prevention_policy
Prevention Policy examples
The examples in this folder focus on leveraging CrowdStrike's Prevention Policy API.
Clone Prevention Policy
This script will clone one or all prevention policies from one CID to another.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Prevention Policy
READ, WRITE
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Clone all policies from one CID to another CID.
This sample supports Environment Authentication, meaning you can execute this program without providing credentials for the source CID if you have the values FALCON_CLIENT_ID and FALCON_CLIENT_SECRET defined in your environment.
Only clone a specific policy.
API debugging can be enabled using the -d argument.
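The clone works by reading each policy's flattened settings out of the source CID and replaying them as a create request in the destination CID. The following is an added example written for this page, not the sample script itself. It assumes two client objects exposing the FalconPy PreventionPolicy methods query_combined_policies() and create_policies(), and the policy record layout the Prevention Policy API returns (prevention_settings grouped by category, each setting carrying id, type and value). FakeClient and SAMPLE_POLICIES are constructed stand-ins so that it runs offline.

```python
"""Clone prevention policies from one CID to another.

Added example for this page; it is not the sample script the page describes.
It assumes two client objects exposing the FalconPy PreventionPolicy methods
query_combined_policies() and create_policies(), and the policy record layout
the Prevention Policy API returns (prevention_settings grouped by category,
each setting carrying id, type and value). FakeClient and SAMPLE_POLICIES are
constructed here so the example runs offline.
"""
from typing import Any, Dict, List, Optional


def settings_for_create(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a combined policy record into the settings list that
    create_policies() accepts: [{"id": ..., "value": {...}}, ...]."""
    flat = []
    for category in policy.get("prevention_settings", []):
        for setting in category.get("settings", []):
            # Toggles carry {"enabled": bool}; mlslider settings carry
            # {"detection": ..., "prevention": ...}. Both copy over verbatim.
            flat.append({"id": setting["id"], "value": setting["value"]})
    return flat


def build_clone_body(policy: Dict[str, Any]) -> Dict[str, Any]:
    """Request body for create_policies() in the destination CID."""
    return {"resources": [{
        "name": policy["name"],
        "description": policy.get("description", ""),
        "platform_name": policy["platform_name"],
        "settings": settings_for_create(policy),
    }]}


def clone_policies(source, destination, name: Optional[str] = None) -> List[str]:
    """Clone every policy (or only the one called `name`) from source to destination.

    Returns the names of the policies created. Any non-2xx response raises,
    so a half-finished clone is noticed instead of silently skipped.
    """
    params: Dict[str, Any] = {}
    if name:
        params["filter"] = f"name:'{name}'"
    result = source.query_combined_policies(parameters=params)
    if result["status_code"] != 200:
        raise RuntimeError(f"source query failed: {result['status_code']}")

    cloned = []
    for policy in result["body"]["resources"]:
        # Every CID already has a platform_default policy per platform and
        # names must be unique, so these are skipped rather than recreated.
        if policy["name"] == "platform_default":
            continue
        created = destination.create_policies(body=build_clone_body(policy))
        if created["status_code"] not in (200, 201):
            raise RuntimeError(f"create of {policy['name']!r} failed: {created['status_code']}")
        cloned.append(policy["name"])
    return cloned


class FakeClient:
    """Constructed stand-in for falconpy.PreventionPolicy (offline only)."""

    def __init__(self, policies: List[Dict[str, Any]]):
        self.policies = policies
        self.created: List[Dict[str, Any]] = []

    def query_combined_policies(self, parameters=None):
        flt = (parameters or {}).get("filter")
        hits = [p for p in self.policies if not flt or flt == f"name:'{p['name']}'"]
        return {"status_code": 200, "body": {"resources": hits}}

    def create_policies(self, body=None):
        self.created.extend(body["resources"])
        return {"status_code": 201, "body": {"resources": body["resources"]}}


SAMPLE_POLICIES = [  # constructed sample data, not from a live tenant
    {"id": "a1", "name": "platform_default", "platform_name": "Windows",
     "prevention_settings": []},
    {"id": "b2", "name": "Servers - Tier 1", "description": "Production servers",
     "platform_name": "Windows", "prevention_settings": [
         {"name": "Enhanced Visibility", "settings": [
             {"id": "AdditionalUserModeData", "type": "toggle",
              "value": {"enabled": True}}]},
         {"name": "Cloud Machine Learning", "settings": [
             {"id": "CloudAntiMalware", "type": "mlslider",
              "value": {"detection": "MODERATE", "prevention": "CAUTIOUS"}}]},
     ]},
]

if __name__ == "__main__":
    # Against real tenants these would be PreventionPolicy(client_id=..., client_secret=...)
    # built once per CID; here both sides are the offline fakes.
    src, dst = FakeClient(SAMPLE_POLICIES), FakeClient([])
    print(clone_policies(src, dst), dst.created)
```

Policies are created disabled and with no host groups attached; enabling and assignment in the destination CID are separate steps, which is what keeps a clone from silently changing enforcement on hosts you did not intend to touch.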
Command-line help
Command-line help is available via the -h argument.
Example source code
The source code for this example can be found here.
Create Host Group and attach to prevention policy
This script will create a host group. If a list of prevention policy IDs are provided, the newly created host group is added to each policy in the list. This can assist with complex group creation that may be difficult to perform in the console.
[!NOTE] If you set custom AND/OR criteria in the group's assignment rule using the API, editing the group in the Falcon console will remove these criteria when the group is saved.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Host Group
READ, WRITE
Prevention Policy
READ, WRITE
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Create a simple host group with no settings.
This sample supports Environment Authentication, meaning you can execute this program without providing credentials if you have the values FALCON_CLIENT_ID and FALCON_CLIENT_SECRET defined in your environment.
Attach the newly created group to two prevention policies.
Create a host group, setting all available parameters.
API debugging can be enabled using the -d argument.
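The two calls behind this sample are a host group create followed by one "add-host-group" policy action per policy ID. The following is an added example written for this page, not the sample script itself. It assumes client objects exposing FalconPy's HostGroup.create_host_groups() and PreventionPolicy.perform_policies_action(), and request bodies shaped as the Falcon API expects: a host group resource (name, description, group_type and, for dynamic groups, an FQL assignment_rule) and the add-host-group action carrying a group_id action parameter. FakeHostGroup and FakePolicy are constructed stand-ins so that it runs offline.

```python
"""Create a host group and attach it to one or more prevention policies.

Added example for this page, not the sample script itself. It assumes client
objects exposing FalconPy's HostGroup.create_host_groups() and
PreventionPolicy.perform_policies_action(), and request bodies shaped as the
Falcon API expects: a host group resource (name, description, group_type and,
for dynamic groups, an FQL assignment_rule) and the "add-host-group" policy
action carrying a group_id action parameter. FakeHostGroup and FakePolicy are
constructed stand-ins so the example runs offline.
"""
from typing import Any, Dict, List, Optional


def host_group_body(name: str, description: str = "", group_type: str = "static",
                    assignment_rule: Optional[str] = None) -> Dict[str, Any]:
    """Body for create_host_groups(); validates the type/rule combination up front."""
    if group_type == "dynamic" and not assignment_rule:
        raise ValueError("dynamic groups need an FQL assignment_rule")
    if group_type != "dynamic" and assignment_rule:
        raise ValueError("assignment_rule only applies to dynamic groups")
    resource: Dict[str, Any] = {"name": name, "description": description,
                                "group_type": group_type}
    if assignment_rule:
        resource["assignment_rule"] = assignment_rule
    return {"resources": [resource]}


def attach_group(policy_api, group_id: str, policy_ids: List[str]) -> List[str]:
    """Attach the group to each policy in turn; returns the policy IDs that failed.

    One action call per policy keeps a single bad ID from failing the whole batch.
    """
    failed = []
    for pid in policy_ids:
        resp = policy_api.perform_policies_action(
            action_name="add-host-group",
            ids=[pid],
            action_parameters=[{"name": "group_id", "value": group_id}],
        )
        if resp["status_code"] not in (200, 201):
            failed.append(pid)
    return failed


def create_and_attach(hg_api, policy_api, name: str, policy_ids: List[str],
                      **group_kwargs) -> Dict[str, Any]:
    """Create the group, then attach it to every policy ID given."""
    resp = hg_api.create_host_groups(body=host_group_body(name, **group_kwargs))
    if resp["status_code"] not in (200, 201):
        raise RuntimeError(f"host group creation failed: {resp['status_code']}")
    group_id = resp["body"]["resources"][0]["id"]
    failed = attach_group(policy_api, group_id, policy_ids)
    return {"group_id": group_id,
            "attached": [p for p in policy_ids if p not in failed],
            "failed": failed}


class FakeHostGroup:
    """Constructed stand-in for falconpy.HostGroup (offline only)."""

    def create_host_groups(self, body=None):
        resource = dict(body["resources"][0], id="hg-0001")
        return {"status_code": 201, "body": {"resources": [resource]}}


class FakePolicy:
    """Constructed stand-in for falconpy.PreventionPolicy; knows a fixed set of IDs."""

    def __init__(self, known_ids: List[str]):
        self.known = set(known_ids)
        self.calls: List[Any] = []

    def perform_policies_action(self, action_name=None, ids=None, action_parameters=None):
        self.calls.append((action_name, list(ids), action_parameters))
        ok = all(i in self.known for i in ids)
        return {"status_code": 200 if ok else 404, "body": {}}


if __name__ == "__main__":
    policies = FakePolicy(["p-111", "p-222"])
    print(create_and_attach(
        FakeHostGroup(), policies, "Linux web tier", ["p-111", "p-222", "p-999"],
        description="Created via API", group_type="dynamic",
        assignment_rule="platform_name:'Linux'+tags:'SensorGroupingTags/web'"))
```

Keeping the attach loop per policy and returning the failures lets a caller decide whether to delete the freshly created group when nothing could be attached, instead of leaving an orphaned group behind.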
Command-line help
Command-line help is available via the -h argument.
Example source code
The source code for this example can be found here.
Manage prevention policies with Prevention Policy Hawk
Prevention Policy Hawk demonstrates the Prevention Policy service collection by listing available prevention policies and allowing you to:
enable or disable the policy
remove the policy
edit the policy configuration
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Prevention Policy
READ, WRITE
Execution syntax
This example accepts the following input parameters.
-h, --help
    Show help message and exit. (optional)
-r, --show_settings
    Display policy settings. (display)
-z, --verbose
    Show all settings, including disabled ones. (display)
-e, --enable
    Enable the policy. (administration)
-d, --disable
    Disable the policy. (administration)
-x, --delete
    Delete the policy. (administration)
-i POLICY_ID, --policy_id POLICY_ID
    ID of a policy to update. (update)
-p POLICY_SEARCH_STRING, --policy_search_string POLICY_SEARCH_STRING
    String to match against the policy name. (update)
-t POLICY_SETTING, --policy_setting POLICY_SETTING
    Policy settings to modify (comma delimited). (update)
-v POLICY_SETTING_VALUE, --policy_setting_value POLICY_SETTING_VALUE
    Enable / disable the setting (True / False). (update)
-m POLICY_SENSITIVITY, --policy_sensitivity POLICY_SENSITIVITY
    Sensitivity setting for slider policies: Disabled, Cautious, Moderate, Aggressive or Extra_Aggressive.
    Case-insensitive; a comma-delimited pair is accepted (detection,prevention). (update)
-o SCOPE, --scope SCOPE
    Sensitivity scope (detection / prevention / both). (update)
-f FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
    Falcon Client ID. (always required)
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
    Falcon Client Secret. (always required)
Examples
These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.
Show command line help.
Show a list of available prevention policies
Show policy configuration along with results
This is the default when there is only one record to display
Show policy configuration with all settings, including disabled settings
Search for a policy by name
Example result
Search for a policy by ID
Enable a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
Disable a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
Delete a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
Enable a configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use the strings enable or true for the -v argument.
Example
Disable a configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use the strings disable or false for the -v argument.
Examples
Multiple settings may be specified at once using a comma delimited string.
Change a slider configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use any of the following strings for the -m argument: disabled, cautious, moderate, aggressive, extra_aggressive.
Examples
You may pass two sensitivities as a comma delimited string. The first value will be used for detection and the second value will be used for prevention.
Slider-style and boolean configuration settings may be changed simultaneously as long as the necessary arguments are provided. Note that the same change is applied to every setting specified: if you set one toggle to enabled, all toggles in the list are set to enabled, and all sliders in the list receive the same sensitivity.
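The -t / -v / -m / -o combination above boils down to one update_policies() body in which every named setting receives the same change. The following is an added example written for this page, not Prevention Policy Hawk's own code. It assumes the policy record layout returned by the Prevention Policy API (prevention_settings grouped by category; toggle settings valued {"enabled": bool}, mlslider settings valued {"detection": ..., "prevention": ...}) and the update body FalconPy's PreventionPolicy.update_policies() takes ({"resources": [{"id": ..., "settings": [...]}]}). SAMPLE_POLICIES is constructed; the first-match rule for -p and the detection/prevention ordering check are also shown.

```python
"""Build the update_policies() body that Hawk's -t / -v / -m / -o flags describe.

Added example for this page; it is not Prevention Policy Hawk's own code. It
assumes the policy record layout returned by the Prevention Policy API
(prevention_settings grouped by category; toggle settings valued
{"enabled": bool}, mlslider settings valued {"detection": ..., "prevention": ...})
and the update body FalconPy's PreventionPolicy.update_policies() takes:
{"resources": [{"id": ..., "settings": [...]}]}. SAMPLE_POLICIES is constructed.
"""
from typing import Any, Dict, List, Optional

SENSITIVITIES = ("DISABLED", "CAUTIOUS", "MODERATE", "AGGRESSIVE", "EXTRA_AGGRESSIVE")
SCOPES = ("detection", "prevention", "both")


def parse_bool(value: str) -> bool:
    """Accepts enable/true and disable/false, case-insensitively (Hawk's -v values)."""
    word = value.strip().lower()
    if word in ("enable", "true"):
        return True
    if word in ("disable", "false"):
        return False
    raise ValueError(f"unrecognised -v value: {value!r}")


def slider_value(current: Dict[str, str], sensitivity: str, scope: str = "both") -> Dict[str, str]:
    """Merge a -m sensitivity into an existing mlslider value.

    A single value applies to whatever `scope` names; "det,prev" sets detection
    to the first and prevention to the second. The API wants both halves, so the
    half not in scope is copied from the current value.
    """
    scope = scope.lower()
    if scope not in SCOPES:
        raise ValueError(f"bad -o value: {scope!r}")
    parts = [p.strip().upper() for p in sensitivity.split(",")]
    if len(parts) not in (1, 2) or any(p not in SENSITIVITIES for p in parts):
        raise ValueError(f"bad -m value: {sensitivity!r}")
    detection, prevention = parts if len(parts) == 2 else (parts[0], parts[0])
    new = dict(current)
    if scope in ("detection", "both"):
        new["detection"] = detection
    if scope in ("prevention", "both"):
        new["prevention"] = prevention
    # Falcon does not let prevention run hotter than detection; fail here rather
    # than with a 400 from the API after other settings have already been sent.
    if SENSITIVITIES.index(new["prevention"]) > SENSITIVITIES.index(new["detection"]):
        raise ValueError(f"prevention {new['prevention']} exceeds detection {new['detection']}")
    return new


def select_policy(policies: List[Dict[str, Any]], policy_id: Optional[str] = None,
                  search: Optional[str] = None) -> Optional[Dict[str, Any]]:
    """Hawk's rule: an explicit ID wins; otherwise the first name containing the search string."""
    if policy_id:
        return next((p for p in policies if p["id"] == policy_id), None)
    if search:
        needle = search.lower()
        return next((p for p in policies if needle in p["name"].lower()), None)
    return None


def build_update_body(policy: Dict[str, Any], setting_ids: str, bool_value: Optional[str] = None,
                      sensitivity: Optional[str] = None, scope: str = "both") -> Dict[str, Any]:
    """Body for update_policies(). Every listed setting gets the same change,
    which is why enabling one toggle in the list enables them all."""
    current = {s["id"]: s for cat in policy["prevention_settings"] for s in cat["settings"]}
    settings = []
    for sid in (s.strip() for s in setting_ids.split(",")):
        if sid not in current:
            raise KeyError(f"{sid} is not a setting of policy {policy['id']}")
        setting = current[sid]
        if setting["type"] == "toggle":
            if bool_value is None:
                raise ValueError(f"{sid} is a toggle; pass -v")
            settings.append({"id": sid, "value": {"enabled": parse_bool(bool_value)}})
        else:  # mlslider
            if sensitivity is None:
                raise ValueError(f"{sid} is a slider; pass -m")
            settings.append({"id": sid, "value": slider_value(setting["value"], sensitivity, scope)})
    return {"resources": [{"id": policy["id"], "settings": settings}]}


SAMPLE_POLICIES = [  # constructed sample data, not from a live tenant
    {"id": "b2", "name": "Servers - Tier 1", "platform_name": "Windows",
     "prevention_settings": [
         {"name": "Enhanced Visibility", "settings": [
             {"id": "AdditionalUserModeData", "type": "toggle", "value": {"enabled": False}}]},
         {"name": "Cloud Machine Learning", "settings": [
             {"id": "CloudAntiMalware", "type": "mlslider",
              "value": {"detection": "MODERATE", "prevention": "CAUTIOUS"}}]},
     ]},
]

if __name__ == "__main__":
    policy = select_policy(SAMPLE_POLICIES, search="tier 1")
    # Equivalent of: -p "tier 1" -t AdditionalUserModeData,CloudAntiMalware -v enable -m moderate,cautious
    print(build_update_body(policy, "AdditionalUserModeData,CloudAntiMalware",
                            bool_value="enable", sensitivity="moderate,cautious"))
```

Because -p returns the first name match, resolve the policy and print its ID before issuing a destructive action such as -x; a search string that matches a broader name than intended will otherwise act on the wrong policy.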
Command-line help
Command-line help is available using the -h or --help parameters.
Example source code
The source code for this example can be found here.