default_prevention_policy_mac
This resource allows you to manage the default prevention policy for Mac hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts. Destruction of this resource will not delete the default prevention policy or remove any configured settings.
API Scopes
The following API scopes are required:
- Prevention policies: READ
- Prevention policies: WRITE
Example Usage
```hcl
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_default_prevention_policy_mac" "default" {
  description     = "managed by terraform"
  ioa_rule_groups = []
  cloud_adware_and_pup = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  cloud_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  sensor_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  sensor_adware_and_pup = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  notify_end_users                             = true
  custom_blocking                              = true
  detect_on_write                              = true
  intelligence_sourced_threats                 = true
  prevent_suspicious_processes                 = true
  quarantine                                   = true
  quarantine_on_write                          = true
  script_based_execution_monitoring            = true
  sensor_tampering_protection                  = true
  upload_unknown_executables                   = true
  upload_unknown_detection_related_executables = true
  xpcom_shell                                  = true
  kc_password_decoded                          = true
  hash_collector                               = true
  empyre_backdoor                              = true
  chopper_webshell                             = true
  suspicious_file_analysis                     = true
}

output "default_prevention_policy_mac" {
  value = crowdstrike_default_prevention_policy_mac.default
}
```

Schema
Required
- ioa_rule_groups (Set of String) IOA rule groups to attach to the prevention policy.
Optional
- chopper_webshell (Boolean) Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
- cloud_adware_and_pup (Attributes) Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts. (see below for nested schema)
- cloud_anti_malware (Attributes) Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts. (see below for nested schema)
- custom_blocking (Boolean) Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to “Block” or “Block, hide detection”.
- description (String) Description of the prevention policy.
- detect_on_write (Boolean) Whether to enable the setting. Use machine learning to analyze suspicious files when they’re written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
- empyre_backdoor (Boolean) Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.
- enhanced_network_visibility (Boolean) Whether to enable the setting. Provides enhanced visibility into network activities and detections.
- hash_collector (Boolean) Whether to enable the setting. An attempt to dump a user’s hashed password was blocked.
- intelligence_sourced_threats (Boolean) Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
- kc_password_decoded (Boolean) Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.
- notify_end_users (Boolean) Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.
- prevent_suspicious_processes (Boolean) Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
- quarantine (Boolean) Whether to enable the setting. Quarantine executable files after they’re prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.
- quarantine_on_write (Boolean) Whether to enable the setting. Use machine learning to quarantine suspicious files when they’re written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
- retrospective_detections (Boolean) Whether to enable the setting. Use of tagged binaries to automatically create detections for behaviors which occurred within a lookback period.
- script_based_execution_monitoring (Boolean) Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.
- sensor_adware_and_pup (Attributes) For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP). (see below for nested schema)
- sensor_anti_malware (Attributes) For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware. (see below for nested schema)
- sensor_tampering_protection (Boolean) Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn’t block them. Disabling not recommended.
- suspicious_file_analysis (Boolean) Whether to enable the setting. Upload suspicious files for advanced threat analysis with QuickScan Pro.
- upload_unknown_detection_related_executables (Boolean) Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
- upload_unknown_executables (Boolean) Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
- xpcom_shell (Boolean) Whether to enable the setting. The execution of an XPCOM shell was blocked.
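The quarantine and sensor_tampering_protection descriptions above carry caveats that Terraform itself will not enforce: quarantine should be paired with anti-malware prevention at Moderate or higher, and turning tampering protection off downgrades the sensor from blocking to detect-only. The script below is an added example, not part of the provider or its documentation. It reads the JSON written by `terraform show -json tfplan` and fails a pipeline step when a planned mac default policy enables quarantine with anti-malware prevention below MODERATE, disables tampering protection, or sets a prevention level above its detection level. The full list of level names (DISABLED through EXTRA_AGGRESSIVE) and the rule that prevention cannot exceed detection are assumptions of this example; the page only shows CAUTIOUS and MODERATE. The sample plan is constructed for the example.

```python
"""Pre-apply gate for crowdstrike_default_prevention_policy_mac plans.

Added example, not part of the provider or its documentation. Reads the JSON
emitted by `terraform show -json tfplan` (planned_values.root_module.resources)
and flags planned values that contradict the schema recommendations.
"""
import json
import sys

RESOURCE_TYPE = "crowdstrike_default_prevention_policy_mac"

# Assumed ordering of Falcon machine-learning levels, weakest to strongest.
# The page only shows CAUTIOUS and MODERATE; the full set is an assumption here.
LEVEL_RANK = {"DISABLED": 0, "CAUTIOUS": 1, "MODERATE": 2, "AGGRESSIVE": 3, "EXTRA_AGGRESSIVE": 4}

ML_BLOCKS = ("sensor_anti_malware", "cloud_anti_malware", "sensor_adware_and_pup", "cloud_adware_and_pup")
ANTI_MALWARE_BLOCKS = ("sensor_anti_malware", "cloud_anti_malware")


def check_policy(values: dict) -> list[str]:
    """Return human-readable findings for one resource's planned attribute values."""
    findings = []

    # Page: with tampering protection off, the sensor detects tampering but does not block it.
    if values.get("sensor_tampering_protection") is False:
        findings.append("sensor_tampering_protection is disabled; tampering will be detected but not blocked")

    # Page: when quarantine is enabled, anti-malware prevention should be MODERATE or higher.
    if values.get("quarantine") is True:
        for block in ANTI_MALWARE_BLOCKS:
            level = (values.get(block) or {}).get("prevention", "DISABLED")
            if LEVEL_RANK.get(level, -1) < LEVEL_RANK["MODERATE"]:
                findings.append(
                    f"quarantine is enabled but {block}.prevention is {level}; MODERATE or higher is recommended"
                )

    for block in ML_BLOCKS:
        levels = values.get(block) or {}
        for key in ("detection", "prevention"):
            if key in levels and levels[key] not in LEVEL_RANK:
                findings.append(f"{block}.{key} has unrecognised level {levels[key]!r}")
        det, prev = levels.get("detection"), levels.get("prevention")
        # Assumption (not stated on this page): Falcon rejects prevention set above detection.
        if det in LEVEL_RANK and prev in LEVEL_RANK and LEVEL_RANK[prev] > LEVEL_RANK[det]:
            findings.append(f"{block}.prevention ({prev}) is above {block}.detection ({det})")
    return findings


def check_plan(plan: dict) -> dict[str, list[str]]:
    """Map each planned mac default prevention policy address to its findings."""
    results = {}
    modules = [plan.get("planned_values", {}).get("root_module", {})]
    while modules:  # walk child modules as well as the root module
        module = modules.pop()
        for res in module.get("resources", []):
            if res.get("type") == RESOURCE_TYPE:
                results[res["address"]] = check_policy(res.get("values") or {})
        modules.extend(module.get("child_modules", []))
    return results


# Constructed sample in the shape of `terraform show -json tfplan`: the page's
# example ML levels (MODERATE/CAUTIOUS) with quarantine on and tampering protection off.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [{
        "address": "crowdstrike_default_prevention_policy_mac.default",
        "type": RESOURCE_TYPE,
        "name": "default",
        "values": {
            "quarantine": True,
            "sensor_tampering_protection": False,
            "sensor_anti_malware": {"detection": "MODERATE", "prevention": "CAUTIOUS"},
            "cloud_anti_malware": {"detection": "MODERATE", "prevention": "CAUTIOUS"},
            "sensor_adware_and_pup": {"detection": "MODERATE", "prevention": "CAUTIOUS"},
            "cloud_adware_and_pup": {"detection": "MODERATE", "prevention": "CAUTIOUS"},
        },
    }]}},
}


def main(argv: list[str]) -> int:
    """Exit non-zero when any planned mac default policy has findings."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for address, items in findings.items():
        for item in items:
            print(f"{address}: {item}")
    return 1 if any(findings.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it after `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` as `python check_mac_policy.py plan.json` (file names are illustrative). Note that the Example Usage on this page enables quarantine while leaving both anti-malware prevention levels at CAUTIOUS, which is exactly the combination the quarantine description advises against; the gate reports it rather than letting it through silently.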
Read-Only
- id (String) Identifier for the prevention policy.
- last_updated (String) Timestamp of the last Terraform update of the resource.
Nested Schema for cloud_adware_and_pup
Required:
- detection (String) Machine learning level for detection.
- prevention (String) Machine learning level for prevention.
Nested Schema for cloud_anti_malware
Required:
- detection (String) Machine learning level for detection.
- prevention (String) Machine learning level for prevention.
Nested Schema for sensor_adware_and_pup
Required:
- detection (String) Machine learning level for detection.
- prevention (String) Machine learning level for prevention.
Nested Schema for sensor_anti_malware
Required:
- detection (String) Machine learning level for detection.
- prevention (String) Machine learning level for prevention.
Import
Import is supported using the following syntax:

```shell
# The Mac default prevention policy can be imported by specifying the id.
terraform import crowdstrike_default_prevention_policy_mac.default 7fb858a949034a0cbca175f660f1e769
```