
response_policy

Manages CrowdStrike Real Time Response (RTR) policies that control endpoint response capabilities. RTR policies determine what remote response actions (commands, scripts, file operations) are available to responders on endpoints.

The following API scopes are required:

  • Response Policies: READ
  • Response Policies: WRITE

resource "crowdstrike_response_policy" "example" {
  name          = "Production RTR Policy"
  description   = "Allows basic RTR commands for production hosts"
  platform_name = "Windows" # Valid values: "Windows", "Mac", "Linux"
  enabled       = true
  host_groups   = [crowdstrike_host_group.production.id]

  # Required for any RTR functionality (all platforms)
  real_time_response = true

  # Common RTR commands (all platforms)
  custom_scripts = true
  get_command    = true
  put_command    = true
  exec_command   = false

  # Windows-only settings
  falcon_scripts      = true # Requires custom_scripts
  memdump_command     = false
  xmemdump_command    = false
  put_and_run_command = false # Also available on Mac
}

  • name (String) Name of the response policy.
  • platform_name (String) Platform for the response policy (Windows, Mac, Linux). Changing this value will require replacing the resource.
  • custom_scripts (Boolean) Allows those with RTR Active Responder and RTR Administrator roles to run custom scripts.
  • description (String) Description of the response policy.
  • enabled (Boolean) Enable the response policy.
  • exec_command (Boolean) Run any executable on the remote host.
  • falcon_scripts (Boolean) Allows those with the RTR Administrator role to run Falcon scripts (Windows only). Requires custom_scripts.
  • get_command (Boolean) Extract files from a remote host via the CrowdStrike cloud.
  • host_groups (Set of String) Host group IDs to attach to the policy.
  • memdump_command (Boolean) Dump process memory of a remote host (Windows only).
  • put_and_run_command (Boolean) Send files and execute them with a single command (Windows and Mac only).
  • put_command (Boolean) Send files to a remote host via the CrowdStrike cloud.
  • real_time_response (Boolean) Allow those with Real Time Responder roles to remotely connect to hosts.
  • xmemdump_command (Boolean) Dump the complete memory of a remote host (Windows only).
  • id (String) Identifier for the response policy.
  • last_updated (String) Timestamp of the last Terraform update of the resource.
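
A pre-merge check over `terraform show -json` plan output that enforces the dependencies stated in the attribute descriptions above and flags high-impact capabilities for review. This is an added example, not part of the provider or its documentation; the `NEEDS_REVIEW` set, the rule names and the sample plan are assumptions made for illustration.

```python
import json

# attribute -> platforms it applies to, per the attribute descriptions above
PLATFORMS = {"falcon_scripts": {"Windows"}, "memdump_command": {"Windows"},
             "xmemdump_command": {"Windows"},
             "put_and_run_command": {"Windows", "Mac"}}
# Assumption: which capabilities need sign-off is a local review decision.
NEEDS_REVIEW = {"exec_command", "put_and_run_command",
                "memdump_command", "xmemdump_command"}
CAPABILITIES = set(PLATFORMS) | NEEDS_REVIEW | {
    "custom_scripts", "get_command", "put_command"}

def check_policy(address, attrs):
    """Return sorted (address, rule, attribute) findings for one policy."""
    # Values that are null or unknown at plan time are treated as off.
    on = {k for k in CAPABILITIES if attrs.get(k) is True}
    platform = attrs.get("platform_name")
    found = []
    if on and attrs.get("real_time_response") is not True:
        found.append((address, "needs-real-time-response", "real_time_response"))
    if "falcon_scripts" in on and "custom_scripts" not in on:
        found.append((address, "needs-custom-scripts", "falcon_scripts"))
    found += [(address, "wrong-platform", k) for k in on
              if k in PLATFORMS and platform not in PLATFORMS[k]]
    found += [(address, "review-required", k) for k in on & NEEDS_REVIEW]
    return sorted(found)

def check_plan(plan):
    """Check each crowdstrike_response_policy in `terraform show -json` output."""
    found = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")  # None when destroyed
        if rc.get("type") == "crowdstrike_response_policy" and after:
            found += check_policy(rc["address"], after)
    return found

# Constructed sample: the page's example policy plus a misconfigured Linux one.
SAMPLE_PLAN = json.loads("""{"resource_changes": [
 {"address": "crowdstrike_response_policy.example",
  "type": "crowdstrike_response_policy", "change": {"after": {
   "platform_name": "Windows", "real_time_response": true,
   "custom_scripts": true, "get_command": true, "put_command": true,
   "exec_command": false, "falcon_scripts": true, "memdump_command": false,
   "xmemdump_command": false, "put_and_run_command": false}}},
 {"address": "crowdstrike_response_policy.linux_lab",
  "type": "crowdstrike_response_policy", "change": {"after": {
   "platform_name": "Linux", "real_time_response": true,
   "custom_scripts": false, "falcon_scripts": true,
   "put_and_run_command": true}}}]}""")
```

`check_plan(SAMPLE_PLAN)` returns no findings for the page's example policy and four for the constructed Linux policy.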

Import is supported using the following syntax:

terraform import crowdstrike_response_policy.example abc123