Prevention Policy examples
The examples in this folder focus on leveraging CrowdStrike's Prevention Policy API.
Clone Prevention Policy
This script will clone one or all prevention policies from one CID to another.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Prevention Policy: READ, WRITE
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Clone all policies from one CID to another CID.
python3 clone_prev_policy.py --source_id $FALCON_CLIENT_ID_SOURCE --source_secret $FALCON_CLIENT_SECRET_SOURCE --dest_id $FALCON_CLIENT_ID_DESTINATION --dest_secret $FALCON_CLIENT_SECRET_DESTINATION
This sample supports Environment Authentication, meaning you can execute this program without providing credentials for the source CID if you have the values FALCON_CLIENT_ID and FALCON_CLIENT_SECRET defined in your environment.
python3 clone_prev_policy.py --dest_id $FALCON_CLIENT_ID_DESTINATION --dest_secret $FALCON_CLIENT_SECRET_DESTINATION
Only clone a specific policy.
python3 clone_prev_policy.py --source_id $FALCON_CLIENT_ID_SOURCE --source_secret $FALCON_CLIENT_SECRET_SOURCE --dest_id $FALCON_CLIENT_ID_DESTINATION --dest_secret $FALCON_CLIENT_SECRET_DESTINATION -n POLICY_NAME
API debugging can be enabled using the -d argument.
python3 clone_prev_policy.py -d
Command-line help
Command-line help is available via the -h argument.
usage: clone_prev_policy.py [-h] [-d] [-n POLICY_NAME] [--source_id SOURCE_ID] [--source_secret SOURCE_SECRET] --dest_id DEST_ID
--dest_secret DEST_SECRET
Prevention Policy cloner.
[ASCII-art banner: FalconPy]
This script will clone one or all prevention policies from one CID to another.
Developed by Don-Swanson-Adobe
optional arguments:
-h, --help show this help message and exit
-d, --debug Enable API debugging
-n POLICY_NAME, --policy_name POLICY_NAME
Limit cloning to a specific policy
Required arguments:
--source_id SOURCE_ID
CrowdStrike Falcon API key (Source CID)
--source_secret SOURCE_SECRET
CrowdStrike Falcon API secret (Source CID)
--dest_id DEST_ID CrowdStrike Falcon API key (Destination CID)
--dest_secret DEST_SECRET
CrowdStrike Falcon API secret (Destination CID)
Example source code
The source code for this example can be found here.
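The cloning step described above (list the policies in the source CID, then rebuild each one as a create request in the destination CID) as an added example. This is not the sample's own source code; it assumes the FalconPy PreventionPolicy service class methods query_combined_policies, create_policies and perform_policies_action, and the response shape sketched in the constructed SAMPLE_SOURCE_POLICY (category-grouped prevention_settings, each setting carrying an id, a type and a value object). The helper names are mine.

```python
"""Clone prevention policies from a source CID into a destination CID.

Added example (not the sample's own source). Assumes the FalconPy
PreventionPolicy service class and the response shape sketched in
SAMPLE_SOURCE_POLICY below.
"""
from __future__ import annotations

import os

# Constructed sample shaped like one resource returned by
# PreventionPolicy.query_combined_policies() (assumed shape: settings are
# grouped by category, each with an id, a type and a value object).
SAMPLE_SOURCE_POLICY = {
    "id": "SOURCE_POLICY_ID",
    "name": "falconpy-unit-test-l8zsfkxiu9",
    "description": "FalconPy Unit Test l8zsfkxiu9",
    "platform_name": "Windows",
    "enabled": False,
    "prevention_settings": [
        {"name": "Enhanced Visibility", "settings": [
            {"id": "AdditionalUserModeData", "type": "toggle",
             "value": {"enabled": True}},
        ]},
        {"name": "Cloud Machine Learning", "settings": [
            {"id": "AdwarePUP", "type": "mlslider",
             "value": {"detection": "MODERATE", "prevention": "MODERATE"}},
        ]},
    ],
}


def flatten_settings(policy: dict) -> list[dict]:
    """Collapse the category-grouped settings into the flat id/value list
    that a create request expects."""
    return [
        {"id": setting["id"], "value": setting["value"]}
        for category in policy.get("prevention_settings", [])
        for setting in category.get("settings", [])
    ]


def build_clone_payload(policy: dict) -> dict:
    """Create body for the destination CID. The source id is deliberately
    dropped: policy ids and host-group assignments do not carry across CIDs."""
    return {"resources": [{
        "name": policy["name"],
        "description": policy.get("description", ""),
        "platform_name": policy["platform_name"],
        "settings": flatten_settings(policy),
    }]}


def select_policies(policies: list[dict], name: str | None = None) -> list[dict]:
    """All policies, or only those whose name matches (case-insensitive)."""
    if name is None:
        return list(policies)
    return [p for p in policies if p["name"].lower() == name.lower()]


def clone_policies(source, destination, policy_name=None, enable=False):
    """source/destination are PreventionPolicy instances for the two CIDs.
    Returns (source_id, destination_id_or_errors) per policy."""
    listing = source.query_combined_policies(limit=500)
    if listing["status_code"] != 200:
        raise RuntimeError(f"source query failed: {listing['body'].get('errors')}")
    results = []
    for policy in select_policies(listing["body"]["resources"], policy_name):
        created = destination.create_policies(body=build_clone_payload(policy))
        if created["status_code"] not in (200, 201):
            results.append((policy["id"], created["body"].get("errors")))
            continue
        new_id = created["body"]["resources"][0]["id"]
        # New policies start disabled; only enable when explicitly asked,
        # so the copy can be reviewed before it applies to any host.
        if enable:
            destination.perform_policies_action(action_name="enable", ids=[new_id])
        results.append((policy["id"], new_id))
    return results


if __name__ == "__main__":
    from falconpy import PreventionPolicy  # real API calls happen only from here on
    src = PreventionPolicy(client_id=os.environ["FALCON_CLIENT_ID"],
                           client_secret=os.environ["FALCON_CLIENT_SECRET"])
    dst = PreventionPolicy(client_id=os.environ["FALCON_CLIENT_ID_DESTINATION"],
                           client_secret=os.environ["FALCON_CLIENT_SECRET_DESTINATION"])
    for pair in clone_policies(src, dst, policy_name=os.environ.get("POLICY_NAME")):
        print(pair)
```

The payload builders are pure functions so they can be checked without credentials; only the `__main__` block talks to the API. Host-group assignments are not copied, because group IDs belong to a single CID, so the cloned policies start with no hosts and disabled.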
Create Host Group and attach to prevention policy
This script will create a host group. If a list of prevention policy IDs is provided, the newly created host group is added to each policy in the list. This can assist with complex group creation that may be difficult to perform in the console.
Note: If you set custom and/or criteria using the API, editing the group in the Falcon console will remove these criteria upon save.
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Host Group: READ, WRITE
Prevention Policy: READ, WRITE
Execution syntax
This sample leverages simple command-line arguments to implement functionality.
Basic usage
Create a simple host group with no settings.
python3 create_attached_group.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n GROUP_NAME
This sample supports Environment Authentication, meaning you can execute this program without providing credentials if you have the values FALCON_CLIENT_ID and FALCON_CLIENT_SECRET defined in your environment.
python3 create_attached_group.py -n GROUP_NAME
Attach the newly created group to two prevention policies.
python3 create_attached_group.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n GROUP_NAME -p POLICY_ID_1,POLICY_ID_2
Create a host group, setting all available parameters.
python3 create_attached_group.py -k $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -n GROUP_NAME -p POLICY_ID_1,POLICY_ID_2 -e GROUP_DESCRIPTION -t GROUP_TYPE -a ASSIGNMENT_RULE
API debugging can be enabled using the -d argument.
python3 create_attached_group.py -d
Command-line help
Command-line help is available via the -h argument.
usage: create_attached_group.py [-h] [-d] [-c CHILD] -n GROUP_NAME [-e GROUP_DESCRIPTION] [-t {dynamic,static}]
[-a ASSIGNMENT_RULE] [-p POLICIES] [-k CLIENT_ID] [-s CLIENT_SECRET]
Create Host Groups (and add them to Prevention Policies).
[ASCII-art banner: FalconPy]
This script will create a host group. If a list of prevention policy IDs
are provided, the newly created host group is added to each policy in the
list. This can assist with complex group creation that may be difficult
to perform in the console.
Please note: If you use custom and/or criteria here, editing the group in
the Falcon console will remove this criteria upon save.
Developed by Don-Swanson-Adobe
Dynamic Host group examples with custom and/or criteria
AND Example (Product is Windows AND Type is Server):
"platform_name:'Windows'+product_type_desc:'Server'"
OR Example (OS is Win Server 2008 R2 OR OS is Windows 7):
"os_version:'Windows Server 2008 R2',os_version:'Windows 7'"
OR Example (OS is Win Server 2008 R2 OR OS is Windows 7)
"(os_version:'Windows Server 2008 R2',os_version:'Windows 7')"
Mixed Use Example (Must Have a DEV Sensor Tag and a T1 or T2 Sensor Tag)
"(tags:'SensorGroupingTags/DEV'+tags:'SensorGroupingTags/T1),(tags:'SensorGroupingTags/DEV'+tags:'SensorGroupingTags/T2')"
"tags:'SensorGroupingTags/DEV'+(tags:'SensorGroupingTags/T1',tags:'SensorGroupingTags/T2')"
optional arguments:
-h, --help show this help message and exit
-d, --debug Enable API debugging
-c CHILD, --child CHILD
List exclusions in a specific child CID (MSSP parents only)
Group arguments:
-n GROUP_NAME, --group_name GROUP_NAME
Name to use for newly created Host Group
-e GROUP_DESCRIPTION, --group_description GROUP_DESCRIPTION
Description to use for newly created Host Group
-t {dynamic,static}, --group_type {dynamic,static}
Type of Host Group to create (dynamic or static, defaults to dynamic)
-a ASSIGNMENT_RULE, --assignment_rule ASSIGNMENT_RULE
Assignment rule for the newly created Host Group (enclose in double quotes)
-p POLICIES, --policies POLICIES
Prevention Policies IDs to assign this Host Group to (comma delimit)
Required arguments:
-k CLIENT_ID, --client_id CLIENT_ID
CrowdStrike Falcon API key
-s CLIENT_SECRET, --client_secret CLIENT_SECRET
CrowdStrike Falcon API secret
Example source code
The source code for this example can be found here.
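The assignment-rule syntax shown in the help text above (criteria joined with "+" for AND, "," for OR, parentheses for grouping) and the group-then-attach flow, as an added example. It is not the sample's own source code; it assumes the FalconPy HostGroup.create_host_groups and PreventionPolicy.perform_policies_action methods (the "add-host-group" action with a group_id action parameter), and the helper names term, all_of, any_of, group, build_group_payload, parse_policy_ids and attach_group are mine.

```python
"""Build Falcon host-group assignment rules and attach the new group to
prevention policies. Added example, not the sample's own source."""
from __future__ import annotations

import os


def term(field: str, value: str) -> str:
    """One criterion, e.g. platform_name:'Windows'. Values are single-quoted,
    so a quote inside a value would break the rule; reject it early."""
    if "'" in value:
        raise ValueError("single quotes are not allowed inside a rule value")
    return f"{field}:'{value}'"


def all_of(*criteria: str) -> str:
    """AND: the rule syntax joins criteria with '+'."""
    return "+".join(criteria)


def any_of(*criteria: str) -> str:
    """OR: the rule syntax joins criteria with ','."""
    return ",".join(criteria)


def group(expression: str) -> str:
    """Parenthesise a sub-expression so AND/OR precedence is explicit."""
    return f"({expression})"


def build_group_payload(name: str, description: str = "", group_type: str = "dynamic",
                        assignment_rule: str | None = None) -> dict:
    """Body for HostGroup.create_host_groups (assumed shape). Static groups
    carry no rule. Rules set here are custom criteria: the README notes that
    saving the group from the Falcon console afterwards discards them."""
    if group_type not in ("dynamic", "static"):
        raise ValueError(f"group_type must be dynamic or static, not {group_type!r}")
    resource = {"name": name, "description": description, "group_type": group_type}
    if group_type == "dynamic" and assignment_rule:
        resource["assignment_rule"] = assignment_rule
    return {"resources": [resource]}


def parse_policy_ids(value: str | None) -> list[str]:
    """Split the comma-delimited -p argument, dropping blanks."""
    if not value:
        return []
    return [p.strip() for p in value.split(",") if p.strip()]


def attach_group(policies, group_id: str, policy_ids: list[str]) -> dict[str, int]:
    """Add the host group to each prevention policy; returns the HTTP status
    per policy id. `policies` is a falconpy.PreventionPolicy instance."""
    status = {}
    for pid in policy_ids:
        resp = policies.perform_policies_action(
            action_name="add-host-group", ids=[pid],
            action_parameters=[{"name": "group_id", "value": group_id}])
        status[pid] = resp["status_code"]
    return status


if __name__ == "__main__":
    from falconpy import HostGroup, PreventionPolicy  # real API calls only here
    creds = dict(client_id=os.environ["FALCON_CLIENT_ID"],
                 client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # The "mixed use" rule from the help text: DEV tag AND (T1 OR T2) tag.
    rule = all_of(term("tags", "SensorGroupingTags/DEV"),
                  group(any_of(term("tags", "SensorGroupingTags/T1"),
                               term("tags", "SensorGroupingTags/T2"))))
    created = HostGroup(**creds).create_host_groups(
        body=build_group_payload(os.environ.get("GROUP_NAME", "dev-t1-t2"), assignment_rule=rule))
    if created["status_code"] in (200, 201):
        gid = created["body"]["resources"][0]["id"]
        print(attach_group(PreventionPolicy(**creds), gid, parse_policy_ids(os.environ.get("POLICIES"))))
    else:
        print(created["body"].get("errors"))
```

Building the rule from small functions keeps the AND/OR nesting visible, which matters because the second "OR" form in the help text (with parentheses) and the first (without) are only equivalent when the expression stands alone; once combined with an AND term, the grouping decides what the rule means.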
Manage prevention policies with Prevention Policy Hawk
Prevention Policy Hawk demonstrates the Prevention Policy service collection by listing available prevention policies and allowing you to:
enable or disable the policy
remove the policy
edit the policy configuration
Running the program
In order to run this demonstration, you will need access to CrowdStrike API keys with the following scopes:
Prevention Policy
READ, WRITE
Execution syntax
This example accepts the following input parameters.

| Parameter | Purpose | Category |
| --- | --- | --- |
| -h, --help | Show help message and exit | optional |
| -r, --show_settings | Display policy settings | display |
| -z, --verbose | Show all settings, including disabled | display |
| -e, --enable | Enable the policy | administration |
| -d, --disable | Disable the policy | administration |
| -x, --delete | Delete the policy | administration |
| -i POLICY_ID, --policy_id POLICY_ID | ID of a policy to update | update |
| -p POLICY_SEARCH_STRING, --policy_search_string POLICY_SEARCH_STRING | String to match against policy name | update |
| -t POLICY_SETTING, --policy_setting POLICY_SETTING | Policy settings to modify (comma delimited) | update |
| -v POLICY_SETTING_VALUE, --policy_setting_value POLICY_SETTING_VALUE | Enable / disable the setting (True / False) | update |
| -m POLICY_SENSITIVITY, --policy_sensitivity POLICY_SENSITIVITY | Sensitivity setting for slider policies (Disabled, Cautious, Moderate, Aggressive, Extra_Aggressive). Case-insensitive; comma-delimited strings accepted (detection,prevention) | update |
| -o SCOPE, --scope SCOPE | Sensitivity scope (detection / prevention / both) | update |
| -f FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID | Falcon Client ID | always required |
| -s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET | Falcon Client Secret | always required |
Examples
These examples demonstrate command line usage of this sample. Commands may be chained on the same command line as long as all actions make sense for the arguments provided.
Show command line help.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -h
Show a list of available prevention policies
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET
Show policy configuration along with results
This is the default when there is only one record to display
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -r
Show policy configuration with all settings, including disabled settings
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -r -z
Search for a policy by name
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p SEARCH_STRING
Example result
Policy: falconpy-unit-test-l8zsfkxiu9 (POLICY_ID) - FalconPy Unit Test l8zsfkxiu9
Platform: Windows
Enabled: False
Policy configuration:
  Enhanced Visibility
    Additional User Mode Data [AdditionalUserModeData] (Enabled)
    Redact HTTP Detection Details [RedactHTTPDetectionDetails] (Enabled)
  Cloud Machine Learning
    Adware & PUP [AdwarePUP] (Detection is moderate, Prevention is moderate)
  Sensor Machine Learning
    Sensor Anti-malware [OnSensorMLSlider] (Detection is extra aggressive, Prevention is moderate)
  On Write
    Detect on Write [DetectOnWrite] (Enabled)
  Quarantine
    Quarantine & Security Center Registration [NextGenAV] (Enabled)
  Execution Blocking
    Intelligence-Sourced Threats [IntelPrevention] (Enabled)
  Exploit Mitigation
    NULL Page Allocation [NullPageAllocation] (Enabled)
  Exploitation Behavior
    Code Injection [ProcessHollowing] (Enabled)
  Lateral Movement and Credential Access
    Windows Logon Bypass ("Sticky Keys") [WindowsLogonBypassStickyKeys] (Enabled)
  Remediation
    Advanced Remediation [AutomatedRemediation] (Enabled)
Search for a policy by ID
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -i POLICY_ID
Enable a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -e
Disable a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -d
Delete a policy
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -x
Enable a configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use the strings enable or true for the -v argument.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -t SETTING_NAME -v SETTING_VALUE
Example
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t DriveByDownload -v enable
Disable a configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use the strings disable or false for the -v argument.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -t SETTING_NAME -v SETTING_VALUE
Examples
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t DriveByDownload -v disable
Multiple settings may be specified at once using a comma delimited string.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t DriveByDownload,AdditionalUserModeData -v enable
Change a slider configuration setting
You may specify a policy by ID or by using a search string. For multiple matches, the first match is returned.
You may use any of the following strings for the -m argument:
disabled
cautious
moderate
aggressive
extra_aggressive
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET [-i POLICY_ID | -p SEARCH_STRING] -t SETTING_NAME -m SETTING_VALUE
Examples
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t AdwarePUP -m moderate
You may pass two sensitivities as a comma delimited string. The first value will be used for detection and the second value will be used for prevention.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t AdwarePUP -m aggressive,moderate
Slider-style and boolean configuration settings may be changed simultaneously as long as the necessary arguments are provided. Please note that changes will be applied to each setting specified: if you set one to enabled, all boolean settings listed will be set to enabled, and all slider settings listed will receive the same sensitivity.
python3 prevention_policy_hawk.py -f $FALCON_CLIENT_ID -s $FALCON_CLIENT_SECRET -p my_policy -t DriveByDownload,AdwarePUP -v enable -m aggressive,moderate
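The update rules described in this section (resolve a policy by ID or by the first name match, accept enable/true and disable/false for toggles, accept one or two comma-delimited sensitivities for sliders, and honour the detection/prevention/both scope) as an added example. This is not the Hawk sample's own source; it assumes the FalconPy PreventionPolicy methods query_combined_policies and update_policies, the combined-policy response shape sketched in the constructed SAMPLE_POLICY (each setting has a type of toggle or mlslider and a value object, with slider levels as upper-case strings), and helper names of my own.

```python
"""Hawk-style prevention policy updates: find the policy, then build the
update body for toggle and slider settings. Added example, not the sample's
own source."""
from __future__ import annotations

import os

SENSITIVITIES = ("DISABLED", "CAUTIOUS", "MODERATE", "AGGRESSIVE", "EXTRA_AGGRESSIVE")

# Constructed sample shaped like one query_combined_policies() resource
# (assumed shape; slider levels are assumed to be upper-case strings).
SAMPLE_POLICY = {
    "id": "POLICY_ID",
    "name": "my_policy",
    "platform_name": "Windows",
    "enabled": True,
    "prevention_settings": [
        {"name": "Execution Blocking", "settings": [
            {"id": "DriveByDownload", "type": "toggle", "value": {"enabled": False}}]},
        {"name": "Cloud Machine Learning", "settings": [
            {"id": "AdwarePUP", "type": "mlslider",
             "value": {"detection": "MODERATE", "prevention": "MODERATE"}}]},
    ],
}


def parse_toggle(value: str) -> bool:
    """-v accepts enable/true and disable/false, case-insensitively."""
    v = value.strip().lower()
    if v in ("enable", "true"):
        return True
    if v in ("disable", "false"):
        return False
    raise ValueError(f"unrecognised toggle value: {value!r}")


def parse_sensitivity(value: str) -> tuple[str, str]:
    """-m: one level applies to both; 'detection,prevention' sets each."""
    parts = [p.strip().upper() for p in value.split(",")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2 or any(p not in SENSITIVITIES for p in parts):
        raise ValueError(f"bad sensitivity: {value!r}")
    return parts[0], parts[1]


def index_settings(policy: dict) -> dict[str, dict]:
    """Map setting id -> setting record across all categories."""
    return {s["id"]: s for cat in policy["prevention_settings"] for s in cat["settings"]}


def find_policy(policies: list[dict], policy_id: str | None = None,
                search: str | None = None) -> dict | None:
    """An exact ID match wins; otherwise the first case-insensitive name
    substring match is returned, mirroring the sample's behaviour."""
    if policy_id:
        for p in policies:
            if p["id"] == policy_id:
                return p
    if search:
        for p in policies:
            if search.lower() in p["name"].lower():
                return p
    return None


def build_update_payload(policy: dict, setting_ids: list[str], toggle_value: str | None = None,
                         sensitivity: str | None = None, scope: str = "both") -> dict:
    """Body for update_policies. Each listed setting gets the same -v or -m
    value; a slider level outside the chosen scope keeps its current value."""
    if scope not in ("detection", "prevention", "both"):
        raise ValueError(f"scope must be detection, prevention or both, not {scope!r}")
    current = index_settings(policy)
    changes = []
    for sid in setting_ids:
        if sid not in current:
            raise KeyError(f"{sid} is not a setting of policy {policy['id']}")
        setting = current[sid]
        if setting["type"] == "toggle":
            if toggle_value is None:
                raise ValueError(f"{sid} is a toggle; -v is required")
            changes.append({"id": sid, "value": {"enabled": parse_toggle(toggle_value)}})
        else:
            if sensitivity is None:
                raise ValueError(f"{sid} is a slider; -m is required")
            det, prev = parse_sensitivity(sensitivity)
            value = dict(setting["value"])  # copy so the untouched level survives
            if scope in ("detection", "both"):
                value["detection"] = det
            if scope in ("prevention", "both"):
                value["prevention"] = prev
            changes.append({"id": sid, "value": value})
    return {"resources": [{"id": policy["id"], "settings": changes}]}


if __name__ == "__main__":
    from falconpy import PreventionPolicy  # real API calls only here
    api = PreventionPolicy(client_id=os.environ["FALCON_CLIENT_ID"],
                           client_secret=os.environ["FALCON_CLIENT_SECRET"])
    listing = api.query_combined_policies(limit=500)
    target = find_policy(listing["body"].get("resources", []), search=os.environ.get("SEARCH", "my_policy"))
    if target is None:
        raise SystemExit("no matching policy")
    body = build_update_payload(target, ["DriveByDownload", "AdwarePUP"],
                                toggle_value="enable", sensitivity="aggressive,moderate")
    print(api.update_policies(body=body)["status_code"])
```

Reading the current setting record before building the update is what lets one command mix toggles and sliders: the type decides which argument applies to each id, and a scoped slider change only overwrites the level it names.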
Command-line help
Command-line help is available using the -h or --help parameters.
% python3 prevention_policy_hawk.py -h
usage: prevention_policy_hawk.py [-h] [-r] [-z] [-e] [-d] [-x] [-i POLICY_ID] [-p POLICY_SEARCH_STRING] [-t POLICY_SETTING] [-v POLICY_SETTING_VALUE] [-m POLICY_SENSITIVITY]
[-o SCOPE] -f FALCON_CLIENT_ID -s FALCON_CLIENT_SECRET
CrowdStrike Falcon Prevention Policy Maintenance utility.
[ASCII-art banner: CrowdStrike's Prevention Policy Hawk, FalconPy v1.0]
Creation date: 2022.02.11 Modification: 2022.05.11
jhseceng@CrowdStrike jshcodes@CrowdStrike
jshcodes@CrowdStrike
Leverages the FalconPy API SDK to update prevention policies within CrowdStrike Falcon.
This solution requires the FalconPy SDK. This project
can be accessed here: https://github.com/CrowdStrike/falconpy
optional arguments:
-h, --help show this help message and exit
optional display arguments:
-r, --show_settings Display policy settings
-z, --verbose Show all settings, including disabled
optional management arguments:
-e, --enable Enable the policy
-d, --disable Disable the policy
-x, --delete Delete the policy
-debug, --debug Enable API debugging
optional update arguments:
-i POLICY_ID, --policy_id POLICY_ID
ID of a policy to update
-p POLICY_SEARCH_STRING, --policy_search_string POLICY_SEARCH_STRING
String to match against policy name
-t POLICY_SETTING, --policy_setting POLICY_SETTING
Policy settings to modify (Comma delimit)
-v POLICY_SETTING_VALUE, --policy_setting_value POLICY_SETTING_VALUE
Enabled / Disable the setting (True / False)
-m POLICY_SENSITIVITY, --policy_sensitivity POLICY_SENSITIVITY
Sensitivity setting for slider policies.
(Disabled, Cautious, Moderate, Aggressive, Extra_Aggressive)
Case-insensitive, comma delimited strings accepted (detection,prevention)
-o SCOPE, --scope SCOPE
Sensitivity scope (detection / prevention / both).
required arguments:
-f FALCON_CLIENT_ID, --falcon_client_id FALCON_CLIENT_ID
Falcon Client ID
-s FALCON_CLIENT_SECRET, --falcon_client_secret FALCON_CLIENT_SECRET
Falcon Client Secret
Example source code
The source code for this example can be found here.