Create policy

Content-Type: application/json
Authorization: Bearer
JWT Token returned by Auth API
with the policy:create scope encoded.

lsassread (LSASS read): Memory belonging to the
Windows
Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.
outofprocessallocation (remote allocation of memory): A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.
outofprocessapc (remote APC scheduled): A process has diverted the execution of another process’s thread. This is generally used by an attacker to activate a malicious presence that has been injected into another process.
outofprocesscreatethread (remote thread creation): A process has created a new thread in another process. A process’s threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process.
outofprocessmap (remote mapping of memory): A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence.
outofprocessoverwritecode (remote overwrite code): A process has modified executable memory in another process. Under normal conditions, executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process.
outofprocessunmapmemory (remote unmap of memory): A process has removed a
Windows
executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution.
outofprocesswrite (remote write to memory): A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.
outofprocesswritepe (remote write PE to memory): A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to execute code without first writing that code to disk.
overwritecode (overwrite code): The code residing in a process’s memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).
stackpivot (stack pivot): The stack for a thread has been replaced with a different stack. Generally, the system will only allocate a single stack for a thread. An attacker would use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP).
stackprotect (stack protect): The memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by Data Execution Prevention (DEP).

dyldinjection (DYLD injections): An environment variable has been set that will cause a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts, causing their modules to be loaded automatically when an application starts.
maliciouspayload (malicious payload): A generic shellcode and payload detection associated with exploitation has been detected.
trackdataread (RAM scraping): A process is trying to read valid magnetic stripe track data from another process. Typically related to point of sale systems (POS).
zeroallocate (zero allocate): A null page has been allocated. The memory region is typically reserved, but in certain circumstances, it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.

childprocessprotect (Memory Permission Changes in Child Processes) - Windows only: A violating process has spawned a child process and has modified memory access permissions in that child process.
dangerouscomobject (Dangerous COM Object) - Windows only: A Malicious code that has a reference to a Component Object Model (COM) object has been detected.
dangerouseenvvariable (Dangerous Environment Variable) - Windows only:  An environment variable that may have malicious code attached has been detected.
directsyscall (Direct System Calls) - Windows only: Aan attempt to silently inject malicious code into other processes has been detected. This violation type cannot be blocked.
doppelganger (Doppelganger): A new (malicious) process was started from a file that has not yet been written to the file system. The file writer transaction is usually rolled back after the process start (so the malicious file is never committed to disk), and any attempt to scan the file on disk will only see the unmodified benign file.
maliciouslowintegrity (Low Integrity Process Start) - Windows only: A process has been set to run with a low integrity level.
oopprotect (Memory Permission Changes in Other Processes) - Windows only: A violating process has modified memory access permissions within another process. This is usually done to inject code into another process to make memory executable by modifying memory access permissions. There are few legitimate uses of this.
stolensystemtoken (Stolen System Token) - Windows only: An access token has been modified to allow a user to bypass security access controls.
syscallprobe (System Call Monitoring) - Windows only: A system call made to an application or operating system has been detected.
systemdllwrite (System DLL Overwrite) - Windows only: An attempt to overwrite a system DLL has been detected.

"memory_exclusions_list_v2": [
    {
        "violations": [],
        "path": "C:\\temp\\file1.txt"
    },
    {
        "violations": [],
        "path": "C:\\temp\\file2.txt"
    }
]

custom_thumbprint:
days_until_deleted: This is the setting for the number of days to retain a quarantined file. Quarantined files older than the set number of days will be automatically deleted. The minimum number of days is 14, the maximum number of days is 365. The "auto-delete" setting must be enabled.
device_control: This is the setting to enable or disable the device control feature.
docx_auto_uploading: This setting is currently not in use.
full_disc_scan: This is the setting to have
Cylance
analyze all executable files on disk to detect any dormant threats. This is the background threat detection setting.
0: Disabled
1: Run Recurring (performs a scan every nine days)
2: Run Once (runs a full disk scan upon installation only)
kill_running_threats: This is the setting to kill processes and child processes regardless of the state when a threat is detected (EXE or DLL).
logpolicy: This setting is not used.
memory_exploit_detection: This is the setting to enable or disable the memory protection feature. This affects "memory_violation_actions" ("memory_violations" and "memory_violations_ext").

sample_copy_path: This is the setting to copy all file samples to a network share (CIFS/SMB). For Example:
{
    "name": "sample_copy_path",
    "value": "\\\\server_name\\shared_folder"
}
scan_exception_list: This is the setting to exclude specific folders and subfolders from being scanned by full_disc_scan and watch_for_new_files. Set the value to the absolute path for the excluded files. For example:
{
    "name": "scan_exception_list",
    "value": [
        "c:\\temp"
    ]
}
scan_max_archive_size: This is the setting for the maximum archive file size (in MB) to be scanned. The value can be 0 to 150. If set to 0, then archive files will not be scanned. For example:
{
    "name": "scan_max_archive_size",
    "value": "0"
}
script_control: This is the setting to enable or disable the script control feature. Also set the script_control settings (see below in this table).

show_notifications: This is the setting to enable or disable desktop notifications on the endpoint for

CylancePROTECT Desktop

events.

threat_report_limit: This is the number of threats to upload to the console.

Example:

{
    "name": "threat_report_limit",
    "value": "500"
}

trust_files_in_scan_exception_list: This is the setting to allow execution of files in the excluded folders. This is related to the scan_exception_list.

watch_for_new_files: This is the setting to analyze new or modified executable files for threats.

ole_auto_uploading: This setting is currently not in use.

prevent_service_shutdown: This is the setting that protects the

Cylance

service from being shutdown, either manually or by another process.

sample_copy_path: This is the setting to copy all file samples to a network share (CIFS/SMB).

Example:

{
    "name": "sample_copy_path",
    "value": "\\\\server_name\\shared_folder"
}

optics: This is the setting to enable or disable
CylanceOPTICS
.
optics_application_control_auto_upload: This is the setting to allow the automatic uploading of application control related focus data.
optics_malware_auto_upload: This is the setting to allow the automatic uploading of threat related focus data.
optics_memory_defense_auto_upload: This is the setting to allow the automatic uploading of memory protection related Focus Data.
optics_script_control_auto_upload: This is the setting to allow the automatic uploading of script control related focus data.
optics_sensors_advanced_executable_parsing: This is the setting to enable recording data fields associated with portable executable (PE) files, such as file version, import functions, and packer types. This is enhanced portable executable parsing in the policy settings.
optics_sensors_advanced_powershell_visibility: This is the setting to enable recording commands, arguments, scripts, and content entered directly into the Powershell Console and the Powershell Integrated Scripting Environment (ISE).
optics_sensors_advanced_wmi_visibility: This is the setting to enable recording additional Windows Management Instrumentation (WMI) attributes and parameters.
optics_sensors_dns_visibility: This is the setting to enable recording commands and arguments of commands issued directly or indirectly to the Windows Management Instrumentation (WMI) interpreter.
optics_sensors_enhanced_file_read_visibility: This is the setting to enable monitoring file reads within an identified set of directories.
optics_sensors_enhanced_process_hooking_visibility: This is the setting to enable recording process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.
optics_sensors_private_network_address_visibility: This is the setting to enable recording network connections within the RFC 1918 and RFC 3419 address spaces.
optics_sensors_windows_event_log_visibility: This is the setting to enable recording
Windows
Security Events and their associated attributes.
optics_set_disk_usage_maximum_fixed: This is used to set the maximum amount of device storage reserved for use by
CylanceOPTICS
, in MB. The minimum value is 500 and the maximum value is 1000.
Example:
{
    "name": "optics_set_disk_usage_maximum_fixed",
    "value": "1000"
}
optics_show_notifications: This is the setting to enable or disable desktop notifications on the endpoint for
CylanceOPTICS
events.
optics_show_notification: This is the setting to enable or disable
CylanceOPTICS
desktop notifications on the device.