ioa_exclusion

An IOA exclusion prevents a specific IOA detection pattern from triggering for matching command line and image filename regex values.

The following API scopes are required:

  • IOA Exclusions: READ
  • IOA Exclusions: WRITE

terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_ioa_exclusion" "example" {
  name        = "example-ioa-exclusion"
  description = "Exclude an approved administrative workflow"
  pattern_id  = "12345"
  cl_regex    = ".*--approved-operation.*"
  ifn_regex   = ".*approved-tool\\.exe"
  host_groups = ["all"]
}

  • cl_regex (String) Command-line regex pattern for exclusion matching. Maximum length is 256 characters.
  • host_groups (Set of String) Host group IDs that receive this exclusion. Use ["all"] to apply globally.
  • ifn_regex (String) Image filename regex pattern for exclusion matching. Maximum length is 256 characters.
  • name (String) Display name of the IOA exclusion.
  • pattern_id (String) Identifier of the IOA pattern to exclude.
  • comment (String) Additional context stored when creating or updating the exclusion. Falcon does not return this field on reads, so imported resources cannot populate it automatically.
  • description (String) Description of the IOA exclusion.
  • applied_globally (Boolean) Whether the exclusion is applied globally to all hosts.
  • created_by (String) User who created the exclusion.
  • created_on (String) Timestamp when the exclusion was created.
  • id (String) Unique identifier of the IOA exclusion.
  • last_modified (String) Timestamp when the exclusion was last modified.
  • last_updated (String) RFC850 timestamp of the last Terraform update to this resource.
  • modified_by (String) User who last modified the exclusion.
  • pattern_name (String) Name of the IOA pattern.
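
Because an exclusion suppresses a detection wherever its regexes match, it helps to validate the inputs before they reach the API. The following is an added example, not part of the provider's documentation or code: it enforces the documented 256-character limit, rejects regexes that contain no literal text, and requires an explicit opt-in before `["all"]` is accepted. The variable names, the `allow_global` flag and the resource label `guarded` are assumptions, and the `terraform` and `provider` blocks from the example above are assumed to be present.

```hcl
# Added example: variable names and the allow_global flag are hypothetical.
variable "cl_regex" {
  type = string
  validation {
    condition     = length(var.cl_regex) <= 256
    error_message = "The cl_regex value exceeds the documented 256-character maximum."
  }
  validation {
    # Strip regex wildcards and anchors; some literal text must remain.
    condition     = length(replace(var.cl_regex, "/[.*+?^$]/", "")) > 0
    error_message = "The cl_regex value has no literal text and would match every command line."
  }
}

variable "ifn_regex" {
  type = string
  validation {
    condition     = length(var.ifn_regex) <= 256
    error_message = "The ifn_regex value exceeds the documented 256-character maximum."
  }
  validation {
    condition     = length(replace(var.ifn_regex, "/[.*+?^$]/", "")) > 0
    error_message = "The ifn_regex value has no literal text and would match every image filename."
  }
}

variable "host_groups" {
  type = set(string)
}

variable "allow_global" {
  type    = bool
  default = false
}

resource "crowdstrike_ioa_exclusion" "guarded" {
  name        = "example-ioa-exclusion"
  pattern_id  = "12345" # placeholder value taken from the example above
  cl_regex    = var.cl_regex
  ifn_regex   = var.ifn_regex
  host_groups = var.host_groups

  lifecycle {
    precondition {
      # ["all"] applies the exclusion to every host, so require an explicit opt-in.
      condition     = var.allow_global || !contains(var.host_groups, "all")
      error_message = "Setting host_groups to \"all\" requires allow_global = true."
    }
  }
}
```

The `precondition` block needs Terraform 1.2 or later; a failed check stops `terraform plan` before any exclusion is created or changed.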

Import is supported using the following syntax:

# IOA exclusions can be imported using their ID
terraform import crowdstrike_ioa_exclusion.example 12345678-1234-1234-1234-123456789012