# custom_ioc

Manages IOC (Indicator of Compromise) indicators in CrowdStrike Falcon. IOC indicators allow you to create custom indicators based on SHA256 hashes, MD5 hashes, domains, IPv4 addresses, or IPv6 addresses, with actions such as allow, detect, or prevent.
## API Scopes

The following API scopes are required:

- IOC Management: READ
- IOC Management: WRITE
## Example Usage

```hcl
# Allow a specific SHA256 hash globally across all Mac hosts
resource "crowdstrike_custom_ioc" "allow_by_hash" {
  type        = "sha256"
  value       = "73cb3858a687a8494ca3323053016282f3dad39d42cf62ca4e79dda2aac7d9ac"
  action      = "allow"
  severity    = "informational"
  description = "Allowlist for approved application - VENDSEC-10155"
  platforms   = ["mac"]
  host_groups = ["all"]
  tags        = ["vendsec-approved"]
}

# Detect a domain, scoped to specific host groups
resource "crowdstrike_custom_ioc" "detect_domain" {
  type        = "domain"
  value       = "malicious-example.com"
  action      = "detect"
  severity    = "high"
  description = "Known C2 domain"
  platforms   = ["windows", "mac", "linux"]
  host_groups = ["host-group-id-1", "host-group-id-2"]
  expiration  = "2030-12-31T23:59:59Z"
}

# Block an MD5 hash globally
resource "crowdstrike_custom_ioc" "block_md5" {
  type        = "md5"
  value       = "44d88612fea8a8f36de82e1278abb02f"
  action      = "prevent"
  severity    = "critical"
  description = "Known malware hash"
  platforms   = ["windows"]
  host_groups = ["all"]
}
```

## Schema
### Required

- `host_groups` (Set of String) Host group IDs that receive this indicator. Use `["all"]` to apply globally.
- `platforms` (Set of String) The platforms this IOC indicator applies to. Valid values are: `windows`, `mac`, `linux`, `ios`, `android`. Hash types (`sha256`, `md5`) only support non-mobile platforms (`windows`, `mac`, `linux`); `all_subdomains` only supports mobile platforms (`ios`, `android`).
- `type` (String) The type of the IOC indicator. Valid values are: `sha256`, `md5`, `domain`, `ipv4`, `ipv6`, `all_subdomains`. `sha256` and `md5` are only valid with non-mobile platforms (`windows`, `mac`, `linux`); `all_subdomains` is only valid with mobile platforms (`ios`, `android`).
- `value` (String) The value of the IOC indicator. For hash types, this is the hash value. For domain types, this is the domain name. For IP types, this is the IP address.
### Optional

- `action` (String) The action to take on non-mobile platforms (`windows`, `mac`, `linux`). Required when `platforms` contains a non-mobile platform. Valid values are: `allow`, `detect`, `prevent`, `prevent_no_ui`, `no_action`. For `domain`, `ipv4`, and `ipv6` types only `detect` and `no_action` are permitted.
- `description` (String) A description of the IOC indicator.
- `expiration` (String) The expiration date of the IOC indicator in RFC 3339 format (e.g. `2025-12-31T23:59:59Z`). Must be a future date. Once this date passes, the API auto-resets `action` or `mobile_action` to `no_action` server-side. Terraform will show permanent drift on `action` after that point until `expiration` is bumped/removed or `action` is set to `no_action`.
- `mobile_action` (String) The action to take on mobile platforms (`ios`, `android`). Required when `platforms` contains a mobile platform. Valid values are: `allow`, `detect`, `prevent`, `prevent_no_ui`, `no_action`.
- `severity` (String) The severity level of the IOC indicator. Required when `action` or `mobile_action` is `detect` or `prevent`; must not be set for other actions. Valid values are: `informational`, `low`, `medium`, `high`, `critical`.
- `source` (String) The source of the IOC indicator.
- `tags` (Set of String) A set of tags to apply to the IOC indicator.
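The cross-field rules in the schema above (which of `action` and `mobile_action` is required depends on `platforms`, `severity` is only allowed with `detect`/`prevent`, `all_subdomains` pairs only with mobile platforms, and `no_action` clears post-expiration drift) are easier to see in configurations that satisfy them. The following is an added example written for this page, not code from the provider's own documentation; the domain names, the IP address and the host group ID are constructed placeholders.

```hcl
# Added example, not from the provider docs. One indicator spanning both
# non-mobile and mobile platforms: `action` AND `mobile_action` are required,
# and `severity` is set because the actions are detect.
resource "crowdstrike_custom_ioc" "detect_domain_all_platforms" {
  type          = "domain"
  value         = "phishing-example.invalid" # constructed placeholder
  platforms     = ["windows", "mac", "linux", "ios", "android"]
  action        = "detect" # domain types permit only detect or no_action
  mobile_action = "detect"
  severity      = "medium"
  description   = "Phishing landing domain identified during IR"
  source        = "incident-response"
  host_groups   = ["all"]
  expiration    = "2030-06-30T00:00:00Z" # must be a future RFC 3339 timestamp
}

# Mobile-only wildcard: `all_subdomains` is valid only with ios/android, so
# only `mobile_action` is set; `action` is omitted because no non-mobile
# platform is listed.
resource "crowdstrike_custom_ioc" "detect_subdomains_mobile" {
  type          = "all_subdomains"
  value         = "malicious-example.invalid" # constructed placeholder
  platforms     = ["ios", "android"]
  mobile_action = "detect"
  severity      = "high"
  description   = "Wildcard match on all subdomains for mobile fleet"
  host_groups   = ["mobile-fleet-group-id"] # constructed placeholder ID
}

# Retired indicator kept for audit: once its expiration passed, the API reset
# the action to no_action server-side. Declaring no_action here, dropping the
# stale `expiration`, and omitting `severity` (not allowed with no_action)
# keeps `terraform plan` free of the permanent drift described in the schema.
resource "crowdstrike_custom_ioc" "retired_ipv4" {
  type        = "ipv4"
  value       = "203.0.113.7" # constructed placeholder from the TEST-NET-3 range
  platforms   = ["windows", "linux"]
  action      = "no_action"
  description = "Retired C2 address, retained for audit trail"
  host_groups = ["all"]
}
```

Keeping severity off any indicator whose action is `allow` or `no_action`, and expressing retirement as an explicit `no_action` rather than a past `expiration`, avoids the two most common sources of validation errors and plan drift with this resource.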
### Read-Only

- `applied_globally` (Boolean) Whether the indicator is applied globally to all hosts.
- `created_by` (String) The user who created the IOC indicator.
- `created_on` (String) The timestamp when the IOC indicator was created.
- `id` (String) The unique identifier of the IOC indicator.
- `modified_by` (String) The user who last modified the IOC indicator.
- `modified_on` (String) The timestamp when the IOC indicator was last modified.
## Import

Import is supported using the following syntax:

```shell
terraform import crowdstrike_custom_ioc.example indicator-id-here
```