
ioa_rule_group

Manages IOA (Indicator of Attack) rule groups in CrowdStrike Falcon. Rule groups contain custom IOA rules that define detection logic for suspicious activities based on process creation, file creation, network connections, and domain name patterns.

The following API scopes are required:

  • Custom IOA Rules: READ
  • Custom IOA Rules: WRITE

terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_ioa_rule_group" "linux_monitoring" {
  name        = "Linux Security Monitoring"
  platform    = "Linux"
  description = "Custom IOA rules for monitoring suspicious Linux activity"
  comment     = "Managed by Terraform"
  enabled     = true

  rules = [
    {
      name             = "Suspicious Network Connection"
      description      = "Monitors for suspicious outbound network connections"
      comment          = "Managed by Terraform"
      pattern_severity = "critical"
      type             = "Network Connection"
      action           = "Monitor"
      enabled          = true

      image_filename = {
        include = ".*suspicious.*"
        exclude = ".*legitimate.*"
      }
      command_line = {
        include = ".*malicious.*"
        exclude = ".*safe.*"
      }
      remote_ip_address = {
        include = ".*"
      }
      connection_type = ["TCP", "UDP"]
    },
    {
      name             = "Unauthorized Process Creation"
      description      = "Detects unauthorized process creation"
      comment          = "Kill unauthorized processes immediately"
      pattern_severity = "high"
      type             = "Process Creation"
      action           = "Kill Process"
      enabled          = true

      parent_image_filename = {
        include = ".*/bin/bash"
      }
      image_filename = {
        include = ".*/tmp/.*"
      }
      command_line = {
        include = ".*"
      }
    }
  ]
}

Schema

Required:

  • name (String) The name of the IOA rule group.
  • platform (String) The platform for the IOA rule group. One of: Windows, Linux, Mac.

Optional:

  • comment (String) The comment stored in audit logs when making changes to the IOA rule group.
  • description (String) The description of the IOA rule group.
  • enabled (Boolean) Whether the IOA rule group is enabled.
  • rules (Attributes List) Ordered list of IOA rules within this rule group. (see below for nested schema)

Read-Only:

  • cid (String) The customer ID associated with the rule group.
  • committed_on (String) The timestamp when the rule group was committed.
  • created_by (String) The user who created the rule group.
  • created_on (String) The timestamp when the rule group was created.
  • deleted (Boolean) Whether the rule group has been marked as deleted.
  • id (String) The ID of the IOA rule group.
  • modified_by (String) The user who last modified the rule group.
  • modified_on (String) The timestamp when the rule group was last modified.

Nested Schema for rules

Required:

  • action (String) The action to take when the rule triggers.
  • description (String) The description of the IOA rule.
  • name (String) The name of the IOA rule.
  • pattern_severity (String) The severity of the pattern.
  • type (String) The rule type.

Optional:

  • command_line (Attributes) Command line match criteria. (see below for nested schema)
  • comment (String) The comment stored in audit logs when making changes to the IOA rule group rule. This attribute behaves as write-only: the configured value is sent to the API on every apply, but Terraform does not reconcile drift in this field.
  • connection_type (Set of String) Connection types to match. Only valid for Network Connection rules.
  • domain_name (Attributes) Domain name match criteria. Only valid for Domain Name rules. (see below for nested schema)
  • enabled (Boolean) Whether the rule is enabled.
  • file_path (Attributes) File path match criteria. Only valid for File Creation rules. (see below for nested schema)
  • file_type (Set of String) File types to match. Only valid for File Creation rules.
  • grandparent_command_line (Attributes) Grandparent command line match criteria. (see below for nested schema)
  • grandparent_image_filename (Attributes) Grandparent image filename match criteria. (see below for nested schema)
  • image_filename (Attributes) Image filename match criteria. (see below for nested schema)
  • parent_command_line (Attributes) Parent command line match criteria. (see below for nested schema)
  • parent_image_filename (Attributes) Parent image filename match criteria. (see below for nested schema)
  • remote_ip_address (Attributes) Remote IP address match criteria. Only valid for Network Connection rules. (see below for nested schema)
  • remote_port (Attributes) Remote port match criteria. Only valid for Network Connection rules. (see below for nested schema)

Read-Only:

  • instance_id (String) The unique instance ID of the rule.

Nested Schema for rules.command_line

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.domain_name

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.file_path

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.grandparent_command_line

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.grandparent_image_filename

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.image_filename

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.parent_command_line

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.parent_image_filename

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.remote_ip_address

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.

Nested Schema for rules.remote_port

Optional:

  • exclude (String) Regex pattern for exclusion.
  • include (String) Regex pattern for inclusion.
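The schema above carries constraints that Terraform only surfaces at apply time (a platform outside Windows/Linux/Mac, a required rule attribute left out, or a type-specific criterion such as remote_port on a Process Creation rule), and nothing on the page shows what an include/exclude pair actually selects. The following is an added example, not code from the provider: a small pre-apply lint over a rule group expressed as a plain dict (the attributes on this page, as you would read them from a plan), plus a dry-run matcher that replays constructed sample events against the linux_monitoring example. The matcher assumes that a value must fully match include and must not fully match exclude; Falcon's real matching semantics are not documented here, so treat its output as a sanity check on the regexes, not as ground truth. It also flags one operational caveat beyond the schema: a blocking action whose only selectors are catch-all patterns.

```python
"""Pre-apply lint and dry-run matcher for a crowdstrike_ioa_rule_group.
Example code added to this page; it is not the provider's own code."""
import re

# Criteria that the schema restricts to a single rule type.
TYPE_SPECIFIC = {
    "connection_type": "Network Connection",
    "remote_ip_address": "Network Connection",
    "remote_port": "Network Connection",
    "domain_name": "Domain Name",
    "file_path": "File Creation",
    "file_type": "File Creation",
}
REQUIRED_RULE_KEYS = {"action", "description", "name", "pattern_severity", "type"}
PLATFORMS = {"Windows", "Linux", "Mac"}
# Nested blocks that carry include/exclude regexes.
REGEX_CRITERIA = {
    "command_line", "domain_name", "file_path", "grandparent_command_line",
    "grandparent_image_filename", "image_filename", "parent_command_line",
    "parent_image_filename", "remote_ip_address", "remote_port",
}


def lint_rule_group(group: dict) -> list[str]:
    """Findings for a rule group dict, per the schema plus one caveat."""
    findings = []
    if group.get("platform") not in PLATFORMS:
        findings.append(f"platform must be one of {sorted(PLATFORMS)}")
    for i, rule in enumerate(group.get("rules", [])):
        label = rule.get("name") or f"rules[{i}]"
        missing = REQUIRED_RULE_KEYS - set(rule)
        if missing:
            findings.append(f"{label}: missing required attribute(s) {sorted(missing)}")
        for key, only_for in TYPE_SPECIFIC.items():
            if key in rule and rule.get("type") != only_for:
                findings.append(f"{label}: {key} is only valid for {only_for} rules")
        used = sorted(REGEX_CRITERIA & set(rule))
        for key in used:
            for side in ("include", "exclude"):
                pattern = rule[key].get(side)
                if pattern is None:
                    continue
                try:
                    re.compile(pattern)
                except re.error as exc:
                    findings.append(f"{label}: {key}.{side} is not a valid regex ({exc})")
        # Caveat, not a schema rule: a blocking action whose selectors are all
        # catch-alls fires on every event of that type on every enabled host.
        if rule.get("action") != "Monitor" and used and all(
            rule[k].get("include") in (None, ".*") and not rule[k].get("exclude")
            for k in used
        ):
            findings.append(f"{label}: {rule.get('action')!r} with no narrowing criterion")
    return findings


def criterion_matches(criterion: dict, value: str) -> bool:
    """Assumed semantics (not stated on the page): value must fully match
    `include` when set and must not fully match `exclude` when set."""
    include, exclude = criterion.get("include"), criterion.get("exclude")
    if include is not None and re.fullmatch(include, value) is None:
        return False
    return exclude is None or re.fullmatch(exclude, value) is None


def matching_rules(group: dict, event: dict) -> list[str]:
    """Names of enabled rules whose type and every criterion match the event,
    a flat dict keyed like the criteria (image_filename, command_line, ...)."""
    hits = []
    for rule in group.get("rules", []):
        if not rule.get("enabled", True) or rule.get("type") != event.get("type"):
            continue
        ok = all(key in event and criterion_matches(rule[key], event[key])
                 for key in REGEX_CRITERIA & set(rule))
        for set_key in ("connection_type", "file_type"):  # Set of String criteria
            if ok and set_key in rule:
                ok = event.get(set_key) in rule[set_key]
        if ok:
            hits.append(rule["name"])
    return hits


# The page's linux_monitoring example, transcribed to a dict.
LINUX_MONITORING = {
    "name": "Linux Security Monitoring", "platform": "Linux", "enabled": True,
    "rules": [
        {"name": "Suspicious Network Connection", "description": "Monitors outbound",
         "pattern_severity": "critical", "type": "Network Connection", "action": "Monitor",
         "image_filename": {"include": ".*suspicious.*", "exclude": ".*legitimate.*"},
         "command_line": {"include": ".*malicious.*", "exclude": ".*safe.*"},
         "remote_ip_address": {"include": ".*"}, "connection_type": ["TCP", "UDP"]},
        {"name": "Unauthorized Process Creation", "description": "Detects /tmp execs",
         "pattern_severity": "high", "type": "Process Creation", "action": "Kill Process",
         "parent_image_filename": {"include": ".*/bin/bash"},
         "image_filename": {"include": ".*/tmp/.*"}, "command_line": {"include": ".*"}},
    ],
}
# Constructed sample events and a deliberately broken group for the lint.
PROCESS_EVENT = {"type": "Process Creation", "parent_image_filename": "/bin/bash",
                 "image_filename": "/tmp/.x/payload", "command_line": "/tmp/.x/payload -q"}
BENIGN_EVENT = {"type": "Process Creation", "parent_image_filename": "/bin/bash",
                "image_filename": "/usr/bin/ls", "command_line": "ls -la /tmp"}
BAD_GROUP = {
    "name": "Broken group", "platform": "Solaris",
    "rules": [
        {"name": "Kill everything", "pattern_severity": "high", "type": "Process Creation",
         "action": "Kill Process", "command_line": {"include": ".*"}},
        {"name": "Port on wrong type", "description": "x", "pattern_severity": "low",
         "type": "Process Creation", "action": "Monitor", "remote_port": {"include": "("}},
    ],
}

if __name__ == "__main__":
    print(lint_rule_group(LINUX_MONITORING))               # []
    print(matching_rules(LINUX_MONITORING, PROCESS_EVENT))  # ['Unauthorized Process Creation']
    print(*lint_rule_group(BAD_GROUP), sep="\n")            # five findings
```

Run it before terraform apply on a group you are about to change: an empty lint result means the definition respects the type-specific constraints listed above, and replaying a few representative process or network events through matching_rules shows whether a Kill Process rule is scoped by something narrower than `.*` before it reaches production hosts.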

Import is supported using the following syntax:

terraform import crowdstrike_ioa_rule_group.example abc123