USB Device Control Policy - CrowdStrike/psfalcon Wiki


Command                                   Permission
Copy-FalconDeviceControlPolicy            device-control-policies:read, device-control-policies:write
Edit-FalconDeviceControlPolicy            device-control-policies:write
Get-FalconDeviceControlPolicy             device-control-policies:read
Get-FalconDeviceControlPolicyMember       device-control-policies:read
Invoke-FalconDeviceControlPolicyAction    device-control-policies:write
New-FalconDeviceControlPolicy             device-control-policies:write
Remove-FalconDeviceControlPolicy          device-control-policies:write
Set-FalconDeviceControlPrecedence         device-control-policies:write

Manage Device Control policies

Create a policy

New-FalconDeviceControlPolicy -PlatformName Windows -Name 'My Device Control Policy' -Description 'Short description of my Device Control policy.'

Enable policy settings

$Settings = @{
    enforcement_mode = 'MONITOR_ENFORCE'
    end_user_notifications = 'NOTIFY_USER'
    classes = @(
        @{
            id = 'AUDIO_VIDEO'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    combined_id = '1133_2092_7A4F8BD0'
                    action = 'FULL_ACCESS'
                    expiration_time = '2023-01-01T00:00:00Z'
                }
            )
        },
        @{
            id = 'MASS_STORAGE'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    vendor_id = '59f'
                    vendor_name = 'LaCie'
                    product_id = '10c4'
                    product_name = 'HDD'
                    action = 'BLOCK_EXECUTE'
                },
                @{
                    vendor_id_decimal = '3010'
                    vendor_name = 'Seagate'
                    action = 'FULL_ACCESS'
                }
            )
        }
    )
}
Edit-FalconDeviceControlPolicy -Id <id> -Settings $Settings

Create/add exceptions

$Settings = @{
    classes = @(
        @{
            id = 'ANY'
            exceptions = @(
                @{
                    action = 'BLOCK_ALL'
                    combined_id = '1_2_345'
                },
                @{
                    action = 'BLOCK_ALL'
                    vendor_id_decimal = '6'
                    vendor_name = 'Example Vendor'
                    product_id_decimal = '7'
                    product_name = 'Example Product'
                    serial_number = '891'
                }
            )
        },
        @{
            id = 'IMAGING'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    action = 'FULL_ACCESS'
                    combined_id = '5_4_321'
                },
                @{
                    action = 'FULL_ACCESS'
                    vendor_id_decimal = '20'
                    vendor_name = 'Example Vendor 2'
                    product_id_decimal = '30'
                    product_name = 'Example Product 2'
                }
            )
        },
        @{
            id = 'MASS_STORAGE'
            action = 'BLOCK_ALL'
            exceptions = @(
                @{
                    action = 'FULL_ACCESS'
                    combined_id = '5_4_321'
                },
                @{
                    action = 'FULL_ACCESS'
                    vendor_id_decimal = '30'
                    vendor_name = 'Example Vendor 3'
                }
            )
        }
    )
}
Edit-FalconDeviceControlPolicy -Id <id> -Settings $Settings
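The same add-exceptions call can be driven from an inventory instead of hand-written hashtables. This is an added example, not psfalcon project code; the drive list is constructed for illustration, the function name is hypothetical, and only the exception fields shown above (vendor_id_decimal, product_id_decimal, serial_number, action) are used.

```powershell
# Added example (not psfalcon project code): build MASS_STORAGE exceptions from an
# inventory of approved removable drives, so every drive not on the list stays blocked.
function New-ApprovedDriveSettings {
    param(
        [Parameter(Mandatory)][object[]]$Drives,
        # BLOCK_EXECUTE lets users read and write the drive but not run binaries from it;
        # use FULL_ACCESS only where execution from removable media is genuinely needed
        [ValidateSet('FULL_ACCESS', 'BLOCK_EXECUTE')][string]$Action = 'BLOCK_EXECUTE'
    )
    $Dupes = $Drives | Group-Object SerialNumber | Where-Object Count -gt 1
    if ($Dupes) { throw "Duplicate serial numbers in inventory: $($Dupes.Name -join ', ')" }
    $Exceptions = foreach ($d in $Drives) {
        # The *_decimal fields must be decimal numbers, not the hex ids printed by most OS tools
        foreach ($f in 'VendorIdDecimal', 'ProductIdDecimal') {
            if ("$($d.$f)" -notmatch '^\d+$') {
                throw "$f '$($d.$f)' for serial '$($d.SerialNumber)' is not a decimal number"
            }
        }
        @{
            action             = $Action
            vendor_id_decimal  = "$($d.VendorIdDecimal)"
            vendor_name        = $d.VendorName
            product_id_decimal = "$($d.ProductIdDecimal)"
            product_name       = $d.ProductName
            serial_number      = $d.SerialNumber   # pins the exception to one physical drive
        }
    }
    # Class stays BLOCK_ALL; only the listed serials are excepted
    @{
        classes = @(
            @{ id = 'MASS_STORAGE'; action = 'BLOCK_ALL'; exceptions = @($Exceptions) }
        )
    }
}

# Constructed sample inventory (values are illustrative, not real devices)
$ApprovedDrives = @(
    [pscustomobject]@{ VendorIdDecimal = '3010'; VendorName = 'Seagate'; ProductIdDecimal = '8712'; ProductName = 'Expansion'; SerialNumber = 'NA0000AA' }
    [pscustomobject]@{ VendorIdDecimal = '1439'; VendorName = 'LaCie';   ProductIdDecimal = '4292'; ProductName = 'HDD';       SerialNumber = 'LC0000ZZ' }
)
$Settings = New-ApprovedDriveSettings -Drives $ApprovedDrives
Edit-FalconDeviceControlPolicy -Id '<id>' -Settings $Settings
```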

See Add a list of combined_id exceptions to a Device Control policy.

Delete exceptions

$Settings = @{ delete_exceptions = @('id', 'id') }
Edit-FalconDeviceControlPolicy -Id <id> -Settings $Settings

NOTE: The required id values can be found under the settings.classes.exceptions sub-object. Classes can be filtered by their relevant id values to find the specific exceptions for that class type.

$Policy = Get-FalconDeviceControlPolicy -Ids <id>
$Policy.settings.classes.Where({ $_.id -eq 'MASS_STORAGE' }).exceptions
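Putting the lookup and the delete call together: the function below (an added example, not psfalcon project code; the function name is hypothetical) removes FULL_ACCESS exceptions in one class whose expiration_time has already passed. It assumes the retrieved policy exposes each exception with the id, action and expiration_time properties shown elsewhere on this page.

```powershell
# Added example (not psfalcon project code): prune expired FULL_ACCESS exceptions
# from a single device class, reporting what is removed before editing the policy.
function Remove-ExpiredFullAccessException {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PolicyId,
        [string]$ClassId = 'MASS_STORAGE'
    )
    $Policy = Get-FalconDeviceControlPolicy -Ids $PolicyId
    $Class = $Policy.settings.classes.Where({ $_.id -eq $ClassId })
    if (-not $Class) {
        Write-Warning "Class '$ClassId' not found in policy $PolicyId"
        return
    }
    $Now = [datetimeoffset]::UtcNow
    # Vendor/product exceptions may carry no expiration_time; those are skipped
    $Expired = @($Class.exceptions).Where({
        $_.action -eq 'FULL_ACCESS' -and $_.expiration_time -and
        [datetimeoffset]::Parse($_.expiration_time) -lt $Now
    })
    if (-not $Expired) {
        Write-Verbose "No expired FULL_ACCESS exceptions in class $ClassId"
        return
    }
    foreach ($e in $Expired) {
        Write-Verbose "Removing exception $($e.id) (combined_id $($e.combined_id), expired $($e.expiration_time))"
    }
    # delete_exceptions takes the exception ids found under settings.classes.exceptions
    $Settings = @{ delete_exceptions = @($Expired.id) }
    Edit-FalconDeviceControlPolicy -Id $PolicyId -Settings $Settings
}

Remove-ExpiredFullAccessException -PolicyId '<id>' -Verbose
```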

See Create CSVs containing Device Control policy details and exceptions.

Assign host groups to a policy

Invoke-FalconDeviceControlPolicyAction -Name add-host-group -Id <id> -GroupId <id>

Enable the policy

Invoke-FalconDeviceControlPolicyAction -Name enable -Id <id>

Set policy precedence

NOTE: All policy ids (with the exception of platform_default) must be supplied in precedence order.

Set-FalconDeviceControlPrecedence -PlatformName Windows -Ids <id1>, <id2>, <id3>, <id4>

Delete a policy

Remove-FalconDeviceControlPolicy -Ids <id>, <id>

Find Device Control policies

Find policy details using a filtered search

Get-FalconDeviceControlPolicy -Filter "name:'policy'" -Sort created_timestamp.asc -Detailed

List policy ids using a filtered search

Get-FalconDeviceControlPolicy -Filter "name:'diana.hudson'" -Sort name.desc

List details about specific policies

Get-FalconDeviceControlPolicy -Ids <id>, <id>

Show members of a Device Control policy

Get-FalconDeviceControlPolicyMember -Id <id> [-Detailed] [-All]