filevantage_rule_group

This resource allows management of a FileVantage rule group. A FileVantage rule group is a collection of file integrity rules that can be assigned to a FileVantage policy.

The following API scopes are required:

  • Falcon FileVantage: READ
  • Falcon FileVantage: WRITE

```terraform
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}

provider "crowdstrike" {
  cloud = "us-2"
}

resource "crowdstrike_filevantage_rule_group" "example" {
  name        = "example_filevantage_policy"
  description = "made with terraform"
  type        = "WindowsRegistry"
  rules = [
    {
      description                 = "first rule"
      path                        = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
      severity                    = "High"
      depth                       = "ANY"
      registry_values             = ["first", "rule"]
      watch_key_value_set_changes = true
      enable_content_capture      = true
    },
    {
      description                 = "second rule"
      path                        = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\"
      severity                    = "High"
      depth                       = "ANY"
      registry_values             = ["Value1", "Value2"]
      watch_key_value_set_changes = true
      enable_content_capture      = true
    },
  ]
}

output "filevantage_rule_group" {
  value = crowdstrike_filevantage_rule_group.example
}
```

  • name (String) Name of the filevantage rule group.
  • description (String) Description of the filevantage rule group.
  • rules (Attributes List) Rules to be associated with the rule group. Precedence is determined by the order of the rules in the list. (see below for nested schema)
  • type (String) The type of filevantage rule group.
  • id (String) Identifier for the filevantage rule group.
  • last_updated (String) Timestamp of the last Terraform update of the resource.

Nested schema for rules

Required:

  • description (String) Description of the filevantage rule.
  • path (String) The file system or registry path to monitor. All paths must end with the path separator, e.g. c:\windows\ for Windows and /usr/bin/ for Linux/Mac.
  • severity (String) Severity to categorize change events produced by this rule.

Optional:

  • depth (String) Depth below the base path to monitor.
  • enable_content_capture (Boolean) Enable content capture for the rule. Requires watch_file_write_changes or watch_key_value_set_changes to be enabled.
  • exclude (String) Represents the files, directories, registry keys, or registry values that will be excluded from monitoring.
  • exclude_processes (String) Represents the changes performed by specific processes that will be excluded from monitoring.
  • exclude_users (String) Represents the changes performed by specific users that will be excluded from monitoring.
  • file_names (List of String) List of file names whose content will be monitored. Listed files must match the file include pattern and not match the file exclude pattern.
  • include (String) Represents the files, directories, registry keys, or registry values that will be monitored. Defaults to all (*).
  • include_processes (String) Represents the changes performed by specific processes that will be monitored.
  • include_users (String) Represents the changes performed by specific users that will be monitored.
  • registry_values (List of String) List of registry values whose content will be monitored. Listed registry values must match the registry include pattern and not match the registry exclude pattern.
  • watch_directory_attribute_changes (Boolean) Monitor directory attribute change events.
  • watch_directory_create_changes (Boolean) Monitor directory creation events.
  • watch_directory_delete_changes (Boolean) Monitor directory deletion events.
  • watch_directory_permission_changes (Boolean) Monitor directory permission change events.
  • watch_directory_rename_changes (Boolean) Monitor directory rename events.
  • watch_file_attribute_changes (Boolean) Monitor file attribute change events.
  • watch_file_create_changes (Boolean) Monitor file creation events.
  • watch_file_delete_changes (Boolean) Monitor file deletion events.
  • watch_file_permission_changes (Boolean) Monitor file permission change events.
  • watch_file_rename_changes (Boolean) Monitor file rename events.
  • watch_file_write_changes (Boolean) Monitor file write events.
  • watch_key_create_changes (Boolean) Monitor registry key creation events.
  • watch_key_delete_changes (Boolean) Monitor registry key deletion events.
  • watch_key_permissions_changes (Boolean) Monitor registry key permission change events.
  • watch_key_rename_changes (Boolean) Monitor registry key rename events.
  • watch_key_value_delete_changes (Boolean) Monitor registry value deletion events.
  • watch_key_value_set_changes (Boolean) Monitor registry value set events.

Read-Only:

  • id (String) Identifier for the filevantage rule.
  • precedence (Number) Precedence of the rule in the rule group.
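As an added example (not taken from the provider's own documentation), the following rule group applies the schema above to Linux file paths: every path ends with its separator, precedence follows list order, content capture is only enabled on a rule that also sets watch_file_write_changes, and package-manager writes are excluded from the binaries rule. The type, severity and depth values ("LinuxFiles", "Critical", "1") and the comma-separated format of exclude_processes are assumptions.

```hcl
# Added example: a LinuxFiles rule group for privileged paths.
# Assumed values are marked; check the provider docs before applying.
resource "crowdstrike_filevantage_rule_group" "linux_baseline" {
  name        = "linux-baseline"
  description = "Integrity rules for privileged Linux paths"
  type        = "LinuxFiles" # assumed type value

  rules = [
    # First entry gets precedence 1; precedence is read-only and
    # derived from list position, not set per rule.
    {
      description = "sudoers file: capture content on write"
      path        = "/etc/"   # must end with the separator
      severity    = "Critical" # assumed severity value
      depth       = "1"        # assumed depth value (direct children only)
      include     = "sudoers"  # file_names must match the include pattern
      file_names  = ["sudoers"]

      watch_file_write_changes      = true
      watch_file_permission_changes = true
      watch_file_delete_changes     = true
      # Requires watch_file_write_changes above; without it the
      # provider/API rejects the rule.
      enable_content_capture = true
    },
    # Second entry gets precedence 2.
    {
      description = "system binaries, ignoring package manager writes"
      path        = "/usr/bin/"
      severity    = "High"
      depth       = "ANY"
      # Assumed comma-separated process list; exclusions keep
      # routine package upgrades out of the change feed.
      exclude_processes = "/usr/bin/dpkg,/usr/bin/rpm"

      watch_file_write_changes  = true
      watch_file_create_changes = true
      watch_file_delete_changes = true
      watch_file_rename_changes = true
      watch_file_attribute_changes  = true
      watch_file_permission_changes = true
    },
  ]
}
```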

Import is supported using the following syntax:

```shell
# A filevantage rule group can be imported by specifying the rule group ID.
terraform import crowdstrike_filevantage_rule_group.example 7fb858a949034a0cbca175f660f1e769
```