This post will cover some basic steps and concepts of managing policies in the Falcon Platform. It is often necessary to have multiple policies to manage any organization. We’ll cover basic policy creation, policy settings and adding devices to a policy in this document.
There are no specific requirements other than to have an installation of the Falcon product and sensors deployed. For more information on how to deploy a sensor, please see other articles in the Tech Center for specific guidance.
Navigate to the “Configuration” app and select “Prevention Policies”.
In our scenario we’ll create a policy for the servers in an organization. To do this, select the “Add New Policy” button.
After clicking “Add New Policy”, a “Policy Details” page will open.
Add a name; in this case we’ll call the policy “Servers” and choose manual assignment so that hosts are added by hand. Add a description and select “Create”.
Upon policy creation, the “Policy Settings” page will open so that each setting can be enabled or disabled according to the needs of the policy. In this case, enable all the settings and set the ML slider to “Extra Aggressive”, since this policy will apply to servers. When the policy settings are complete, save and confirm the changes. Before adding members, enable the policy.
Note: enable the policy by selecting the “Enable” button above the “Save” button.
To add hosts to the policy click the “Assignment” tab located to the right of the “Settings” tab.
Click on the “Add groups to policy” button. Groups are created to manage the policy assignment of hosts as they are added to the organization; for example, as servers are added they can automatically be assigned a server policy. In this case we will select the previously set up server group. Groups allow for the automatic or static assignment of policies. This enables systems to be assigned the correct policy automatically as soon as the Falcon sensor is deployed, instead of manually assigning each host.
Select the group, then “Apply”.
After the “Add Groups to Policy” dialog box is closed, navigate back to the “Settings” tab and click “Enable” in the upper right corner. Then click “Save” to make sure all changes have been saved.
At this point, the policy has been created and enabled, the selected settings have been saved, and members have been added to the policy.
Falcon provides all the necessary management tools, whether for a small to medium-sized business or a large enterprise.
How to Manage Policies on the Falcon Platform
One of the key features required to be a legitimate AV replacement product is the ability to manage policies in large, complex environments. CrowdStrike Falcon gives enterprise organizations granular control over their policies. In the UI, navigate to the Configuration app and select Prevention Policies. The prevention policies page has multiple tabs: Windows policies and Mac policies.
To manage any device using Mac OS, select the Mac Policies tab and add, remove, or edit Mac policies there. We’ll walk you through basic policy creation. To do this, select the Add New Policy button. Give your policy a name. In my case, I’ll create a generic server policy. The platform will be Windows. Then select either Manual or Automatic Assignment. I’ll choose manual for this example.
Then, if you’d like to fill in a description, you can do so at the bottom. After selecting Create, the policy settings page will open, where you can configure the policy details. This page is divided into two sections: malware protection and behavior-based prevention. Since I will lock down my servers, I’ll enable all protection. Once those are all enabled, save and confirm the changes.
Now that the policy has been configured, we’ll add systems to the policy under the Add Members tab. I’ll use the categories across the top to filter my choices. After filtering choices using the operating system, I see four systems from which to choose. I’ll select the two at the bottom, as the other two servers are domain controllers and they have their own specific policy.
I can verify that these systems have been added to the policy by selecting the Current Members tab. Once I’m satisfied with my changes, I’ll select Enable and confirm. Hitting All Policies will take me back to the policy management page, where we see the newly created policy listed at the bottom.