Skip to content

correlation_rule

Manages CrowdStrike NGSIEM Correlation Rules. Correlation rules allow you to define conditions for generating alerts based on event patterns. For tenant limits and other product-level constraints, see the correlation rules documentation in the Falcon console.

The following API scopes are required:

  • Correlation Rules: READ
  • Correlation Rules: WRITE
terraform {
required_providers {
crowdstrike = {
source = "crowdstrike/crowdstrike"
}
}
}
provider "crowdstrike" {}
# Resolve the Customer ID (CID) for the tenant authenticated by the provider.
data "crowdstrike_cid" "this" {}
resource "crowdstrike_correlation_rule" "basic_rule" {
name = "tf-example-basic-rule"
cid = data.crowdstrike_cid.this.cid
severity = "medium"
status = "inactive"
search = {
filter = "#repo=\"base_sensor\" #event_simpleName=ProcessRollup2"
lookback = "1h0m"
trigger_mode = "verbose"
}
schedule = {
interval = "1h0m"
start_on = "2030-01-01T00:00:00Z"
}
notifications = [
{
type = "email"
is_guardrail = true
recipients = ["oncall@example.com"]
},
]
}
resource "crowdstrike_correlation_rule" "advanced_rule" {
name = "tf-example-advanced-rule"
cid = data.crowdstrike_cid.this.cid
description = "Detects AWS IAM policy attachments"
severity = "high"
status = "inactive"
search = {
filter = "#Vendor=\"aws\" #event.module=\"cloudtrail\" event.provider=\"iam.amazonaws.com\" event.action=\"AttachUserPolicy\""
lookback = "1h15m"
create_case = true
trigger_mode = "summary"
use_ingest_time = true
}
schedule = {
interval = "1h0m"
start_on = "2030-01-01T00:00:00Z"
}
mitre_attack = [
{
tactic_id = "TA0004"
technique_id = "T1098.003"
},
]
notifications = [
{
type = "email"
is_guardrail = true
recipients = ["oncall@example.com"]
},
]
}
  • cid (String) The CID of the environment (tenant ID). Must be 32 lowercase hex characters with no -NN checksum suffix (the canonical form the API returns).
  • name (String) Name of the correlation rule.
  • notifications (Attributes Set) Notifications sent when the rule requires attention. Each entry describes a delivery channel and is routed to the rule’s regular (errors/warnings) array, the guardrail (auto-deactivation) array, or both via is_guardrail. At least one entry MUST set is_guardrail = true. Regular entries always send on failure and never on success — these options are not configurable. (see below for nested schema)
  • schedule (Attributes) The schedule that controls when the rule runs. (see below for nested schema)
  • search (Attributes) The search configuration that defines the rule’s detection logic. (see below for nested schema)
  • severity (String) The severity level of generated alerts. Valid values: informational, low, medium, high, critical.
  • status (String) Whether the rule is active or inactive.
  • comment (String) A comment describing the rule or its most recent change.
  • description (String) Description of the correlation rule.
  • mitre_attack (Attributes List) MITRE ATT&CK mappings for the rule. Maximum of 10 entries. (see below for nested schema)
  • id (String) The rule id. This is the stable rule identifier, not a version id.

Required:

  • type (String) The notification channel type. Valid values: email, slack, pagerduty, webhook, ms_teams.

Optional:

  • config_id (String) The Fusion SOAR configuration identifier for the delivery channel, written to the API config.config_id. Holds the concrete integration instance id for non-email channels (e.g. the slack/webhook/ms_teams integration). Must be unset when type = "email".
  • is_guardrail (Boolean) If true, the entry is sent to the rule’s guardrail notification list, which fires when the platform auto-deactivates the rule for exceeding outcome thresholds (50 outcomes when the rule runs more than once per 24 hours; 100 outcomes otherwise). At least one notification on every rule must set this to true. Defaults to false.
  • plugin_id (String) The Fusion SOAR plugin identifier for the delivery channel, written to the API config.plugin_id. Used by channels backed by a plugin connector (e.g. slack sends the connector kind such as slack.incoming_webhook). Must be unset when type = "email".
  • recipients (List of String) Email addresses to notify. Required (at least one) when type = "email"; not used by other channel types, which route through plugin_id/config_id instead.
  • severity (String) Optional per-notification severity label. Valid values: critical, high, medium, low, informational.

Required:

  • interval (String) How often to run the query, as a Go duration string (e.g., 1h0m, 5h30m, 30m). Minimum is 5m (the API caps at 288 executions per day).
  • start_on (String) The UTC time to start running the query (e.g., 2024-11-19T19:00:00Z). Must be at least 15 minutes in the future at create time.

Optional:

  • stop_on (String) The UTC time to stop running the query (e.g., 2024-12-31T23:59:59Z). If not specified, no stop time is used. Note: Due to an API limitation, removing this value once set requires the resource to be destroyed and recreated.

Required:

  • filter (String) The query to base the rule on. For info about writing search queries, see CrowdStrike Query Language.
  • lookback (String) The search window as a Go duration string (e.g., 1h0m, 5h30m, 24h, 90m). Should be at least as long as the schedule frequency. Maximum is 168h.
  • trigger_mode (String) Must be verbose (One outcome generated for each result matching the query. Total outcomes are limited per rule trigger.) or summary (One outcome generated for all results matching the query. Total results included in the outcome are limited per rule trigger.).

Optional:

  • case_template_id (String) The ID of the case template used to generate a case when the rule triggers. If not set, no case template is used.
  • create_case (Boolean) Whether the rule also creates a case when it matches. A detection is always created; set this to true to additionally create a case (optionally from case_template_id). Defaults to false.
  • execution_mode (String) The execution mode for the rule. Currently only scheduled is supported. Defaults to scheduled. Note: Changes to this field require the resource to be destroyed and recreated.
  • use_ingest_time (Boolean) If true, use the timestamp of the moment the event was ingested by crowdstrike cloud. Otherwise use the moment the event was generated on the system.

Required:

  • tactic_id (String) The MITRE ATT&CK tactic ID (e.g., TA0001).

Optional:

  • technique_id (String) The MITRE ATT&CK technique ID (e.g., T1078).

Import is supported using the following syntax:

Terminal window
# A correlation rule can be imported by specifying the rule ID.
terraform import crowdstrike_correlation_rule.example 85ae98xxxxxxd9a8f2