicyPrecedence(\"example\", PreventionPolicyPrecedenceArgs.builder()\n .ids( \n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\")\n .platformName(\"linux\")\n .enforcement(\"dynamic\")\n .build());\n\n ctx.export(\"preventionPolicyPrecedence\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:PreventionPolicyPrecedence\n properties:\n ids:\n - a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\n - 2asia54xti93bg0jbr5hfpqqbhxbyeoa\n - xuzq8hs1uyc2s7zdar3fli0shiyl22vc\n platformName: linux\n enforcement: dynamic\noutputs:\n preventionPolicyPrecedence: ${example}\n```\n\n", "properties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default prevention policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "That platform of the prevention policies. (Windows, Mac, Linux)\n" } }, "type": "object", "required": [ "enforcement", "ids", "lastUpdated", "platformName" ], "inputProperties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default prevention policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "platformName": { "type": "string", "description": "That platform of the prevention policies. (Windows, Mac, Linux)\n" } }, "requiredInputs": [ "enforcement", "ids", "platformName" ], "stateInputs": { "description": "Input properties used for looking up and filtering PreventionPolicyPrecedence resources.\n", "properties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default prevention policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "That platform of the prevention policies. (Windows, Mac, Linux)\n" } }, "type": "object" } }, "crowdstrike:index/preventionPolicyWindows:PreventionPolicyWindows": { "description": "This resource allows you to manage prevention policies for Windows hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Prevention policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.PreventionPolicyWindows(\"example\", {\n enabled: true,\n description: \"Made with Pulumi\",\n hostGroups: [],\n ioaRuleGroups: [],\n adwareAndPup: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalwareMicrosoftOfficeFiles: {\n detection: \"MODERATE\",\n prevention: \"DISABLED\",\n },\n cloudAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n cloudAntiMalwareUserInitiated: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalware: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n sensorAntiMalwareUserInitiated: {\n detection: \"MODERATE\",\n prevention: \"CAUTIOUS\",\n },\n extendedUserModeData: {\n detection: \"MODERATE\",\n },\n usbInsertionTriggeredScan: true,\n applicationExploitationActivity: true,\n additionalUserModeData: true,\n notifyEndUsers: true,\n advancedRemediation: true,\n backupDeletion: true,\n biosDeepVisibility: true,\n chopperWebshell: true,\n codeInjection: true,\n credentialDumping: true,\n cryptowall: true,\n customBlocking: true,\n detectOnWrite: true,\n driveByDownload: true,\n driverLoadPrevention: true,\n interpreterOnly: true,\n engineFullVisibility: true,\n enhancedExploitationVisibility: true,\n enhancedDllLoadVisibility: true,\n enhancedMlForLargerFiles: true,\n fileEncryption: true,\n fileSystemAccess: true,\n forceAslr: true,\n forceDep: true,\n heapSprayPreallocation: true,\n nullPageAllocation: true,\n sehOverwriteProtection: true,\n hardwareEnhancedExploitDetection: true,\n httpDetections: true,\n redactHttpDetectionDetails: true,\n intelligenceSourcedThreats: true,\n javascriptViaRundll32: true,\n locky: true,\n memoryScanning: true,\n memoryScanningScanWithCpu: true,\n microsoftOfficeFileSuspiciousMacroRemoval: true,\n onWriteScriptFileVisibility: true,\n preventSuspiciousProcesses: true,\n quarantineAndSecurityCenterRegistration: true,\n quarantineOnRemovableMedia: true,\n quarantineOnWrite: true,\n scriptBasedExecutionMonitoring: true,\n sensorTamperingProtection: true,\n suspiciousRegistryOperations: true,\n suspiciousScriptsAndCommands: true,\n uploadUnknownExecutables: true,\n uploadUnknownDetectionRelatedExecutables: true,\n volumeShadowCopyAudit: true,\n volumeShadowCopyProtect: true,\n vulnerableDriverProtection: true,\n windowsLogonBypassStickyKeys: true,\n fileSystemContainment: true,\n});\nexport const preventionPolicyWindows = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.PreventionPolicyWindows(\"example\",\n enabled=True,\n description=\"Made with Pulumi\",\n host_groups=[],\n ioa_rule_groups=[],\n adware_and_pup={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware_microsoft_office_files={\n \"detection\": \"MODERATE\",\n \"prevention\": \"DISABLED\",\n },\n cloud_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n cloud_anti_malware_user_initiated={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n sensor_anti_malware_user_initiated={\n \"detection\": \"MODERATE\",\n \"prevention\": \"CAUTIOUS\",\n },\n extended_user_mode_data={\n \"detection\": \"MODERATE\",\n },\n usb_insertion_triggered_scan=True,\n application_exploitation_activity=True,\n additional_user_mode_data=True,\n notify_end_users=True,\n advanced_remediation=True,\n backup_deletion=True,\n bios_deep_visibility=True,\n chopper_webshell=True,\n code_injection=True,\n credential_dumping=True,\n cryptowall=True,\n custom_blocking=True,\n detect_on_write=True,\n drive_by_download=True,\n driver_load_prevention=True,\n interpreter_only=True,\n engine_full_visibility=True,\n enhanced_exploitation_visibility=True,\n enhanced_dll_load_visibility=True,\n enhanced_ml_for_larger_files=True,\n file_encryption=True,\n file_system_access=True,\n force_aslr=True,\n force_dep=True,\n heap_spray_preallocation=True,\n null_page_allocation=True,\n seh_overwrite_protection=True,\n hardware_enhanced_exploit_detection=True,\n http_detections=True,\n redact_http_detection_details=True,\n intelligence_sourced_threats=True,\n javascript_via_rundll32=True,\n locky=True,\n memory_scanning=True,\n memory_scanning_scan_with_cpu=True,\n microsoft_office_file_suspicious_macro_removal=True,\n on_write_script_file_visibility=True,\n prevent_suspicious_processes=True,\n quarantine_and_security_center_registration=True,\n quarantine_on_removable_media=True,\n quarantine_on_write=True,\n script_based_execution_monitoring=True,\n sensor_tampering_protection=True,\n suspicious_registry_operations=True,\n suspicious_scripts_and_commands=True,\n upload_unknown_executables=True,\n upload_unknown_detection_related_executables=True,\n volume_shadow_copy_audit=True,\n volume_shadow_copy_protect=True,\n vulnerable_driver_protection=True,\n windows_logon_bypass_sticky_keys=True,\n file_system_containment=True)\npulumi.export(\"preventionPolicyWindows\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.PreventionPolicyWindows(\"example\", new()\n {\n Enabled = true,\n Description = \"Made with Pulumi\",\n HostGroups = new[] {},\n IoaRuleGroups = new[] {},\n AdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPupArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"DISABLED\",\n },\n CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs\n {\n Detection = \"MODERATE\",\n Prevention = \"CAUTIOUS\",\n },\n ExtendedUserModeData = new Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeDataArgs\n {\n Detection = \"MODERATE\",\n },\n UsbInsertionTriggeredScan = true,\n ApplicationExploitationActivity = true,\n AdditionalUserModeData = true,\n NotifyEndUsers = true,\n AdvancedRemediation = true,\n BackupDeletion = true,\n BiosDeepVisibility = true,\n ChopperWebshell = true,\n CodeInjection = true,\n CredentialDumping = true,\n Cryptowall = true,\n CustomBlocking = true,\n DetectOnWrite = true,\n DriveByDownload = true,\n DriverLoadPrevention = true,\n InterpreterOnly = true,\n EngineFullVisibility = true,\n EnhancedExploitationVisibility = true,\n EnhancedDllLoadVisibility = true,\n EnhancedMlForLargerFiles = true,\n FileEncryption = true,\n FileSystemAccess = true,\n ForceAslr = true,\n ForceDep = true,\n HeapSprayPreallocation = true,\n NullPageAllocation = true,\n SehOverwriteProtection = true,\n HardwareEnhancedExploitDetection = true,\n HttpDetections = true,\n RedactHttpDetectionDetails = true,\n IntelligenceSourcedThreats = true,\n JavascriptViaRundll32 = true,\n Locky = true,\n MemoryScanning = true,\n MemoryScanningScanWithCpu = true,\n MicrosoftOfficeFileSuspiciousMacroRemoval = true,\n OnWriteScriptFileVisibility = true,\n PreventSuspiciousProcesses = true,\n QuarantineAndSecurityCenterRegistration = true,\n QuarantineOnRemovableMedia = true,\n QuarantineOnWrite = true,\n ScriptBasedExecutionMonitoring = true,\n SensorTamperingProtection = true,\n SuspiciousRegistryOperations = true,\n SuspiciousScriptsAndCommands = true,\n UploadUnknownExecutables = true,\n UploadUnknownDetectionRelatedExecutables = true,\n VolumeShadowCopyAudit = true,\n VolumeShadowCopyProtect = true,\n VulnerableDriverProtection = true,\n WindowsLogonBypassStickyKeys = true,\n FileSystemContainment = true,\n });\n\n return new Dictionary\n {\n [\"preventionPolicyWindows\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewPreventionPolicyWindows(ctx, \"example\", &crowdstrike.PreventionPolicyWindowsArgs{\n\t\t\tEnabled: pulumi.Bool(true),\n\t\t\tDescription: pulumi.String(\"Made with Pulumi\"),\n\t\t\tHostGroups: pulumi.StringArray{},\n\t\t\tIoaRuleGroups: pulumi.StringArray{},\n\t\t\tAdwareAndPup: &crowdstrike.PreventionPolicyWindowsAdwareAndPupArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"DISABLED\"),\n\t\t\t},\n\t\t\tCloudAntiMalware: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tCloudAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalware: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tSensorAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t\tPrevention: pulumi.String(\"CAUTIOUS\"),\n\t\t\t},\n\t\t\tExtendedUserModeData: &crowdstrike.PreventionPolicyWindowsExtendedUserModeDataArgs{\n\t\t\t\tDetection: pulumi.String(\"MODERATE\"),\n\t\t\t},\n\t\t\tUsbInsertionTriggeredScan: pulumi.Bool(true),\n\t\t\tApplicationExploitationActivity: pulumi.Bool(true),\n\t\t\tAdditionalUserModeData: pulumi.Bool(true),\n\t\t\tNotifyEndUsers: pulumi.Bool(true),\n\t\t\tAdvancedRemediation: pulumi.Bool(true),\n\t\t\tBackupDeletion: pulumi.Bool(true),\n\t\t\tBiosDeepVisibility: pulumi.Bool(true),\n\t\t\tChopperWebshell: pulumi.Bool(true),\n\t\t\tCodeInjection: pulumi.Bool(true),\n\t\t\tCredentialDumping: pulumi.Bool(true),\n\t\t\tCryptowall: pulumi.Bool(true),\n\t\t\tCustomBlocking: pulumi.Bool(true),\n\t\t\tDetectOnWrite: pulumi.Bool(true),\n\t\t\tDriveByDownload: pulumi.Bool(true),\n\t\t\tDriverLoadPrevention: pulumi.Bool(true),\n\t\t\tInterpreterOnly: pulumi.Bool(true),\n\t\t\tEngineFullVisibility: pulumi.Bool(true),\n\t\t\tEnhancedExploitationVisibility: pulumi.Bool(true),\n\t\t\tEnhancedDllLoadVisibility: pulumi.Bool(true),\n\t\t\tEnhancedMlForLargerFiles: pulumi.Bool(true),\n\t\t\tFileEncryption: pulumi.Bool(true),\n\t\t\tFileSystemAccess: pulumi.Bool(true),\n\t\t\tForceAslr: pulumi.Bool(true),\n\t\t\tForceDep: pulumi.Bool(true),\n\t\t\tHeapSprayPreallocation: pulumi.Bool(true),\n\t\t\tNullPageAllocation: pulumi.Bool(true),\n\t\t\tSehOverwriteProtection: pulumi.Bool(true),\n\t\t\tHardwareEnhancedExploitDetection: pulumi.Bool(true),\n\t\t\tHttpDetections: pulumi.Bool(true),\n\t\t\tRedactHttpDetectionDetails: pulumi.Bool(true),\n\t\t\tIntelligenceSourcedThreats: pulumi.Bool(true),\n\t\t\tJavascriptViaRundll32: pulumi.Bool(true),\n\t\t\tLocky: pulumi.Bool(true),\n\t\t\tMemoryScanning: pulumi.Bool(true),\n\t\t\tMemoryScanningScanWithCpu: pulumi.Bool(true),\n\t\t\tMicrosoftOfficeFileSuspiciousMacroRemoval: pulumi.Bool(true),\n\t\t\tOnWriteScriptFileVisibility: pulumi.Bool(true),\n\t\t\tPreventSuspiciousProcesses: pulumi.Bool(true),\n\t\t\tQuarantineAndSecurityCenterRegistration: pulumi.Bool(true),\n\t\t\tQuarantineOnRemovableMedia: pulumi.Bool(true),\n\t\t\tQuarantineOnWrite: pulumi.Bool(true),\n\t\t\tScriptBasedExecutionMonitoring: pulumi.Bool(true),\n\t\t\tSensorTamperingProtection: pulumi.Bool(true),\n\t\t\tSuspiciousRegistryOperations: pulumi.Bool(true),\n\t\t\tSuspiciousScriptsAndCommands: pulumi.Bool(true),\n\t\t\tUploadUnknownExecutables: pulumi.Bool(true),\n\t\t\tUploadUnknownDetectionRelatedExecutables: pulumi.Bool(true),\n\t\t\tVolumeShadowCopyAudit: pulumi.Bool(true),\n\t\t\tVolumeShadowCopyProtect: pulumi.Bool(true),\n\t\t\tVulnerableDriverProtection: pulumi.Bool(true),\n\t\t\tWindowsLogonBypassStickyKeys: pulumi.Bool(true),\n\t\t\tFileSystemContainment: pulumi.Bool(true),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"preventionPolicyWindows\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.PreventionPolicyWindows;\nimport com.crowdstrike.crowdstrike.PreventionPolicyWindowsArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsAdwareAndPupArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs;\nimport com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsExtendedUserModeDataArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new PreventionPolicyWindows(\"example\", PreventionPolicyWindowsArgs.builder()\n .enabled(true)\n .description(\"Made with Pulumi\")\n .hostGroups()\n .ioaRuleGroups()\n .adwareAndPup(PreventionPolicyWindowsAdwareAndPupArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalwareMicrosoftOfficeFiles(PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()\n .detection(\"MODERATE\")\n .prevention(\"DISABLED\")\n .build())\n .cloudAntiMalware(PreventionPolicyWindowsCloudAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .cloudAntiMalwareUserInitiated(PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalware(PreventionPolicyWindowsSensorAntiMalwareArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .sensorAntiMalwareUserInitiated(PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .extendedUserModeData(PreventionPolicyWindowsExtendedUserModeDataArgs.builder()\n%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression))\n .usbInsertionTriggeredScan(true)\n .applicationExploitationActivity(true)\n .additionalUserModeData(true)\n .notifyEndUsers(true)\n .advancedRemediation(true)\n .backupDeletion(true)\n .biosDeepVisibility(true)\n .chopperWebshell(true)\n .codeInjection(true)\n .credentialDumping(true)\n .cryptowall(true)\n .customBlocking(true)\n .detectOnWrite(true)\n .driveByDownload(true)\n .driverLoadPrevention(true)\n .interpreterOnly(true)\n .engineFullVisibility(true)\n .enhancedExploitationVisibility(true)\n .enhancedDllLoadVisibility(true)\n .enhancedMlForLargerFiles(true)\n .fileEncryption(true)\n .fileSystemAccess(true)\n .forceAslr(true)\n .forceDep(true)\n .heapSprayPreallocation(true)\n .nullPageAllocation(true)\n .sehOverwriteProtection(true)\n .hardwareEnhancedExploitDetection(true)\n .httpDetections(true)\n .redactHttpDetectionDetails(true)\n .intelligenceSourcedThreats(true)\n .javascriptViaRundll32(true)\n .locky(true)\n .memoryScanning(true)\n .memoryScanningScanWithCpu(true)\n .microsoftOfficeFileSuspiciousMacroRemoval(true)\n .onWriteScriptFileVisibility(true)\n .preventSuspiciousProcesses(true)\n .quarantineAndSecurityCenterRegistration(true)\n .quarantineOnRemovableMedia(true)\n .quarantineOnWrite(true)\n .scriptBasedExecutionMonitoring(true)\n .sensorTamperingProtection(true)\n .suspiciousRegistryOperations(true)\n .suspiciousScriptsAndCommands(true)\n .uploadUnknownExecutables(true)\n .uploadUnknownDetectionRelatedExecutables(true)\n .volumeShadowCopyAudit(true)\n .volumeShadowCopyProtect(true)\n .vulnerableDriverProtection(true)\n .windowsLogonBypassStickyKeys(true)\n .fileSystemContainment(true)\n .build());\n\n ctx.export(\"preventionPolicyWindows\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:PreventionPolicyWindows\n properties:\n enabled: true\n description: Made with Pulumi\n hostGroups: []\n ioaRuleGroups: []\n adwareAndPup:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalwareMicrosoftOfficeFiles:\n detection: MODERATE\n prevention: DISABLED\n cloudAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n cloudAntiMalwareUserInitiated:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalware:\n detection: MODERATE\n prevention: CAUTIOUS\n sensorAntiMalwareUserInitiated:\n detection: MODERATE\n prevention: CAUTIOUS\n extendedUserModeData:\n detection: MODERATE\n usbInsertionTriggeredScan: true\n applicationExploitationActivity: true\n additionalUserModeData: true\n notifyEndUsers: true\n advancedRemediation: true\n backupDeletion: true\n biosDeepVisibility: true\n chopperWebshell: true\n codeInjection: true\n credentialDumping: true\n cryptowall: true\n customBlocking: true\n detectOnWrite: true\n driveByDownload: true\n driverLoadPrevention: true\n interpreterOnly: true\n engineFullVisibility: true\n enhancedExploitationVisibility: true\n enhancedDllLoadVisibility: true\n enhancedMlForLargerFiles: true\n fileEncryption: true\n fileSystemAccess: true\n forceAslr: true\n forceDep: true\n heapSprayPreallocation: true\n nullPageAllocation: true\n sehOverwriteProtection: true\n hardwareEnhancedExploitDetection: true\n httpDetections: true\n redactHttpDetectionDetails: true\n intelligenceSourcedThreats: true\n javascriptViaRundll32: true\n locky: true\n memoryScanning: true\n memoryScanningScanWithCpu: true\n microsoftOfficeFileSuspiciousMacroRemoval: true\n onWriteScriptFileVisibility: true\n preventSuspiciousProcesses: true\n quarantineAndSecurityCenterRegistration: true\n quarantineOnRemovableMedia: true\n quarantineOnWrite: true\n scriptBasedExecutionMonitoring: true\n sensorTamperingProtection: true\n suspiciousRegistryOperations: true\n suspiciousScriptsAndCommands: true\n uploadUnknownExecutables: true\n uploadUnknownDetectionRelatedExecutables: true\n volumeShadowCopyAudit: true\n volumeShadowCopyProtect: true\n vulnerableDriverProtection: true\n windowsLogonBypassStickyKeys: true\n fileSystemContainment: true\noutputs:\n preventionPolicyWindows: ${example}\n```\n\n\n## Import\n\nprevention policy can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/preventionPolicyWindows:PreventionPolicyWindows example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsAdwareAndPup:PreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalware:PreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareUserInitiated:PreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsExtendedUserModeData:PreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "lastUpdated": { "type": "string" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalware:PreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalwareUserInitiated:PreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "type": "object", "required": [ "additionalUserModeData", "advancedRemediation", "adwareAndPup", "applicationExploitationActivity", "backupDeletion", "biosDeepVisibility", "chopperWebshell", "cloudAntiMalware", "cloudAntiMalwareMicrosoftOfficeFiles", "cloudAntiMalwareUserInitiated", "codeInjection", "credentialDumping", "cryptowall", "customBlocking", "detectOnWrite", "driveByDownload", "driverLoadPrevention", "enabled", "engineFullVisibility", "enhancedDllLoadVisibility", "enhancedExploitationVisibility", "enhancedMlForLargerFiles", "extendedUserModeData", "fileEncryption", "fileSystemAccess", "fileSystemContainment", "forceAslr", "forceDep", "hardwareEnhancedExploitDetection", "heapSprayPreallocation", "hostGroups", "httpDetections", "intelligenceSourcedThreats", "interpreterOnly", "ioaRuleGroups", "javascriptViaRundll32", "lastUpdated", "locky", "memoryScanning", "memoryScanningScanWithCpu", "microsoftOfficeFileSuspiciousMacroRemoval", "name", "notifyEndUsers", "nullPageAllocation", "onWriteScriptFileVisibility", "preventSuspiciousProcesses", "quarantineAndSecurityCenterRegistration", "quarantineOnRemovableMedia", "quarantineOnWrite", "redactHttpDetectionDetails", "scriptBasedExecutionMonitoring", "sehOverwriteProtection", "sensorAntiMalware", "sensorAntiMalwareUserInitiated", "sensorTamperingProtection", "suspiciousRegistryOperations", "suspiciousScriptsAndCommands", "uploadUnknownDetectionRelatedExecutables", "uploadUnknownExecutables", "usbInsertionTriggeredScan", "volumeShadowCopyAudit", "volumeShadowCopyProtect", "vulnerableDriverProtection", "windowsLogonBypassStickyKeys" ], "inputProperties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsAdwareAndPup:PreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalware:PreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareUserInitiated:PreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsExtendedUserModeData:PreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalware:PreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalwareUserInitiated:PreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "requiredInputs": [ "hostGroups", "ioaRuleGroups" ], "stateInputs": { "description": "Input properties used for looking up and filtering PreventionPolicyWindows resources.\n", "properties": { "additionalUserModeData": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "advancedRemediation": { "type": "boolean", "description": "Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.\n" }, "adwareAndPup": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsAdwareAndPup:PreventionPolicyWindowsAdwareAndPup", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.\n" }, "applicationExploitationActivity": { "type": "boolean", "description": "Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.\n" }, "backupDeletion": { "type": "boolean", "description": "Whether to enable the setting. Deletion of backups often indicative of ransomware activity.\n" }, "biosDeepVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.\n" }, "chopperWebshell": { "type": "boolean", "description": "Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.\n" }, "cloudAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalware:PreventionPolicyWindowsCloudAntiMalware", "description": "Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.\n" }, "cloudAntiMalwareMicrosoftOfficeFiles": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles:PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles", "description": "Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "cloudAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsCloudAntiMalwareUserInitiated:PreventionPolicyWindowsCloudAntiMalwareUserInitiated", "description": "For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.\n" }, "codeInjection": { "type": "boolean", "description": "Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional*user*mode_data to be enabled.\n" }, "credentialDumping": { "type": "boolean", "description": "Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional*user*mode_data to be enabled.\n" }, "cryptowall": { "type": "boolean", "description": "Whether to enable the setting. A process associated with Cryptowall was blocked.\n" }, "customBlocking": { "type": "boolean", "description": "Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to \"Block\" or \"Block, hide detection\".\n" }, "description": { "type": "string", "description": "Description of the prevention policy.\n" }, "detectOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "driveByDownload": { "type": "boolean", "description": "Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.\n" }, "driverLoadPrevention": { "type": "boolean", "description": "Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.\n" }, "enabled": { "type": "boolean", "description": "Enable the prevention policy.\n" }, "engineFullVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.\n" }, "enhancedDllLoadVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.\n" }, "enhancedExploitationVisibility": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.\n" }, "enhancedMlForLargerFiles": { "type": "boolean", "description": "Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.\n" }, "extendedUserModeData": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsExtendedUserModeData:PreventionPolicyWindowsExtendedUserModeData", "description": "Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.\n" }, "fileEncryption": { "type": "boolean", "description": "Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.\n" }, "fileSystemAccess": { "type": "boolean", "description": "Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.\n" }, "fileSystemContainment": { "type": "boolean", "description": "Whether to enable the setting. File System Containment will be enabled, this will allow prevention capabilities to automatically contain file system activity. When disabled each user under active containment will be released and the File System Containment will enter a disabled mode\n" }, "forceAslr": { "type": "boolean", "description": "Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "forceDep": { "type": "boolean", "description": "Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional*user*mode_data to be enabled.\n" }, "hardwareEnhancedExploitDetection": { "type": "boolean", "description": "Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.\n" }, "heapSprayPreallocation": { "type": "boolean", "description": "Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the prevention policy.\n" }, "httpDetections": { "type": "boolean", "description": "Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.\n" }, "intelligenceSourcedThreats": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.\n" }, "interpreterOnly": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.\n" }, "ioaRuleGroups": { "type": "array", "items": { "type": "string" }, "description": "IOA Rule Group to attach to the prevention policy.\n" }, "javascriptViaRundll32": { "type": "boolean", "description": "Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.\n" }, "lastUpdated": { "type": "string" }, "locky": { "type": "boolean", "description": "Whether to enable the setting. A process determined to be associated with Locky was blocked.\n" }, "memoryScanning": { "type": "boolean", "description": "Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.\n" }, "memoryScanningScanWithCpu": { "type": "boolean", "description": "Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.\n" }, "microsoftOfficeFileSuspiciousMacroRemoval": { "type": "boolean", "description": "Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host\n" }, "name": { "type": "string", "description": "Name of the prevention policy.\n" }, "notifyEndUsers": { "type": "boolean", "description": "Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.\n" }, "nullPageAllocation": { "type": "boolean", "description": "Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "onWriteScriptFileVisibility": { "type": "boolean", "description": "Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.\n" }, "preventSuspiciousProcesses": { "type": "boolean", "description": "Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.\n" }, "quarantineAndSecurityCenterRegistration": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.\n" }, "quarantineOnRemovableMedia": { "type": "boolean", "description": "Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.\n" }, "quarantineOnWrite": { "type": "boolean", "description": "Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.\n" }, "redactHttpDetectionDetails": { "type": "boolean", "description": "Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.\n" }, "scriptBasedExecutionMonitoring": { "type": "boolean", "description": "Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.\n" }, "sehOverwriteProtection": { "type": "boolean", "description": "Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional*user*mode_data to be enabled.\n" }, "sensorAntiMalware": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalware:PreventionPolicyWindowsSensorAntiMalware", "description": "For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.\n" }, "sensorAntiMalwareUserInitiated": { "$ref": "#/types/crowdstrike:index%2FPreventionPolicyWindowsSensorAntiMalwareUserInitiated:PreventionPolicyWindowsSensorAntiMalwareUserInitiated", "description": "For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.\n" }, "sensorTamperingProtection": { "type": "boolean", "description": "Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.\n" }, "suspiciousRegistryOperations": { "type": "boolean", "description": "Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.\n" }, "suspiciousScriptsAndCommands": { "type": "boolean", "description": "Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.\n" }, "uploadUnknownDetectionRelatedExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.\n" }, "uploadUnknownExecutables": { "type": "boolean", "description": "Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.\n" }, "usbInsertionTriggeredScan": { "type": "boolean", "description": "Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.\n" }, "volumeShadowCopyAudit": { "type": "boolean", "description": "Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.\n" }, "volumeShadowCopyProtect": { "type": "boolean", "description": "Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume*shadow*copy_audit.\n" }, "vulnerableDriverProtection": { "type": "boolean", "description": "Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver*load*prevention.\n" }, "windowsLogonBypassStickyKeys": { "type": "boolean", "description": "Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.\n" } }, "type": "object" } }, "crowdstrike:index/sensorUpdatePolicy:SensorUpdatePolicy": { "description": "This resource allows management of sensor update policies in the CrowdStrike Falcon platform. Sensor update policies allow you to control the update process across a set of hosts.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Sensor update policies | Read & Write\n\n\n## Example Usage\n\n\n```yaml\nresources:\n example:\n type: crowdstrike:SensorUpdatePolicy\n properties:\n enabled: false\n description: Made with Pulumi\n platformName: Windows\n build: ${all.windows.n1.build}\n uninstallProtection: false\n hostGroups:\n - host_group_id\n schedule:\n enabled: true\n timezone: Etc/UTC\n time_blocks:\n - days:\n - sunday\n - wednesday\n startTime: 12:40\n endTime: 16:40\nvariables:\n all:\n fn::invoke:\n function: crowdstrike:getSensorUpdatePolicyBuilds\n arguments: {}\noutputs:\n sensorPolicy: ${example}\n```\n\n\n## Import\n\nsensor update policies can be imported by specifying the policy id.\n\n```sh\n$ pulumi import crowdstrike:index/sensorUpdatePolicy:SensorUpdatePolicy example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "build": { "type": "string", "description": "Sensor build to use for the sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "description": { "type": "string", "description": "Description of the sensor update policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the sensor update policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the sensor update policy.\n" }, "platformName": { "type": "string", "description": "Platform for the sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FSensorUpdatePolicySchedule:SensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "type": "object", "required": [ "build", "enabled", "lastUpdated", "name", "platformName", "schedule", "uninstallProtection" ], "inputProperties": { "build": { "type": "string", "description": "Sensor build to use for the sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "description": { "type": "string", "description": "Description of the sensor update policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the sensor update policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "name": { "type": "string", "description": "Name of the sensor update policy.\n" }, "platformName": { "type": "string", "description": "Platform for the sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FSensorUpdatePolicySchedule:SensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "requiredInputs": [ "build", "platformName", "schedule" ], "stateInputs": { "description": "Input properties used for looking up and filtering SensorUpdatePolicy resources.\n", "properties": { "build": { "type": "string", "description": "Sensor build to use for the sensor update policy.\n" }, "buildArm64": { "type": "string", "description": "Sensor arm64 build to use for the sensor update policy (Linux only). Required if platform_name is Linux.\n" }, "description": { "type": "string", "description": "Description of the sensor update policy.\n" }, "enabled": { "type": "boolean", "description": "Enable the sensor update policy.\n" }, "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "lastUpdated": { "type": "string" }, "name": { "type": "string", "description": "Name of the sensor update policy.\n" }, "platformName": { "type": "string", "description": "Platform for the sensor update policy to manage. (Windows, Mac, Linux)\n" }, "schedule": { "$ref": "#/types/crowdstrike:index%2FSensorUpdatePolicySchedule:SensorUpdatePolicySchedule", "description": "Prohibit sensor updates during a set of time blocks.\n" }, "uninstallProtection": { "type": "boolean", "description": "Enable uninstall protection. Windows and Mac only.\n" } }, "type": "object" } }, "crowdstrike:index/sensorUpdatePolicyHostGroupAttachment:SensorUpdatePolicyHostGroupAttachment": { "description": "This resource allows managing the host groups attached to a sensor update policy. This resource takes exclusive ownership over the host groups assigned to a sensor update policy. If you want to fully create or manage a sensor update policy please use the `sensor_update_policy` resource.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Sensor update policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.SensorUpdatePolicyHostGroupAttachment(\"example\", {\n idProperty: \"34ef8e65eb1b4642861e389da3f7e82f\",\n hostGroups: [\"ff1ca3nfr7899j1abf61c0448db28be5\"],\n});\nexport const sensorUpdatePolicyHostGroupAttachment = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.SensorUpdatePolicyHostGroupAttachment(\"example\",\n id_property=\"34ef8e65eb1b4642861e389da3f7e82f\",\n host_groups=[\"ff1ca3nfr7899j1abf61c0448db28be5\"])\npulumi.export(\"sensorUpdatePolicyHostGroupAttachment\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.SensorUpdatePolicyHostGroupAttachment(\"example\", new()\n {\n IdProperty = \"34ef8e65eb1b4642861e389da3f7e82f\",\n HostGroups = new[]\n {\n \"ff1ca3nfr7899j1abf61c0448db28be5\",\n },\n });\n\n return new Dictionary\n {\n [\"sensorUpdatePolicyHostGroupAttachment\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewSensorUpdatePolicyHostGroupAttachment(ctx, \"example\", &crowdstrike.SensorUpdatePolicyHostGroupAttachmentArgs{\n\t\t\tIdProperty: pulumi.String(\"34ef8e65eb1b4642861e389da3f7e82f\"),\n\t\t\tHostGroups: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"ff1ca3nfr7899j1abf61c0448db28be5\"),\n\t\t\t},\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"sensorUpdatePolicyHostGroupAttachment\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.SensorUpdatePolicyHostGroupAttachment;\nimport com.crowdstrike.crowdstrike.SensorUpdatePolicyHostGroupAttachmentArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SensorUpdatePolicyHostGroupAttachment(\"example\", SensorUpdatePolicyHostGroupAttachmentArgs.builder()\n .idProperty(\"34ef8e65eb1b4642861e389da3f7e82f\")\n .hostGroups(\"ff1ca3nfr7899j1abf61c0448db28be5\")\n .build());\n\n ctx.export(\"sensorUpdatePolicyHostGroupAttachment\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:SensorUpdatePolicyHostGroupAttachment\n properties:\n idProperty: 34ef8e65eb1b4642861e389da3f7e82f\n hostGroups:\n - ff1ca3nfr7899j1abf61c0448db28be5\noutputs:\n sensorUpdatePolicyHostGroupAttachment: ${example}\n```\n\n\n## Import\n\nSensor Update Policy Host Group Attachment can be imported by specifying the id.\n\n```sh\n$ pulumi import crowdstrike:index/sensorUpdatePolicyHostGroupAttachment:SensorUpdatePolicyHostGroupAttachment example 7fb858a949034a0cbca175f660f1e769\n```\n\n", "properties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "idProperty": { "type": "string", "description": "The sensor update policy id you want to attach to.\n" }, "lastUpdated": { "type": "string" } }, "type": "object", "required": [ "idProperty", "lastUpdated" ], "inputProperties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "idProperty": { "type": "string", "description": "The sensor update policy id you want to attach to.\n" } }, "requiredInputs": [ "idProperty" ], "stateInputs": { "description": "Input properties used for looking up and filtering SensorUpdatePolicyHostGroupAttachment resources.\n", "properties": { "hostGroups": { "type": "array", "items": { "type": "string" }, "description": "Host Group ids to attach to the sensor update policy.\n" }, "idProperty": { "type": "string", "description": "The sensor update policy id you want to attach to.\n" }, "lastUpdated": { "type": "string" } }, "type": "object" } }, "crowdstrike:index/sensorUpdatePolicyPrecedence:SensorUpdatePolicyPrecedence": { "description": "This resource allows you to set the precedence of Sensor Update Policies based on the order of IDs.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Sensor update policies | Read & Write\n\n\n## Example Usage\n\n\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@crowdstrike/pulumi\";\n\nconst example = new crowdstrike.SensorUpdatePolicyPrecedence(\"example\", {\n ids: [\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n ],\n platformName: \"linux\",\n enforcement: \"dynamic\",\n});\nexport const sensorUpdatePolicyPrecedence = example;\n```\n```python\nimport pulumi\nimport crowdstrike_pulumi as crowdstrike\n\nexample = crowdstrike.SensorUpdatePolicyPrecedence(\"example\",\n ids=[\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n ],\n platform_name=\"linux\",\n enforcement=\"dynamic\")\npulumi.export(\"sensorUpdatePolicyPrecedence\", example)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = CrowdStrike.Crowdstrike;\n\nreturn await Deployment.RunAsync(() => \n{\n var example = new Crowdstrike.SensorUpdatePolicyPrecedence(\"example\", new()\n {\n Ids = new[]\n {\n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\",\n },\n PlatformName = \"linux\",\n Enforcement = \"dynamic\",\n });\n\n return new Dictionary\n {\n [\"sensorUpdatePolicyPrecedence\"] = example,\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\texample, err := crowdstrike.NewSensorUpdatePolicyPrecedence(ctx, \"example\", &crowdstrike.SensorUpdatePolicyPrecedenceArgs{\n\t\t\tIds: pulumi.StringArray{\n\t\t\t\tpulumi.String(\"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\"),\n\t\t\t\tpulumi.String(\"2asia54xti93bg0jbr5hfpqqbhxbyeoa\"),\n\t\t\t\tpulumi.String(\"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\"),\n\t\t\t},\n\t\t\tPlatformName: pulumi.String(\"linux\"),\n\t\t\tEnforcement: pulumi.String(\"dynamic\"),\n\t\t})\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"sensorUpdatePolicyPrecedence\", example)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.crowdstrike.crowdstrike.SensorUpdatePolicyPrecedence;\nimport com.crowdstrike.crowdstrike.SensorUpdatePolicyPrecedenceArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n var example = new SensorUpdatePolicyPrecedence(\"example\", SensorUpdatePolicyPrecedenceArgs.builder()\n .ids( \n \"a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\",\n \"2asia54xti93bg0jbr5hfpqqbhxbyeoa\",\n \"xuzq8hs1uyc2s7zdar3fli0shiyl22vc\")\n .platformName(\"linux\")\n .enforcement(\"dynamic\")\n .build());\n\n ctx.export(\"sensorUpdatePolicyPrecedence\", example);\n }\n}\n```\n```yaml\nresources:\n example:\n type: crowdstrike:SensorUpdatePolicyPrecedence\n properties:\n ids:\n - a1j09y3yq0wnrpb5o6jlij9e4f40k6lq\n - 2asia54xti93bg0jbr5hfpqqbhxbyeoa\n - xuzq8hs1uyc2s7zdar3fli0shiyl22vc\n platformName: linux\n enforcement: dynamic\noutputs:\n sensorUpdatePolicyPrecedence: ${example}\n```\n\n", "properties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default sensor update policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "That platform of the sensor update policies. (Windows, Mac, Linux)\n" } }, "type": "object", "required": [ "enforcement", "ids", "lastUpdated", "platformName" ], "inputProperties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default sensor update policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "platformName": { "type": "string", "description": "That platform of the sensor update policies. (Windows, Mac, Linux)\n" } }, "requiredInputs": [ "enforcement", "ids", "platformName" ], "stateInputs": { "description": "Input properties used for looking up and filtering SensorUpdatePolicyPrecedence resources.\n", "properties": { "enforcement": { "type": "string", "description": "The enforcement type for this resource. `strict` requires all non-default sensor update policy ids for platform to be provided. `dynamic` will ensure the provided policies have precedence over others. When using dynamic, policy ids not included in `ids` will retain their current ordering after the managed ids.\n" }, "ids": { "type": "array", "items": { "type": "string" }, "description": "The policy ids in order. The first ID specified will have the highest precedence and the last ID specified will have the lowest.\n" }, "lastUpdated": { "type": "string" }, "platformName": { "type": "string", "description": "That platform of the sensor update policies. (Windows, Mac, Linux)\n" } }, "type": "object" } } }, "functions": { "crowdstrike:index/getCloudAwsAccount:getCloudAwsAccount": { "description": "This data source provides information about AWS accounts in Falcon.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Cloud security AWS registration | Read \u0026 Write\n- CSPM registration | Read \u0026 Write\n\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@pulumi/crowdstrike\";\n\nconst all = crowdstrike.getCloudAwsAccount({});\nconst specific = crowdstrike.getCloudAwsAccount({\n accountId: \"123456789012\",\n});\nconst org = crowdstrike.getCloudAwsAccount({\n organizationId: \"o-123456789012\",\n});\n```\n```python\nimport pulumi\nimport pulumi_crowdstrike as crowdstrike\n\nall = crowdstrike.get_cloud_aws_account()\nspecific = crowdstrike.get_cloud_aws_account(account_id=\"123456789012\")\norg = crowdstrike.get_cloud_aws_account(organization_id=\"o-123456789012\")\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = Pulumi.Crowdstrike;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var all = Crowdstrike.GetCloudAwsAccount.Invoke();\n\n var specific = Crowdstrike.GetCloudAwsAccount.Invoke(new()\n {\n AccountId = \"123456789012\",\n });\n\n var org = Crowdstrike.GetCloudAwsAccount.Invoke(new()\n {\n OrganizationId = \"o-123456789012\",\n });\n\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\t_, err := crowdstrike.LookupCloudAwsAccount(ctx, \u0026crowdstrike.LookupCloudAwsAccountArgs{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = crowdstrike.LookupCloudAwsAccount(ctx, \u0026crowdstrike.LookupCloudAwsAccountArgs{\n\t\t\tAccountId: pulumi.StringRef(\"123456789012\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\t_, err = crowdstrike.LookupCloudAwsAccount(ctx, \u0026crowdstrike.LookupCloudAwsAccountArgs{\n\t\t\tOrganizationId: pulumi.StringRef(\"o-123456789012\"),\n\t\t}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.crowdstrike.CrowdstrikeFunctions;\nimport com.pulumi.crowdstrike.inputs.GetCloudAwsAccountArgs;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var all = CrowdstrikeFunctions.getCloudAwsAccount(GetCloudAwsAccountArgs.builder()\n .build());\n\n final var specific = CrowdstrikeFunctions.getCloudAwsAccount(GetCloudAwsAccountArgs.builder()\n .accountId(\"123456789012\")\n .build());\n\n final var org = CrowdstrikeFunctions.getCloudAwsAccount(GetCloudAwsAccountArgs.builder()\n .organizationId(\"o-123456789012\")\n .build());\n\n }\n}\n```\n```yaml\nvariables:\n all:\n fn::invoke:\n function: crowdstrike:getCloudAwsAccount\n arguments: {}\n specific:\n fn::invoke:\n function: crowdstrike:getCloudAwsAccount\n arguments:\n accountId: '123456789012'\n org:\n fn::invoke:\n function: crowdstrike:getCloudAwsAccount\n arguments:\n organizationId: o-123456789012\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "inputs": { "description": "A collection of arguments for invoking getCloudAwsAccount.\n", "properties": { "accountId": { "type": "string", "description": "Filter the results to a specific AWS Account ID. When specified, returns details for the matching AWS account. Can be used together with organization_id filter for OR matching\n" }, "organizationId": { "type": "string", "description": "Filter the results to accounts within a specific AWS Organization. When specified, returns all AWS accounts associated with this organization ID. Can be used together with account_id filter for OR matching\n" } }, "type": "object" }, "outputs": { "description": "A collection of values returned by getCloudAwsAccount.\n", "properties": { "accountId": { "description": "Filter the results to a specific AWS Account ID. When specified, returns details for the matching AWS account. Can be used together with organization_id filter for OR matching\n", "type": "string" }, "accounts": { "description": "The list of AWS accounts\n", "items": { "$ref": "#/types/crowdstrike:index%2FgetCloudAwsAccountAccount:getCloudAwsAccountAccount" }, "type": "array" }, "id": { "description": "The provider-assigned unique ID for this managed resource.\n", "type": "string" }, "organizationId": { "description": "Filter the results to accounts within a specific AWS Organization. When specified, returns all AWS accounts associated with this organization ID. Can be used together with account_id filter for OR matching\n", "type": "string" } }, "required": [ "accounts", "id" ], "type": "object" } }, "crowdstrike:index/getSensorUpdatePolicyBuilds:getSensorUpdatePolicyBuilds": { "description": "This data source provides information about the latest sensor builds for each platform.\n\n## API Scopes\n\nThe following API scopes are required:\n\n- Sensor update policies | Write\n\n\n## Example Usage\n\n\u003c!--Start PulumiCodeChooser --\u003e\n```typescript\nimport * as pulumi from \"@pulumi/pulumi\";\nimport * as crowdstrike from \"@pulumi/crowdstrike\";\n\nconst builds = crowdstrike.getSensorUpdatePolicyBuilds({});\nexport const latestWindowsBuild = builds.then(builds =\u003e builds.windows?.latest);\nexport const n1LinuxBuild = builds.then(builds =\u003e builds.linux?.n1);\nexport const n2MacBuild = builds.then(builds =\u003e builds.mac?.n2);\nexport const latestLinuxArm64Build = builds.then(builds =\u003e builds.linuxArm64?.latest);\n```\n```python\nimport pulumi\nimport pulumi_crowdstrike as crowdstrike\n\nbuilds = crowdstrike.get_sensor_update_policy_builds()\npulumi.export(\"latestWindowsBuild\", builds.windows.latest)\npulumi.export(\"n1LinuxBuild\", builds.linux.n1)\npulumi.export(\"n2MacBuild\", builds.mac.n2)\npulumi.export(\"latestLinuxArm64Build\", builds.linux_arm64.latest)\n```\n```csharp\nusing System.Collections.Generic;\nusing System.Linq;\nusing Pulumi;\nusing Crowdstrike = Pulumi.Crowdstrike;\n\nreturn await Deployment.RunAsync(() =\u003e \n{\n var builds = Crowdstrike.GetSensorUpdatePolicyBuilds.Invoke();\n\n return new Dictionary\u003cstring, object?\u003e\n {\n [\"latestWindowsBuild\"] = builds.Apply(getSensorUpdatePolicyBuildsResult =\u003e getSensorUpdatePolicyBuildsResult.Windows?.Latest),\n [\"n1LinuxBuild\"] = builds.Apply(getSensorUpdatePolicyBuildsResult =\u003e getSensorUpdatePolicyBuildsResult.Linux?.N1),\n [\"n2MacBuild\"] = builds.Apply(getSensorUpdatePolicyBuildsResult =\u003e getSensorUpdatePolicyBuildsResult.Mac?.N2),\n [\"latestLinuxArm64Build\"] = builds.Apply(getSensorUpdatePolicyBuildsResult =\u003e getSensorUpdatePolicyBuildsResult.LinuxArm64?.Latest),\n };\n});\n```\n```go\npackage main\n\nimport (\n\t\"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike\"\n\t\"github.com/pulumi/pulumi/sdk/v3/go/pulumi\"\n)\n\nfunc main() {\n\tpulumi.Run(func(ctx *pulumi.Context) error {\n\t\tbuilds, err := crowdstrike.GetSensorUpdatePolicyBuilds(ctx, map[string]interface{}{}, nil)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tctx.Export(\"latestWindowsBuild\", builds.Windows.Latest)\n\t\tctx.Export(\"n1LinuxBuild\", builds.Linux.N1)\n\t\tctx.Export(\"n2MacBuild\", builds.Mac.N2)\n\t\tctx.Export(\"latestLinuxArm64Build\", builds.LinuxArm64.Latest)\n\t\treturn nil\n\t})\n}\n```\n```java\npackage generated_program;\n\nimport com.pulumi.Context;\nimport com.pulumi.Pulumi;\nimport com.pulumi.core.Output;\nimport com.pulumi.crowdstrike.CrowdstrikeFunctions;\nimport java.util.List;\nimport java.util.ArrayList;\nimport java.util.Map;\nimport java.io.File;\nimport java.nio.file.Files;\nimport java.nio.file.Paths;\n\npublic class App {\n public static void main(String[] args) {\n Pulumi.run(App::stack);\n }\n\n public static void stack(Context ctx) {\n final var builds = CrowdstrikeFunctions.getSensorUpdatePolicyBuilds(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference);\n\n ctx.export(\"latestWindowsBuild\", builds.windows().latest());\n ctx.export(\"n1LinuxBuild\", builds.linux().n1());\n ctx.export(\"n2MacBuild\", builds.mac().n2());\n ctx.export(\"latestLinuxArm64Build\", builds.linuxArm64().latest());\n }\n}\n```\n```yaml\nvariables:\n builds:\n fn::invoke:\n function: crowdstrike:getSensorUpdatePolicyBuilds\n arguments: {}\noutputs:\n latestWindowsBuild: ${builds.windows.latest}\n n1LinuxBuild: ${builds.linux.n1}\n n2MacBuild: ${builds.mac.n2}\n latestLinuxArm64Build: ${builds.linuxArm64.latest}\n```\n\u003c!--End PulumiCodeChooser --\u003e\n", "outputs": { "description": "A collection of values returned by getSensorUpdatePolicyBuilds.\n", "properties": { "id": { "description": "Placeholder identifier.\n", "type": "string" }, "linux": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinux:getSensorUpdatePolicyBuildsLinux", "description": "Builds for the Linux platform.\n" }, "linuxArm64": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsLinuxArm64:getSensorUpdatePolicyBuildsLinuxArm64", "description": "Builds for the Linux platform (arm64).\n" }, "mac": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsMac:getSensorUpdatePolicyBuildsMac", "description": "Builds for the Mac platform.\n" }, "windows": { "$ref": "#/types/crowdstrike:index%2FgetSensorUpdatePolicyBuildsWindows:getSensorUpdatePolicyBuildsWindows", "description": "Builds for the Windows platform.\n" } }, "required": [ "id", "linux", "linuxArm64", "mac", "windows" ], "type": "object" } } } }