How to set up Prevention Policies in CrowdStrike Falcon

CrowdStrike Falcon allows administrators to configure Prevention Policies to control how endpoints detect and respond to threats. By customizing prevention settings, you can balance security and system performance while reducing false positives.

This guide covers how to create, modify, and apply prevention policies in the CrowdStrike Falcon Console.

Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in with your admin credentials.

Step 2: Navigate to Prevention Policies

  1. In the left-hand menu, go to Configuration > Prevention Policies.
  2. You will see a list of existing policies (e.g., Standard, High Security, Custom Policies).
  3. Click on a policy to edit or create a new custom policy.

Step 3: Configure Prevention Policy Settings

Once inside a Prevention Policy, you can customize the following settings:

1. Machine Learning Prevention

  • Determines how Falcon detects unknown threats.
  • Options: Disabled, Cautious, Moderate, Aggressive.
  • 📌 Recommended: Keep at Moderate for a balance between security and performance.

2. Exploit Mitigation

  • Protects against memory-based attacks (e.g., buffer overflows, code injections).
  • 📌 Recommended: Enable for all applications where possible.

3. Ransomware Protection

  • Enables real-time detection and blocking of ransomware behavior.
  • Enable this setting for maximum protection.

4. Device Control

  • Allows control over USB devices to prevent unauthorized access.
  • Options: Allow, Block, Read-Only Mode.
  • 📌 Recommended: Block unknown USB devices but allow approved devices.

5. Custom Indicators of Compromise (IOCs)

  • Allows administrators to manually add known threat indicators.
  • Example: Block a specific malicious file hash across all endpoints.
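The settings above are easy to misconfigure silently, especially when several custom policies exist. The following script is an added example (not CrowdStrike's code) that audits an exported set of policies against the recommendations in Step 3 and sanity-checks custom IOC hashes before they are uploaded. The policy dictionaries are constructed samples, and the field names (ml_prevention, exploit_mitigation, ransomware_protection, device_control, custom_iocs) are assumptions made for this example, not the Falcon console's or API's own schema.

```python
"""Audit exported prevention-policy settings against the baseline this guide
recommends (ML at Moderate, Exploit Mitigation and Ransomware Protection on,
unknown USB devices blocked) and sanity-check custom IOC hashes.

Added example, not CrowdStrike's code. Field names are assumptions for this
example, not the Falcon schema; sample policies are constructed.
"""
import re
from dataclasses import dataclass

# Option names as listed in the guide, weakest to strictest.
ML_LEVELS = ("Disabled", "Cautious", "Moderate", "Aggressive")
DEVICE_MODES = ("Allow", "Block", "Read-Only")

# Baseline reflecting the guide's recommendations.
BASELINE = {
    "ml_prevention": "Moderate",
    "exploit_mitigation": True,
    "ransomware_protection": True,
    "device_control": "Block",
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class Finding:
    policy: str
    setting: str
    detail: str
    severity: str  # "error", "high", "medium", "low" or "info"


def audit_policy(policy: dict) -> list:
    """Return drift findings for one policy; an empty list means it matches the baseline."""
    name = policy["name"]
    findings = []

    ml = policy.get("ml_prevention", "Disabled")
    if ml not in ML_LEVELS:
        findings.append(Finding(name, "ml_prevention", f"unknown level {ml!r}", "error"))
    elif ML_LEVELS.index(ml) < ML_LEVELS.index(BASELINE["ml_prevention"]):
        findings.append(Finding(name, "ml_prevention", f"{ml} is weaker than {BASELINE['ml_prevention']}", "high"))
    elif ml != BASELINE["ml_prevention"]:
        # Stricter than the baseline: not a gap, but expect more false positives to triage.
        findings.append(Finding(name, "ml_prevention", f"{ml} is stricter than baseline; watch false positives", "info"))

    for key in ("exploit_mitigation", "ransomware_protection"):
        if not policy.get(key, False):
            findings.append(Finding(name, key, "disabled", "high"))

    dc = policy.get("device_control", "Allow")
    if dc not in DEVICE_MODES:
        findings.append(Finding(name, "device_control", f"unknown mode {dc!r}", "error"))
    elif dc == "Allow":
        findings.append(Finding(name, "device_control", "unknown USB devices are allowed", "medium"))

    # Custom IOCs: a malformed hash silently matches nothing, so catch it before upload.
    seen = set()
    for ioc in policy.get("custom_iocs", []):
        digest = ioc.get("sha256", "").strip().lower()
        if not SHA256_RE.match(digest):
            findings.append(Finding(name, "custom_iocs", f"invalid SHA-256 {ioc.get('sha256')!r}", "error"))
        elif digest in seen:
            findings.append(Finding(name, "custom_iocs", f"duplicate indicator {digest[:12]}...", "low"))
        else:
            seen.add(digest)
    return findings


def audit_all(policies) -> dict:
    """Map policy name -> findings, for every exported policy."""
    return {p["name"]: audit_policy(p) for p in policies}


# Constructed sample export: one compliant policy and one with drift.
SAMPLE_POLICIES = [
    {
        "name": "High Security",
        "ml_prevention": "Moderate",
        "exploit_mitigation": True,
        "ransomware_protection": True,
        "device_control": "Block",
        "custom_iocs": [{"sha256": "0123456789abcdef" * 4, "description": "constructed sample hash"}],
    },
    {
        "name": "Lab Workstations",
        "ml_prevention": "Cautious",
        "exploit_mitigation": False,
        "ransomware_protection": True,
        "device_control": "Allow",
        "custom_iocs": [
            {"sha256": "0123456789ABCDEF" * 4, "description": "same hash, upper-case"},
            {"sha256": "0123456789abcdef" * 4, "description": "duplicate after normalisation"},
            {"sha256": "deadbeef", "description": "truncated hash"},
        ],
    },
]

if __name__ == "__main__":
    for policy_name, findings in audit_all(SAMPLE_POLICIES).items():
        print(f"{policy_name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: {f.detail}")
```

Run it against a real export by replacing SAMPLE_POLICIES with the policies you pull from the console (mapped into the same field names). A non-empty findings list is the review queue for the policy owner; "info" entries for stricter-than-baseline settings are there because the guide's Moderate recommendation is about balancing security against false positives, not because stricter is wrong.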

Step 4: Apply the Policy to Endpoints

  1. After configuring settings, click Save Policy.
  2. Navigate to Host Management and select the endpoints that should receive the new policy.
  3. Assign the policy to specific groups or all managed devices.
  4. Click Apply Policy to enforce changes.

Step 5: Test and Monitor the Policy

  1. Go to Activity > Detection Summary in the Falcon Console.
  2. Look for alerts related to the updated policy settings.
  3. Adjust prevention levels if needed to fine-tune security without impacting performance.
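Step 5 is where most tuning decisions are made, and the question is usually which detections are real and which are noise. The script below is an added example (not CrowdStrike's code) that triages a batch of detection records after a policy change: it counts detections per setting and action, lists hosts with blocked high-severity events (which need incident response, not policy tuning), and flags files seen on many hosts only at low severity (which usually want an exclusion rather than a policy-wide downgrade). The records are constructed samples, and the field names (host, policy, setting, action, file, severity) are an assumption for this example, not the Falcon detection schema.

```python
"""Triage detection records after a prevention-policy change.

Added example, not CrowdStrike's code. The record fields are an assumption
for this example, not the Falcon detection schema; the data is constructed.
"""
from collections import Counter, defaultdict

# Constructed sample detections, as if exported from Activity > Detection
# Summary after the "Lab" policy was updated.
SAMPLE_DETECTIONS = [
    {"host": "WS-01", "policy": "Lab", "setting": "ml_prevention", "action": "blocked", "file": "dropper.exe", "severity": "high"},
    {"host": "WS-02", "policy": "Lab", "setting": "ml_prevention", "action": "blocked", "file": "dropper.exe", "severity": "high"},
    {"host": "WS-03", "policy": "Lab", "setting": "ml_prevention", "action": "detected", "file": "buildtool.exe", "severity": "low"},
    {"host": "WS-04", "policy": "Lab", "setting": "ml_prevention", "action": "detected", "file": "buildtool.exe", "severity": "low"},
    {"host": "WS-05", "policy": "Lab", "setting": "ml_prevention", "action": "detected", "file": "buildtool.exe", "severity": "low"},
    {"host": "WS-05", "policy": "Lab", "setting": "exploit_mitigation", "action": "blocked", "file": "viewer.exe", "severity": "medium"},
    {"host": "WS-01", "policy": "Lab", "setting": "device_control", "action": "blocked", "file": "USB mass storage (unapproved)", "severity": "medium"},
    {"host": "WS-02", "policy": "Lab", "setting": "ransomware_protection", "action": "blocked", "file": "encryptor.exe", "severity": "critical"},
]

URGENT = {"high", "critical"}


def counts_by_setting(detections):
    """(policy, setting, action) -> number of detections, to see which settings are active."""
    return Counter((d["policy"], d["setting"], d["action"]) for d in detections)


def detect_only_by_setting(detections):
    """setting -> number of detect-only events; a setting that only detects
    may be a candidate for raising to block once its hits are reviewed."""
    return Counter(d["setting"] for d in detections if d["action"] == "detected")


def hosts_to_review(detections):
    """Hosts with blocked high/critical events: these are response work,
    and tuning the policy must not hide them."""
    return sorted({d["host"] for d in detections
                   if d["action"] == "blocked" and d["severity"] in URGENT})


def false_positive_candidates(detections, min_hosts=3):
    """Files seen on at least min_hosts hosts and never above 'low' severity.
    A widely deployed internal tool tripping ML at 'low' is the typical false
    positive; handle it with an exclusion, not by lowering the whole policy."""
    hosts = defaultdict(set)
    severities = defaultdict(set)
    for d in detections:
        hosts[d["file"]].add(d["host"])
        severities[d["file"]].add(d["severity"])
    return sorted(f for f in hosts
                  if len(hosts[f]) >= min_hosts and severities[f] == {"low"})


if __name__ == "__main__":
    for key, n in sorted(counts_by_setting(SAMPLE_DETECTIONS).items()):
        print(f"{key[0]}/{key[1]} {key[2]}: {n}")
    print("detect-only:", dict(detect_only_by_setting(SAMPLE_DETECTIONS)))
    print("hosts needing review:", hosts_to_review(SAMPLE_DETECTIONS))
    print("likely false positives:", false_positive_candidates(SAMPLE_DETECTIONS))
```

Feed it the detections exported from the console for the policy you just changed. The two lists it produces point in different directions: hosts_to_review is evidence the policy is working and should stay, while false_positive_candidates is the list to resolve with targeted exclusions before considering any change to the prevention level.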

Best Practices for Prevention Policies

✅ Use Custom Policies for Different User Groups – Apply stricter policies to high-risk users like administrators.
✅ Enable Logging for Troubleshooting – Keep track of false positives to refine policy settings.
✅ Regularly Update Policies – As new threats emerge, adjust settings accordingly.
✅ Follow Recommended Policy settings – CrowdStrike publishes recommended policy settings here (Login Required). Review these recommendations regularly to ensure you are following them.