import * as pulumi from "@pulumi/pulumi";
import * as inputs from "./types/input";
import * as outputs from "./types/output";
/**
 * This resource allows you to manage CrowdStrike Falcon prevention policies for Windows hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.
 *
 * ## API Scopes
 *
 * The following API scopes are required:
 *
 * - Prevention policies | Read & Write
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as crowdstrike from "@gtheocrwd/pulumi-crowdstrike";
 *
 * const example = new crowdstrike.PreventionPolicyWindows("example", {
 *     enabled: false,
 *     description: "Made with Pulumi",
 *     hostGroups: ["d6e3c1e1b3d0467da0fowc96a5e6ecb5"],
 *     ioaRuleGroups: ["ed334b3243bc4b6bb8e7d40a2ecd86fa"],
 *     adwareAndPup: {
 *         detection: "MODERATE",
 *         prevention: "CAUTIOUS",
 *     },
 *     cloudAntiMalwareMicrosoftOfficeFiles: {
 *         detection: "MODERATE",
 *         prevention: "DISABLED",
 *     },
 *     cloudAntiMalware: {
 *         detection: "MODERATE",
 *         prevention: "CAUTIOUS",
 *     },
 *     cloudAntiMalwareUserInitiated: {
 *         detection: "MODERATE",
 *         prevention: "CAUTIOUS",
 *     },
 *     sensorAntiMalware: {
 *         detection: "MODERATE",
 *         prevention: "CAUTIOUS",
 *     },
 *     sensorAntiMalwareUserInitiated: {
 *         detection: "MODERATE",
 *         prevention: "CAUTIOUS",
 *     },
 *     extendedUserModeData: {
 *         detection: "MODERATE",
 *     },
 *     usbInsertionTriggeredScan: false,
 *     applicationExploitationActivity: false,
 *     additionalUserModeData: false,
 *     notifyEndUsers: false,
 *     advancedRemediation: false,
 *     backupDeletion: false,
 *     biosDeepVisibility: false,
 *     chopperWebshell: false,
 *     codeInjection: false,
 *     credentialDumping: false,
 *     cryptowall: false,
 *     customBlocking: false,
 *     detectOnWrite: false,
 *     driveByDownload: false,
 *     driverLoadPrevention: false,
 *     interpreterOnly: false,
 *     engineFullVisibility: false,
 *     enhancedExploitationVisibility: false,
 *     enhancedMlForLargerFiles: false,
 *     fileEncryption: false,
 *     fileSystemAccess: false,
 *     forceAslr: false,
 *     forceDep: false,
 *     heapSprayPreallocation: false,
 *     nullPageAllocation: false,
 *     sehOverwriteProtection: false,
 *     hardwareEnhancedExploitDetection: false,
 *     httpDetections: false,
 *     redactHttpDetectionDetails: false,
 *     intelligenceSourcedThreats: false,
 *     javascriptViaRundll32: false,
 *     locky: false,
 *     memoryScanning: false,
 *     memoryScanningScanWithCpu: false,
 *     microsoftOfficeFileSuspiciousMacroRemoval: false,
 *     onWriteScriptFileVisibility: false,
 *     preventSuspiciousProcesses: false,
 *     quarantineAndSecurityCenterRegistration: false,
 *     quarantineOnRemovableMedia: false,
 *     quarantineOnWrite: false,
 *     scriptBasedExecutionMonitoring: false,
 *     sensorTamperingProtection: false,
 *     suspiciousRegistryOperations: false,
 *     suspiciousScriptsAndCommands: false,
 *     uploadUnknownExecutables: false,
 *     uploadUnknownDetectionRelatedExecutables: false,
 *     volumeShadowCopyAudit: false,
 *     volumeShadowCopyProtect: false,
 *     vulnerableDriverProtection: false,
 *     windowsLogonBypassStickyKeys: false,
 * });
 * export const preventionPolicyWindows = example;
 * ```
 *
 * The example above sets `enabled: false` and every boolean setting to `false`: it illustrates the
 * shape of the arguments, not a recommended baseline. Several settings have documented prerequisites
 * on other settings (see the individual field descriptions, e.g. `codeInjection` requires
 * `additionalUserModeData`), and the description of `sensorTamperingProtection` states that
 * disabling it is not recommended.
 *
 * ## Import
 *
 * A prevention policy can be imported by specifying the policy id.
 *
 * ```sh
 * $ pulumi import crowdstrike:index/preventionPolicyWindows:PreventionPolicyWindows example 7fb858a949034a0cbca175f660f1e769
 * ```
 */
export declare class PreventionPolicyWindows extends pulumi.CustomResource {
    /**
     * Get an existing PreventionPolicyWindows resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input<pulumi.ID>, state?: PreventionPolicyWindowsState, opts?: pulumi.CustomResourceOptions): PreventionPolicyWindows;
    /**
     * Returns true if the given object is an instance of PreventionPolicyWindows. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     *
     * Accepts any value; use the returned type predicate to narrow it.
     */
    static isInstance(obj: any): obj is PreventionPolicyWindows;
    /**
     * Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
     * Several other settings (see their descriptions) require this setting to be enabled.
     */
    readonly additionalUserModeData: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
     */
    readonly advancedRemediation: pulumi.Output<boolean>;
    /**
     * Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
     */
    readonly adwareAndPup: pulumi.Output<outputs.PreventionPolicyWindowsAdwareAndPup>;
    /**
     * Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
     */
    readonly applicationExploitationActivity: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
     */
    readonly backupDeletion: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
     */
    readonly biosDeepVisibility: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
     */
    readonly chopperWebshell: pulumi.Output<boolean>;
    /**
     * Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
     */
    readonly cloudAntiMalware: pulumi.Output<outputs.PreventionPolicyWindowsCloudAntiMalware>;
    /**
     * Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
     */
    readonly cloudAntiMalwareMicrosoftOfficeFiles: pulumi.Output<outputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles>;
    /**
     * For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
     */
    readonly cloudAntiMalwareUserInitiated: pulumi.Output<outputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated>;
    /**
     * Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires `additionalUserModeData` to be enabled.
     */
    readonly codeInjection: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires `additionalUserModeData` to be enabled.
     */
    readonly credentialDumping: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A process associated with Cryptowall was blocked.
     */
    readonly cryptowall: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
     */
    readonly customBlocking: pulumi.Output<boolean>;
    /**
     * Description of the prevention policy.
     */
    readonly description: pulumi.Output<string | undefined>;
    /**
     * Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
     */
    readonly detectOnWrite: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
     */
    readonly driveByDownload: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
     * Required by `vulnerableDriverProtection`.
     */
    readonly driverLoadPrevention: pulumi.Output<boolean>;
    /**
     * Whether the prevention policy is enabled.
     */
    readonly enabled: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires `interpreterOnly` to be enabled.
     */
    readonly engineFullVisibility: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
     */
    readonly enhancedExploitationVisibility: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
     */
    readonly enhancedMlForLargerFiles: pulumi.Output<boolean>;
    /**
     * Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
     */
    readonly extendedUserModeData: pulumi.Output<outputs.PreventionPolicyWindowsExtendedUserModeData>;
    /**
     * Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
     */
    readonly fileEncryption: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
     */
    readonly fileSystemAccess: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    readonly forceAslr: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires `additionalUserModeData` to be enabled.
     */
    readonly forceDep: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
     */
    readonly hardwareEnhancedExploitDetection: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    readonly heapSprayPreallocation: pulumi.Output<boolean>;
    /**
     * Host Group ids to attach to the prevention policy.
     */
    readonly hostGroups: pulumi.Output<string[] | undefined>;
    /**
     * Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
     * See `redactHttpDetectionDetails` for controlling what detail those events carry.
     */
    readonly httpDetections: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
     */
    readonly intelligenceSourcedThreats: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring (`scriptBasedExecutionMonitoring`) may be used instead.
     */
    readonly interpreterOnly: pulumi.Output<boolean>;
    /**
     * IOA Rule Group ids to attach to the prevention policy.
     */
    readonly ioaRuleGroups: pulumi.Output<string[] | undefined>;
    /**
     * Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
     */
    readonly javascriptViaRundll32: pulumi.Output<boolean>;
    /**
     * Not described by the provider schema. NOTE(review): presumably the timestamp of the last update
     * to the policy — confirm against the upstream provider before relying on its format.
     */
    readonly lastUpdated: pulumi.Output<string>;
    /**
     * Whether to enable the setting. A process determined to be associated with Locky was blocked.
     */
    readonly locky: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
     */
    readonly memoryScanning: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
     */
    readonly memoryScanningScanWithCpu: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
     */
    readonly microsoftOfficeFileSuspiciousMacroRemoval: pulumi.Output<boolean>;
    /**
     * Name of the prevention policy.
     */
    readonly name: pulumi.Output<string>;
    /**
     * Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
     */
    readonly notifyEndUsers: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    readonly nullPageAllocation: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
     */
    readonly onWriteScriptFileVisibility: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
     */
    readonly preventSuspiciousProcesses: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
     * Required by `scriptBasedExecutionMonitoring`.
     */
    readonly quarantineAndSecurityCenterRegistration: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
     */
    readonly quarantineOnRemovableMedia: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
     */
    readonly quarantineOnWrite: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless `httpDetections` is also enabled.
     */
    readonly redactHttpDetectionDetails: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle (`quarantineAndSecurityCenterRegistration`) to be enabled.
     */
    readonly scriptBasedExecutionMonitoring: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    readonly sehOverwriteProtection: pulumi.Output<boolean>;
    /**
     * For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
     */
    readonly sensorAntiMalware: pulumi.Output<outputs.PreventionPolicyWindowsSensorAntiMalware>;
    /**
     * For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
     */
    readonly sensorAntiMalwareUserInitiated: pulumi.Output<outputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated>;
    /**
     * Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
     */
    readonly sensorTamperingProtection: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
     */
    readonly suspiciousRegistryOperations: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only (`interpreterOnly`) and/or Script-Based Execution Monitoring (`scriptBasedExecutionMonitoring`).
     */
    readonly suspiciousScriptsAndCommands: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
     */
    readonly uploadUnknownDetectionRelatedExecutables: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
     */
    readonly uploadUnknownExecutables: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
     */
    readonly usbInsertionTriggeredScan: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect (`volumeShadowCopyProtect`).
     */
    readonly volumeShadowCopyAudit: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires `volumeShadowCopyAudit`.
     */
    readonly volumeShadowCopyProtect: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires `driverLoadPrevention`.
     */
    readonly vulnerableDriverProtection: pulumi.Output<boolean>;
    /**
     * Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
     */
    readonly windowsLogonBypassStickyKeys: pulumi.Output<boolean>;
    /**
     * Create a PreventionPolicyWindows resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args?: PreventionPolicyWindowsArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering PreventionPolicyWindows resources.
 *
 * Every field is optional; the descriptions mirror those on the PreventionPolicyWindows class,
 * including the prerequisites some settings have on others.
 */
export interface PreventionPolicyWindowsState {
    /**
     * Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
     * Several other settings (see their descriptions) require this setting to be enabled.
     */
    additionalUserModeData?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
     */
    advancedRemediation?: pulumi.Input<boolean>;
    /**
     * Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
     */
    adwareAndPup?: pulumi.Input<inputs.PreventionPolicyWindowsAdwareAndPup>;
    /**
     * Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
     */
    applicationExploitationActivity?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
     */
    backupDeletion?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
     */
    biosDeepVisibility?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
     */
    chopperWebshell?: pulumi.Input<boolean>;
    /**
     * Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
     */
    cloudAntiMalware?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalware>;
    /**
     * Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
     */
    cloudAntiMalwareMicrosoftOfficeFiles?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles>;
    /**
     * For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
     */
    cloudAntiMalwareUserInitiated?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated>;
    /**
     * Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires `additionalUserModeData` to be enabled.
     */
    codeInjection?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires `additionalUserModeData` to be enabled.
     */
    credentialDumping?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A process associated with Cryptowall was blocked.
     */
    cryptowall?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
     */
    customBlocking?: pulumi.Input<boolean>;
    /**
     * Description of the prevention policy.
     */
    description?: pulumi.Input<string>;
    /**
     * Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
     */
    detectOnWrite?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
     */
    driveByDownload?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
     * Required by `vulnerableDriverProtection`.
     */
    driverLoadPrevention?: pulumi.Input<boolean>;
    /**
     * Whether the prevention policy is enabled.
     */
    enabled?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires `interpreterOnly` to be enabled.
     */
    engineFullVisibility?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
     */
    enhancedExploitationVisibility?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
     */
    enhancedMlForLargerFiles?: pulumi.Input<boolean>;
    /**
     * Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
     */
    extendedUserModeData?: pulumi.Input<inputs.PreventionPolicyWindowsExtendedUserModeData>;
    /**
     * Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
     */
    fileEncryption?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
     */
    fileSystemAccess?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    forceAslr?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires `additionalUserModeData` to be enabled.
     */
    forceDep?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
     */
    hardwareEnhancedExploitDetection?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    heapSprayPreallocation?: pulumi.Input<boolean>;
    /**
     * Host Group ids to attach to the prevention policy.
     */
    hostGroups?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
     * See `redactHttpDetectionDetails` for controlling what detail those events carry.
     */
    httpDetections?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
     */
    intelligenceSourcedThreats?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring (`scriptBasedExecutionMonitoring`) may be used instead.
     */
    interpreterOnly?: pulumi.Input<boolean>;
    /**
     * IOA Rule Group ids to attach to the prevention policy.
     */
    ioaRuleGroups?: pulumi.Input<pulumi.Input<string>[]>;
    /**
     * Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
     */
    javascriptViaRundll32?: pulumi.Input<boolean>;
    /**
     * Not described by the provider schema. NOTE(review): presumably the timestamp of the last update
     * to the policy — confirm against the upstream provider before relying on its format.
     */
    lastUpdated?: pulumi.Input<string>;
    /**
     * Whether to enable the setting. A process determined to be associated with Locky was blocked.
     */
    locky?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
     */
    memoryScanning?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
     */
    memoryScanningScanWithCpu?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
     */
    microsoftOfficeFileSuspiciousMacroRemoval?: pulumi.Input<boolean>;
    /**
     * Name of the prevention policy.
     */
    name?: pulumi.Input<string>;
    /**
     * Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
     */
    notifyEndUsers?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    nullPageAllocation?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
     */
    onWriteScriptFileVisibility?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
     */
    preventSuspiciousProcesses?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
     * Required by `scriptBasedExecutionMonitoring`.
     */
    quarantineAndSecurityCenterRegistration?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
     */
    quarantineOnRemovableMedia?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
     */
    quarantineOnWrite?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless `httpDetections` is also enabled.
     */
    redactHttpDetectionDetails?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires the Quarantine & Security Center Registration toggle (`quarantineAndSecurityCenterRegistration`) to be enabled.
     */
    scriptBasedExecutionMonitoring?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires `additionalUserModeData` to be enabled.
     */
    sehOverwriteProtection?: pulumi.Input<boolean>;
    /**
     * For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
     */
    sensorAntiMalware?: pulumi.Input<inputs.PreventionPolicyWindowsSensorAntiMalware>;
    /**
     * For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
     */
    sensorAntiMalwareUserInitiated?: pulumi.Input<inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated>;
    /**
     * Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
     */
    sensorTamperingProtection?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
     */
    suspiciousRegistryOperations?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only (`interpreterOnly`) and/or Script-Based Execution Monitoring (`scriptBasedExecutionMonitoring`).
     */
    suspiciousScriptsAndCommands?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
     */
    uploadUnknownDetectionRelatedExecutables?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
     */
    uploadUnknownExecutables?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
     */
    usbInsertionTriggeredScan?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect (`volumeShadowCopyProtect`).
     */
    volumeShadowCopyAudit?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires `volumeShadowCopyAudit`.
     */
    volumeShadowCopyProtect?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires `driverLoadPrevention`.
     */
    vulnerableDriverProtection?: pulumi.Input<boolean>;
    /**
     * Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
     */
    windowsLogonBypassStickyKeys?: pulumi.Input<boolean>;
}
/**
* The set of arguments for constructing a PreventionPolicyWindows resource.
*/
export interface PreventionPolicyWindowsArgs {
/**
* Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
*/
additionalUserModeData?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
*/
advancedRemediation?: pulumi.Input<boolean>;
/**
* Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
*/
adwareAndPup?: pulumi.Input<inputs.PreventionPolicyWindowsAdwareAndPup>;
/**
* Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
*/
applicationExploitationActivity?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
*/
backupDeletion?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
*/
biosDeepVisibility?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
*/
chopperWebshell?: pulumi.Input<boolean>;
/**
* Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
*/
cloudAntiMalware?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalware>;
/**
* Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
*/
cloudAntiMalwareMicrosoftOfficeFiles?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles>;
/**
* For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
*/
cloudAntiMalwareUserInitiated?: pulumi.Input<inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated>;
/**
* Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additionalUserModeData to be enabled.
*/
codeInjection?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additionalUserModeData to be enabled.
*/
credentialDumping?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A process associated with Cryptowall was blocked.
*/
cryptowall?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
*/
customBlocking?: pulumi.Input<boolean>;
/**
* Description of the prevention policy.
*/
description?: pulumi.Input<string>;
/**
* Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
*/
detectOnWrite?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
*/
driveByDownload?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
*/
driverLoadPrevention?: pulumi.Input<boolean>;
/**
* Enable the prevention policy.
*/
enabled?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreterOnly to be enabled.
*/
engineFullVisibility?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
*/
enhancedExploitationVisibility?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
*/
enhancedMlForLargerFiles?: pulumi.Input<boolean>;
/**
* Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
*/
extendedUserModeData?: pulumi.Input<inputs.PreventionPolicyWindowsExtendedUserModeData>;
/**
* Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
*/
fileEncryption?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
*/
fileSystemAccess?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
*/
forceAslr?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additionalUserModeData to be enabled.
*/
forceDep?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
*/
hardwareEnhancedExploitDetection?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
*/
heapSprayPreallocation?: pulumi.Input<boolean>;
/**
* Host Group ids to attach to the prevention policy.
*/
hostGroups?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
*/
httpDetections?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
*/
intelligenceSourcedThreats?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
*/
interpreterOnly?: pulumi.Input<boolean>;
/**
* IOA Rule Group to attach to the prevention policy.
*/
ioaRuleGroups?: pulumi.Input<pulumi.Input<string>[]>;
/**
* Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
*/
javascriptViaRundll32?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. A process determined to be associated with Locky was blocked.
*/
locky?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
*/
memoryScanning?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
*/
memoryScanningScanWithCpu?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
*/
microsoftOfficeFileSuspiciousMacroRemoval?: pulumi.Input<boolean>;
/**
* Name of the prevention policy.
*/
name?: pulumi.Input<string>;
/**
* Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
*/
notifyEndUsers?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
*/
nullPageAllocation?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
*/
onWriteScriptFileVisibility?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
*/
preventSuspiciousProcesses?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
*/
quarantineAndSecurityCenterRegistration?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
*/
quarantineOnRemovableMedia?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
*/
quarantineOnWrite?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
*/
redactHttpDetectionDetails?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
*/
scriptBasedExecutionMonitoring?: pulumi.Input<boolean>;
/**
* Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additionalUserModeData to be enabled.
*/
sehOverwriteProtection?: pulumi.Input<boolean>;
/**
* For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
*/
sensorAntiMalware?: pulumi.Input<inputs.PreventionPolicyWindowsSensorAntiMalware>;
/**
* For offline and online hosts running on-demand scans initiated by end users, use sensor