Skip Navigation

Create policy

Service endpoint
/policies/v2
Optional query string parameters
Example
https://protectapi.cylance.com/policies/v2
Method
HTTP/1.1 POST
Request headers
  • Content-Type: application/json
  • Authorization: Bearer
    JWT Token returned by Auth API
    with the policy:create scope encoded.

Request

The following example creates a policy with most features enabled and includes some sample exclusions. You can copy this example, change the user_id, and this should create an example policy in your tenant.
This example is provided just for testing the API. Do not use this example policy on your devices. Device policies should be tested before applying to a large number of devices in your organization.
{ "user_id": "a2c0ac7a-a63d-4583-b646-ae10db9c9769", "policy": { "memoryviolation_actions": { "memory_violations_ext_v2": [ { "violation_type": "syscallprobe", "action": "Alert" }, { "action": "Alert", "violation_type": "directsyscall" }, { "violation_type": "systemdllwrite", "action": "Alert" }, { "action": "Alert", "violation_type": "dangerouscomobject" }, { "violation_type": "doppelganger", "action": "Alert" }, { "violation_type": "dangerousenvvariable", "action": "Alert" }, { "violation_type": "oopprotect", "action": "Alert" }, { "action": "Alert", "violation_type": "childprocessprotect" }, { "action": "Alert", "violation_type": "stolensystemtoken" }, { "violation_type": "maliciouslowintegrity", "action": "Alert" }, { "violation_type": "injectionviaapc", "action": "Alert" }, { "action": "Alert", "violation_type": "runmacroscript" } ], "memory_violations": [ { "violation_type": "lsassread", "action": "Alert" }, { "violation_type": "outofprocessunmapmemory", "action": "Alert" }, { "violation_type": "stackpivot", "action": "Alert" }, { "violation_type": "stackprotect", "action": "Alert" }, { "violation_type": "outofprocessoverwritecode", "action": "Alert" }, { "action": "Alert", "violation_type": "outofprocesscreatethread" }, { "violation_type": "overwritecode", "action": "Alert" }, { "action": "Alert", "violation_type": "outofprocesswritepe" }, { "violation_type": "outofprocessallocation", "action": "Alert" }, { "violation_type": "outofprocessmap", "action": "Alert" }, { "violation_type": "outofprocesswrite", "action": "Alert" }, { "action": "Alert", "violation_type": "outofprocessapc" } ], "memory_violations_ext": [ { "violation_type": "dyldinjection", "action": "Alert" }, { "violation_type": "trackdataread", "action": "Alert" }, { "action": "Alert", "violation_type": "zeroallocate" }, { "action": "Alert", "violation_type": "maliciouspayload" } ], "memory_exclusion_list_v2": [ { "violations": [], "path": "\\Application\\TestApp\\MyApp\\program.exe" } ] }, "persona": { "mitigation_actions": [ { "action": "alertsOnly", "threshold": "70" }, { "threshold": "30", "action": "promptUsernameAndPassword" } ], "admin_whitelist": [ { "username": "admin" } ], "mode": "1" }, "device_control": { "configurations": [ { "device_class": "AndroidUSB", "control_mode": "FullAccess" }, { "control_mode": "FullAccess", "device_class": "iOS" }, { "control_mode": "FullAccess", "device_class": "StillImage" }, { "device_class": "USBCDDVDRW", "control_mode": "FullAccess" }, { "control_mode": "FullAccess", "device_class": "USBDrive" }, { "device_class": "VMWareMount", "control_mode": "FullAccess" }, { "control_mode": "FullAccess", "device_class": "WPD" } ], "exclusion_list": [ { "vendor_id": "1234", "comment": "Test external device", "serial_number": null, "product_id": "5678", "control_mode": "FullAccess", "date_added": "2022-02-01T23:56:32.479Z" } ] }, "policy": [ { "value": "1", "name": "auto_blocking" }, { "value": "1", "name": "auto_uploading" }, { "value": "500", "name": "threat_report_limit" }, { "name": "low_confidence_threshold", "value": "-600" }, { "value": "2", "name": "full_disc_scan" }, { "name": "watch_for_new_files", "value": "1" }, { "value": "1", "name": "memory_exploit_detection" }, { "value": "0", "name": "trust_files_in_scan_exception_list" }, { "name": "logpolicy", "value": "1" }, { "name": "script_control", "value": "1" }, { "value": "1", "name": "prevent_service_shutdown" }, { "name": "scan_max_archive_size", "value": "0" }, { "name": "sample_copy_path", "value": "\\\\server_name\\shared_folder" }, { "name": "kill_running_threats", "value": "1" }, { "name": "show_notifications", "value": "1" }, { "value": "1000", "name": "optics_set_disk_usage_maximum_fixed" }, { "name": "optics_malware_auto_upload", "value": "1" }, { "value": "1", "name": "optics_memory_defense_auto_upload" }, { "value": "0", "name": "optics_script_control_auto_upload" }, { "value": "0", "name": "optics_application_control_auto_upload" }, { "name": "optics_sensors_dns_visibility", "value": "1" }, { "value": "1", "name": "optics_sensors_private_network_address_visibility" }, { "name": "optics_sensors_windows_event_log_visibility", "value": "1" }, { "name": "optics_sensors_windows_advanced_audit_visibility", "value": "1" }, { "name": "optics_sensors_advanced_powershell_visibility", "value": "1" }, { "name": "optics_sensors_advanced_wmi_visibility", "value": "1" }, { "name": "optics_sensors_advanced_executable_parsing", "value": "1" }, { "value": "1", "name": "optics_sensors_enhanced_process_hooking_visibility" }, { "value": "1", "name": "optics_sensors_enhanced_file_read_visibility" }, { "name": "device_control", "value": "1" }, { "name": "optics", "value": "1" }, { "name": "auto_delete", "value": "1" }, { "name": "days_until_deleted", "value": "14" }, { "name": "pdf_auto_uploading", "value": "0" }, { "name": "ole_auto_uploading", "value": "0" }, { "value": "0", "name": "docx_auto_uploading" }, { "value": "0", "name": "python_auto_uploading" }, { "value": "0", "name": "autoit_auto_uploading" }, { "value": "0", "name": "powershell_auto_uploading" }, { "value": null, "name": "custom_thumbprint" }, { "value": [ "C:\\Test" ], "name": "scan_exception_list" }, { "value": "1", "name": "optics_show_notifications" } ], "script_control": { "powershell_settings": { "control_mode": "Alert", "console_mode": "Allow" }, "macro_settings": { "control_mode": "Alert" }, "global_settings": { "control_mode": "Alert", "allowed_folders": [ "/users/*/temp/*" ] }, "activescript_settings": { "control_mode": "Alert" } }, "filetype_actions": { "suspicious_files": [ { "actions": "3", "file_type": "executable" } ], "threat_files": [ { "actions": "3", "file_type": "executable" } ] }, "logpolicy": { "retentiondays": "30", "log_upload": { "compress": "True", "delete": "False" }, "maxlogsize": "100" }, "file_exclusions": [ { "reason": "SHA256 for testing", "category_id": "2", "md5": null, "research_class_id": "0", "file_hash": "443010d98917908efb64a1e8c4a560ec126649bd7e4d0ddd87643356e6f3506f", "cloud_score": null, "av_industry": false, "file_name": "Test file", "file_type": 1, "research_subclass_id": "0", "infinity": null } ], "checksum": "", "script_control_v2": { "python_settings": { "control_mode": "Alert" }, "dotnet_dlr_settings": { "control_mode": "Alert" } }, "policy_name": "Example Policy" } }

Response

Please see the Response status codes for more information.

Request JSON schema

Field Name
Description
checksum
Checksum is required when creating a policy. This uses an empty value.
Example:
"checksum": ""
device_control
Device Control allows or blocks access to USB mass storage devices. device_control must be enabled under
policy
.
All device_class entries must be included in the request.
  • AndroidUSB: This is a portable device running Android OS, like a smartphone or a tablet.
    An Android device could connect and be identified as Android, Still Image, or Windows Portable Device. If you want to block Android devices, consider blocking Still Image and Windows Portable Devices as well.
  • iOS: This is an Apple portable device running iOS, like an iPhone or iPad.
    iOS devices will not charge when Device Control is enabled and set to Block, unless the Apple device is powered off. Apple includes their charging capability within functions of the device that are required for our iOS device blocking capability. Non-Apple devices do not bundle their charging capability in this manner and are not impacted.
  • StillImage: This is the device class containing scanners, digital cameras, multi-mode video cameras with frame capture, and frame grabbers.
  • USBCDDVDRW:  This is a USB optical drive.
  • USBDrive: This is a USB hard drive or USB flash drive.
  • VMWareMount: This is a VMware USB Passthrough, which allows a VMware virtual machine client to access USB devices connected to the host.
  • WPD: This is a Windows Portable Device, which uses the Microsoft Windows Portable Device driver technology, such as mobile phones, digital cameras, and portable media players.
Device control exclusion list allows or blocks access to specific USB mass storage devices.
  • comment: This adds details about the exclusion. This information is optional.
  • control_mode: This allows or blocks the specific USB mass storage device.
    • Block: This does not allow the USB mass storage device from connecting to the endpoint.
    • FullAccess: This allows the USB mass storage device to connect to the endpoint.
  • product_id: This is the product identifier for the USB mass storage device. This information is optional.
  • serial_number: This is the serial number for the USB mass storage device. This information is optional.
  • vendor_id: This is the vendor identifier for the USB mass storage device. This information is required.
One way to find the Vendor ID for a USB mass storage device is to enable Device Control in a policy, assign that policy to an endpoint, then attach the USB mass storage device to the endpoint. You can view External Device logs in the
Cylance
Console, on the Protection page or the Device Details page (External Devices tab).
Example:
"exclusion_list": [ { "vendor_id": "1234", "comment": "Test device control exclusion", "serial_number": 987654321", "product_id": "5678", "control_mode": "FullAccess" } ]
file_exclusions
This adds file exclusions to the policy safe list, under file actions. Policy safe list are file exclusions specific to the policy, and any endpoints assigned to the policy will allow the excluded files to run.
  • category_id: This is a list of categories to identify the type of file. This information is optional.
    • 1 - None
    • 2 - AdminTool
    • 3 - InternalApplication
    • 4 - CommercialSoftware
    • 5 - OperatingSystem
    • 6 - Drivers
    • 7 - SecuritySoftware
  • file_hash: This is the SHA256 hash for the file. This information is required.
  • file_name: This is the name of the file being excluded. This information is optional.
  • md5: This is the MD5 hash for the file. This information is optional.
  • reason: This is the reason the file was excluded. This information is required.
Example:
"exclusion_list": [ { "reason": "Test Exclusion", "category_id": "2", "md5": "d41d8cd98f00b204e9800998ecf8427e", "file_hash": "bf17366ee3bb8068a9ad70fc9e68 496e7e311a055bf4ffeeff53cc5d29ccce52", "file_name": "filename" } ]
filetype_actions
These actions indicate the autoquarantine of unsafe and abnormal files.
  • actions: Set auto-quarantine and auto-upload to enable or disable.
    • 0: auto-quarantine OFF, auto-upload OFF
    • 1: auto-quarantine ON, auto-upload OFF\
    • 2: auto-quarantine OFF, auto-upload OFF
    • Use for suspicious_files when threat_files is set to 3 and Auto-Quarantine for suspicious_files is disabled.
    • 3: auto-quarantine ON, auto-upload ON
  • file_type: The only option is "executable".
  • suspicious_files: Abnormal files
  • threat_files: Unsafe files
logpolicy
These are the agent log file settings.
  • log_upload: This is the setting to enable or disable uploading agent log files.
    • null: Disabled
    • 1: Enabled
  • maxlogsize: This is the maximum file size (in MB) for a single agent log file.
  • retentiondays: This is the number of days to save agent log files. Log files older than the set number of days will be deleted.
memoryviolation
_actions
These are the violation types for memory protection. The following 3 rows explain the possible violation types:
memory_violations
  • lsassread (LSASS read): Memory belonging to the
    Windows
    Local Security Authority process has been accessed in a manner that indicates an attempt to obtain users' passwords.
  • outofprocessallocation (remote allocation of memory): A process has allocated memory in another process. Most allocations will only occur within the same process. This generally indicates an attempt to inject code or data into another process, which may be a first step in reinforcing a malicious presence on a system.
  • outofprocessapc (remote APC scheduled): A process has diverted the execution of another process’s thread. This is generally used by an attacker to activate a malicious presence that has been injected into another process.
  • outofprocesscreatethread (remote thread creation): A process has created a new thread in another process. A process’s threads are usually only created by that same process. This is generally used by an attacker to activate a malicious presence that has been injected into another process.
  • outofprocessmap (remote mapping of memory): A process has introduced code and/or data into another process. This may indicate an attempt to begin executing code in another process and thereby reinforce a malicious presence.
  • outofprocessoverwritecode (remote overwrite code): A process has modified executable memory in another process. Under normal conditions, executable memory will not be modified, especially by another process. This usually indicates an attempt to divert execution in another process.
  • outofprocessunmapmemory (remote unmap of memory): A process has removed a
    Windows
    executable from the memory of another process. This may indicate an intent to replace the executable image with a modified copy for the purpose of diverting execution.
  • outofprocesswrite (remote write to memory): A process has modified memory in another process. This is usually an attempt to store code or data in previously allocated memory (see OutOfProcessAllocation), but it is possible that an attacker is trying to overwrite existing memory in order to divert execution for a malicious purpose.
  • outofprocesswritepe (remote write PE to memory): A process has modified memory in another process to contain an executable image. Generally, this indicates that an attacker is attempting to execute code without first writing that code to disk.
  • overwritecode (overwrite code): The code residing in a process’s memory has been modified using a technique that may indicate an attempt to bypass Data Execution Prevention (DEP).
  • stackpivot (stack pivot): The stack for a thread has been replaced with a different stack. Generally, the system will only allocate a single stack for a thread. An attacker would use a different stack to control execution in a way that is not blocked by Data Execution Prevention (DEP).
  • stackprotect (stack protect): The memory protection of a thread’s stack has been modified to enable execution permission. Stack memory should not be executable, so usually this means that an attacker is preparing to run malicious code stored in stack memory as part of an exploit, an attempt which would otherwise be blocked by Data Execution Prevention (DEP).
memory_violations
_ext
  • dyldinjection (DYLD injections): An environment variable has been set that will cause a shared library to be injected into a launched process. Attacks can modify the plist of applications like Safari or replace applications with bash scripts, causing their modules to be loaded automatically when an application starts.
  • maliciouspayload (malicious payload): A generic shellcode and payload detection associated with exploitation has been detected.
  • trackdataread (RAM scraping): A process is trying to read valid magnetic stripe track data from another process. Typically related to point of sale systems (POS).
  • zeroallocate (zero allocate): A null page has been allocated. The memory region is typically reserved, but in certain circumstances, it can be allocated. Attacks can use this to setup privilege escalation by taking advantage of some known null de-reference exploit, typically in the kernel.
memory_violations
_ext_v2
  • childprocessprotect (Memory Permission Changes in Child Processes) - Windows only: A violating process has spawned a child process and has modified memory access permissions in that child process.
  • dangerouscomobject (Dangerous COM Object) - Windows only: A Malicious code that has a reference to a Component Object Model (COM) object has been detected.
  • dangerouseenvvariable (Dangerous Environment Variable) - Windows only:  An environment variable that may have malicious code attached has been detected.
  • directsyscall (Direct System Calls) - Windows only: Aan attempt to silently inject malicious code into other processes has been detected. This violation type cannot be blocked.
  • doppelganger (Doppelganger): A new (malicious) process was started from a file that has not yet been written to the file system. The file writer transaction is usually rolled back after the process start (so the malicious file is never committed to disk), and any attempt to scan the file on disk will only see the unmodified benign file.
  • maliciouslowintegrity (Low Integrity Process Start) - Windows only: A process has been set to run with a low integrity level.
  • oopprotect (Memory Permission Changes in Other Processes) - Windows only: A violating process has modified memory access permissions within another process. This is usually done to inject code into another process to make memory executable by modifying memory access permissions. There are few legitimate uses of this.
  • stolensystemtoken (Stolen System Token) - Windows only: An access token has been modified to allow a user to bypass security access controls.
  • syscallprobe (System Call Monitoring) - Windows only: A system call made to an application or operating system has been detected.
  • systemdllwrite (System DLL Overwrite) - Windows only: An attempt to overwrite a system DLL has been detected.
memory_exclusion
_list_v2
These are the executable files to exclude from Memory Protection. This must be a relative path to the excluded executable file.
Example:
"memory_exclusions_list_v2": [ { "violations": [], "path": "C:\\temp\\file1.txt" }, { "violations": [], "path": "C:\\temp\\file2.txt" } ]
persona
Persona Desktop
policy settings control what the agent will do on the device.
  • admin_whitelist: This setting adds a username to the admin safe list allows that user to log on to the device and their actions will not count towards the trust score.
    • username: This is the username added to the safe list.
  • mitigation_actions
    • action: Select a mitigation action. Up to two mitigation actions are allowed per policy.
      • prompt2fa
      • promptUsernameAndPassword
    • method: This is the method used for two-factor authentication (2FA).
      • google
      • fido
    • threshold: Enter a value between 10 and 90.
  • mode: This is the setting to enable or disable
    Persona Desktop
    in a policy.
    • 0 - Disabled
    • 1 - Enabled
policy
Various policy settings are contained within this section. Some policy settings are enabled under
policy
and configured in a different section, like device_control and logpolicy. For most policy settings, the possible values will be either 0 (disabled) or 1 (enabled). The remaining cells in this table explain policy settings in detail.
Automatic policy settings
  • auto_blocking: This is the setting to auto quarantine unsafe threats.
  • auto_delete: This is the setting to automatically delete quarantined files after a set number of days. If this feature is enabled, set "days_until_deleted" for the number of days to retain a quarantined file.
  • auto_uploading: This is the setting to automatically upload files that
    BlackBerry
    has not seen before.
    BlackBerry
    will perform an analysis on the file and provide details to assist in manual analysis and triage.
  • autoit_auto_uploading: This setting is currently not in use.
  • pdf_auto_uploading
  • powershell_auto_uploading
  • python_auto_uploading
Various policy settings
  • custom_thumbprint:
  • days_until_deleted: This is the setting for the number of days to retain a quarantined file. Quarantined files older than the set number of days will be automatically deleted. The minimum number of days is 14, the maximum number of days is 365. The "auto-delete" setting must be enabled.
  • device_control: This is the setting to enable or disable the device control feature.
  • docx_auto_uploading: This setting is currently not in use.
  • full_disc_scan: This is the setting to have
    BlackBerry
    analyze all executable files on disk to detect any dormant threats. This is the background threat detection setting.
    • 0: Disabled
    • 1: Run Recurring (performs a scan every nine days)
    • 2: Run Once (runs a full disk scan upon installation only)
  • kill_running_threats: This is the setting to kill processes and child processes regardless of the state when a threat is detected (EXE or DLL).
  • logpolicy: This setting is not used.
  • low_confidence_threshold: This is the setting to adjust the
    BlackBerry
    Score threshold between unsafe and abnormal threats. The default is -600, therefore:
    • A
      BlackBerry
      score of -600 to -1000 is unsafe.
    • A
      BlackBerry
      score of 0 to -599 is abnormal.
    • A
      BlackBerry
      score greater than 0 is safe.
  • memory_exploit_detection: This is the setting to enable or disable the memory protection feature. This affects "memory_violation_actions" ("memory_violations" and "memory_violations_ext").
  • sample_copy_path: This is the setting to copy all file samples to a network share (CIFS/SMB). For Example:
    { "name": "sample_copy_path", "value": "\\\\server_name\\shared_folder" }
  • scan_exception_list: This is the setting to exclude specific folders and subfolders from being scanned by full_disc_scan and watch_for_new_files. Set the value to the absolute path for the excluded files. For example:
    { "name": "scan_exception_list", "value": [ "c:\\temp" ] }
  • scan_max_archive_size: This is the setting for the maximum archive file size (in MB) to be scanned. The value can be 0 to 150. If set to 0, then archive files will not be scanned. For example:
    { "name": "scan_max_archive_size", "value": "0" }
  • script_control: This is the setting to enable or disable the script control feature. Also set the script_control settings (see below in this table).
Various policy settings continued
  • show_notifications: This is the setting to enable or disable desktop notifications on the endpoint for
    BlackBerry Protect Desktop
    events.
  • threat_report_limit: This is the number of threats to upload to the console.
    Example:
    { "name": "threat_report_limit", "value": "500" }
  • trust_files_in_scan_exception_list: This is the setting to allow execution of files in the excluded folders. This is related to the scan_exception_list.
  • watch_for_new_files: This is the setting to analyze new or modified executable files for threats.
  • ole_auto_uploading: This setting is currently not in use.
  • prevent_service_shutdown: This is the setting that protects the
    BlackBerry
    service from being shutdown, either manually or by another process.
  • sample_copy_path: This is the setting to copy all file samples to a network share (CIFS/SMB).
    Example:
    { "name": "sample_copy_path", "value": "\\\\server_name\\shared_folder" }
Optics policy settings
  • optics: This is the setting to enable or disable
    BlackBerry Optics
    .
  • optics_application_control_auto_upload: This is the setting to allow the automatic uploading of application control related focus data.
  • optics_malware_auto_upload: This is the setting to allow the automatic uploading of threat related focus data.
  • optics_memory_defense_auto_upload: This is the setting to allow the automatic uploading of memory protection related Focus Data.
  • optics_script_control_auto_upload: This is the setting to allow the automatic uploading of script control related focus data.
  • optics_sensors_advanced_executable_parsing: This is the setting to enable recording data fields associated with portable executable (PE) files, such as file version, import functions, and packer types. This is enhanced portable executable parsing in the policy settings.
  • optics_sensors_advanced_powershell_visibility: This is the setting to enable recording commands, arguments, scripts, and content entered directly into the Powershell Console and the Powershell Integrated Scripting Environment (ISE).
  • optics_sensors_advanced_wmi_visibility: This is the setting to enable recording additional Windows Management Instrumentation (WMI) attributes and parameters.
  • optics_sensors_dns_visibility: This is the setting to enable recording commands and arguments of commands issued directly or indirectly to the Windows Management Instrumentation (WMI) interpreter.
  • optics_sensors_enhanced_file_read_visibility: This is the setting to enable monitoring file reads within an identified set of directories.
  • optics_sensors_enhanced_process_hooking_visibility: This is the setting to enable recording process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.
  • optics_sensors_private_network_address_visibility: This is the setting to enable recording network connections within the RFC 1918 and RFC 3419 address spaces.
  • optics_sensors_windows_event_log_visibility: This is the setting to enable recording
    Windows
    Security Events and their associated attributes.
  • optics_set_disk_usage_maximum_fixed: This is used to set the maximum amount of device storage reserved for use by
    BlackBerry Optics
    , in MB. The minimum value is 500 and the maximum value is 1000.
    Example:
    { "name": "optics_set_disk_usage_maximum_fixed", "value": "1000" }
  • optics_show_notifications: This is the setting to enable or disable desktop notifications on the endpoint for
    BlackBerry Optics
    events.
  • optics_show_notification: This is the setting to enable or disable
    BlackBerry Optics
    desktop notifications on the device.
policy_name
This is the name of the policy. The name must be unique to your tenant.
script_control
The policy settings for script control. script_control must be enabled (set to "1") under policy.
activescript_settings
  • control_mode: These are the setting for active script.
    • Alert: An alert is sent when an active script event occurs. The active script is allowed to run.
    • Block: The active script is blocked and an alert is sent.
global_settings
  • allowed_folders: The relative path to scripts that are allowed to run when script control is enabled. Script control folder exclusions apply to all agent versions (agent 1310 or later). For example:
    "allowed_folders": [ "\\temp_scriptcontrol" ]
  • control_mode: This is the setting to enable or disable script control for agent version 1370 or earlier. This works for active scripts and PowerShell. This does not work for macros. To use script control with macros, use agent version 1380 or later.
    • Allow: An alert is sent when an active script or PowerShell event occurs. The script is allowed to run.
    • Block: The active script or PowerShell is blocked and an alert is sent.
macro_settings
  • control_mode: These are the setting for
    Microsoft Office
    macros.
    • Alert: An alert is sent when an
      Microsoft Office
      macro event occurs. The macro is allowed to run.
    • Block: The
      Microsoft Office
      macro is blocked and an alert is sent.
powershell_settings
  • console_mode: The PowerShell console is blocked to prevent PowerShell command usage, including one-liners. To use this feature, the PowerShell control_mode must be set to Block. Values can be either Allow or Block
  • control_mode:
    • Alert: This is an alert is sent when a PowerShell script event occurs. The PowerShell script is allowed to run.
    • Block: This is the PowerShell script is blocked and an alert is sent.
script_control continued
About disabling script control
For Agent versions 1430 and later, you can disable script control for active script, PowerShell, or macros. Disabling script control allows the selected script type to run and does not send an alert to the console.
To disable script control for a specific script type, do not include the script type in the create policy API request. For example: script control for macros is disabled.
"script_control": { "powershell_settings": { "control_mode": "Block", "console_mode": "Block" }, global_settings": { "control_mode": "Alert", "allowed_folders": [ "\\temp_scriptcontrol" ] }, "activescript_settings": { "control_mode": "Alert" } }
script_control_v2
user_id
This is the unique ID for the user creating the policy. Only administrators can create policies.
To get the user_id, use Get users.

Response JSON schema

This table only covers descriptions not covered in the Request JSON Schema Descriptions table (see previous table).
Field Name
Description
policy_id
This is the unique identifier for the policy.
policy_utctimestamp
This is the date and time (in UTC) when the policy was created.