correlation_rule
Manages CrowdStrike NGSIEM Correlation Rules. Correlation rules allow you to define conditions for generating alerts based on event patterns. For tenant limits and other product-level constraints, see the correlation rules documentation in the Falcon console.
API Scopes
Section titled “API Scopes”The following API scopes are required:
- Correlation Rules: READ
- Correlation Rules: WRITE
Example Usage
Section titled “Example Usage”terraform { required_providers { crowdstrike = { source = "crowdstrike/crowdstrike" } }}
provider "crowdstrike" {}
# Resolve the Customer ID (CID) for the tenant authenticated by the provider.data "crowdstrike_cid" "this" {}
resource "crowdstrike_correlation_rule" "basic_rule" { name = "tf-example-basic-rule" cid = data.crowdstrike_cid.this.cid severity = "medium" status = "inactive"
search = { filter = "#repo=\"base_sensor\" #event_simpleName=ProcessRollup2" lookback = "1h0m" trigger_mode = "verbose" }
schedule = { interval = "1h0m" start_on = "2030-01-01T00:00:00Z" }
notifications = [ { type = "email" is_guardrail = true recipients = ["oncall@example.com"] }, ]}
resource "crowdstrike_correlation_rule" "advanced_rule" { name = "tf-example-advanced-rule" cid = data.crowdstrike_cid.this.cid description = "Detects AWS IAM policy attachments" severity = "high" status = "inactive"
search = { filter = "#Vendor=\"aws\" #event.module=\"cloudtrail\" event.provider=\"iam.amazonaws.com\" event.action=\"AttachUserPolicy\"" lookback = "1h15m" create_case = true trigger_mode = "summary" use_ingest_time = true }
schedule = { interval = "1h0m" start_on = "2030-01-01T00:00:00Z" }
mitre_attack = [ { tactic_id = "TA0004" technique_id = "T1098.003" }, ]
notifications = [ { type = "email" is_guardrail = true recipients = ["oncall@example.com"] }, ]}Schema
Section titled “Schema”Required
Section titled “Required”cid(String) The CID of the environment (tenant ID). Must be 32 lowercase hex characters with no-NNchecksum suffix (the canonical form the API returns).name(String) Name of the correlation rule.notifications(Attributes Set) Notifications sent when the rule requires attention. Each entry describes a delivery channel and is routed to the rule’s regular (errors/warnings) array, the guardrail (auto-deactivation) array, or both viais_guardrail. At least one entry MUST setis_guardrail = true. Regular entries always send on failure and never on success — these options are not configurable. (see below for nested schema)schedule(Attributes) The schedule that controls when the rule runs. (see below for nested schema)search(Attributes) The search configuration that defines the rule’s detection logic. (see below for nested schema)severity(String) The severity level of generated alerts. Valid values:informational,low,medium,high,critical.status(String) Whether the rule isactiveorinactive.
Optional
Section titled “Optional”comment(String) A comment describing the rule or its most recent change.description(String) Description of the correlation rule.mitre_attack(Attributes List) MITRE ATT&CK mappings for the rule. Maximum of 10 entries. (see below for nested schema)
Read-Only
Section titled “Read-Only”id(String) The rule id. This is the stable rule identifier, not a version id.
Nested Schema for notifications
Section titled “Nested Schema for notifications”Required:
type(String) The notification channel type. Valid values:email,slack,pagerduty,webhook,ms_teams.
Optional:
config_id(String) The Fusion SOAR configuration identifier for the delivery channel, written to the APIconfig.config_id. Holds the concrete integration instance id for non-email channels (e.g. theslack/webhook/ms_teamsintegration). Must be unset whentype = "email".is_guardrail(Boolean) If true, the entry is sent to the rule’s guardrail notification list, which fires when the platform auto-deactivates the rule for exceeding outcome thresholds (50 outcomes when the rule runs more than once per 24 hours; 100 outcomes otherwise). At least one notification on every rule must set this totrue. Defaults tofalse.plugin_id(String) The Fusion SOAR plugin identifier for the delivery channel, written to the APIconfig.plugin_id. Used by channels backed by a plugin connector (e.g.slacksends the connector kind such asslack.incoming_webhook). Must be unset whentype = "email".recipients(List of String) Email addresses to notify. Required (at least one) whentype = "email"; not used by other channel types, which route throughplugin_id/config_idinstead.severity(String) Optional per-notification severity label. Valid values:critical,high,medium,low,informational.
Nested Schema for schedule
Section titled “Nested Schema for schedule”Required:
interval(String) How often to run the query, as a Go duration string (e.g.,1h0m,5h30m,30m). Minimum is5m(the API caps at 288 executions per day).start_on(String) The UTC time to start running the query (e.g.,2024-11-19T19:00:00Z). Must be at least 15 minutes in the future at create time.
Optional:
stop_on(String) The UTC time to stop running the query (e.g.,2024-12-31T23:59:59Z). If not specified, no stop time is used. Note: Due to an API limitation, removing this value once set requires the resource to be destroyed and recreated.
Nested Schema for search
Section titled “Nested Schema for search”Required:
filter(String) The query to base the rule on. For info about writing search queries, see CrowdStrike Query Language.lookback(String) The search window as a Go duration string (e.g.,1h0m,5h30m,24h,90m). Should be at least as long as the schedule frequency. Maximum is168h.trigger_mode(String) Must beverbose(One outcome generated for each result matching the query. Total outcomes are limited per rule trigger.) orsummary(One outcome generated for all results matching the query. Total results included in the outcome are limited per rule trigger.).
Optional:
case_template_id(String) The ID of the case template used to generate a case when the rule triggers. If not set, no case template is used.create_case(Boolean) Whether the rule also creates a case when it matches. A detection is always created; set this totrueto additionally create a case (optionally fromcase_template_id). Defaults tofalse.execution_mode(String) The execution mode for the rule. Currently onlyscheduledis supported. Defaults toscheduled. Note: Changes to this field require the resource to be destroyed and recreated.use_ingest_time(Boolean) If true, use the timestamp of the moment the event was ingested by crowdstrike cloud. Otherwise use the moment the event was generated on the system.
Nested Schema for mitre_attack
Section titled “Nested Schema for mitre_attack”Required:
tactic_id(String) The MITRE ATT&CK tactic ID (e.g.,TA0001).
Optional:
technique_id(String) The MITRE ATT&CK technique ID (e.g.,T1078).
Import
Section titled “Import”Import is supported using the following syntax:
# A correlation rule can be imported by specifying the rule ID.terraform import crowdstrike_correlation_rule.example 85ae98xxxxxxd9a8f2