Skip to content
Cloudflare API
Start here
API Reference
Zero Trust
Devices
Posture

Create a device posture rule

POST/accounts/{account_id}/devices/posture

Creates a new device posture rule.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Zero Trust Write
Path ParametersExpand Collapse
account_id: string
Body ParametersJSONExpand Collapse
name: string

The name of the device posture rule.

type: "file" or "application" or "tanium" or 20 more

The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"
description: optional string

The description of the device posture rule.

expiration: optional string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: optional DeviceInput

The value to be checked against.

One of the following:
FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists: optional boolean

Whether or not file exists.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" or "ios" or "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain: optional string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name: optional string

Operating System Distribution Name (linux only).

os_distro_revision: optional string

Version of OS Distribution (linux only).

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" or "mac"

Operating System.

One of the following:
"windows"
"mac"
SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }
id: string

UUID of Access List.

maxLength36
DiskEncryptionInput { checkDisks, requireAll }
checkDisks: optional array of CarbonblackInput

List of volume names to be checked for encryption.

requireAll: optional boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

Path for the application.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn: optional string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage: optional array of "clientAuth" or "emailProtection"

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations: optional { paths, trust_stores }
paths: optional array of string

List of paths to check for client certificate on linux.

trust_stores: optional array of "system" or "user"

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names: optional array of string

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }
update_window_days: optional number

Number of days that the antivirus should be updated within.

WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" or "noncompliant" or "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen: optional string

For more details on last seen, please refer to the Crowdstrike documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os: optional string

Os Version.

overall: optional string

Overall.

sensor_config: optional string

SensorConfig.

state: optional "online" or "offline" or "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version: optional string

Version.

versionOperator: optional "<" or "<=" or ">" or 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, countOperator, issue_count }
connection_id: string

Posture Integration ID.

countOperator: "<" or "<=" or ">" or 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count: string

The Number of Issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen: optional string

For more details on eid last seen, refer to the Tanium documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level: optional "low" or "medium" or "high" or "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator: optional "<" or "<=" or ">" or 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score: optional number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats: optional number

The Number of active threats.

infected: optional boolean

Whether device is infected.

is_active: optional boolean

Whether device is active.

network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }
connection_id: string

Posture Integration ID.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: number

A value between 0-100 assigned to devices set by the 3rd party posture provider.

match: optional array of DeviceMatch { platform }

The conditions that the client must match to run the rule.

platform: optional "windows" or "mac" or "linux" or 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
schedule: optional string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

ReturnsExpand Collapse
errors: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
messages: array of ResponseInfo { code, message, documentation_url, source }
code: number
minimum1000
message: string
documentation_url: optional string
source: optional { pointer }
pointer: optional string
result: DevicePostureRule { id, description, expiration, 5 more }
id: optional string

API UUID.

maxLength36
description: optional string

The description of the device posture rule.

expiration: optional string

Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.

input: optional DeviceInput

The value to be checked against.

One of the following:
FileInput { operating_system, path, exists, 2 more }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

exists: optional boolean

Whether or not file exists.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

UniqueClientIDInput { id, operating_system }
id: string

List ID.

operating_system: "android" or "ios" or "chromeos"

Operating System.

One of the following:
"android"
"ios"
"chromeos"
DomainJoinedInput { operating_system, domain }
operating_system: "windows"

Operating System.

domain: optional string

Domain.

OSVersionInput { operating_system, operator, version, 3 more }
operating_system: "windows"

Operating System.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
version: string

Version of OS.

os_distro_name: optional string

Operating System Distribution Name (linux only).

os_distro_revision: optional string

Version of OS Distribution (linux only).

os_version_extra: optional string

Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

FirewallInput { enabled, operating_system }
enabled: boolean

Enabled.

operating_system: "windows" or "mac"

Operating System.

One of the following:
"windows"
"mac"
SentineloneInput { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

File path.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

TeamsDevicesAccessSerialNumberListInputRequest { id }
id: string

UUID of Access List.

maxLength36
DiskEncryptionInput { checkDisks, requireAll }
checkDisks: optional array of CarbonblackInput

List of volume names to be checked for encryption.

requireAll: optional boolean

Whether to check all disks for encryption.

TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }
operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
path: string

Path for the application.

sha256: optional string

SHA-256.

thumbprint: optional string

Signing certificate thumbprint.

ClientCertificateInput { certificate_id, cn }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
cn: string

Common Name that is protected by the certificate.

TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }
certificate_id: string

UUID of Cloudflare managed certificate.

maxLength36
check_private_key: boolean

Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.

operating_system: "windows" or "linux" or "mac"

Operating system.

One of the following:
"windows"
"linux"
"mac"
cn: optional string

Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.

extended_key_usage: optional array of "clientAuth" or "emailProtection"

List of values indicating purposes for which the certificate public key can be used.

One of the following:
"clientAuth"
"emailProtection"
locations: optional { paths, trust_stores }
paths: optional array of string

List of paths to check for client certificate on linux.

trust_stores: optional array of "system" or "user"

List of trust stores to check for client certificate.

One of the following:
"system"
"user"
subject_alternative_names: optional array of string

List of certificate Subject Alternative Names.

TeamsDevicesAntivirusInputRequest { update_window_days }
update_window_days: optional number

Number of days that the antivirus should be updated within.

WorkspaceOneInput { compliance_status, connection_id }
compliance_status: "compliant" or "noncompliant" or "unknown"

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
connection_id: string

Posture Integration ID.

CrowdstrikeInput { connection_id, last_seen, operator, 6 more }
connection_id: string

Posture Integration ID.

last_seen: optional string

For more details on last seen, please refer to the Crowdstrike documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
os: optional string

Os Version.

overall: optional string

Overall.

sensor_config: optional string

SensorConfig.

state: optional "online" or "offline" or "unknown"

For more details on state, please refer to the Crowdstrike documentation.

One of the following:
"online"
"offline"
"unknown"
version: optional string

Version.

versionOperator: optional "<" or "<=" or ">" or 2 more

Version Operator.

One of the following:
"<"
"<="
">"
">="
"=="
IntuneInput { compliance_status, connection_id }
compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more

Compliance Status.

One of the following:
"compliant"
"noncompliant"
"unknown"
"notapplicable"
"ingraceperiod"
"error"
connection_id: string

Posture Integration ID.

KolideInput { connection_id, countOperator, issue_count }
connection_id: string

Posture Integration ID.

countOperator: "<" or "<=" or ">" or 2 more

Count Operator.

One of the following:
"<"
"<="
">"
">="
"=="
issue_count: string

The Number of Issues.

TaniumInput { connection_id, eid_last_seen, operator, 3 more }
connection_id: string

Posture Integration ID.

eid_last_seen: optional string

For more details on eid last seen, refer to the Tanium documentation.

operator: optional "<" or "<=" or ">" or 2 more

Operator to evaluate risk_level or eid_last_seen.

One of the following:
"<"
"<="
">"
">="
"=="
risk_level: optional "low" or "medium" or "high" or "critical"

For more details on risk level, refer to the Tanium documentation.

One of the following:
"low"
"medium"
"high"
"critical"
scoreOperator: optional "<" or "<=" or ">" or 2 more

Score Operator.

One of the following:
"<"
"<="
">"
">="
"=="
total_score: optional number

For more details on total score, refer to the Tanium documentation.

SentineloneS2sInput { connection_id, active_threats, infected, 4 more }
connection_id: string

Posture Integration ID.

active_threats: optional number

The Number of active threats.

infected: optional boolean

Whether device is infected.

is_active: optional boolean

Whether device is active.

network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"

Network status of device.

One of the following:
"connected"
"disconnected"
"disconnecting"
"connecting"
operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more

Agent operational state.

One of the following:
"na"
"partially_disabled"
"auto_fully_disabled"
"fully_disabled"
"auto_partially_disabled"
"disabled_error"
"db_corruption"
operator: optional "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }
connection_id: string

Posture Integration ID.

operator: "<" or "<=" or ">" or 2 more

Operator.

One of the following:
"<"
"<="
">"
">="
"=="
score: number

A value between 0-100 assigned to devices set by the 3rd party posture provider.

match: optional array of DeviceMatch { platform }

The conditions that the client must match to run the rule.

platform: optional "windows" or "mac" or "linux" or 3 more
One of the following:
"windows"
"mac"
"linux"
"android"
"ios"
"chromeos"
name: optional string

The name of the device posture rule.

schedule: optional string

Polling frequency for the WARP client posture check. Default: 5m (poll every five minutes). Minimum: 1m.

type: optional "file" or "application" or "tanium" or 20 more

The type of device posture rule.

One of the following:
"file"
"application"
"tanium"
"gateway"
"warp"
"disk_encryption"
"serial_number"
"sentinelone"
"carbonblack"
"firewall"
"os_version"
"domain_joined"
"client_certificate"
"client_certificate_v2"
"antivirus"
"unique_client_id"
"kolide"
"tanium_s2s"
"crowdstrike_s2s"
"intune"
"workspace_one"
"sentinelone_s2s"
"custom_s2s"
success: true

Whether the API call was successful.

Create a device posture rule

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    -d '{
          "name": "Admin Serial Numbers",
          "type": "file",
          "description": "The rule for admin serial numbers",
          "expiration": "1h",
          "input": {
            "operating_system": "linux",
            "path": "/bin/cat",
            "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
          },
          "schedule": "1h"
        }'
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
Returns Examples
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}