
Create a device posture rule

client.zeroTrust.devices.posture.create(PostureCreateParams { account_id, name, type, 5 more } params, RequestOptions options?): DevicePostureRule { id, description, expiration, 5 more } | null
POST /accounts/{account_id}/devices/posture

Creates a new device posture rule.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Zero Trust Write
Parameters
params: PostureCreateParams { account_id, name, type, 5 more }
account_id: string

Path param

name: string

Body param: The name of the device posture rule.

type: "file" | "application" | "tanium" | 20 more

Body param: The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"
description?: string

Body param: The description of the device posture rule.

expiration?: string

Body param: Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input?: DeviceInput

Body param: The value to be checked against.

One of the following:
FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists?: boolean

Whether or not file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain?: string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name?: string

Operating System Distribution Name (linux only).

os_distro_revision?: string

Version of OS Distribution (linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:
"windows"
"mac"
SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }
id: string

UUID of Access List.

maxLength: 36
DiskEncryptionInput { checkDisks, requireAll }
checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

Path for the application.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength: 36
cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength: 36
check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn?: string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage?: Array<"clientAuth" | "emailProtection">

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations?: Locations { paths, trust_stores }
paths?: Array<string>

List of paths to check for client certificate on linux.

trust_stores?: Array<"system" | "user">

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names?: Array<string>

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }
update_window_days?: number

Number of days that the antivirus should be updated within.

WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the Crowdstrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os?: string

OS version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, countOperator, issue_count }
connection_id: string

Posture Integration ID.

countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count?: string

The Number of Issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score?: number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats?: number

The Number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }
connection_id: string

Posture Integration ID.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: number

A value from 0 to 100 assigned to the device by the third-party posture provider.

match?: Array<DeviceMatch { platform } >

Body param: The conditions that the client must match to run the rule.

platform?: "windows" | "mac" | "linux" | 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
schedule?: string

Body param: Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

Returns
DevicePostureRule { id, description, expiration, 5 more } | null
id?: string

API UUID.

maxLength: 36
description?: string

The description of the device posture rule.

expiration?: string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input?: DeviceInput

The value to be checked against.

One of the following:
FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists?: boolean

Whether or not file exists.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" | "ios" | "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain?: string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name?: string

Operating System Distribution Name (linux only).

os_distro_revision?: string

Version of OS Distribution (linux only).

os_version_extra?: string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" | "mac"

Operating System.

One of the following:
"windows"
"mac"
SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }
id: string

UUID of Access List.

maxLength: 36
DiskEncryptionInput { checkDisks, requireAll }
checkDisks?: Array<CarbonblackInput>

List of volume names to be checked for encryption.

requireAll?: boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

Path for the application.

sha256?: string

SHA-256.

thumbprint?: string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength: 36
cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength: 36
check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" | "linux" | "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn?: string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage?: Array<"clientAuth" | "emailProtection">

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations?: Locations { paths, trust_stores }
paths?: Array<string>

List of paths to check for client certificate on linux.

trust_stores?: Array<"system" | "user">

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names?: Array<string>

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }
update_window_days?: number

Number of days that the antivirus should be updated within.

WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen?: string

For more details on last seen, please refer to the Crowdstrike documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os?: string

OS version.

overall?: string

Overall.

sensor_config?: string

SensorConfig.

state?: "online" | "offline" | "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version?: string

Version.

versionOperator?: "<" | "<=" | ">" | 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" | "noncompliant" | "unknown" | 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, countOperator, issue_count }
connection_id: string

Posture Integration ID.

countOperator?: "<" | "<=" | ">" | 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count?: string

The Number of Issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen?: string

For more details on eid last seen, refer to the Tanium documentation.

operator?: "<" | "<=" | ">" | 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level?: "low" | "medium" | "high" | "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator?: "<" | "<=" | ">" | 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score?: number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats?: number

The Number of active threats.

infected?: boolean

Whether device is infected.

is_active?: boolean

Whether device is active.

network_status?: "connected" | "disconnected" | "disconnecting" | "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state?: "na" | "partially_disabled" | "auto_fully_disabled" | 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator?: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }
connection_id: string

Posture Integration ID.

operator: "<" | "<=" | ">" | 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: number

A value from 0 to 100 assigned to the device by the third-party posture provider.

match?: Array<DeviceMatch { platform } >

The conditions that the client must match to run the rule.

platform?: "windows" | "mac" | "linux" | 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
name?: string

The name of the device posture rule.

schedule?: string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type?: "file" | "application" | "tanium" | 20 more

The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"

Create a device posture rule

import Cloudflare from 'cloudflare';

const client = new Cloudflare({
  apiToken: process.env['CLOUDFLARE_API_TOKEN'], // This is the default and can be omitted
});

const devicePostureRule = await client.zeroTrust.devices.posture.create({
  account_id: '699d98642c564d2e855e9661899b7252',
  name: 'Admin Serial Numbers',
  type: 'file',
});

// create() resolves to DevicePostureRule | null, so guard the property access
console.log(devicePostureRule?.id);
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
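
A pre-flight check for constraints this reference states (the 1m `schedule` minimum, the two valid `cn` variables, `certificate_id` maxLength 36, the recommended `check_private_key`, and the 0 to 100 `score` for `custom_s2s`), as an added example that is not part of the Cloudflare SDK or this page's own code. `RuleDraft`, `scheduleSeconds` and `lintPostureRule` are hypothetical names, both drafts are constructed, and the `s` unit accepted in schedule strings is an assumption.

```typescript
// Added example, not Cloudflare code: lint a posture rule draft before calling create().
interface RuleDraft {
  name: string;
  type: string;
  schedule?: string;
  input?: Record<string, unknown>;
}
const OPERATORS = ['<', '<=', '>', '>=', '=='];
const CN_VARIABLES = ['serial_number', 'hostname'];

// Assumption: "<integer><unit>" with unit s, m or h; the page only shows 5m, 1m and 1h.
function scheduleSeconds(value: string): number | null {
  const m = /^(\d+)([smh])$/.exec(value);
  if (m === null) return null;
  const factor = m[2] === 'h' ? 3600 : m[2] === 'm' ? 60 : 1;
  return Number(m[1]) * factor;
}

// Returns one finding per documented constraint the draft violates.
function lintPostureRule(rule: RuleDraft): string[] {
  const findings: string[] = [];
  const input: Record<string, unknown> = rule.input ?? {};
  if (rule.schedule !== undefined) {
    const secs = scheduleSeconds(rule.schedule);
    if (secs === null) findings.push('schedule: unrecognised duration');
    else if (secs < 60) findings.push('schedule: below the documented minimum of 1m');
  }
  if (rule.type === 'client_certificate_v2') {
    const id = input['certificate_id'];
    if (typeof id !== 'string' || id.length === 0 || id.length > 36)
      findings.push('input.certificate_id: required, maxLength 36');
    if (input['check_private_key'] !== true)
      findings.push('input.check_private_key: disabled, imported certificates are not ruled out');
    const cn = input['cn'];
    if (typeof cn === 'string') {
      const re = /\$\{([^}]*)\}/g; // every ${...} placeholder in the CN template
      let v: RegExpExecArray | null;
      while ((v = re.exec(cn)) !== null) {
        if (CN_VARIABLES.indexOf(v[1]) === -1) findings.push('input.cn: unsupported variable ' + v[1]);
      }
    }
  }
  if (rule.type === 'custom_s2s') {
    const op = input['operator'];
    if (typeof op !== 'string' || OPERATORS.indexOf(op) === -1)
      findings.push('input.operator: must be one of ' + OPERATORS.join(' '));
    const score = input['score'];
    if (typeof score !== 'number' || score < 0 || score > 100)
      findings.push('input.score: must be a number between 0 and 100');
  }
  return findings;
}

// Constructed drafts; the certificate_id value is a placeholder.
const weakDraft: RuleDraft = {
  name: 'Corp client certificate', type: 'client_certificate_v2', schedule: '30s',
  input: { certificate_id: '<certificate-uuid>', check_private_key: false,
           operating_system: 'windows', cn: '${hostname}.${username}.corp.example' },
};
const hardenedDraft: RuleDraft = {
  ...weakDraft, schedule: '5m',
  input: { ...weakDraft.input, check_private_key: true, cn: '${serial_number}.corp.example' },
};
```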