cloud_risk_findings

This data source retrieves cloud risk findings from Falcon Cloud Security. Cloud risks represent security findings and misconfigurations detected in cloud environments. For advanced queries, use Falcon Query Language (FQL) filters. For more information, refer to the Cloud Risks API documentation.

The following API scopes are required:

  • Cloud Security Risks: READ
  • Cloud Security Assets: READ
```hcl
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

# Example 1: Fetch recent cloud risk findings
data "crowdstrike_cloud_risk_findings" "recent" {
  filter = "last_seen:>'2025-11-24T09:48:12.983Z'"
  sort   = "first_seen.desc"
}

output "total_recent_risks" {
  value = length(data.crowdstrike_cloud_risk_findings.recent.risks)
}

# Example 2: Fetch Medium severity findings from rules named "High privileged identity ..."
data "crowdstrike_cloud_risk_findings" "privileged_identity" {
  filter = "rule_name:*'High privileged identity '+severity:'Medium'"
}

output "privileged_identity_risks_by_rule" {
  # Group the affected asset GCRNs under the rule that flagged them
  value = {
    for risk in data.crowdstrike_cloud_risk_findings.privileged_identity.risks :
    risk.rule_name => risk.asset_gcrn...
  }
}

# Example 3: Get high severity open risk findings
data "crowdstrike_cloud_risk_findings" "high_severity_open" {
  filter = "status:'Open'+severity:'High'"
}

locals {
  # Group the full risk objects by their severity value
  risks_by_severity = {
    for risk in data.crowdstrike_cloud_risk_findings.high_severity_open.risks :
    risk.severity => risk...
  }
}

output "risk_counts_by_severity" {
  value = {
    for severity, risks in local.risks_by_severity :
    severity => length(risks)
  }
}
```
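The examples above only report counts; a common next step is to turn the data source into a plan-time gate. The following is an added example, not part of the provider documentation: it queries open Critical findings, groups the affected asset GCRNs per cloud provider and account, and uses a Terraform `check` block (assumed Terraform 1.5 or later) to surface them as a warning in CI without blocking the run. The filter values, resource names, and output names are assumptions for illustration.

```hcl
# Added example: query open Critical findings and gate on them at plan time.
data "crowdstrike_cloud_risk_findings" "critical_open" {
  filter = "severity:'Critical'+status:'open'"
  sort   = "last_seen.desc"
}

locals {
  # Key is "<provider>/<account name>" (assumed unique enough for triage);
  # value is the list of affected asset GCRNs under that account.
  critical_by_account = {
    for risk in data.crowdstrike_cloud_risk_findings.critical_open.risks :
    "${risk.cloud_provider}/${risk.account_name}" => risk.asset_gcrn...
  }

  # Per-account counts, convenient for a dashboard or a CI summary line.
  critical_count_by_account = {
    for key, gcrns in local.critical_by_account :
    key => length(gcrns)
  }
}

# Terraform 1.5+ check block: a failed assertion is reported as a warning
# during plan/apply, so the finding is visible in the pipeline log but
# does not prevent unrelated infrastructure changes from being applied.
check "no_open_critical_cloud_risks" {
  assert {
    condition     = length(data.crowdstrike_cloud_risk_findings.critical_open.risks) == 0
    error_message = "Open Critical cloud risk findings: ${jsonencode(local.critical_count_by_account)}"
  }
}

output "critical_findings_by_account" {
  value = local.critical_by_account
}
```

If the run should hard-fail instead, move the same condition into a `precondition` on a resource or output, which errors rather than warns.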
Optional:

  • filter (String) FQL filter string. Supported fields: account_id, account_name, asset_gcrn, asset_id, asset_name, asset_region, asset_type, cloud_group, cloud_provider, first_seen, last_seen, resolved_at, risk_factor, rule_id, rule_name, service_category, severity, status, suppressed_by, suppressed_reason, tags. Example: severity:'High'+status:'open'
  • sort (String) The field to sort on. Use a .asc or .desc suffix to specify the sort direction. Supported fields: account_id, account_name, asset_id, asset_name, asset_region, asset_type, cloud_provider, first_seen, last_seen, resolved_at, rule_name, service_category, severity, status. Example: first_seen.desc

Read-Only:

  • risks (Attributes Set) Complete list of all cloud risks matching the filter criteria (see below for nested schema)

Nested Schema for risks

Read-Only:

  • account_id (String) Cloud account ID where the risk was detected.
  • account_name (String) Cloud account name where the risk was detected.
  • asset_gcrn (String) Global Cloud Resource Name (GCRN) of the asset.
  • asset_id (String) Unique identifier of the affected asset.
  • asset_name (String) Name of the affected asset.
  • asset_region (String) Cloud region where the asset resides.
  • asset_tags (List of String) Tags associated with the asset.
  • asset_type (String) Type of the affected asset (e.g., 'instance', 'bucket', 'database').
  • cloud_groups (List of String) Cloud groups associated with the risk.
  • cloud_provider (String) Cloud provider where the risk was detected (e.g., 'aws', 'azure', 'gcp').
  • first_seen (String) Timestamp when the risk was first detected.
  • id (String) Unique identifier of the cloud risk.
  • last_seen (String) Timestamp when the risk was last seen.
  • resolved_at (String) Timestamp when the risk was resolved.
  • rule_description (String) Description of the rule that detected this risk.
  • rule_id (String) Unique identifier of the rule that detected this risk.
  • rule_name (String) Name of the rule that detected this risk.
  • service_category (String) Service category of the affected resource.
  • severity (String) Severity level of the risk (e.g., 'Critical', 'High', 'Medium', 'Low', 'Informational').
  • status (String) Current status of the risk (e.g., 'open', 'resolved', 'suppressed').