Overview

Prevention policies control malware protection settings, detection behaviors, and other security features on endpoints. These policies define how the Falcon sensor prevents and detects threats across different platforms.
Required API Scope: Prevention Policies: Read (for read operations) or Prevention Policies: Write (for write operations)

Get Prevention Policies

Search for and retrieve Prevention policies.
Get-FalconPreventionPolicy
Get-FalconPreventionPolicy [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Include] <string[]>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id (string[]): Policy identifier(s). Pattern: ^[a-fA-F0-9]{32}$
Filter (string): Falcon Query Language (FQL) expression to limit results. Example: platform_name:'Windows'+enabled:true
Sort (string): Property and direction to sort results. Valid values: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc
Limit (int32): Maximum number of results per request (1-5000)
Include (string[]): Include additional properties. Valid values: members
Offset (int32): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all available results are retrieved
Total (switch): Display total result count instead of results

Examples

Get-FalconPreventionPolicy -All -Detailed

Create Prevention Policy

Create new Prevention policies.
New-FalconPreventionPolicy
New-FalconPreventionPolicy -Name <string> -PlatformName <string> [[-Description] <string>] [[-Setting] <object[]>]

Parameters

Name (string, required): Policy name
PlatformName (string, required): Operating system platform. Valid values: Windows, Mac, Linux, iOS, Android
Description (string): Policy description
Setting (object[]): An array of policy settings containing prevention configuration. Each setting should include id and value properties.
InputObject (object[]): One or more policies to create in a single request (for batch operations, max 100 per request)

Examples

$Settings = @(
    @{ id = 'PREVENTION_ADWARE'; value = 'ENABLED' },
    @{ id = 'PREVENTION_UNWANTED_SOFTWARE'; value = 'ENABLED' }
)
New-FalconPreventionPolicy -Name 'Production Servers' -PlatformName 'Windows' -Description 'Prevention policy for production servers' -Setting $Settings

Edit Prevention Policy

Modify existing Prevention policies.
Edit-FalconPreventionPolicy
Edit-FalconPreventionPolicy -Id <string> [[-Name] <string>] [[-Description] <string>] [[-Setting] <object[]>]

Parameters

Id (string, required): Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Name (string): Policy name
Description (string): Policy description
Setting (object[]): Policy settings to update. Each setting should contain id and value.
InputObject (object[]): One or more policies to modify in a single request (for batch operations, max 100 per request)

Examples

Edit-FalconPreventionPolicy -Id <policy_id> -Name 'Updated Policy Name'
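An added example (not from the PSFalcon project or this page) that ties the Get and Edit cmdlets together: it audits every enabled Windows policy against a baseline of required settings and, when $Apply is set, pushes only the drifted settings back with Edit-FalconPreventionPolicy. It assumes the detailed policy object carries a prevention_settings property made of categories that each hold a settings array of id/value pairs, and it uses the 'ENABLED' value form shown in the create example above.

```powershell
# Added example, not PSFalcon project code. Assumed response shape:
#   $Policy.prevention_settings[*].settings[*] -> objects with 'id' and 'value'
$Baseline = @(
    @{ id = 'PREVENTION_ADWARE';            value = 'ENABLED' },
    @{ id = 'PREVENTION_UNWANTED_SOFTWARE'; value = 'ENABLED' }
)
$Apply = $false   # $true pushes the baseline back to drifted policies

function Get-PreventionSettingDrift {
    param([object]$Policy, [object[]]$Baseline)
    # Flatten the per-category settings into one id -> value lookup
    $Current = @{}
    foreach ($Category in $Policy.prevention_settings) {
        foreach ($Setting in $Category.settings) {
            $Current[$Setting.id] = $Setting.value
        }
    }
    # Keep only the baseline entries that are missing or hold a different value
    $Baseline | Where-Object {
        -not $Current.ContainsKey($_.id) -or "$($Current[$_.id])" -ne "$($_.value)"
    }
}

# -Detailed is required to receive the settings; -All pages through every policy.
# The FQL filter limits the audit to enabled Windows policies.
$Policies = Get-FalconPreventionPolicy -Filter "platform_name:'Windows'+enabled:true" -Detailed -All

foreach ($Policy in $Policies) {
    $Drift = @(Get-PreventionSettingDrift -Policy $Policy -Baseline $Baseline)
    if ($Drift.Count -eq 0) {
        Write-Host "OK    $($Policy.name) [$($Policy.id)]"
        continue
    }
    $Ids = ($Drift | ForEach-Object { $_.id }) -join ', '
    Write-Warning "DRIFT $($Policy.name) [$($Policy.id)]: $Ids"
    if ($Apply) {
        # Send only the settings that differ; each is the id/value pair -Setting expects
        Edit-FalconPreventionPolicy -Id $Policy.id -Setting $Drift
    }
}
```

Run it once with $Apply left at $false to see the drift report before letting it modify any policy.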

Remove Prevention Policy

Remove Prevention policies.
Remove-FalconPreventionPolicy
Remove-FalconPreventionPolicy -Id <string[]>

Parameters

Id (string[], required): Policy identifier(s) to remove. Pattern: ^[a-fA-F0-9]{32}$

Example

Remove-FalconPreventionPolicy -Id <policy_id>

Policy Actions

Perform actions on Prevention policies: enable or disable a policy, or add it to or remove it from a host group or rule group.
Invoke-FalconPreventionPolicyAction
Invoke-FalconPreventionPolicyAction -Name <string> [[-GroupId] <string>] -Id <string>

Parameters

Name (string, required): Action to perform. Valid values: add-host-group, add-rule-group, disable, enable, remove-host-group, remove-rule-group
GroupId (string): Host or rule group identifier. Pattern: ^[a-fA-F0-9]{32}$. Required for: add-host-group, add-rule-group, remove-host-group, remove-rule-group
Id (string, required): Policy identifier. Pattern: ^[a-fA-F0-9]{32}$

Examples

Invoke-FalconPreventionPolicyAction -Name enable -Id <policy_id>

Get Policy Members

Search for members (hosts) assigned to Prevention policies.
Get-FalconPreventionPolicyMember
Get-FalconPreventionPolicyMember [[-Id] <string>] [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id (string): Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Filter (string): Falcon Query Language expression to limit results
Sort (string): Property and direction to sort results
Limit (int32): Maximum number of results per request (1-5000)
Offset (int32): Position to begin retrieving results
Detailed (switch): Retrieve detailed information
All (switch): Repeat requests until all available results are retrieved
Total (switch): Display total result count instead of results

Example

Get-FalconPreventionPolicyMember -Id <policy_id> -Detailed -All
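An added example (not from the PSFalcon project or this page) covering the Policy Actions and Policy Members sections together: it enables a policy, attaches a host group, and then uses -Total to report how many hosts the policy now covers. The helper enforces the two constraints documented above, the 32-character hex identifier pattern and the GroupId requirement for the group actions. <policy_id> and <group_id> are placeholders.

```powershell
# Added example, not PSFalcon project code. Replace the placeholders below.
$IdPattern = '^[a-fA-F0-9]{32}$'
$PolicyId  = '<policy_id>'
$GroupId   = '<group_id>'

# The actions that operate on a group; -GroupId is mandatory for these
$GroupActions = 'add-host-group', 'add-rule-group', 'remove-host-group', 'remove-rule-group'

function Invoke-PreventionPolicyStep {
    param([string]$Action, [string]$Id, [string]$GroupId)
    if ($Id -notmatch $IdPattern) {
        throw "Policy id '$Id' does not match $IdPattern"
    }
    if ($GroupActions -contains $Action) {
        # Group actions without a well-formed group id are rejected locally
        if (-not $GroupId -or $GroupId -notmatch $IdPattern) {
            throw "Action '$Action' requires a -GroupId matching $IdPattern"
        }
        Invoke-FalconPreventionPolicyAction -Name $Action -Id $Id -GroupId $GroupId
    } else {
        Invoke-FalconPreventionPolicyAction -Name $Action -Id $Id
    }
}

Invoke-PreventionPolicyStep -Action enable -Id $PolicyId
Invoke-PreventionPolicyStep -Action add-host-group -Id $PolicyId -GroupId $GroupId

# -Total returns the member count instead of the member records
$Count = Get-FalconPreventionPolicyMember -Id $PolicyId -Total
Write-Host "Policy $PolicyId now has $Count member host(s)"
```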

Set Policy Precedence

Set Prevention policy precedence order for a specific platform.
Set-FalconPreventionPrecedence
Set-FalconPreventionPrecedence -PlatformName <string> -Id <string[]>

Parameters

PlatformName (string, required): Operating system platform. Valid values: Windows, Mac, Linux, iOS, Android
Id (string[], required): Policy identifiers in desired precedence order (highest to lowest priority). Pattern: ^[a-fA-F0-9]{32}$. All policy identifiers must be supplied in order, with the exception of the platform_default policy.

Example

$PolicyOrder = @('<policy_id_1>', '<policy_id_2>', '<policy_id_3>')
Set-FalconPreventionPrecedence -PlatformName 'Windows' -Id $PolicyOrder
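An added example (not from the PSFalcon project or this page) that builds the Id list from the live policy set rather than from hand-typed identifiers, so that Set-FalconPreventionPrecedence receives every non-default policy exactly once, as the parameter description requires. The policy names in $PinFirst are illustrative, and the platform_default policy is assumed to be the one whose name is 'platform_default'.

```powershell
# Added example, not PSFalcon project code. $PinFirst names are placeholders.
$Platform  = 'Windows'
$IdPattern = '^[a-fA-F0-9]{32}$'
$PinFirst  = @('Production Servers', 'Domain Controllers')   # wanted at the top, in this order

# Current order (precedence.asc = highest priority first), minus platform_default
$Policies = Get-FalconPreventionPolicy -Filter "platform_name:'$Platform'" -Sort precedence.asc -Detailed -All |
    Where-Object { $_.name -ne 'platform_default' }

function New-PrecedenceOrder {
    param([object[]]$Policies, [string[]]$PinFirst)
    $Ids = [System.Collections.Generic.List[string]]::new()
    # Pinned policies first, in the requested order ...
    foreach ($Name in $PinFirst) {
        foreach ($P in $Policies) { if ($P.name -eq $Name) { $Ids.Add($P.id) } }
    }
    # ... then every other policy in its current relative order
    foreach ($P in $Policies) { if ($PinFirst -notcontains $P.name) { $Ids.Add($P.id) } }

    # Every id must match the documented pattern and appear exactly once
    $Bad = foreach ($Id in $Ids) { if ($Id -notmatch $IdPattern) { $Id } }
    if ($Bad) { throw "Invalid policy id(s): $($Bad -join ', ')" }
    if (@($Ids | Select-Object -Unique).Count -ne $Ids.Count) { throw 'Duplicate policy id in order' }
    # The order must cover every non-default policy for the platform
    $Missing = foreach ($P in $Policies) { if (-not $Ids.Contains($P.id)) { $P.id } }
    if ($Missing) { throw "Order omits policy id(s): $($Missing -join ', ')" }
    return $Ids.ToArray()
}

$PolicyOrder = New-PrecedenceOrder -Policies $Policies -PinFirst $PinFirst
Set-FalconPreventionPrecedence -PlatformName $Platform -Id $PolicyOrder
```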
