
prevention_policy_mac

This resource allows you to manage prevention policies for Mac hosts. Prevention policies allow you to manage what activity will trigger detections and preventions on your hosts.

The following API scopes are required:

  • Prevention policies: READ
  • Prevention policies: WRITE

Example usage:

```hcl
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_prevention_policy_mac" "example" {
  name            = "example_prevention_policy"
  enabled         = false
  description     = "made with terraform"
  host_groups     = []
  ioa_rule_groups = []

  cloud_adware_and_pup = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  cloud_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  sensor_anti_malware = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }
  sensor_adware_and_pup = {
    "detection"  = "MODERATE"
    "prevention" = "CAUTIOUS"
  }

  notify_end_users                             = true
  custom_blocking                              = true
  detect_on_write                              = true
  intelligence_sourced_threats                 = true
  prevent_suspicious_processes                 = true
  quarantine                                   = true
  quarantine_on_write                          = true
  script_based_execution_monitoring            = true
  sensor_tampering_protection                  = true
  upload_unknown_executables                   = true
  upload_unknown_detection_related_executables = true
  xpcom_shell                                  = true
  kc_password_decoded                          = true
  hash_collector                               = true
  empyre_backdoor                              = true
  chopper_webshell                             = true
  suspicious_file_analysis                     = true
}

output "prevention_policy_mac" {
  value = crowdstrike_prevention_policy_mac.example
}
```
Required:

  • host_groups (Set of String) Host Group ids to attach to the prevention policy.
  • ioa_rule_groups (Set of String) IOA Rule Group ids to attach to the prevention policy.
  • name (String) Name of the prevention policy.

Optional:

  • chopper_webshell (Boolean) Whether to enable the setting. Execution of a command shell was blocked and is indicative of the system hosting a Chopper web page.
  • cloud_adware_and_pup (Attributes) Use cloud-based machine learning informed by global analysis of executables to detect and prevent adware and potentially unwanted programs (PUP) for your online hosts. (see below for nested schema)
  • cloud_anti_malware (Attributes) Use cloud-based machine learning informed by global analysis of executables to detect and prevent known malware for your online hosts. (see below for nested schema)
  • custom_blocking (Boolean) Whether to enable the setting. Block processes matching hashes that you add to IOC Management with the action set to "Block" or "Block, hide detection".
  • description (String) Description of the prevention policy.
  • detect_on_write (Boolean) Whether to enable the setting. Use machine learning to analyze suspicious files when they're written to disk. To adjust detection sensitivity, change Anti-malware Detection levels in Sensor Machine Learning and Cloud Machine Learning.
  • empyre_backdoor (Boolean) Whether to enable the setting. A process with behaviors indicative of the Empyre Backdoor was terminated.
  • enabled (Boolean) Enable the prevention policy.
  • enhanced_network_visibility (Boolean) Whether to enable the setting. Provides enhanced visibility into network activities and detections.
  • hash_collector (Boolean) Whether to enable the setting. An attempt to dump a user's hashed password was blocked.
  • intelligence_sourced_threats (Boolean) Whether to enable the setting. Block processes that CrowdStrike Intelligence analysts classify as malicious. These are focused on static hash-based IOCs.
  • kc_password_decoded (Boolean) Whether to enable the setting. An attempt to recover a plaintext password via the kcpassword file was blocked.
  • notify_end_users (Boolean) Whether to enable the setting. Show a pop-up notification to the end user when the Falcon sensor blocks, kills, or quarantines. See these messages in Console.app by searching for Process: Falcon Notifications.
  • prevent_suspicious_processes (Boolean) Whether to enable the setting. Block processes that CrowdStrike analysts classify as suspicious. These are focused on dynamic IOAs, such as malware, exploits and other threats.
  • quarantine (Boolean) Whether to enable the setting. Quarantine executable files after they're prevented by NGAV. When this is enabled, we recommend setting anti-malware prevention levels to Moderate or higher and not using other antivirus solutions.
  • quarantine_on_write (Boolean) Whether to enable the setting. Use machine learning to quarantine suspicious files when they're written to disk. To adjust quarantine sensitivity, change Anti-malware Prevention levels in Sensor Machine Learning and Cloud Machine Learning.
  • retrospective_detections (Boolean) Whether to enable the setting. Use of tagged binaries to automatically create detections for behaviors which occurred within a lookback period.
  • script_based_execution_monitoring (Boolean) Whether to enable the setting. Provides visibility into suspicious scripts, including shell and other scripting languages.
  • sensor_adware_and_pup (Attributes) For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent adware and potentially unwanted programs (PUP). (see below for nested schema)
  • sensor_anti_malware (Attributes) For offline and online hosts, use sensor-based machine learning to identify and analyze unknown executables as they run to detect and prevent malware. (see below for nested schema)
  • sensor_tampering_protection (Boolean) Whether to enable the setting. Blocks attempts to tamper with the sensor. If disabled, the sensor still creates detections for tampering attempts but doesn't block them. Disabling is not recommended.
  • suspicious_file_analysis (Boolean) Whether to enable the setting. Upload suspicious files for advanced threat analysis with QuickScan Pro.
  • upload_unknown_detection_related_executables (Boolean) Whether to enable the setting. Upload all unknown detection-related executables for advanced analysis in the cloud.
  • upload_unknown_executables (Boolean) Whether to enable the setting. Upload all unknown executables for advanced analysis in the cloud.
  • xpcom_shell (Boolean) Whether to enable the setting. The execution of an XPCOM shell was blocked.

Read-Only:

  • id (String) Identifier for the prevention policy.
  • last_updated (String) Timestamp of the last Terraform update of the resource.

Nested schema for cloud_adware_and_pup

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.

Nested schema for cloud_anti_malware

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.

Nested schema for sensor_adware_and_pup

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.

Nested schema for sensor_anti_malware

Required:

  • detection (String) Machine learning level for detection.
  • prevention (String) Machine learning level for prevention.
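The page's own example creates a disabled policy with no host groups and mixed MODERATE/CAUTIOUS levels, which is fine for a first apply but not what you would ship. The configuration below is an added example, not from the provider's documentation or the example above, showing how the same resource is typically used in practice: the policy is enabled, attached to host groups supplied through a variable (`mac_host_group_ids`, assumed to hold ids of groups created elsewhere), uses one shared level map for all four machine-learning engines, and carries lifecycle preconditions that fail the plan if the configuration drifts from two guardrails. The level names beyond MODERATE and CAUTIOUS (DISABLED, AGGRESSIVE, EXTRA_AGGRESSIVE) and their ordering are assumed from the Falcon machine-learning slider levels, and the rule that detection should sit at or above prevention is an assumption encoded here as a check rather than something this page states. Preconditions require Terraform 1.2 or newer.

```hcl
# Added example (not the provider's own documentation): an enabled Mac
# prevention policy attached to host groups, with plan-time guardrails.

variable "mac_host_group_ids" {
  description = "Host Group ids the policy is attached to (assumed to exist already)."
  type        = set(string)
}

locals {
  # Assumed ordering of the machine-learning slider levels, lowest to highest.
  ml_rank = {
    DISABLED         = 0
    CAUTIOUS         = 1
    MODERATE         = 2
    AGGRESSIVE       = 3
    EXTRA_AGGRESSIVE = 4
  }

  # One level map reused for all four engines so they cannot drift apart.
  ml_levels = {
    detection  = "AGGRESSIVE"
    prevention = "MODERATE"
  }
}

resource "crowdstrike_prevention_policy_mac" "production" {
  name            = "mac-production"
  description     = "Managed by Terraform; change it here, not in the console"
  enabled         = true
  host_groups     = var.mac_host_group_ids
  ioa_rule_groups = []

  cloud_anti_malware    = local.ml_levels
  cloud_adware_and_pup  = local.ml_levels
  sensor_anti_malware   = local.ml_levels
  sensor_adware_and_pup = local.ml_levels

  # Sensor self-protection and blocking/quarantine behaviour.
  sensor_tampering_protection       = true
  quarantine                        = true
  quarantine_on_write               = true
  detect_on_write                   = true
  custom_blocking                   = true
  intelligence_sourced_threats      = true
  prevent_suspicious_processes      = true
  script_based_execution_monitoring = true
  notify_end_users                  = true

  # Cloud analysis of unknown and suspicious files.
  upload_unknown_executables                   = true
  upload_unknown_detection_related_executables = true
  suspicious_file_analysis                     = true

  # macOS-specific behavioural blocks listed in the schema above.
  xpcom_shell         = true
  kc_password_decoded = true
  hash_collector      = true
  empyre_backdoor     = true
  chopper_webshell    = true

  lifecycle {
    # Assumed rule: detection sensitivity at or above prevention sensitivity.
    precondition {
      condition     = local.ml_rank[local.ml_levels.detection] >= local.ml_rank[local.ml_levels.prevention]
      error_message = "Detection level must be at or above the prevention level."
    }
    # An enabled policy that is attached to nothing protects nothing.
    precondition {
      condition     = length(var.mac_host_group_ids) > 0
      error_message = "An enabled prevention policy must be attached to at least one host group."
    }
  }
}

output "mac_production_policy_id" {
  value = crowdstrike_prevention_policy_mac.production.id
}
```

Because the guardrails are preconditions rather than comments, a pull request that lowers `detection` below `prevention` or empties the host group set is rejected at `terraform plan`, before anything reaches the Falcon API. Keeping `host_groups` in a variable also keeps the policy definition stable across tenants, with only the group ids changing per environment.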

Import is supported using the following syntax:

```shell
# A prevention policy can be imported by specifying the policy id.
terraform import crowdstrike_prevention_policy_mac.example 7fb858a949034a0cbca175f660f1e769
```