CrowdStrike v0.0.10 published on Monday, Mar 3, 2025 by CrowdStrike

crowdstrike.PreventionPolicyWindows


    This resource allows you to manage CrowdStrike Falcon prevention policies for Windows hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.

    API Scopes

    The following API scopes are required:

    • Prevention policies | Read & Write

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as crowdstrike from "@crowdstrike/pulumi";
    
    const example = new crowdstrike.PreventionPolicyWindows("example", {
        enabled: true,
        description: "Made with Pulumi",
        hostGroups: [],
        ioaRuleGroups: [],
        adwareAndPup: {
            detection: "MODERATE",
            prevention: "CAUTIOUS",
        },
        cloudAntiMalwareMicrosoftOfficeFiles: {
            detection: "MODERATE",
            prevention: "DISABLED",
        },
        cloudAntiMalware: {
            detection: "MODERATE",
            prevention: "CAUTIOUS",
        },
        cloudAntiMalwareUserInitiated: {
            detection: "MODERATE",
            prevention: "CAUTIOUS",
        },
        sensorAntiMalware: {
            detection: "MODERATE",
            prevention: "CAUTIOUS",
        },
        sensorAntiMalwareUserInitiated: {
            detection: "MODERATE",
            prevention: "CAUTIOUS",
        },
        extendedUserModeData: {
            detection: "MODERATE",
        },
        usbInsertionTriggeredScan: true,
        applicationExploitationActivity: true,
        additionalUserModeData: true,
        notifyEndUsers: true,
        advancedRemediation: true,
        backupDeletion: true,
        biosDeepVisibility: true,
        chopperWebshell: true,
        codeInjection: true,
        credentialDumping: true,
        cryptowall: true,
        customBlocking: true,
        detectOnWrite: true,
        driveByDownload: true,
        driverLoadPrevention: true,
        interpreterOnly: true,
        engineFullVisibility: true,
        enhancedExploitationVisibility: true,
        enhancedDllLoadVisibility: true,
        enhancedMlForLargerFiles: true,
        fileEncryption: true,
        fileSystemAccess: true,
        forceAslr: true,
        forceDep: true,
        heapSprayPreallocation: true,
        nullPageAllocation: true,
        sehOverwriteProtection: true,
        hardwareEnhancedExploitDetection: true,
        httpDetections: true,
        redactHttpDetectionDetails: true,
        intelligenceSourcedThreats: true,
        javascriptViaRundll32: true,
        locky: true,
        memoryScanning: true,
        memoryScanningScanWithCpu: true,
        microsoftOfficeFileSuspiciousMacroRemoval: true,
        onWriteScriptFileVisibility: true,
        preventSuspiciousProcesses: true,
        quarantineAndSecurityCenterRegistration: true,
        quarantineOnRemovableMedia: true,
        quarantineOnWrite: true,
        scriptBasedExecutionMonitoring: true,
        sensorTamperingProtection: true,
        suspiciousRegistryOperations: true,
        suspiciousScriptsAndCommands: true,
        uploadUnknownExecutables: true,
        uploadUnknownDetectionRelatedExecutables: true,
        volumeShadowCopyAudit: true,
        volumeShadowCopyProtect: true,
        vulnerableDriverProtection: true,
        windowsLogonBypassStickyKeys: true,
    });
    export const preventionPolicyWindows = example;
    
    import pulumi
    import crowdstrike_pulumi as crowdstrike
    
    example = crowdstrike.PreventionPolicyWindows("example",
        enabled=True,
        description="Made with Pulumi",
        host_groups=[],
        ioa_rule_groups=[],
        adware_and_pup={
            "detection": "MODERATE",
            "prevention": "CAUTIOUS",
        },
        cloud_anti_malware_microsoft_office_files={
            "detection": "MODERATE",
            "prevention": "DISABLED",
        },
        cloud_anti_malware={
            "detection": "MODERATE",
            "prevention": "CAUTIOUS",
        },
        cloud_anti_malware_user_initiated={
            "detection": "MODERATE",
            "prevention": "CAUTIOUS",
        },
        sensor_anti_malware={
            "detection": "MODERATE",
            "prevention": "CAUTIOUS",
        },
        sensor_anti_malware_user_initiated={
            "detection": "MODERATE",
            "prevention": "CAUTIOUS",
        },
        extended_user_mode_data={
            "detection": "MODERATE",
        },
        usb_insertion_triggered_scan=True,
        application_exploitation_activity=True,
        additional_user_mode_data=True,
        notify_end_users=True,
        advanced_remediation=True,
        backup_deletion=True,
        bios_deep_visibility=True,
        chopper_webshell=True,
        code_injection=True,
        credential_dumping=True,
        cryptowall=True,
        custom_blocking=True,
        detect_on_write=True,
        drive_by_download=True,
        driver_load_prevention=True,
        interpreter_only=True,
        engine_full_visibility=True,
        enhanced_exploitation_visibility=True,
        enhanced_dll_load_visibility=True,
        enhanced_ml_for_larger_files=True,
        file_encryption=True,
        file_system_access=True,
        force_aslr=True,
        force_dep=True,
        heap_spray_preallocation=True,
        null_page_allocation=True,
        seh_overwrite_protection=True,
        hardware_enhanced_exploit_detection=True,
        http_detections=True,
        redact_http_detection_details=True,
        intelligence_sourced_threats=True,
        javascript_via_rundll32=True,
        locky=True,
        memory_scanning=True,
        memory_scanning_scan_with_cpu=True,
        microsoft_office_file_suspicious_macro_removal=True,
        on_write_script_file_visibility=True,
        prevent_suspicious_processes=True,
        quarantine_and_security_center_registration=True,
        quarantine_on_removable_media=True,
        quarantine_on_write=True,
        script_based_execution_monitoring=True,
        sensor_tampering_protection=True,
        suspicious_registry_operations=True,
        suspicious_scripts_and_commands=True,
        upload_unknown_executables=True,
        upload_unknown_detection_related_executables=True,
        volume_shadow_copy_audit=True,
        volume_shadow_copy_protect=True,
        vulnerable_driver_protection=True,
        windows_logon_bypass_sticky_keys=True)
    pulumi.export("preventionPolicyWindows", example)
    
    package main
    
    import (
    	"github.com/crowdstrike/pulumi-crowdstrike/sdk/go/crowdstrike"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		example, err := crowdstrike.NewPreventionPolicyWindows(ctx, "example", &crowdstrike.PreventionPolicyWindowsArgs{
    			Enabled:       pulumi.Bool(true),
    			Description:   pulumi.String("Made with Pulumi"),
    			HostGroups:    pulumi.StringArray{},
    			IoaRuleGroups: pulumi.StringArray{},
    			AdwareAndPup: &crowdstrike.PreventionPolicyWindowsAdwareAndPupArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("CAUTIOUS"),
    			},
    			CloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("DISABLED"),
    			},
    			CloudAntiMalware: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("CAUTIOUS"),
    			},
    			CloudAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("CAUTIOUS"),
    			},
    			SensorAntiMalware: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("CAUTIOUS"),
    			},
    			SensorAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{
    				Detection:  pulumi.String("MODERATE"),
    				Prevention: pulumi.String("CAUTIOUS"),
    			},
    			ExtendedUserModeData: &crowdstrike.PreventionPolicyWindowsExtendedUserModeDataArgs{
    				Detection: pulumi.String("MODERATE"),
    			},
    			UsbInsertionTriggeredScan:                 pulumi.Bool(true),
    			ApplicationExploitationActivity:           pulumi.Bool(true),
    			AdditionalUserModeData:                    pulumi.Bool(true),
    			NotifyEndUsers:                            pulumi.Bool(true),
    			AdvancedRemediation:                       pulumi.Bool(true),
    			BackupDeletion:                            pulumi.Bool(true),
    			BiosDeepVisibility:                        pulumi.Bool(true),
    			ChopperWebshell:                           pulumi.Bool(true),
    			CodeInjection:                             pulumi.Bool(true),
    			CredentialDumping:                         pulumi.Bool(true),
    			Cryptowall:                                pulumi.Bool(true),
    			CustomBlocking:                            pulumi.Bool(true),
    			DetectOnWrite:                             pulumi.Bool(true),
    			DriveByDownload:                           pulumi.Bool(true),
    			DriverLoadPrevention:                      pulumi.Bool(true),
    			InterpreterOnly:                           pulumi.Bool(true),
    			EngineFullVisibility:                      pulumi.Bool(true),
    			EnhancedExploitationVisibility:            pulumi.Bool(true),
    			EnhancedDllLoadVisibility:                 pulumi.Bool(true),
    			EnhancedMlForLargerFiles:                  pulumi.Bool(true),
    			FileEncryption:                            pulumi.Bool(true),
    			FileSystemAccess:                          pulumi.Bool(true),
    			ForceAslr:                                 pulumi.Bool(true),
    			ForceDep:                                  pulumi.Bool(true),
    			HeapSprayPreallocation:                    pulumi.Bool(true),
    			NullPageAllocation:                        pulumi.Bool(true),
    			SehOverwriteProtection:                    pulumi.Bool(true),
    			HardwareEnhancedExploitDetection:          pulumi.Bool(true),
    			HttpDetections:                            pulumi.Bool(true),
    			RedactHttpDetectionDetails:                pulumi.Bool(true),
    			IntelligenceSourcedThreats:                pulumi.Bool(true),
    			JavascriptViaRundll32:                     pulumi.Bool(true),
    			Locky:                                     pulumi.Bool(true),
    			MemoryScanning:                            pulumi.Bool(true),
    			MemoryScanningScanWithCpu:                 pulumi.Bool(true),
    			MicrosoftOfficeFileSuspiciousMacroRemoval: pulumi.Bool(true),
    			OnWriteScriptFileVisibility:               pulumi.Bool(true),
    			PreventSuspiciousProcesses:                pulumi.Bool(true),
    			QuarantineAndSecurityCenterRegistration:   pulumi.Bool(true),
    			QuarantineOnRemovableMedia:                pulumi.Bool(true),
    			QuarantineOnWrite:                         pulumi.Bool(true),
    			ScriptBasedExecutionMonitoring:            pulumi.Bool(true),
    			SensorTamperingProtection:                 pulumi.Bool(true),
    			SuspiciousRegistryOperations:              pulumi.Bool(true),
    			SuspiciousScriptsAndCommands:              pulumi.Bool(true),
    			UploadUnknownExecutables:                  pulumi.Bool(true),
    			UploadUnknownDetectionRelatedExecutables:  pulumi.Bool(true),
    			VolumeShadowCopyAudit:                     pulumi.Bool(true),
    			VolumeShadowCopyProtect:                   pulumi.Bool(true),
    			VulnerableDriverProtection:                pulumi.Bool(true),
    			WindowsLogonBypassStickyKeys:              pulumi.Bool(true),
    		})
    		if err != nil {
    			return err
    		}
    		ctx.Export("preventionPolicyWindows", example)
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Crowdstrike = CrowdStrike.Crowdstrike;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Crowdstrike.PreventionPolicyWindows("example", new()
        {
            Enabled = true,
            Description = "Made with Pulumi",
            HostGroups = new string[] {},
            IoaRuleGroups = new string[] {},
            AdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPupArgs
            {
                Detection = "MODERATE",
                Prevention = "CAUTIOUS",
            },
            CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
            {
                Detection = "MODERATE",
                Prevention = "DISABLED",
            },
            CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareArgs
            {
                Detection = "MODERATE",
                Prevention = "CAUTIOUS",
            },
            CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
            {
                Detection = "MODERATE",
                Prevention = "CAUTIOUS",
            },
            SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareArgs
            {
                Detection = "MODERATE",
                Prevention = "CAUTIOUS",
            },
            SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
            {
                Detection = "MODERATE",
                Prevention = "CAUTIOUS",
            },
            ExtendedUserModeData = new Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeDataArgs
            {
                Detection = "MODERATE",
            },
            UsbInsertionTriggeredScan = true,
            ApplicationExploitationActivity = true,
            AdditionalUserModeData = true,
            NotifyEndUsers = true,
            AdvancedRemediation = true,
            BackupDeletion = true,
            BiosDeepVisibility = true,
            ChopperWebshell = true,
            CodeInjection = true,
            CredentialDumping = true,
            Cryptowall = true,
            CustomBlocking = true,
            DetectOnWrite = true,
            DriveByDownload = true,
            DriverLoadPrevention = true,
            InterpreterOnly = true,
            EngineFullVisibility = true,
            EnhancedExploitationVisibility = true,
            EnhancedDllLoadVisibility = true,
            EnhancedMlForLargerFiles = true,
            FileEncryption = true,
            FileSystemAccess = true,
            ForceAslr = true,
            ForceDep = true,
            HeapSprayPreallocation = true,
            NullPageAllocation = true,
            SehOverwriteProtection = true,
            HardwareEnhancedExploitDetection = true,
            HttpDetections = true,
            RedactHttpDetectionDetails = true,
            IntelligenceSourcedThreats = true,
            JavascriptViaRundll32 = true,
            Locky = true,
            MemoryScanning = true,
            MemoryScanningScanWithCpu = true,
            MicrosoftOfficeFileSuspiciousMacroRemoval = true,
            OnWriteScriptFileVisibility = true,
            PreventSuspiciousProcesses = true,
            QuarantineAndSecurityCenterRegistration = true,
            QuarantineOnRemovableMedia = true,
            QuarantineOnWrite = true,
            ScriptBasedExecutionMonitoring = true,
            SensorTamperingProtection = true,
            SuspiciousRegistryOperations = true,
            SuspiciousScriptsAndCommands = true,
            UploadUnknownExecutables = true,
            UploadUnknownDetectionRelatedExecutables = true,
            VolumeShadowCopyAudit = true,
            VolumeShadowCopyProtect = true,
            VulnerableDriverProtection = true,
            WindowsLogonBypassStickyKeys = true,
        });
    
        return new Dictionary<string, object?>
        {
            ["preventionPolicyWindows"] = example,
        };
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.crowdstrike.PreventionPolicyWindows;
    import com.pulumi.crowdstrike.PreventionPolicyWindowsArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsAdwareAndPupArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs;
    import com.pulumi.crowdstrike.inputs.PreventionPolicyWindowsExtendedUserModeDataArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new PreventionPolicyWindows("example", PreventionPolicyWindowsArgs.builder()
                .enabled(true)
                .description("Made with Pulumi")
                .hostGroups()
                .ioaRuleGroups()
                // Slider settings: each takes a detection level and a prevention level.
                .adwareAndPup(PreventionPolicyWindowsAdwareAndPupArgs.builder()
                    .detection("MODERATE")
                    .prevention("CAUTIOUS")
                    .build())
                .cloudAntiMalwareMicrosoftOfficeFiles(PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()
                    .detection("MODERATE")
                    .prevention("DISABLED")
                    .build())
                .cloudAntiMalware(PreventionPolicyWindowsCloudAntiMalwareArgs.builder()
                    .detection("MODERATE")
                    .prevention("CAUTIOUS")
                    .build())
                .cloudAntiMalwareUserInitiated(PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()
                    .detection("MODERATE")
                    .prevention("CAUTIOUS")
                    .build())
                .sensorAntiMalware(PreventionPolicyWindowsSensorAntiMalwareArgs.builder()
                    .detection("MODERATE")
                    .prevention("CAUTIOUS")
                    .build())
                .sensorAntiMalwareUserInitiated(PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()
                    .detection("MODERATE")
                    .prevention("CAUTIOUS")
                    .build())
                // Extended user mode data has a detection level only.
                .extendedUserModeData(PreventionPolicyWindowsExtendedUserModeDataArgs.builder()
                    .detection("MODERATE")
                    .build())
                // Boolean toggles.
                .usbInsertionTriggeredScan(true)
                .applicationExploitationActivity(true)
                .additionalUserModeData(true)
                .notifyEndUsers(true)
                .advancedRemediation(true)
                .backupDeletion(true)
                .biosDeepVisibility(true)
                .chopperWebshell(true)
                .codeInjection(true)
                .credentialDumping(true)
                .cryptowall(true)
                .customBlocking(true)
                .detectOnWrite(true)
                .driveByDownload(true)
                .driverLoadPrevention(true)
                .interpreterOnly(true)
                .engineFullVisibility(true)
                .enhancedExploitationVisibility(true)
                .enhancedDllLoadVisibility(true)
                .enhancedMlForLargerFiles(true)
                .fileEncryption(true)
                .fileSystemAccess(true)
                .forceAslr(true)
                .forceDep(true)
                .heapSprayPreallocation(true)
                .nullPageAllocation(true)
                .sehOverwriteProtection(true)
                .hardwareEnhancedExploitDetection(true)
                .httpDetections(true)
                .redactHttpDetectionDetails(true)
                .intelligenceSourcedThreats(true)
                .javascriptViaRundll32(true)
                .locky(true)
                .memoryScanning(true)
                .memoryScanningScanWithCpu(true)
                .microsoftOfficeFileSuspiciousMacroRemoval(true)
                .onWriteScriptFileVisibility(true)
                .preventSuspiciousProcesses(true)
                .quarantineAndSecurityCenterRegistration(true)
                .quarantineOnRemovableMedia(true)
                .quarantineOnWrite(true)
                .scriptBasedExecutionMonitoring(true)
                .sensorTamperingProtection(true)
                .suspiciousRegistryOperations(true)
                .suspiciousScriptsAndCommands(true)
                .uploadUnknownExecutables(true)
                .uploadUnknownDetectionRelatedExecutables(true)
                .volumeShadowCopyAudit(true)
                .volumeShadowCopyProtect(true)
                .vulnerableDriverProtection(true)
                .windowsLogonBypassStickyKeys(true)
                .build());
    
            ctx.export("preventionPolicyWindows", example);
        }
    }
    
    resources:
      example:
        type: crowdstrike:PreventionPolicyWindows
        properties:
          enabled: true
          description: Made with Pulumi
          hostGroups: []
          ioaRuleGroups: []
          adwareAndPup:
            detection: MODERATE
            prevention: CAUTIOUS
          cloudAntiMalwareMicrosoftOfficeFiles:
            detection: MODERATE
            prevention: DISABLED
          cloudAntiMalware:
            detection: MODERATE
            prevention: CAUTIOUS
          cloudAntiMalwareUserInitiated:
            detection: MODERATE
            prevention: CAUTIOUS
          sensorAntiMalware:
            detection: MODERATE
            prevention: CAUTIOUS
          sensorAntiMalwareUserInitiated:
            detection: MODERATE
            prevention: CAUTIOUS
          extendedUserModeData:
            detection: MODERATE
          usbInsertionTriggeredScan: true
          applicationExploitationActivity: true
          additionalUserModeData: true
          notifyEndUsers: true
          advancedRemediation: true
          backupDeletion: true
          biosDeepVisibility: true
          chopperWebshell: true
          codeInjection: true
          credentialDumping: true
          cryptowall: true
          customBlocking: true
          detectOnWrite: true
          driveByDownload: true
          driverLoadPrevention: true
          interpreterOnly: true
          engineFullVisibility: true
          enhancedExploitationVisibility: true
          enhancedDllLoadVisibility: true
          enhancedMlForLargerFiles: true
          fileEncryption: true
          fileSystemAccess: true
          forceAslr: true
          forceDep: true
          heapSprayPreallocation: true
          nullPageAllocation: true
          sehOverwriteProtection: true
          hardwareEnhancedExploitDetection: true
          httpDetections: true
          redactHttpDetectionDetails: true
          intelligenceSourcedThreats: true
          javascriptViaRundll32: true
          locky: true
          memoryScanning: true
          memoryScanningScanWithCpu: true
          microsoftOfficeFileSuspiciousMacroRemoval: true
          onWriteScriptFileVisibility: true
          preventSuspiciousProcesses: true
          quarantineAndSecurityCenterRegistration: true
          quarantineOnRemovableMedia: true
          quarantineOnWrite: true
          scriptBasedExecutionMonitoring: true
          sensorTamperingProtection: true
          suspiciousRegistryOperations: true
          suspiciousScriptsAndCommands: true
          uploadUnknownExecutables: true
          uploadUnknownDetectionRelatedExecutables: true
          volumeShadowCopyAudit: true
          volumeShadowCopyProtect: true
          vulnerableDriverProtection: true
          windowsLogonBypassStickyKeys: true
    outputs:
      preventionPolicyWindows: ${example}
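
A pre-deployment audit of the arguments used in the example above, written as an added example; it is not part of the CrowdStrike provider or of the original page. It flags sliders left in detect-only mode, a policy with no host groups, and baseline toggles that are not `true`. Property names come from the page's example; the level ordering in `LEVELS`, the `REQUIRED_TOGGLES` baseline and the host group id are assumptions.

```typescript
// Added example (not provider code): audit PreventionPolicyWindows arguments
// before deployment. Property names are taken from the page's example.

interface Slider { detection: string; prevention?: string }
interface Finding { field: string; severity: "high" | "medium"; reason: string }
type PolicyArgs = { [key: string]: unknown };

// Assumption: slider levels ordered from least to most aggressive.
// Only DISABLED, CAUTIOUS and MODERATE appear on the page.
const LEVELS: string[] = ["DISABLED", "CAUTIOUS", "MODERATE", "AGGRESSIVE", "EXTRA_AGGRESSIVE"];

// Properties that take a detection/prevention pair in the page's example.
const SLIDERS: string[] = [
  "adwareAndPup",
  "cloudAntiMalwareMicrosoftOfficeFiles",
  "cloudAntiMalware",
  "cloudAntiMalwareUserInitiated",
  "sensorAntiMalware",
  "sensorAntiMalwareUserInitiated",
];

// Hypothetical team baseline: toggles that must be explicitly true.
const REQUIRED_TOGGLES: string[] = [
  "sensorTamperingProtection",
  "credentialDumping",
  "volumeShadowCopyProtect",
  "vulnerableDriverProtection",
  "quarantineOnWrite",
];

function isSlider(v: unknown): v is Slider {
  return typeof v === "object" && v !== null &&
    typeof (v as { detection?: unknown }).detection === "string";
}

function auditPreventionPolicy(args: PolicyArgs): Finding[] {
  const findings: Finding[] = [];
  if (args["enabled"] !== true) {
    findings.push({ field: "enabled", severity: "high", reason: "policy is not enabled" });
  }
  const groups = args["hostGroups"];
  if (!Array.isArray(groups) || groups.length === 0) {
    findings.push({ field: "hostGroups", severity: "medium", reason: "no host groups attached to the policy" });
  }
  for (const field of SLIDERS) {
    const value = args[field];
    if (!isSlider(value)) {
      findings.push({ field, severity: "high", reason: "slider is not configured" });
      continue;
    }
    const det = LEVELS.indexOf(value.detection);
    const prev = LEVELS.indexOf(value.prevention === undefined ? "DISABLED" : value.prevention);
    if (det < 0 || prev < 0) {
      findings.push({ field, severity: "medium", reason: "unrecognised level name" });
    } else if (prev > det) {
      // Assumption: prevention should never be more aggressive than detection.
      findings.push({ field, severity: "medium", reason: "prevention level exceeds detection level" });
    } else if (prev === 0) {
      findings.push({ field, severity: "high", reason: "prevention is DISABLED (detect-only)" });
    }
  }
  for (const field of REQUIRED_TOGGLES) {
    if (args[field] !== true) {
      findings.push({ field, severity: "high", reason: "baseline toggle is not true" });
    }
  }
  return findings;
}

// Slider and baseline values copied from the page's example.
const pagePolicy: PolicyArgs = {
  enabled: true,
  hostGroups: [],
  adwareAndPup: { detection: "MODERATE", prevention: "CAUTIOUS" },
  cloudAntiMalwareMicrosoftOfficeFiles: { detection: "MODERATE", prevention: "DISABLED" },
  cloudAntiMalware: { detection: "MODERATE", prevention: "CAUTIOUS" },
  cloudAntiMalwareUserInitiated: { detection: "MODERATE", prevention: "CAUTIOUS" },
  sensorAntiMalware: { detection: "MODERATE", prevention: "CAUTIOUS" },
  sensorAntiMalwareUserInitiated: { detection: "MODERATE", prevention: "CAUTIOUS" },
  sensorTamperingProtection: true,
  credentialDumping: true,
  volumeShadowCopyProtect: true,
  vulnerableDriverProtection: true,
  quarantineOnWrite: true,
};

// Constructed variant: a placeholder host group id, an inverted slider and
// tamper protection switched off.
const weakenedPolicy: PolicyArgs = {
  ...pagePolicy,
  hostGroups: ["example-host-group-id"],
  cloudAntiMalwareMicrosoftOfficeFiles: { detection: "MODERATE", prevention: "CAUTIOUS" },
  cloudAntiMalware: { detection: "CAUTIOUS", prevention: "MODERATE" },
  sensorTamperingProtection: false,
};

// Comma-separated list of flagged fields, in the order they were checked.
function findingFields(args: PolicyArgs): string {
  return auditPreventionPolicy(args).map((f) => f.field).join(",");
}
```

Run against the page's example values, the audit reports the empty `hostGroups` list and the `DISABLED` prevention level on `cloudAntiMalwareMicrosoftOfficeFiles`.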
    

    Create PreventionPolicyWindows Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new PreventionPolicyWindows(name: string, args: PreventionPolicyWindowsArgs, opts?: CustomResourceOptions);
    
    @overload
    def PreventionPolicyWindows(resource_name: str,
                                args: PreventionPolicyWindowsArgs,
                                opts: Optional[ResourceOptions] = None)
    
    @overload
    def PreventionPolicyWindows(resource_name: str,
                                opts: Optional[ResourceOptions] = None,
                                host_groups: Optional[Sequence[str]] = None,
                                ioa_rule_groups: Optional[Sequence[str]] = None,
                                heap_spray_preallocation: Optional[bool] = None,
                                volume_shadow_copy_protect: Optional[bool] = None,
                                backup_deletion: Optional[bool] = None,
                                bios_deep_visibility: Optional[bool] = None,
                                chopper_webshell: Optional[bool] = None,
                                cloud_anti_malware: Optional[PreventionPolicyWindowsCloudAntiMalwareArgs] = None,
                                cloud_anti_malware_microsoft_office_files: Optional[PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs] = None,
                                intelligence_sourced_threats: Optional[bool] = None,
                                code_injection: Optional[bool] = None,
                                credential_dumping: Optional[bool] = None,
                                cryptowall: Optional[bool] = None,
                                custom_blocking: Optional[bool] = None,
                                description: Optional[str] = None,
                                detect_on_write: Optional[bool] = None,
                                drive_by_download: Optional[bool] = None,
                                driver_load_prevention: Optional[bool] = None,
                                enabled: Optional[bool] = None,
                                engine_full_visibility: Optional[bool] = None,
                                enhanced_dll_load_visibility: Optional[bool] = None,
                                enhanced_exploitation_visibility: Optional[bool] = None,
                                enhanced_ml_for_larger_files: Optional[bool] = None,
                                extended_user_mode_data: Optional[PreventionPolicyWindowsExtendedUserModeDataArgs] = None,
                                file_encryption: Optional[bool] = None,
                                file_system_access: Optional[bool] = None,
                                force_aslr: Optional[bool] = None,
                                force_dep: Optional[bool] = None,
                                hardware_enhanced_exploit_detection: Optional[bool] = None,
                                additional_user_mode_data: Optional[bool] = None,
                                adware_and_pup: Optional[PreventionPolicyWindowsAdwareAndPupArgs] = None,
                                http_detections: Optional[bool] = None,
                                advanced_remediation: Optional[bool] = None,
                                application_exploitation_activity: Optional[bool] = None,
                                cloud_anti_malware_user_initiated: Optional[PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs] = None,
                                javascript_via_rundll32: Optional[bool] = None,
                                locky: Optional[bool] = None,
                                memory_scanning: Optional[bool] = None,
                                memory_scanning_scan_with_cpu: Optional[bool] = None,
                                microsoft_office_file_suspicious_macro_removal: Optional[bool] = None,
                                name: Optional[str] = None,
                                notify_end_users: Optional[bool] = None,
                                null_page_allocation: Optional[bool] = None,
                                on_write_script_file_visibility: Optional[bool] = None,
                                prevent_suspicious_processes: Optional[bool] = None,
                                quarantine_and_security_center_registration: Optional[bool] = None,
                                quarantine_on_removable_media: Optional[bool] = None,
                                quarantine_on_write: Optional[bool] = None,
                                redact_http_detection_details: Optional[bool] = None,
                                script_based_execution_monitoring: Optional[bool] = None,
                                seh_overwrite_protection: Optional[bool] = None,
                                sensor_anti_malware: Optional[PreventionPolicyWindowsSensorAntiMalwareArgs] = None,
                                sensor_anti_malware_user_initiated: Optional[PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs] = None,
                                sensor_tampering_protection: Optional[bool] = None,
                                suspicious_registry_operations: Optional[bool] = None,
                                suspicious_scripts_and_commands: Optional[bool] = None,
                                upload_unknown_detection_related_executables: Optional[bool] = None,
                                upload_unknown_executables: Optional[bool] = None,
                                usb_insertion_triggered_scan: Optional[bool] = None,
                                volume_shadow_copy_audit: Optional[bool] = None,
                                interpreter_only: Optional[bool] = None,
                                vulnerable_driver_protection: Optional[bool] = None,
                                windows_logon_bypass_sticky_keys: Optional[bool] = None)
    func NewPreventionPolicyWindows(ctx *Context, name string, args PreventionPolicyWindowsArgs, opts ...ResourceOption) (*PreventionPolicyWindows, error)
    public PreventionPolicyWindows(string name, PreventionPolicyWindowsArgs args, CustomResourceOptions? opts = null)
    public PreventionPolicyWindows(String name, PreventionPolicyWindowsArgs args)
    public PreventionPolicyWindows(String name, PreventionPolicyWindowsArgs args, CustomResourceOptions options)
    
    type: crowdstrike:PreventionPolicyWindows
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args PreventionPolicyWindowsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args PreventionPolicyWindowsArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args PreventionPolicyWindowsArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args PreventionPolicyWindowsArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args PreventionPolicyWindowsArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var preventionPolicyWindowsResource = new Crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource", new()
    {
        HostGroups = new[]
        {
            "string",
        },
        IoaRuleGroups = new[]
        {
            "string",
        },
        HeapSprayPreallocation = false,
        VolumeShadowCopyProtect = false,
        BackupDeletion = false,
        BiosDeepVisibility = false,
        ChopperWebshell = false,
        CloudAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        CloudAntiMalwareMicrosoftOfficeFiles = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        IntelligenceSourcedThreats = false,
        CodeInjection = false,
        CredentialDumping = false,
        Cryptowall = false,
        CustomBlocking = false,
        Description = "string",
        DetectOnWrite = false,
        DriveByDownload = false,
        DriverLoadPrevention = false,
        Enabled = false,
        EngineFullVisibility = false,
        EnhancedDllLoadVisibility = false,
        EnhancedExploitationVisibility = false,
        EnhancedMlForLargerFiles = false,
        ExtendedUserModeData = new Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeDataArgs
        {
            Detection = "string",
        },
        FileEncryption = false,
        FileSystemAccess = false,
        ForceAslr = false,
        ForceDep = false,
        HardwareEnhancedExploitDetection = false,
        AdditionalUserModeData = false,
        AdwareAndPup = new Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPupArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        HttpDetections = false,
        AdvancedRemediation = false,
        ApplicationExploitationActivity = false,
        CloudAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        JavascriptViaRundll32 = false,
        Locky = false,
        MemoryScanning = false,
        MemoryScanningScanWithCpu = false,
        MicrosoftOfficeFileSuspiciousMacroRemoval = false,
        Name = "string",
        NotifyEndUsers = false,
        NullPageAllocation = false,
        OnWriteScriptFileVisibility = false,
        PreventSuspiciousProcesses = false,
        QuarantineAndSecurityCenterRegistration = false,
        QuarantineOnRemovableMedia = false,
        QuarantineOnWrite = false,
        RedactHttpDetectionDetails = false,
        ScriptBasedExecutionMonitoring = false,
        SehOverwriteProtection = false,
        SensorAntiMalware = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        SensorAntiMalwareUserInitiated = new Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
        {
            Detection = "string",
            Prevention = "string",
        },
        SensorTamperingProtection = false,
        SuspiciousRegistryOperations = false,
        SuspiciousScriptsAndCommands = false,
        UploadUnknownDetectionRelatedExecutables = false,
        UploadUnknownExecutables = false,
        UsbInsertionTriggeredScan = false,
        VolumeShadowCopyAudit = false,
        InterpreterOnly = false,
        VulnerableDriverProtection = false,
        WindowsLogonBypassStickyKeys = false,
    });
    
    example, err := crowdstrike.NewPreventionPolicyWindows(ctx, "preventionPolicyWindowsResource", &crowdstrike.PreventionPolicyWindowsArgs{
    	HostGroups: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	IoaRuleGroups: pulumi.StringArray{
    		pulumi.String("string"),
    	},
    	HeapSprayPreallocation:  pulumi.Bool(false),
    	VolumeShadowCopyProtect: pulumi.Bool(false),
    	BackupDeletion:          pulumi.Bool(false),
    	BiosDeepVisibility:      pulumi.Bool(false),
    	ChopperWebshell:         pulumi.Bool(false),
    	CloudAntiMalware: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	CloudAntiMalwareMicrosoftOfficeFiles: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	IntelligenceSourcedThreats:     pulumi.Bool(false),
    	CodeInjection:                  pulumi.Bool(false),
    	CredentialDumping:              pulumi.Bool(false),
    	Cryptowall:                     pulumi.Bool(false),
    	CustomBlocking:                 pulumi.Bool(false),
    	Description:                    pulumi.String("string"),
    	DetectOnWrite:                  pulumi.Bool(false),
    	DriveByDownload:                pulumi.Bool(false),
    	DriverLoadPrevention:           pulumi.Bool(false),
    	Enabled:                        pulumi.Bool(false),
    	EngineFullVisibility:           pulumi.Bool(false),
    	EnhancedDllLoadVisibility:      pulumi.Bool(false),
    	EnhancedExploitationVisibility: pulumi.Bool(false),
    	EnhancedMlForLargerFiles:       pulumi.Bool(false),
    	ExtendedUserModeData: &crowdstrike.PreventionPolicyWindowsExtendedUserModeDataArgs{
    		Detection: pulumi.String("string"),
    	},
    	FileEncryption:                   pulumi.Bool(false),
    	FileSystemAccess:                 pulumi.Bool(false),
    	ForceAslr:                        pulumi.Bool(false),
    	ForceDep:                         pulumi.Bool(false),
    	HardwareEnhancedExploitDetection: pulumi.Bool(false),
    	AdditionalUserModeData:           pulumi.Bool(false),
    	AdwareAndPup: &crowdstrike.PreventionPolicyWindowsAdwareAndPupArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	HttpDetections:                  pulumi.Bool(false),
    	AdvancedRemediation:             pulumi.Bool(false),
    	ApplicationExploitationActivity: pulumi.Bool(false),
    	CloudAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	JavascriptViaRundll32:     pulumi.Bool(false),
    	Locky:                     pulumi.Bool(false),
    	MemoryScanning:            pulumi.Bool(false),
    	MemoryScanningScanWithCpu: pulumi.Bool(false),
    	MicrosoftOfficeFileSuspiciousMacroRemoval: pulumi.Bool(false),
    	Name:                                    pulumi.String("string"),
    	NotifyEndUsers:                          pulumi.Bool(false),
    	NullPageAllocation:                      pulumi.Bool(false),
    	OnWriteScriptFileVisibility:             pulumi.Bool(false),
    	PreventSuspiciousProcesses:              pulumi.Bool(false),
    	QuarantineAndSecurityCenterRegistration: pulumi.Bool(false),
    	QuarantineOnRemovableMedia:              pulumi.Bool(false),
    	QuarantineOnWrite:                       pulumi.Bool(false),
    	RedactHttpDetectionDetails:              pulumi.Bool(false),
    	ScriptBasedExecutionMonitoring:          pulumi.Bool(false),
    	SehOverwriteProtection:                  pulumi.Bool(false),
    	SensorAntiMalware: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	SensorAntiMalwareUserInitiated: &crowdstrike.PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs{
    		Detection:  pulumi.String("string"),
    		Prevention: pulumi.String("string"),
    	},
    	SensorTamperingProtection:                pulumi.Bool(false),
    	SuspiciousRegistryOperations:             pulumi.Bool(false),
    	SuspiciousScriptsAndCommands:             pulumi.Bool(false),
    	UploadUnknownDetectionRelatedExecutables: pulumi.Bool(false),
    	UploadUnknownExecutables:                 pulumi.Bool(false),
    	UsbInsertionTriggeredScan:                pulumi.Bool(false),
    	VolumeShadowCopyAudit:                    pulumi.Bool(false),
    	InterpreterOnly:                          pulumi.Bool(false),
    	VulnerableDriverProtection:               pulumi.Bool(false),
    	WindowsLogonBypassStickyKeys:             pulumi.Bool(false),
    })
    
    var preventionPolicyWindowsResource = new PreventionPolicyWindows("preventionPolicyWindowsResource", PreventionPolicyWindowsArgs.builder()
        .hostGroups("string")
        .ioaRuleGroups("string")
        .heapSprayPreallocation(false)
        .volumeShadowCopyProtect(false)
        .backupDeletion(false)
        .biosDeepVisibility(false)
        .chopperWebshell(false)
        .cloudAntiMalware(PreventionPolicyWindowsCloudAntiMalwareArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .cloudAntiMalwareMicrosoftOfficeFiles(PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .intelligenceSourcedThreats(false)
        .codeInjection(false)
        .credentialDumping(false)
        .cryptowall(false)
        .customBlocking(false)
        .description("string")
        .detectOnWrite(false)
        .driveByDownload(false)
        .driverLoadPrevention(false)
        .enabled(false)
        .engineFullVisibility(false)
        .enhancedDllLoadVisibility(false)
        .enhancedExploitationVisibility(false)
        .enhancedMlForLargerFiles(false)
        .extendedUserModeData(PreventionPolicyWindowsExtendedUserModeDataArgs.builder()
            .detection("string")
            .build())
        .fileEncryption(false)
        .fileSystemAccess(false)
        .forceAslr(false)
        .forceDep(false)
        .hardwareEnhancedExploitDetection(false)
        .additionalUserModeData(false)
        .adwareAndPup(PreventionPolicyWindowsAdwareAndPupArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .httpDetections(false)
        .advancedRemediation(false)
        .applicationExploitationActivity(false)
        .cloudAntiMalwareUserInitiated(PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .javascriptViaRundll32(false)
        .locky(false)
        .memoryScanning(false)
        .memoryScanningScanWithCpu(false)
        .microsoftOfficeFileSuspiciousMacroRemoval(false)
        .name("string")
        .notifyEndUsers(false)
        .nullPageAllocation(false)
        .onWriteScriptFileVisibility(false)
        .preventSuspiciousProcesses(false)
        .quarantineAndSecurityCenterRegistration(false)
        .quarantineOnRemovableMedia(false)
        .quarantineOnWrite(false)
        .redactHttpDetectionDetails(false)
        .scriptBasedExecutionMonitoring(false)
        .sehOverwriteProtection(false)
        .sensorAntiMalware(PreventionPolicyWindowsSensorAntiMalwareArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .sensorAntiMalwareUserInitiated(PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs.builder()
            .detection("string")
            .prevention("string")
            .build())
        .sensorTamperingProtection(false)
        .suspiciousRegistryOperations(false)
        .suspiciousScriptsAndCommands(false)
        .uploadUnknownDetectionRelatedExecutables(false)
        .uploadUnknownExecutables(false)
        .usbInsertionTriggeredScan(false)
        .volumeShadowCopyAudit(false)
        .interpreterOnly(false)
        .vulnerableDriverProtection(false)
        .windowsLogonBypassStickyKeys(false)
        .build());
    
    prevention_policy_windows_resource = crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource",
        host_groups=["string"],
        ioa_rule_groups=["string"],
        heap_spray_preallocation=False,
        volume_shadow_copy_protect=False,
        backup_deletion=False,
        bios_deep_visibility=False,
        chopper_webshell=False,
        cloud_anti_malware={
            "detection": "string",
            "prevention": "string",
        },
        cloud_anti_malware_microsoft_office_files={
            "detection": "string",
            "prevention": "string",
        },
        intelligence_sourced_threats=False,
        code_injection=False,
        credential_dumping=False,
        cryptowall=False,
        custom_blocking=False,
        description="string",
        detect_on_write=False,
        drive_by_download=False,
        driver_load_prevention=False,
        enabled=False,
        engine_full_visibility=False,
        enhanced_dll_load_visibility=False,
        enhanced_exploitation_visibility=False,
        enhanced_ml_for_larger_files=False,
        extended_user_mode_data={
            "detection": "string",
        },
        file_encryption=False,
        file_system_access=False,
        force_aslr=False,
        force_dep=False,
        hardware_enhanced_exploit_detection=False,
        additional_user_mode_data=False,
        adware_and_pup={
            "detection": "string",
            "prevention": "string",
        },
        http_detections=False,
        advanced_remediation=False,
        application_exploitation_activity=False,
        cloud_anti_malware_user_initiated={
            "detection": "string",
            "prevention": "string",
        },
        javascript_via_rundll32=False,
        locky=False,
        memory_scanning=False,
        memory_scanning_scan_with_cpu=False,
        microsoft_office_file_suspicious_macro_removal=False,
        name="string",
        notify_end_users=False,
        null_page_allocation=False,
        on_write_script_file_visibility=False,
        prevent_suspicious_processes=False,
        quarantine_and_security_center_registration=False,
        quarantine_on_removable_media=False,
        quarantine_on_write=False,
        redact_http_detection_details=False,
        script_based_execution_monitoring=False,
        seh_overwrite_protection=False,
        sensor_anti_malware={
            "detection": "string",
            "prevention": "string",
        },
        sensor_anti_malware_user_initiated={
            "detection": "string",
            "prevention": "string",
        },
        sensor_tampering_protection=False,
        suspicious_registry_operations=False,
        suspicious_scripts_and_commands=False,
        upload_unknown_detection_related_executables=False,
        upload_unknown_executables=False,
        usb_insertion_triggered_scan=False,
        volume_shadow_copy_audit=False,
        interpreter_only=False,
        vulnerable_driver_protection=False,
        windows_logon_bypass_sticky_keys=False)
    
    const preventionPolicyWindowsResource = new crowdstrike.PreventionPolicyWindows("preventionPolicyWindowsResource", {
        hostGroups: ["string"],
        ioaRuleGroups: ["string"],
        heapSprayPreallocation: false,
        volumeShadowCopyProtect: false,
        backupDeletion: false,
        biosDeepVisibility: false,
        chopperWebshell: false,
        cloudAntiMalware: {
            detection: "string",
            prevention: "string",
        },
        cloudAntiMalwareMicrosoftOfficeFiles: {
            detection: "string",
            prevention: "string",
        },
        intelligenceSourcedThreats: false,
        codeInjection: false,
        credentialDumping: false,
        cryptowall: false,
        customBlocking: false,
        description: "string",
        detectOnWrite: false,
        driveByDownload: false,
        driverLoadPrevention: false,
        enabled: false,
        engineFullVisibility: false,
        enhancedDllLoadVisibility: false,
        enhancedExploitationVisibility: false,
        enhancedMlForLargerFiles: false,
        extendedUserModeData: {
            detection: "string",
        },
        fileEncryption: false,
        fileSystemAccess: false,
        forceAslr: false,
        forceDep: false,
        hardwareEnhancedExploitDetection: false,
        additionalUserModeData: false,
        adwareAndPup: {
            detection: "string",
            prevention: "string",
        },
        httpDetections: false,
        advancedRemediation: false,
        applicationExploitationActivity: false,
        cloudAntiMalwareUserInitiated: {
            detection: "string",
            prevention: "string",
        },
        javascriptViaRundll32: false,
        locky: false,
        memoryScanning: false,
        memoryScanningScanWithCpu: false,
        microsoftOfficeFileSuspiciousMacroRemoval: false,
        name: "string",
        notifyEndUsers: false,
        nullPageAllocation: false,
        onWriteScriptFileVisibility: false,
        preventSuspiciousProcesses: false,
        quarantineAndSecurityCenterRegistration: false,
        quarantineOnRemovableMedia: false,
        quarantineOnWrite: false,
        redactHttpDetectionDetails: false,
        scriptBasedExecutionMonitoring: false,
        sehOverwriteProtection: false,
        sensorAntiMalware: {
            detection: "string",
            prevention: "string",
        },
        sensorAntiMalwareUserInitiated: {
            detection: "string",
            prevention: "string",
        },
        sensorTamperingProtection: false,
        suspiciousRegistryOperations: false,
        suspiciousScriptsAndCommands: false,
        uploadUnknownDetectionRelatedExecutables: false,
        uploadUnknownExecutables: false,
        usbInsertionTriggeredScan: false,
        volumeShadowCopyAudit: false,
        interpreterOnly: false,
        vulnerableDriverProtection: false,
        windowsLogonBypassStickyKeys: false,
    });
    
    type: crowdstrike:PreventionPolicyWindows
    properties:
        additionalUserModeData: false
        advancedRemediation: false
        adwareAndPup:
            detection: string
            prevention: string
        applicationExploitationActivity: false
        backupDeletion: false
        biosDeepVisibility: false
        chopperWebshell: false
        cloudAntiMalware:
            detection: string
            prevention: string
        cloudAntiMalwareMicrosoftOfficeFiles:
            detection: string
            prevention: string
        cloudAntiMalwareUserInitiated:
            detection: string
            prevention: string
        codeInjection: false
        credentialDumping: false
        cryptowall: false
        customBlocking: false
        description: string
        detectOnWrite: false
        driveByDownload: false
        driverLoadPrevention: false
        enabled: false
        engineFullVisibility: false
        enhancedDllLoadVisibility: false
        enhancedExploitationVisibility: false
        enhancedMlForLargerFiles: false
        extendedUserModeData:
            detection: string
        fileEncryption: false
        fileSystemAccess: false
        forceAslr: false
        forceDep: false
        hardwareEnhancedExploitDetection: false
        heapSprayPreallocation: false
        hostGroups:
            - string
        httpDetections: false
        intelligenceSourcedThreats: false
        interpreterOnly: false
        ioaRuleGroups:
            - string
        javascriptViaRundll32: false
        locky: false
        memoryScanning: false
        memoryScanningScanWithCpu: false
        microsoftOfficeFileSuspiciousMacroRemoval: false
        name: string
        notifyEndUsers: false
        nullPageAllocation: false
        onWriteScriptFileVisibility: false
        preventSuspiciousProcesses: false
        quarantineAndSecurityCenterRegistration: false
        quarantineOnRemovableMedia: false
        quarantineOnWrite: false
        redactHttpDetectionDetails: false
        scriptBasedExecutionMonitoring: false
        sehOverwriteProtection: false
        sensorAntiMalware:
            detection: string
            prevention: string
        sensorAntiMalwareUserInitiated:
            detection: string
            prevention: string
        sensorTamperingProtection: false
        suspiciousRegistryOperations: false
        suspiciousScriptsAndCommands: false
        uploadUnknownDetectionRelatedExecutables: false
        uploadUnknownExecutables: false
        usbInsertionTriggeredScan: false
        volumeShadowCopyAudit: false
        volumeShadowCopyProtect: false
        vulnerableDriverProtection: false
        windowsLogonBypassStickyKeys: false
    

    PreventionPolicyWindows Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
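
    Several inputs described in the property list on this page only work when another input is enabled (for example, code_injection requires additional_user_mode_data). The check below is an added example, not code from the provider or its documentation: it flags unmet dependencies in a plain dictionary of Python inputs before that dictionary is passed to the resource. The names Finding, DEPENDENCIES, find_unmet_dependencies, assert_policy_consistent and SAMPLE_POLICY are hypothetical, and the check assumes that an input missing from the dictionary is not enabled.

```python
from typing import Any, Dict, List, NamedTuple, Tuple


class Finding(NamedTuple):
    setting: str       # input that is enabled in the policy
    prerequisite: str  # input its description says it depends on
    effect: str        # wording of the dependency in the description


# Dependencies taken from the property descriptions on this page, keyed by the
# Python (snake_case) input names used in the constructor signature.
DEPENDENCIES: Dict[str, Tuple[str, str]] = {
    "code_injection": ("additional_user_mode_data", "requires"),
    "credential_dumping": ("additional_user_mode_data", "requires"),
    "force_aslr": ("additional_user_mode_data", "requires"),
    "force_dep": ("additional_user_mode_data", "requires"),
    "heap_spray_preallocation": ("additional_user_mode_data", "requires"),
    "null_page_allocation": ("additional_user_mode_data", "requires"),
    "engine_full_visibility": ("interpreter_only", "requires"),
    "script_based_execution_monitoring": (
        "quarantine_and_security_center_registration", "requires"),
    "redact_http_detection_details": (
        "http_detections", "has no effect without"),
}


def find_unmet_dependencies(policy: Dict[str, Any]) -> List[Finding]:
    """Return one Finding per enabled input whose prerequisite is not enabled.

    Assumption: a prerequisite that is missing or None counts as not enabled.
    Only literal booleans are checked; values that are not literal True
    (for example Pulumi outputs resolved at deploy time) are ignored.
    """
    findings = []
    for setting, (prerequisite, effect) in DEPENDENCIES.items():
        if policy.get(setting) is True and policy.get(prerequisite) is not True:
            findings.append(Finding(setting, prerequisite, effect))
    return sorted(findings)


def assert_policy_consistent(policy: Dict[str, Any]) -> None:
    """Raise ValueError listing every unmet dependency, so a deployment stops
    before a policy is created with protections that are silently inactive."""
    findings = find_unmet_dependencies(policy)
    if findings:
        details = "; ".join(
            f"{f.setting} {f.effect} {f.prerequisite}" for f in findings)
        raise ValueError("unmet prevention policy dependencies: " + details)


# Constructed sample input, not a recommended policy.
SAMPLE_POLICY: Dict[str, Any] = {
    "name": "example-windows-policy",
    "enabled": True,
    "additional_user_mode_data": False,         # prerequisite switched off
    "code_injection": True,                     # unmet
    "force_dep": True,                          # unmet
    "interpreter_only": True,
    "engine_full_visibility": True,             # satisfied
    "http_detections": True,
    "redact_http_detection_details": True,      # satisfied
    "script_based_execution_monitoring": True,  # unmet: prerequisite unset
}


if __name__ == "__main__":
    for finding in find_unmet_dependencies(SAMPLE_POLICY):
        print(f"{finding.setting} {finding.effect} {finding.prerequisite}")
```

    Once the check passes, the same dictionary can be supplied as the keyword arguments of crowdstrike.PreventionPolicyWindows.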

    The PreventionPolicyWindows resource accepts the following input properties:

    HostGroups List<string>
    Host Group IDs to attach to the prevention policy.
    IoaRuleGroups List<string>
    IOA Rule Group to attach to the prevention policy.
    AdditionalUserModeData bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    AdvancedRemediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    AdwareAndPup CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    ApplicationExploitationActivity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    BackupDeletion bool
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    BiosDeepVisibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    ChopperWebshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    CloudAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    CloudAntiMalwareMicrosoftOfficeFiles CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    CloudAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    CodeInjection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    CredentialDumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    Cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    CustomBlocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    Description string
    Description of the prevention policy.
    DetectOnWrite bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    DriveByDownload bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    DriverLoadPrevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    Enabled bool
    Enable the prevention policy.
    EngineFullVisibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    EnhancedDllLoadVisibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    EnhancedExploitationVisibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    EnhancedMlForLargerFiles bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    ExtendedUserModeData CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    FileEncryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    FileSystemAccess bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    ForceAslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    ForceDep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    HardwareEnhancedExploitDetection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    HeapSprayPreallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    HttpDetections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    IntelligenceSourcedThreats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    InterpreterOnly bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    JavascriptViaRundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    Locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    MemoryScanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    MemoryScanningScanWithCpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    MicrosoftOfficeFileSuspiciousMacroRemoval bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    Name string
    Name of the prevention policy.
    NotifyEndUsers bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    NullPageAllocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    OnWriteScriptFileVisibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    PreventSuspiciousProcesses bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    QuarantineAndSecurityCenterRegistration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    QuarantineOnRemovableMedia bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    QuarantineOnWrite bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    RedactHttpDetectionDetails bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    ScriptBasedExecutionMonitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    SehOverwriteProtection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    SensorAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    SensorAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    SensorTamperingProtection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    SuspiciousRegistryOperations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    SuspiciousScriptsAndCommands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    UploadUnknownDetectionRelatedExecutables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    UploadUnknownExecutables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    UsbInsertionTriggeredScan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    VolumeShadowCopyAudit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    VolumeShadowCopyProtect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    VulnerableDriverProtection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    WindowsLogonBypassStickyKeys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    HostGroups []string
    Host Group ids to attach to the prevention policy.
    IoaRuleGroups []string
    IOA Rule Group to attach to the prevention policy.
    AdditionalUserModeData bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    AdvancedRemediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    AdwareAndPup PreventionPolicyWindowsAdwareAndPupArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    ApplicationExploitationActivity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    BackupDeletion bool
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    BiosDeepVisibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    ChopperWebshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    CloudAntiMalware PreventionPolicyWindowsCloudAntiMalwareArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    CloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    CloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    CodeInjection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    CredentialDumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    Cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    CustomBlocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    Description string
    Description of the prevention policy.
    DetectOnWrite bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    DriveByDownload bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    DriverLoadPrevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    Enabled bool
    Enable the prevention policy.
    EngineFullVisibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    EnhancedDllLoadVisibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    EnhancedExploitationVisibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    EnhancedMlForLargerFiles bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    ExtendedUserModeData PreventionPolicyWindowsExtendedUserModeDataArgs
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    FileEncryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    FileSystemAccess bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    ForceAslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    ForceDep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    HardwareEnhancedExploitDetection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    HeapSprayPreallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    HttpDetections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    IntelligenceSourcedThreats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    InterpreterOnly bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    JavascriptViaRundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    Locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    MemoryScanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    MemoryScanningScanWithCpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    MicrosoftOfficeFileSuspiciousMacroRemoval bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    Name string
    Name of the prevention policy.
    NotifyEndUsers bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    NullPageAllocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    OnWriteScriptFileVisibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    PreventSuspiciousProcesses bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    QuarantineAndSecurityCenterRegistration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    QuarantineOnRemovableMedia bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    QuarantineOnWrite bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    RedactHttpDetectionDetails bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    ScriptBasedExecutionMonitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    SehOverwriteProtection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    SensorAntiMalware PreventionPolicyWindowsSensorAntiMalwareArgs
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    SensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    SensorTamperingProtection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    SuspiciousRegistryOperations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    SuspiciousScriptsAndCommands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    UploadUnknownDetectionRelatedExecutables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    UploadUnknownExecutables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    UsbInsertionTriggeredScan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    VolumeShadowCopyAudit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    VolumeShadowCopyProtect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    VulnerableDriverProtection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    WindowsLogonBypassStickyKeys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    hostGroups List<String>
    Host Group ids to attach to the prevention policy.
    ioaRuleGroups List<String>
    IOA Rule Group to attach to the prevention policy.
    additionalUserModeData Boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation Boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity Boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion Boolean
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    biosDeepVisibility Boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell Boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection Boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping Boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall Boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking Boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description String
    Description of the prevention policy.
    detectOnWrite Boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload Boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention Boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled Boolean
    Enable the prevention policy.
    engineFullVisibility Boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility Boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility Boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles Boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption Boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess Boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr Boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep Boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection Boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation Boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    httpDetections Boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats Boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly Boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    javascriptViaRundll32 Boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    locky Boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning Boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu Boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval Boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name String
    Name of the prevention policy.
    notifyEndUsers Boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation Boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility Boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses Boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite Boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails Boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring Boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection Boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection Boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations Boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands Boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables Boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables Boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan Boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit Boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect Boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection Boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys Boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
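Several descriptions in this reference state that a setting requires another one to be enabled. The TypeScript below is an added example, not part of the CrowdStrike provider: it checks a plain args object against those stated dependencies before the object is passed to the resource. The function and type names are hypothetical, and treating an unset toggle as disabled is an assumption.

```typescript
// Added example (not provider code): pre-flight check for the setting
// dependencies stated in the property descriptions of PreventionPolicyWindows.

// Any args-shaped object. Only literal `true` counts as "enabled"; unset
// values and Pulumi Outputs are treated as disabled (assumption).
type PolicyArgs = { [setting: string]: unknown };

type Severity = "error" | "warning";

interface DependencyRule {
    setting: string;   // the toggle being checked
    anyOf: string[];   // at least one of these must also be enabled
    severity: Severity;
}

interface Finding {
    setting: string;
    requires: string[];
    severity: Severity;
    message: string;
}

// Settings whose description says "Requires additional_user_mode_data".
const USER_MODE_DEPENDENTS: string[] = [
    "codeInjection",
    "credentialDumping",
    "forceAslr",
    "forceDep",
    "heapSprayPreallocation",
    "nullPageAllocation",
    "sehOverwriteProtection",
];

const RULES: DependencyRule[] = [
    ...USER_MODE_DEPENDENTS.map((setting): DependencyRule => ({
        setting,
        anyOf: ["additionalUserModeData"],
        severity: "error",
    })),
    { setting: "engineFullVisibility", anyOf: ["interpreterOnly"], severity: "error" },
    { setting: "scriptBasedExecutionMonitoring", anyOf: ["quarantineAndSecurityCenterRegistration"], severity: "error" },
    // "Requires Interpreter-Only and/or Script-Based Execution Monitoring."
    { setting: "suspiciousScriptsAndCommands", anyOf: ["interpreterOnly", "scriptBasedExecutionMonitoring"], severity: "error" },
    { setting: "volumeShadowCopyProtect", anyOf: ["volumeShadowCopyAudit"], severity: "error" },
    { setting: "vulnerableDriverProtection", anyOf: ["driverLoadPrevention"], severity: "error" },
    // "Has no effect unless HTTP Detections is also enabled." Harmless, so a warning.
    { setting: "redactHttpDetectionDetails", anyOf: ["httpDetections"], severity: "warning" },
];

function checkPolicyDependencies(policy: PolicyArgs): Finding[] {
    const enabled = (name: string): boolean => policy[name] === true;
    const findings: Finding[] = [];
    for (const rule of RULES) {
        if (!enabled(rule.setting)) continue;       // rule only applies when the toggle is on
        if (rule.anyOf.some(enabled)) continue;     // dependency satisfied
        findings.push({
            setting: rule.setting,
            requires: rule.anyOf,
            severity: rule.severity,
            message: `${rule.setting} is enabled but none of [${rule.anyOf.join(", ")}] is`,
        });
    }
    return findings;
}

// Constructed sample policy, deliberately inconsistent.
const samplePolicy: PolicyArgs = {
    description: "constructed sample",
    additionalUserModeData: false,
    codeInjection: true,                // needs additionalUserModeData
    forceDep: true,                     // needs additionalUserModeData
    interpreterOnly: true,
    engineFullVisibility: true,         // satisfied by interpreterOnly
    suspiciousScriptsAndCommands: true, // satisfied by interpreterOnly
    volumeShadowCopyProtect: true,      // volumeShadowCopyAudit is unset
    driverLoadPrevention: true,
    vulnerableDriverProtection: true,   // satisfied by driverLoadPrevention
    httpDetections: false,
    redactHttpDetectionDetails: true,   // no effect without httpDetections
};

const sampleFindings: Finding[] = checkPolicyDependencies(samplePolicy);
for (const f of sampleFindings) {
    console.log(`[${f.severity}] ${f.message}`);
}
```

Running the check in CI and failing on `error` findings catches a protection that is switched on in code but cannot take effect because its prerequisite is off.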
    hostGroups string[]
    Host Group ids to attach to the prevention policy.
    ioaRuleGroups string[]
    IOA Rule Group to attach to the prevention policy.
    additionalUserModeData boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion boolean
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    biosDeepVisibility boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description string
    Description of the prevention policy.
    detectOnWrite boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled boolean
    Enable the prevention policy.
    engineFullVisibility boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    httpDetections boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    javascriptViaRundll32 boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    locky boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name string
    Name of the prevention policy.
    notifyEndUsers boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
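Several of the toggles listed above only take effect when another toggle is on ("Requires ...", "Has no effect unless ..."). The following is an added example, not code from the provider or its documentation: a hypothetical `checkPrerequisites` helper that flags a toggle map whose stated prerequisites are missing before it is passed to `PreventionPolicyWindows`. It assumes an unset toggle counts as not enabled, and the sample policy is constructed.

```typescript
// Added example (not provider code): prerequisite check for the boolean toggles
// of PreventionPolicyWindows. Rules are transcribed from the "Requires ..." and
// "Has no effect unless ..." notes in the property descriptions on this page.
// Assumption: a toggle that is unset counts as not enabled.

type PolicyToggles = { [name: string]: boolean | undefined };
type Severity = "error" | "warning";

interface Rule {
  setting: string;   // toggle that carries a prerequisite
  anyOf: string[];   // at least one of these must also be enabled
  severity: Severity;
}

interface Finding {
  setting: string;
  severity: Severity;
  message: string;
}

// Toggles whose descriptions say they require additional_user_mode_data.
const NEEDS_USER_MODE_DATA: string[] = [
  "codeInjection", "credentialDumping", "forceAslr", "forceDep",
  "heapSprayPreallocation", "nullPageAllocation", "sehOverwriteProtection",
];

const RULES: Rule[] = NEEDS_USER_MODE_DATA.map(
  (setting): Rule => ({ setting, anyOf: ["additionalUserModeData"], severity: "error" })
).concat([
  { setting: "engineFullVisibility", anyOf: ["interpreterOnly"], severity: "error" },
  { setting: "volumeShadowCopyProtect", anyOf: ["volumeShadowCopyAudit"], severity: "error" },
  { setting: "vulnerableDriverProtection", anyOf: ["driverLoadPrevention"], severity: "error" },
  { setting: "scriptBasedExecutionMonitoring",
    anyOf: ["quarantineAndSecurityCenterRegistration"], severity: "error" },
  // "Requires Interpreter-Only and/or Script-Based Execution Monitoring."
  { setting: "suspiciousScriptsAndCommands",
    anyOf: ["interpreterOnly", "scriptBasedExecutionMonitoring"], severity: "error" },
  // "Has no effect unless HTTP Detections is also enabled."
  { setting: "redactHttpDetectionDetails", anyOf: ["httpDetections"], severity: "warning" },
]);

function checkPrerequisites(policy: PolicyToggles): Finding[] {
  const findings: Finding[] = [];
  for (const rule of RULES) {
    if (policy[rule.setting] !== true) continue;            // toggle is off: nothing to check
    const satisfied = rule.anyOf.some((dep) => policy[dep] === true);
    if (!satisfied) {
      findings.push({
        setting: rule.setting,
        severity: rule.severity,
        message: `${rule.setting} is enabled but requires ${rule.anyOf.join(" or ")}`,
      });
    }
  }
  // "Disabling not recommended": flag only an explicit false, not an unset value.
  if (policy["sensorTamperingProtection"] === false) {
    findings.push({
      setting: "sensorTamperingProtection",
      severity: "warning",
      message: "sensorTamperingProtection is disabled; tampering is detected but not blocked",
    });
  }
  return findings;
}

// Constructed sample policy, for illustration only.
const samplePolicy: PolicyToggles = {
  additionalUserModeData: false,
  codeInjection: true,                 // error: prerequisite is off
  volumeShadowCopyAudit: true,
  volumeShadowCopyProtect: true,       // ok
  driverLoadPrevention: false,
  vulnerableDriverProtection: true,    // error: prerequisite is off
  interpreterOnly: false,
  quarantineAndSecurityCenterRegistration: true,
  scriptBasedExecutionMonitoring: true, // ok
  suspiciousScriptsAndCommands: true,  // ok via scriptBasedExecutionMonitoring
  redactHttpDetectionDetails: true,    // warning: httpDetections is unset
  sensorTamperingProtection: false,    // warning
};

const sampleFindings: Finding[] = checkPrerequisites(samplePolicy);
```

Running the check in CI against the same object that is handed to the resource constructor catches a policy that silently loses a prevention because its prerequisite was switched off.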
    host_groups Sequence[str]
    Host Group ids to attach to the prevention policy.
    ioa_rule_groups Sequence[str]
    IOA Rule Group to attach to the prevention policy.
    additional_user_mode_data bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advanced_remediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adware_and_pup PreventionPolicyWindowsAdwareAndPupArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    application_exploitation_activity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backup_deletion bool
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    bios_deep_visibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopper_webshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloud_anti_malware PreventionPolicyWindowsCloudAntiMalwareArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloud_anti_malware_microsoft_office_files PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloud_anti_malware_user_initiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    code_injection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credential_dumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    custom_blocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description str
    Description of the prevention policy.
    detect_on_write bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    drive_by_download bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driver_load_prevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled bool
    Enable the prevention policy.
    engine_full_visibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhanced_dll_load_visibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhanced_exploitation_visibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhanced_ml_for_larger_files bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extended_user_mode_data PreventionPolicyWindowsExtendedUserModeDataArgs
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    file_encryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    file_system_access bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    force_aslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    force_dep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardware_enhanced_exploit_detection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heap_spray_preallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    http_detections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligence_sourced_threats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreter_only bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    javascript_via_rundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memory_scanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memory_scanning_scan_with_cpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoft_office_file_suspicious_macro_removal bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name str
    Name of the prevention policy.
    notify_end_users bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    null_page_allocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    on_write_script_file_visibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    prevent_suspicious_processes bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantine_and_security_center_registration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantine_on_removable_media bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantine_on_write bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redact_http_detection_details bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    script_based_execution_monitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    seh_overwrite_protection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensor_anti_malware PreventionPolicyWindowsSensorAntiMalwareArgs
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensor_anti_malware_user_initiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensor_tampering_protection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspicious_registry_operations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspicious_scripts_and_commands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    upload_unknown_detection_related_executables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    upload_unknown_executables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usb_insertion_triggered_scan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volume_shadow_copy_audit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volume_shadow_copy_protect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerable_driver_protection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windows_logon_bypass_sticky_keys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    hostGroups List<String>
    Host Group ids to attach to the prevention policy.
    ioaRuleGroups List<String>
    IOA Rule Group to attach to the prevention policy.
    additionalUserModeData Boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation Boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup Property Map
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity Boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion Boolean
    Whether to enable the setting. Deletion of backups is often indicative of ransomware activity.
    biosDeepVisibility Boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell Boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware Property Map
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles Property Map
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloudAntiMalwareUserInitiated Property Map
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection Boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping Boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall Boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking Boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description String
    Description of the prevention policy.
    detectOnWrite Boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload Boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention Boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled Boolean
    Enable the prevention policy.
    engineFullVisibility Boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility Boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility Boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles Boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData Property Map
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption Boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess Boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr Boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep Boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection Boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation Boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    httpDetections Boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats Boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly Boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    javascriptViaRundll32 Boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    locky Boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning Boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu Boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval Boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name String
    Name of the prevention policy.
    notifyEndUsers Boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation Boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility Boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses Boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite Boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails Boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring Boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection Boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware Property Map
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated Property Map
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection Boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations Boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands Boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables Boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables Boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan Boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit Boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect Boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection Boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys Boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
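
Several descriptions above state that a setting requires another one, or has no effect without it. The following added example (not part of the provider or of the original page) collects those statements into a table and checks a set of policy arguments against it before deployment. `checkPolicy`, `formatFinding`, `RULES` and `samplePolicy` are hypothetical names, and the check assumes an unset property counts as disabled, which the page does not state.

```typescript
// Added example (not provider code). Each rule is transcribed from a
// "Requires ..." or "Has no effect unless ..." sentence in the property
// descriptions on this page.
type PolicySettings = Record<string, unknown>;

interface Rule {
  setting: string;                          // setting that has a prerequisite
  anyOf: string[];                          // at least one of these must be enabled too
  effect: "requires" | "no-effect-without"; // wording used by the description
}

interface Finding {
  setting: string;
  missing: string[];
  effect: Rule["effect"];
}

// Settings whose description says they require additional_user_mode_data.
const NEEDS_USER_MODE_DATA: string[] = [
  "codeInjection",
  "credentialDumping",
  "forceAslr",
  "forceDep",
  "heapSprayPreallocation",
  "nullPageAllocation",
  "sehOverwriteProtection",
];

const RULES: Rule[] = [
  ...NEEDS_USER_MODE_DATA.map((setting): Rule => ({
    setting,
    anyOf: ["additionalUserModeData"],
    effect: "requires",
  })),
  { setting: "engineFullVisibility", anyOf: ["interpreterOnly"], effect: "requires" },
  {
    setting: "scriptBasedExecutionMonitoring",
    anyOf: ["quarantineAndSecurityCenterRegistration"],
    effect: "requires",
  },
  {
    // "Requires Interpreter-Only and/or Script-Based Execution Monitoring."
    setting: "suspiciousScriptsAndCommands",
    anyOf: ["interpreterOnly", "scriptBasedExecutionMonitoring"],
    effect: "requires",
  },
  { setting: "volumeShadowCopyProtect", anyOf: ["volumeShadowCopyAudit"], effect: "requires" },
  { setting: "vulnerableDriverProtection", anyOf: ["driverLoadPrevention"], effect: "requires" },
  { setting: "redactHttpDetectionDetails", anyOf: ["httpDetections"], effect: "no-effect-without" },
];

// Assumption: a setting counts as enabled only when explicitly set to true.
function isOn(policy: PolicySettings, key: string): boolean {
  return policy[key] === true;
}

// Returns one finding per enabled setting whose prerequisite is not enabled.
function checkPolicy(policy: PolicySettings): Finding[] {
  return RULES
    .filter((r) => isOn(policy, r.setting) && !r.anyOf.some((k) => isOn(policy, k)))
    .map((r) => ({ setting: r.setting, missing: r.anyOf, effect: r.effect }));
}

function formatFinding(finding: Finding): string {
  const verb = finding.effect === "requires" ? "requires" : "has no effect without";
  return `${finding.setting} ${verb} ${finding.missing.join(" or ")}`;
}

// Constructed sample arguments, not a recommended policy.
const samplePolicy: PolicySettings = {
  additionalUserModeData: false,
  forceAslr: true,                    // prerequisite disabled
  heapSprayPreallocation: true,       // prerequisite disabled
  interpreterOnly: true,
  engineFullVisibility: true,         // satisfied by interpreterOnly
  suspiciousScriptsAndCommands: true, // satisfied by interpreterOnly
  volumeShadowCopyProtect: true,      // volumeShadowCopyAudit not set
  driverLoadPrevention: true,
  vulnerableDriverProtection: true,   // satisfied
  httpDetections: false,
  redactHttpDetectionDetails: true,   // has no effect
};

console.log(checkPolicy(samplePolicy).map(formatFinding).join("\n"));
```

Running the same check in CI against the arguments passed to `new crowdstrike.PreventionPolicyWindows(...)` surfaces settings that are switched on without their stated prerequisite.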

    Outputs

    All input properties are implicitly available as output properties. Additionally, the PreventionPolicyWindows resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    LastUpdated string
    id String
    The provider-assigned unique ID for this managed resource.
    lastUpdated String
    id string
    The provider-assigned unique ID for this managed resource.
    lastUpdated string
    id str
    The provider-assigned unique ID for this managed resource.
    last_updated str

    Look up Existing PreventionPolicyWindows Resource

    Get an existing PreventionPolicyWindows resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: PreventionPolicyWindowsState, opts?: CustomResourceOptions): PreventionPolicyWindows
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            additional_user_mode_data: Optional[bool] = None,
            advanced_remediation: Optional[bool] = None,
            adware_and_pup: Optional[PreventionPolicyWindowsAdwareAndPupArgs] = None,
            application_exploitation_activity: Optional[bool] = None,
            backup_deletion: Optional[bool] = None,
            bios_deep_visibility: Optional[bool] = None,
            chopper_webshell: Optional[bool] = None,
            cloud_anti_malware: Optional[PreventionPolicyWindowsCloudAntiMalwareArgs] = None,
            cloud_anti_malware_microsoft_office_files: Optional[PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs] = None,
            cloud_anti_malware_user_initiated: Optional[PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs] = None,
            code_injection: Optional[bool] = None,
            credential_dumping: Optional[bool] = None,
            cryptowall: Optional[bool] = None,
            custom_blocking: Optional[bool] = None,
            description: Optional[str] = None,
            detect_on_write: Optional[bool] = None,
            drive_by_download: Optional[bool] = None,
            driver_load_prevention: Optional[bool] = None,
            enabled: Optional[bool] = None,
            engine_full_visibility: Optional[bool] = None,
            enhanced_dll_load_visibility: Optional[bool] = None,
            enhanced_exploitation_visibility: Optional[bool] = None,
            enhanced_ml_for_larger_files: Optional[bool] = None,
            extended_user_mode_data: Optional[PreventionPolicyWindowsExtendedUserModeDataArgs] = None,
            file_encryption: Optional[bool] = None,
            file_system_access: Optional[bool] = None,
            force_aslr: Optional[bool] = None,
            force_dep: Optional[bool] = None,
            hardware_enhanced_exploit_detection: Optional[bool] = None,
            heap_spray_preallocation: Optional[bool] = None,
            host_groups: Optional[Sequence[str]] = None,
            http_detections: Optional[bool] = None,
            intelligence_sourced_threats: Optional[bool] = None,
            interpreter_only: Optional[bool] = None,
            ioa_rule_groups: Optional[Sequence[str]] = None,
            javascript_via_rundll32: Optional[bool] = None,
            last_updated: Optional[str] = None,
            locky: Optional[bool] = None,
            memory_scanning: Optional[bool] = None,
            memory_scanning_scan_with_cpu: Optional[bool] = None,
            microsoft_office_file_suspicious_macro_removal: Optional[bool] = None,
            name: Optional[str] = None,
            notify_end_users: Optional[bool] = None,
            null_page_allocation: Optional[bool] = None,
            on_write_script_file_visibility: Optional[bool] = None,
            prevent_suspicious_processes: Optional[bool] = None,
            quarantine_and_security_center_registration: Optional[bool] = None,
            quarantine_on_removable_media: Optional[bool] = None,
            quarantine_on_write: Optional[bool] = None,
            redact_http_detection_details: Optional[bool] = None,
            script_based_execution_monitoring: Optional[bool] = None,
            seh_overwrite_protection: Optional[bool] = None,
            sensor_anti_malware: Optional[PreventionPolicyWindowsSensorAntiMalwareArgs] = None,
            sensor_anti_malware_user_initiated: Optional[PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs] = None,
            sensor_tampering_protection: Optional[bool] = None,
            suspicious_registry_operations: Optional[bool] = None,
            suspicious_scripts_and_commands: Optional[bool] = None,
            upload_unknown_detection_related_executables: Optional[bool] = None,
            upload_unknown_executables: Optional[bool] = None,
            usb_insertion_triggered_scan: Optional[bool] = None,
            volume_shadow_copy_audit: Optional[bool] = None,
            volume_shadow_copy_protect: Optional[bool] = None,
            vulnerable_driver_protection: Optional[bool] = None,
            windows_logon_bypass_sticky_keys: Optional[bool] = None) -> PreventionPolicyWindows
    func GetPreventionPolicyWindows(ctx *Context, name string, id IDInput, state *PreventionPolicyWindowsState, opts ...ResourceOption) (*PreventionPolicyWindows, error)
    public static PreventionPolicyWindows Get(string name, Input<string> id, PreventionPolicyWindowsState? state, CustomResourceOptions? opts = null)
    public static PreventionPolicyWindows get(String name, Output<String> id, PreventionPolicyWindowsState state, CustomResourceOptions options)
    resources:
      _:
        type: crowdstrike:PreventionPolicyWindows
        get:
          id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    The following state arguments are supported:
    AdditionalUserModeData bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    AdvancedRemediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    AdwareAndPup CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    ApplicationExploitationActivity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    BackupDeletion bool
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    BiosDeepVisibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    ChopperWebshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    CloudAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    CloudAntiMalwareMicrosoftOfficeFiles CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    CloudAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    CodeInjection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    CredentialDumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    Cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    CustomBlocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    Description string
    Description of the prevention policy.
    DetectOnWrite bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    DriveByDownload bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    DriverLoadPrevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    Enabled bool
    Enable the prevention policy.
    EngineFullVisibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    EnhancedDllLoadVisibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    EnhancedExploitationVisibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    EnhancedMlForLargerFiles bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    ExtendedUserModeData CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    FileEncryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    FileSystemAccess bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    ForceAslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    ForceDep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    HardwareEnhancedExploitDetection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    HeapSprayPreallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    HostGroups List<string>
    Host Group ids to attach to the prevention policy.
    HttpDetections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    IntelligenceSourcedThreats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    InterpreterOnly bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    IoaRuleGroups List<string>
    IOA Rule Group to attach to the prevention policy.
    JavascriptViaRundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    LastUpdated string
    Locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    MemoryScanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    MemoryScanningScanWithCpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    MicrosoftOfficeFileSuspiciousMacroRemoval bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    Name string
    Name of the prevention policy.
    NotifyEndUsers bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    NullPageAllocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    OnWriteScriptFileVisibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    PreventSuspiciousProcesses bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    QuarantineAndSecurityCenterRegistration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    QuarantineOnRemovableMedia bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    QuarantineOnWrite bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    RedactHttpDetectionDetails bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    ScriptBasedExecutionMonitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    SehOverwriteProtection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    SensorAntiMalware CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    SensorAntiMalwareUserInitiated CrowdStrike.Crowdstrike.Inputs.PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    SensorTamperingProtection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    SuspiciousRegistryOperations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    SuspiciousScriptsAndCommands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    UploadUnknownDetectionRelatedExecutables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    UploadUnknownExecutables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    UsbInsertionTriggeredScan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    VolumeShadowCopyAudit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    VolumeShadowCopyProtect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    VulnerableDriverProtection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    WindowsLogonBypassStickyKeys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    AdditionalUserModeData bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    AdvancedRemediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    AdwareAndPup PreventionPolicyWindowsAdwareAndPupArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    ApplicationExploitationActivity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    BackupDeletion bool
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    BiosDeepVisibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    ChopperWebshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    CloudAntiMalware PreventionPolicyWindowsCloudAntiMalwareArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    CloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    CloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    CodeInjection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    CredentialDumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    Cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    CustomBlocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    Description string
    Description of the prevention policy.
    DetectOnWrite bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    DriveByDownload bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    DriverLoadPrevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    Enabled bool
    Enable the prevention policy.
    EngineFullVisibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    EnhancedDllLoadVisibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    EnhancedExploitationVisibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    EnhancedMlForLargerFiles bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    ExtendedUserModeData PreventionPolicyWindowsExtendedUserModeDataArgs
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    FileEncryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    FileSystemAccess bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    ForceAslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    ForceDep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    HardwareEnhancedExploitDetection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    HeapSprayPreallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    HostGroups []string
    Host Group ids to attach to the prevention policy.
    HttpDetections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    IntelligenceSourcedThreats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    InterpreterOnly bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    IoaRuleGroups []string
    IOA Rule Group to attach to the prevention policy.
    JavascriptViaRundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    LastUpdated string
    Locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    MemoryScanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    MemoryScanningScanWithCpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    MicrosoftOfficeFileSuspiciousMacroRemoval bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    Name string
    Name of the prevention policy.
    NotifyEndUsers bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    NullPageAllocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    OnWriteScriptFileVisibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    PreventSuspiciousProcesses bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    QuarantineAndSecurityCenterRegistration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    QuarantineOnRemovableMedia bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    QuarantineOnWrite bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    RedactHttpDetectionDetails bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    ScriptBasedExecutionMonitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    SehOverwriteProtection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    SensorAntiMalware PreventionPolicyWindowsSensorAntiMalwareArgs
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    SensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    SensorTamperingProtection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    SuspiciousRegistryOperations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    SuspiciousScriptsAndCommands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    UploadUnknownDetectionRelatedExecutables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    UploadUnknownExecutables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    UsbInsertionTriggeredScan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    VolumeShadowCopyAudit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    VolumeShadowCopyProtect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    VulnerableDriverProtection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    WindowsLogonBypassStickyKeys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    additionalUserModeData Boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation Boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity Boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion Boolean
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    biosDeepVisibility Boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell Boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection Boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping Boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall Boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking Boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description String
    Description of the prevention policy.
    detectOnWrite Boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload Boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention Boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled Boolean
    Enable the prevention policy.
    engineFullVisibility Boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility Boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility Boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles Boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption Boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess Boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr Boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep Boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection Boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation Boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    hostGroups List<String>
    Host Group ids to attach to the prevention policy.
    httpDetections Boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats Boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly Boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    ioaRuleGroups List<String>
    IOA Rule Group to attach to the prevention policy.
    javascriptViaRundll32 Boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    lastUpdated String
    locky Boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning Boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu Boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval Boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name String
    Name of the prevention policy.
    notifyEndUsers Boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation Boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility Boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses Boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite Boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails Boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring Boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection Boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection Boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations Boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands Boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables Boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables Boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan Boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit Boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect Boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection Boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys Boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
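Several property descriptions in this reference state prerequisites ("Requires ... to be enabled", "Has no effect unless ... is also enabled"). The following is an added example, not part of the CrowdStrike provider, that lints a policy argument object against those stated prerequisites before it is deployed. The names `Prerequisite`, `PREREQUISITES`, `findUnmetPrerequisites` and `samplePolicy` are hypothetical, and whether the provider or the Falcon API enforces these rules itself is not stated on this page.

```typescript
// Added example: check PreventionPolicyWindows arguments against the
// prerequisites written in the property descriptions on this page.
// All type and function names below are hypothetical helpers.

type Severity = "error" | "warning";

interface Prerequisite {
  setting: string;    // property that depends on another toggle
  anyOf: string[];    // at least one of these must be set to true
  severity: Severity; // "error" for "Requires ...", "warning" for "Has no effect unless ..."
}

interface Finding {
  setting: string;
  requiresAnyOf: string[];
  severity: Severity;
}

function requires(setting: string, anyOf: string[], severity: Severity = "error"): Prerequisite {
  return { setting, anyOf, severity };
}

// Settings whose description says "Requires additional_user_mode_data to be enabled".
const NEEDS_ADDITIONAL_USER_MODE_DATA: string[] = [
  "codeInjection",
  "credentialDumping",
  "forceAslr",
  "forceDep",
  "heapSprayPreallocation",
  "nullPageAllocation",
  "sehOverwriteProtection",
];

const PREREQUISITES: Prerequisite[] = NEEDS_ADDITIONAL_USER_MODE_DATA
  .map((s) => requires(s, ["additionalUserModeData"]))
  .concat([
    requires("engineFullVisibility", ["interpreterOnly"]),
    // "Requires Interpreter-Only and/or Script-Based Execution Monitoring"
    requires("suspiciousScriptsAndCommands", ["interpreterOnly", "scriptBasedExecutionMonitoring"]),
    requires("scriptBasedExecutionMonitoring", ["quarantineAndSecurityCenterRegistration"]),
    requires("volumeShadowCopyProtect", ["volumeShadowCopyAudit"]),
    requires("vulnerableDriverProtection", ["driverLoadPrevention"]),
    // "Has no effect unless HTTP Detections is also enabled"
    requires("redactHttpDetectionDetails", ["httpDetections"], "warning"),
  ]);

// Returns one finding per enabled setting whose prerequisite is missing.
// A property counts as enabled only when it is literally `true`; an omitted
// property is treated as not enabled.
function findUnmetPrerequisites(args: Record<string, unknown>): Finding[] {
  const enabled = (name: string): boolean => args[name] === true;
  const findings: Finding[] = [];
  for (const rule of PREREQUISITES) {
    if (enabled(rule.setting) && !rule.anyOf.some(enabled)) {
      findings.push({
        setting: rule.setting,
        requiresAnyOf: rule.anyOf,
        severity: rule.severity,
      });
    }
  }
  return findings;
}

// Constructed sample input (not a recommended policy).
const samplePolicy: Record<string, unknown> = {
  enabled: true,
  additionalUserModeData: false,
  codeInjection: true,                // unmet: additionalUserModeData is false
  credentialDumping: true,            // unmet: additionalUserModeData is false
  interpreterOnly: true,
  engineFullVisibility: true,         // satisfied by interpreterOnly
  suspiciousScriptsAndCommands: true, // satisfied by interpreterOnly
  volumeShadowCopyProtect: true,      // unmet: volumeShadowCopyAudit omitted
  driverLoadPrevention: true,
  vulnerableDriverProtection: true,   // satisfied by driverLoadPrevention
  redactHttpDetectionDetails: true,   // warning: httpDetections omitted
};

const sampleFindings: Finding[] = findUnmetPrerequisites(samplePolicy);
for (const f of sampleFindings) {
  console.log(`${f.severity}: ${f.setting} needs one of [${f.requiresAnyOf.join(", ")}]`);
}
```

Running the same check in CI against the object passed to `new crowdstrike.PreventionPolicyWindows(...)` catches a protection that is switched on in code while the setting it depends on is off.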
    additionalUserModeData boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup PreventionPolicyWindowsAdwareAndPup
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion boolean
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    biosDeepVisibility boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware PreventionPolicyWindowsCloudAntiMalware
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    cloudAntiMalwareUserInitiated PreventionPolicyWindowsCloudAntiMalwareUserInitiated
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description string
    Description of the prevention policy.
    detectOnWrite boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled boolean
    Enable the prevention policy.
    engineFullVisibility boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData PreventionPolicyWindowsExtendedUserModeData
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    hostGroups string[]
    Host Group ids to attach to the prevention policy.
    httpDetections boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    ioaRuleGroups string[]
    IOA Rule Group to attach to the prevention policy.
    javascriptViaRundll32 boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    lastUpdated string
    locky boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host.
    name string
    Name of the prevention policy.
    notifyEndUsers boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware PreventionPolicyWindowsSensorAntiMalware
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated PreventionPolicyWindowsSensorAntiMalwareUserInitiated
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    additional_user_mode_data bool
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advanced_remediation bool
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adware_and_pup PreventionPolicyWindowsAdwareAndPupArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    application_exploitation_activity bool
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backup_deletion bool
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    bios_deep_visibility bool
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopper_webshell bool
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloud_anti_malware PreventionPolicyWindowsCloudAntiMalwareArgs
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloud_anti_malware_microsoft_office_files PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
    cloud_anti_malware_user_initiated PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    code_injection bool
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credential_dumping bool
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall bool
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    custom_blocking bool
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description str
    Description of the prevention policy.
    detect_on_write bool
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    drive_by_download bool
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driver_load_prevention bool
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled bool
    Enable the prevention policy.
    engine_full_visibility bool
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhanced_dll_load_visibility bool
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhanced_exploitation_visibility bool
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhanced_ml_for_larger_files bool
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extended_user_mode_data PreventionPolicyWindowsExtendedUserModeDataArgs
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    file_encryption bool
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    file_system_access bool
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    force_aslr bool
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    force_dep bool
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardware_enhanced_exploit_detection bool
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heap_spray_preallocation bool
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    host_groups Sequence[str]
    Host Group ids to attach to the prevention policy.
    http_detections bool
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligence_sourced_threats bool
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreter_only bool
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    ioa_rule_groups Sequence[str]
    IOA Rule Group to attach to the prevention policy.
    javascript_via_rundll32 bool
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    last_updated str
    locky bool
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memory_scanning bool
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memory_scanning_scan_with_cpu bool
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoft_office_file_suspicious_macro_removal bool
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
    name str
    Name of the prevention policy.
    notify_end_users bool
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    null_page_allocation bool
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    on_write_script_file_visibility bool
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    prevent_suspicious_processes bool
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantine_and_security_center_registration bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantine_on_removable_media bool
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantine_on_write bool
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redact_http_detection_details bool
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    script_based_execution_monitoring bool
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    seh_overwrite_protection bool
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensor_anti_malware PreventionPolicyWindowsSensorAntiMalwareArgs
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensor_anti_malware_user_initiated PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensor_tampering_protection bool
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspicious_registry_operations bool
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspicious_scripts_and_commands bool
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    upload_unknown_detection_related_executables bool
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    upload_unknown_executables bool
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usb_insertion_triggered_scan bool
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volume_shadow_copy_audit bool
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volume_shadow_copy_protect bool
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerable_driver_protection bool
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windows_logon_bypass_sticky_keys bool
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
    additionalUserModeData Boolean
    Whether to enable the setting. Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    advancedRemediation Boolean
    Whether to enable the setting. Perform advanced remediation for IOA detections to kill processes, quarantine files, remove scheduled tasks, and clear and delete ASEP registry values.
    adwareAndPup Property Map
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts.
    applicationExploitationActivity Boolean
    Whether to enable the setting. Creation of a process, such as a command prompt, from an exploited browser or browser flash plugin was blocked.
    backupDeletion Boolean
    Whether to enable the setting. Deletion of backups often indicative of ransomware activity.
    biosDeepVisibility Boolean
    Whether to enable the setting. Provides visibility into BIOS. Detects suspicious and unexpected images. Recommend testing to monitor system startup performance before full deployment.
    chopperWebshell Boolean
    Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
    cloudAntiMalware Property Map
    Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts.
    cloudAntiMalwareMicrosoftOfficeFiles Property Map
    Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
    cloudAntiMalwareUserInitiated Property Map
    For online hosts running on-demand scans initiated by end users, use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware.
    codeInjection Boolean
    Whether to enable the setting. Kill processes that unexpectedly injected code into another process. Requires additional_user_mode_data to be enabled.
    credentialDumping Boolean
    Whether to enable the setting. Kill suspicious processes determined to be stealing logins and passwords. Requires additional_user_mode_data to be enabled.
    cryptowall Boolean
    Whether to enable the setting. A process associated with Cryptowall was blocked.
    customBlocking Boolean
    Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
    description String
    Description of the prevention policy.
    detectOnWrite Boolean
    Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
    driveByDownload Boolean
    Whether to enable the setting. A suspicious file written by a browser attempted to execute and was blocked.
    driverLoadPrevention Boolean
    Whether to enable the setting. Block the loading of kernel drivers that CrowdStrike analysts have identified as malicious. Available on Windows 10 and Windows Server 2016 and later.
    enabled Boolean
    Enable the prevention policy.
    engineFullVisibility Boolean
    Whether to enable the setting. Provides visibility into malicious System Management Automation engine usage by any application. Requires interpreter_only to be enabled.
    enhancedDllLoadVisibility Boolean
    Whether to enable the setting. For hosts running Windows Server, increases sensor visibility of loaded DLLs. Improves detection coverage and telemetry, but may cause a small performance impact. Recommend testing with critical applications before full deployment.
    enhancedExploitationVisibility Boolean
    Whether to enable the setting. For hosts running Windows 10 1809 and Server 2019 and later, provides additional visibility into common exploitation techniques used to weaken or circumvent application security.
    enhancedMlForLargerFiles Boolean
    Whether to enable the setting. Expand ML file size coverage. Existing ML level settings apply.
    extendedUserModeData Property Map
    Allows the sensor to get more data from a user-mode component it loads into all eligible processes, which augments online machine learning and turns on additional detections. Recommend testing with critical applications before full deployment.
    fileEncryption Boolean
    Whether to enable the setting. A process that created a file with a known ransomware extension was terminated.
    fileSystemAccess Boolean
    Whether to enable the setting. A process associated with a high volume of file system operations typical of ransomware behavior was terminated.
    forceAslr Boolean
    Whether to enable the setting. An Address Space Layout Randomization (ASLR) bypass attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    forceDep Boolean
    Whether to enable the setting. A process that had Force Data Execution Prevention (Force DEP) applied tried to execute non-executable memory and was blocked. Requires additional_user_mode_data to be enabled.
    hardwareEnhancedExploitDetection Boolean
    Whether to enable the setting. Provides additional visibility into application exploits by using CPU hardware features that detect suspicious control flows. Available only for hosts running Windows 10 (RS4) or Windows Server 2016 Version 1803 or later and Skylake or later CPU.
    heapSprayPreallocation Boolean
    Whether to enable the setting. A heap spray attempt was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    hostGroups List<String>
    Host Group ids to attach to the prevention policy.
    httpDetections Boolean
    Whether to enable the setting. Allows the sensor to monitor unencrypted HTTP traffic and certain encrypted HTTPS traffic on the sensor for malicious patterns and generate detection events on non-Server systems.
    intelligenceSourcedThreats Boolean
    Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
    interpreterOnly Boolean
    Whether to enable the setting. Provides visibility into malicious PowerShell interpreter usage. For hosts running Windows 10, Script-Based Execution Monitoring may be used instead.
    ioaRuleGroups List<String>
    IOA Rule Group to attach to the prevention policy.
    javascriptViaRundll32 Boolean
    Whether to enable the setting. JavaScript executing from a command line via rundll32.exe was prevented.
    lastUpdated String
    locky Boolean
    Whether to enable the setting. A process determined to be associated with Locky was blocked.
    memoryScanning Boolean
    Whether to enable the setting. Provides visibility into in-memory attacks by scanning for suspicious artifacts on hosts with the following: an integrated GPU and supporting OS libraries, Windows 10 v1607 (RS1) or later, and a Skylake or newer Intel CPU.
    memoryScanningScanWithCpu Boolean
    Whether to enable the setting. Allows memory scanning to use the CPU or virtual CPU when an integrated GPU is not available. All Intel processors supported, requires Windows 8.1/2012 R2 or later.
    microsoftOfficeFileSuspiciousMacroRemoval Boolean
    Whether to enable the setting. Identifies potentially malicious macros in Microsoft Office files and, if prevention is enabled, either quarantines the file or removes the malicious macros before releasing the file back to the host
    name String
    Name of the prevention policy.
    notifyEndUsers Boolean
    Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. These messages also show up in the Windows Event Viewer under Applications and Service Logs.
    nullPageAllocation Boolean
    Whether to enable the setting. Allocating memory to the NULL (0) memory page was detected and blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    onWriteScriptFileVisibility Boolean
    Whether to enable the setting. Provides improved visibility into various script files being written to disk in addition to clouding a portion of their content.
    preventSuspiciousProcesses Boolean
    Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
    quarantineAndSecurityCenterRegistration Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions. CrowdStrike Falcon registers with Windows Security Center, disabling Windows Defender.
    quarantineOnRemovableMedia Boolean
    Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV.
    quarantineOnWrite Boolean
    Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
    redactHttpDetectionDetails Boolean
    Whether to enable the setting. Remove certain information from HTTP Detection events, including URL, raw HTTP header and POST bodies if they were present. This does not affect the generation of HTTP Detections, only additional details that would be included and may include personal information (depending on the malware in question). When disabled, the information is used to improve the response to detection events. Has no effect unless HTTP Detections is also enabled.
    scriptBasedExecutionMonitoring Boolean
    Whether to enable the setting. For hosts running Windows 10 and Servers 2016 and later, provides visibility into suspicious scripts and VBA macros in Office documents. Requires Quarantine & Security Center Registration toggle to be enabled.
    sehOverwriteProtection Boolean
    Whether to enable the setting. Overwriting a Structured Exception Handler (SEH) was detected and may have been blocked. This may have been part of an attempted exploit. Requires additional_user_mode_data to be enabled.
    sensorAntiMalware Property Map
    For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware.
    sensorAntiMalwareUserInitiated Property Map
    For offline and online hosts running on-demand scans initiated by end users, use sensor-based machine learning to identify and analyze unknown executables to detect and prevent malware.
    sensorTamperingProtection Boolean
    Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
    suspiciousRegistryOperations Boolean
    Whether to enable the setting. Block registry operations that CrowdStrike analysts classify as suspicious. Focuses on dynamic IOAs, such as ASEPs and security config changes. The associated process may be killed.
    suspiciousScriptsAndCommands Boolean
    Whether to enable the setting. Block execution of scripts and commands that CrowdStrike analysts classify as suspicious. Requires Interpreter-Only and/or Script-Based Execution Monitoring.
    uploadUnknownDetectionRelatedExecutables Boolean
    Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
    uploadUnknownExecutables Boolean
    Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
    usbInsertionTriggeredScan Boolean
    Whether to enable the setting. Start an on-demand scan when an end user inserts a USB device. To adjust detection sensitivity, change Anti-malware Detection levels in On-Demand Scans Machine Learning.
    volumeShadowCopyAudit Boolean
    Whether to enable the setting. Create an alert when a suspicious process deletes volume shadow copies. Recommended: Use audit mode with a test group to try allowlisting trusted software before turning on Protect.
    volumeShadowCopyProtect Boolean
    Whether to enable the setting. Prevent suspicious processes from deleting volume shadow copies. Requires volume_shadow_copy_audit.
    vulnerableDriverProtection Boolean
    Whether to enable the setting. Quarantine and block the loading of newly written kernel drivers that CrowdStrike analysts have identified as vulnerable. Available on Windows 10 and Windows 2016 and later. Requires driver_load_prevention.
    windowsLogonBypassStickyKeys Boolean
    Whether to enable the setting. A command line process associated with Windows logon bypass was prevented from executing.
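
Several descriptions above carry a prerequisite ("Requires ... to be enabled", "Has no effect unless ..."), so a setting can be switched on in code and still do nothing. The following TypeScript is an added example, not part of the CrowdStrike provider: it checks those documented prerequisites, including chains, before a policy is deployed. `lintPreventionPolicy`, the rule table and the sample policy are constructed here, and the check assumes plain boolean literals rather than Pulumi outputs.

```typescript
// Added example: offline lint for the prerequisite notes in the property list.
// Setting names come from the page; Rule, Finding and lintPreventionPolicy are
// hypothetical helpers, not part of @crowdstrike/pulumi.

type PolicyArgs = { [setting: string]: unknown };

interface Rule {
    setting: string;                         // dependent setting
    anyOf: string[];                         // at least one must be effectively on
    kind: "requires" | "no-effect-without";  // wording used in the description
}

interface Finding {
    setting: string;
    kind: Rule["kind"];
    missing: string[];          // prerequisites that are off or themselves unsatisfied
    blockedUpstream: string[];  // prerequisites set to true whose own prerequisite is missing
}

// Settings documented as requiring additional_user_mode_data.
const NEEDS_USER_MODE_DATA: string[] = [
    "codeInjection", "credentialDumping", "forceAslr", "forceDep",
    "heapSprayPreallocation", "nullPageAllocation", "sehOverwriteProtection",
];

const RULES: Rule[] = [
    ...NEEDS_USER_MODE_DATA.map((s): Rule => (
        { setting: s, anyOf: ["additionalUserModeData"], kind: "requires" })),
    { setting: "engineFullVisibility", anyOf: ["interpreterOnly"], kind: "requires" },
    { setting: "scriptBasedExecutionMonitoring",
      anyOf: ["quarantineAndSecurityCenterRegistration"], kind: "requires" },
    // "Requires Interpreter-Only and/or Script-Based Execution Monitoring."
    { setting: "suspiciousScriptsAndCommands",
      anyOf: ["interpreterOnly", "scriptBasedExecutionMonitoring"], kind: "requires" },
    { setting: "volumeShadowCopyProtect", anyOf: ["volumeShadowCopyAudit"], kind: "requires" },
    { setting: "vulnerableDriverProtection", anyOf: ["driverLoadPrevention"], kind: "requires" },
    { setting: "redactHttpDetectionDetails", anyOf: ["httpDetections"], kind: "no-effect-without" },
];

// Settings that are true AND whose prerequisite chain is satisfied.
// Repeats until stable so that a broken prerequisite propagates downstream.
function effectiveSettings(args: PolicyArgs): Set<string> {
    const on = new Set<string>(Object.keys(args).filter((k) => args[k] === true));
    let changed = true;
    while (changed) {
        changed = false;
        for (const rule of RULES) {
            if (on.has(rule.setting) && !rule.anyOf.some((k) => on.has(k))) {
                on.delete(rule.setting);
                changed = true;
            }
        }
    }
    return on;
}

// One finding per setting that is set to true but cannot take effect.
function lintPreventionPolicy(args: PolicyArgs): Finding[] {
    const effective = effectiveSettings(args);
    const findings: Finding[] = [];
    for (const rule of RULES) {
        if (args[rule.setting] !== true || effective.has(rule.setting)) continue;
        findings.push({
            setting: rule.setting,
            kind: rule.kind,
            missing: rule.anyOf.filter((k) => !effective.has(k)),
            blockedUpstream: rule.anyOf.filter((k) => args[k] === true && !effective.has(k)),
        });
    }
    return findings;
}

// Constructed sample policy with several unmet prerequisites.
const samplePolicy: PolicyArgs = {
    additionalUserModeData: false,
    codeInjection: true,
    credentialDumping: true,
    interpreterOnly: false,
    quarantineAndSecurityCenterRegistration: false,
    scriptBasedExecutionMonitoring: true,   // prerequisite is off
    suspiciousScriptsAndCommands: true,     // only prerequisite that is on is itself blocked
    volumeShadowCopyAudit: true,
    volumeShadowCopyProtect: true,
    driverLoadPrevention: true,
    vulnerableDriverProtection: true,
    httpDetections: false,
    redactHttpDetectionDetails: true,
};

for (const f of lintPreventionPolicy(samplePolicy)) {
    console.log(`${f.setting}: ${f.kind} one of [${f.missing.join(", ")}]`);
}
```

Run the check on the same object literal that is passed to the `PreventionPolicyWindows` constructor and fail the deployment when it returns any finding.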

    Supporting Types

    PreventionPolicyWindowsAdwareAndPup, PreventionPolicyWindowsAdwareAndPupArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    PreventionPolicyWindowsCloudAntiMalware, PreventionPolicyWindowsCloudAntiMalwareArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFiles, PreventionPolicyWindowsCloudAntiMalwareMicrosoftOfficeFilesArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    PreventionPolicyWindowsCloudAntiMalwareUserInitiated, PreventionPolicyWindowsCloudAntiMalwareUserInitiatedArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    PreventionPolicyWindowsExtendedUserModeData, PreventionPolicyWindowsExtendedUserModeDataArgs

    Detection string
    Machine learning level for detection.
    detection String
    Machine learning level for detection.
    detection string
    Machine learning level for detection.
    detection str
    Machine learning level for detection.

    PreventionPolicyWindowsSensorAntiMalware, PreventionPolicyWindowsSensorAntiMalwareArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    PreventionPolicyWindowsSensorAntiMalwareUserInitiated, PreventionPolicyWindowsSensorAntiMalwareUserInitiatedArgs

    Detection string
    Machine learning level for detection.
    Prevention string
    Machine learning level for prevention.
    detection String
    Machine learning level for detection.
    prevention String
    Machine learning level for prevention.
    detection string
    Machine learning level for detection.
    prevention string
    Machine learning level for prevention.
    detection str
    Machine learning level for detection.
    prevention str
    Machine learning level for prevention.

    Import

    A prevention policy can be imported by specifying the policy ID.

    $ pulumi import crowdstrike:index/preventionPolicyWindows:PreventionPolicyWindows example 7fb858a949034a0cbca175f660f1e769
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    crowdstrike crowdstrike/pulumi-crowdstrike
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the crowdstrike Terraform Provider.