Edit-FalconDeviceControlPolicy
bk-cs edited this page Oct 1, 2024 · 23 revisions
Modify Falcon Device Control policies
Requires 'Device control policies: Write'.
Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
---|---|---|---|---|---|---|---|
InputObject | Object[] | One or more policies to modify in a single request | | | | X | |
Id | String | Policy identifier | | | | | |
Name | String | Policy name | | | | | |
Description | String | Policy description | | | | | |
Setting | Object | Policy settings | | | | | |
Default | Switch | Modify the default Windows Device Control policy | | | | | |
Blocked | String | Custom notification for blocked events | | | | | |
UseBlocked | Boolean | Enable custom notification for blocked events | | | | | |
Restricted | String | Custom notification for restricted events | | | | | |
UseRestricted | Boolean | Enable custom notification for restricted events | | | | | |
```powershell
Edit-FalconDeviceControlPolicy [-Id] <String> [[-Name] <String>] [[-Description] <String>] [[-Setting] <Object>] [-WhatIf] [-Confirm] [<CommonParameters>]
Edit-FalconDeviceControlPolicy -InputObject <Object[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Edit-FalconDeviceControlPolicy -Default [[-Blocked] <String>] [[-UseBlocked] <Boolean>] [[-Restricted] <String>] [[-UseRestricted] <Boolean>] [-WhatIf] [-Confirm] [<CommonParameters>]
```
PATCH /policy/entities/default-device-control/v1
PATCH /policy/entities/device-control/v1
updateDeviceControlPolicies
updateDefaultDeviceControlPolicies
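An added example, not from this page or the PSFalcon project, of the `-InputObject` and `-Default` parameter sets listed above: it finds enabled Windows policies that are still in monitor-only mode, switches them to enforcement in a single `updateDeviceControlPolicies` request, and sets the default policy's blocked-device notification. It assumes an authenticated `Request-FalconToken` session with 'Device control policies: Write', that `Get-FalconDeviceControlPolicy -Detailed` returns `settings.enforcement_mode` and `enabled`, that `MONITOR_ONLY` is the API's monitor-only value, and that objects piped to `-InputObject` use the API body's property names (`id`, `description`, `settings`).

```powershell
# Added example (not PSFalcon wiki content). Assumes an active Request-FalconToken
# session and 'Device control policies: Write'. The property names on the piped
# objects and the 'MONITOR_ONLY' value are assumed from the API body layout.

# 1. Enabled Windows policies that only log what they would have blocked.
$Monitoring = Get-FalconDeviceControlPolicy -Filter "platform_name:'Windows'" -Detailed -All |
    Where-Object { $_.enabled -eq $true -and $_.settings.enforcement_mode -eq 'MONITOR_ONLY' }

if (-not $Monitoring) {
    Write-Host 'No monitor-only Windows Device Control policies found.'
    return
}

# 2. One object per policy carrying only the fields to change. Because the request
#    sends just these fields, confirm on a non-production policy that the class
#    settings you did not send survive the update before running this at scale.
$Changes = foreach ($p in $Monitoring) {
    [PSCustomObject]@{
        id          = $p.id
        description = ("$($p.description) [enforcement enabled $(Get-Date -Format 'yyyy-MM-dd')]").Trim()
        settings    = @{ enforcement_mode = 'MONITOR_ENFORCE' }
    }
}

# 3. Dry run first (-WhatIf lists the operations without calling the API), then
#    submit every change in one request through the InputObject pipeline.
$Changes | Edit-FalconDeviceControlPolicy -WhatIf
$Changes | Edit-FalconDeviceControlPolicy

# 4. Tell users what to do when a device is blocked, on the default Windows policy.
Edit-FalconDeviceControlPolicy -Default -UseBlocked $true `
    -Blocked 'This USB device is blocked by policy. Contact IT Security to request an exception.'
```

Keep the `-WhatIf` pass in any scripted rollout: the pipeline form modifies every object it receives, so a too-broad filter in step 1 turns into a bulk enforcement change in step 3.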
```powershell
$Setting = @{
    # Block matching devices and show the end user a notification
    enforcement_mode = 'MONITOR_ENFORCE'
    end_user_notifications = 'NOTIFY_USER'
    classes = @(
        @{
            # Block every audio/video device, with one time-limited exception
            id = 'AUDIO_VIDEO'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    combined_id = '1133_2092_7A4F8BD0'
                    action = 'FULL_ACCESS'
                    expiration_time = '2023-01-01T00:00:00Z'  # ISO 8601, UTC
                }
            )
        },
        @{
            # Block mass storage, except one LaCie model (no execute) and all Seagate devices
            id = 'MASS_STORAGE'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    vendor_id = '59f'       # hexadecimal USB vendor id (0x059F)
                    vendor_name = 'LaCie'
                    product_id = '10c4'     # hexadecimal USB product id
                    product_name = 'HDD'
                    action = 'BLOCK_EXECUTE'
                },
                @{
                    vendor_id_decimal = '3010'  # same vendor id in decimal (3010 = 0x0BC2)
                    vendor_name = 'Seagate'
                    action = 'FULL_ACCESS'
                }
            )
        }
    )
}
Edit-FalconDeviceControlPolicy -Id <id> -Setting $Setting
```
```powershell
$Setting = @{
    classes = @(
        @{
            # 'ANY' holds exceptions evaluated regardless of device class; these block specific devices
            id = 'ANY'
            exceptions = @(
                @{
                    action = 'BLOCK_ALL'
                    combined_id = '1_2_345'
                },
                @{
                    action = 'BLOCK_ALL'
                    vendor_id_decimal = '6'
                    vendor_name = 'Example Vendor'
                    product_id_decimal = '7'
                    product_name = 'Example Product'
                    serial_number = '891'
                }
            )
        },
        @{
            # Block imaging devices, allowing one serial and one vendor/product pair
            id = 'IMAGING'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    action = 'FULL_ACCESS'
                    combined_id = '5_4_321'
                },
                @{
                    action = 'FULL_ACCESS'
                    vendor_id_decimal = '20'
                    vendor_name = 'Example Vendor 2'
                    product_id_decimal = '30'
                    product_name = 'Example Product 2'
                }
            )
        },
        @{
            # Block mass storage, allowing one serial and one whole vendor
            id = 'MASS_STORAGE'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    action = 'FULL_ACCESS'
                    combined_id = '5_4_321'
                },
                @{
                    action = 'FULL_ACCESS'
                    vendor_id_decimal = '30'
                    vendor_name = 'Example Vendor 3'
                }
            )
        }
    )
}
Edit-FalconDeviceControlPolicy -Id <id> -Setting $Setting
```
See Add a list of combined_id exceptions to a Device Control policy.
```powershell
$Setting = @{ delete_exceptions = @('id', 'id') }
Edit-FalconDeviceControlPolicy -Id <id> -Setting $Setting
```
NOTE: The required id values can be found under the settings.classes.exceptions sub-object. Classes can be filtered by their relevant id values to find the specific exceptions for that class type.
```powershell
$Policy = Get-FalconDeviceControlPolicy -Id <id>
$Policy.settings.classes.Where({ $_.id -eq 'MASS_STORAGE' }).exceptions
```
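As an added example (not from this page or PSFalcon), the lookup above carried through to a deletion: it pulls one policy, lists the MASS_STORAGE exceptions that grant FULL_ACCESS and whose expiration_time is already in the past, and removes them by id with delete_exceptions after a -WhatIf dry run. The policy id is a placeholder to replace; the exception properties it reads (id, action, vendor_name, product_name, serial_number, expiration_time) are the ones used in the examples above, and an authenticated Request-FalconToken session is assumed.

```powershell
# Added example (not PSFalcon wiki content). Assumes an active Request-FalconToken
# session. Replace the placeholder with a real Device Control policy id.
$PolicyId = 'REPLACE-WITH-POLICY-ID'

$Policy = Get-FalconDeviceControlPolicy -Id $PolicyId
$Class  = $Policy.settings.classes | Where-Object { $_.id -eq 'MASS_STORAGE' }

# Full-access exceptions whose expiration_time (ISO 8601, UTC) has passed.
# Exceptions without an expiration_time are permanent and are left alone.
$Now = [datetime]::UtcNow
$Stale = @($Class.exceptions | Where-Object {
    $_.action -eq 'FULL_ACCESS' -and $_.expiration_time -and
    ([datetime]$_.expiration_time).ToUniversalTime() -lt $Now
})

if ($Stale.Count -eq 0) {
    Write-Host "No expired FULL_ACCESS exceptions in MASS_STORAGE for policy $PolicyId."
    return
}

# Show what is about to go, dry-run the request, then delete by exception id.
$Stale | Select-Object id, vendor_name, product_name, serial_number, expiration_time |
    Format-Table -AutoSize
$Setting = @{ delete_exceptions = @($Stale.id) }
Edit-FalconDeviceControlPolicy -Id $PolicyId -Setting $Setting -WhatIf
Edit-FalconDeviceControlPolicy -Id $PolicyId -Setting $Setting
```

Expired exceptions are worth sweeping on a schedule: an exception that has lapsed on the calendar but is still present in the policy is easy to renew by mistake, and the id list in `delete_exceptions` is the only way to remove it short of rewriting the class.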
See Create CSVs containing Device Control policy details and exceptions.
2024-09-03: PSFalcon v2.2.7