Skip to content
CrowdStrike Developer Center

cloud_security_suppression_rules

This data source retrieves detailed information about cloud security suppression rules. Suppression rules define criteria for automatically suppressing findings, such as IOMs, across your environment. Text-based fields (name, description) accept wildcards *. All fields query Falcon using logical AND. If FQL is defined, all other fields will be ignored. For advanced queries to further narrow your search, please use a Falcon Query Language (FQL) filter.

API Scopes

Section titled “API Scopes”

The following API scopes are required:

  • Cloud Security Policies: READ
  • Cloud Security Policies: WRITE

Example Usage

Section titled “Example Usage”
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}


provider "crowdstrike" {
  cloud = "us-2"
}


# Get all suppression rules
data "crowdstrike_cloud_security_suppression_rules" "all" {}


# Use FQL for advanced filtering
data "crowdstrike_cloud_security_suppression_rules" "fql_advanced" {
  fql = "name:*'Production*'+suppression_reason:'false-positive'"
}


# Combine multiple filters (logical AND)
data "crowdstrike_cloud_security_suppression_rules" "combined" {
  type   = "IOM"
  reason = "compensating-control"
  name   = "Security Exception*"
}

Schema

Section titled “Schema”

Optional

Section titled “Optional”
  • description (String) Description of the suppression rule to search for. Wildcards are accepted (e.g., suppression rule).
  • disabled (Boolean) Filter suppression rules by disabled status. When false, shows only active rules (non-expired). When true, shows all rules including expired ones. If not specified, shows all rules.
  • fql (String) Falcon Query Language (FQL) filter for advanced suppression rule searches. FQL filter, allowed props: name, description, subdomain, suppression_reason, disabled
  • name (String) Name of the suppression rule to search for. Wildcards are accepted (e.g., suppression rule).
  • reason (String) Suppression reason to filter by. One of: accept-risk, compensating-control, false-positive.
  • type (String) Type of suppression rule to filter by. This corresponds to the subdomain field in the API. One of: IOM.

Read-Only

Section titled “Read-Only”

Nested Schema for rules

Section titled “Nested Schema for rules”

Read-Only:

  • asset_filter (Attributes) Filter criteria for scope assets. Within each attribute, assets match if they contain ANY of the specified values (OR logic). Between different attributes, assets must match ALL specified attributes (AND logic). (see below for nested schema)
  • comment (String) Comment for suppression. This will be attached to the findings suppressed by this rule.
  • description (String) Description of the suppression rule.
  • expiration_date (String) Expiration date for suppression in RFC3339 format.
  • id (String) Unique identifier of the suppression rule.
  • name (String) Name of the suppression rule.
  • reason (String) Reason for suppression. One of: accept-risk, compensating-control, false-positive.
  • rule_selection_filter (Attributes) Filter criteria for rule selection. Within each attribute, rules match if they contain ANY of the specified values (OR logic). Between different attributes, rules must match ALL specified attributes (AND logic). (see below for nested schema)
  • type (String) Type of suppression rule. One of: IOM.

Nested Schema for rules.asset_filter

Section titled “Nested Schema for rules.asset_filter”

Read-Only:

  • account_ids (Set of String) Set of cloud account IDs. An Asset will match if it belongs to an account included in this set.
  • cloud_group_ids (Set of String) Set of cloud group IDs. An Asset will match if it belongs to a Cloud Group whose ID is included in this set.
  • cloud_providers (Set of String) Set of cloud providers. Examples: aws, azure, gcp. An Asset will match if it belongs to a cloud provider included in this set.
  • regions (Set of String) Set of regions. Examples: eu-central-1, eastus, us-west-1. An Asset will match if it is located in a region included in this set.
  • resource_ids (Set of String) Set of resource IDs. An Asset will match if its resource ID is included in this set.
  • resource_names (Set of String) Set of resource names. An Asset will match if its resource name is included in this set.
  • resource_types (Set of String) Set of resource types. Examples: AWS::S3::Bucket, compute.googleapis.com/Instance, Microsoft.ContainerService/managedClusters. An Asset will match if its resource type is included in this set.
  • service_categories (Set of String) Set of service categories. Examples: Compute, Identity, Networking. An Asset will match if its cloud service category is included in this set.
  • tags (Map of String) Map of tags. These must match the k=v format. An Asset will match if any of its tag key-value pairs match those specified in this map.

Nested Schema for rules.rule_selection_filter

Section titled “Nested Schema for rules.rule_selection_filter”

Read-Only:

  • ids (Set of String) Set of rule IDs. A rule will match if its ID is included in this set.
  • names (Set of String) Set of rule names. A rule will match if its name is included in this set.
  • origins (Set of String) Set of rule origins. One of: Custom, Default. A rule will match if its origin is included in this set.
  • providers (Set of String) Set of rule cloud providers. Examples: AWS, Azure, GCP, OCI. A rule will match if its cloud provider is included in this set.
  • services (Set of String) Set of cloud services. Examples: Azure Cosmos DB, CloudFront, Compute Engine, EC2, Elasticache, Virtual Network. A rule will match if its cloud service is included in this set.
  • severities (Set of String) Set of rule severities. One of: critical, high, medium, informational. A rule will match if its severity is included in this set.
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use