Skip to content
CrowdStrike Developer Center

prevention_policies

This data source provides information about prevention policies in Falcon.

API Scopes

Section titled “API Scopes”

The following API scopes are required:

  • Prevention policies: READ

Example Usage

Section titled “Example Usage”
terraform {
  required_providers {
    crowdstrike = {
      source = "registry.terraform.io/crowdstrike/crowdstrike"
    }
  }
}


provider "crowdstrike" {
  cloud = "us-2"
}


# Get all prevention policies
data "crowdstrike_prevention_policies" "all" {
  sort = "name.asc"
}


# Get enabled Windows prevention policies and filter by name and description using individual attributes
data "crowdstrike_prevention_policies" "windows_enabled" {
  platform_name = "Windows"
  enabled       = true
  name          = "production-policy"
  description   = "production*"
  sort          = "name.asc"
}


# Get specific prevention policies by their IDs
data "crowdstrike_prevention_policies" "specific_policies" {
  ids = [
    "037a1708a8504b3a9cdbfdefba05f932",
    "4979a243c0d84342a66692f4810348ef",
    "9913bc2788a449678ab1269f44942463"
  ]
}


# Get enabled Linux prevention policies using FQL filter
data "crowdstrike_prevention_policies" "enabled_linux" {
  filter = "platform_name:'Linux'+enabled:true"
  sort   = "name.asc"
}

Schema

Section titled “Schema”

Optional

Section titled “Optional”
  • created_by (String) Filter policies by the user who created them. All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Supports wildcard matching with '' where '' matches any sequence of characters until the end of the string or until the next literal character in the pattern is found. Multiple wildcards can be used in a single pattern. Matching is case insensitive. Cannot be used together with ‘filter’ or ‘ids’.
  • description (String) Filter policies by description. All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Supports wildcard matching with '' where '' matches any sequence of characters until the end of the string or until the next literal character in the pattern is found. Multiple wildcards can be used in a single pattern. Matching is case insensitive. Cannot be used together with ‘filter’ or ‘ids’.
  • enabled (Boolean) Filter policies by enabled status. All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Cannot be used together with ‘filter’ or ‘ids’.
  • filter (String) FQL filter to apply to the prevention policies query. When specified, only policies matching the filter will be returned. Cannot be used together with ‘ids’ or other filter attributes. Example: platform_name:'Windows'
  • ids (List of String) List of prevention policy IDs to retrieve. When specified, only policies with matching IDs will be returned. Cannot be used together with ‘filter’ or other filter attributes.
  • modified_by (String) Filter policies by the user who last modified them. All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Supports wildcard matching with '' where '' matches any sequence of characters until the end of the string or until the next literal character in the pattern is found. Multiple wildcards can be used in a single pattern. Matching is case insensitive. Cannot be used together with ‘filter’ or ‘ids’.
  • name (String) Filter policies by name. All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Supports wildcard matching with '' where '' matches any sequence of characters until the end of the string or until the next literal character in the pattern is found. Multiple wildcards can be used in a single pattern. Matching is case insensitive. Cannot be used together with ‘filter’ or ‘ids’.
  • platform_name (String) Filter policies by platform_name (Windows, Linux, Mac). All provided filter attributes must match for a policy to be returned (omitted attributes are ignored). Cannot be used together with ‘filter’ or ‘ids’.
  • sort (String) Sort order for the results. Valid values include field names with optional ‘.asc’ or ‘.desc’ suffix. Example: ‘name.asc’, ‘precedence.desc’

Read-Only

Section titled “Read-Only”

Nested Schema for policies

Section titled “Nested Schema for policies”

Read-Only:

  • created_by (String) User who created the policy
  • created_timestamp (String) Timestamp when the policy was created
  • description (String) The prevention policy description
  • enabled (Boolean) Whether the prevention policy is enabled
  • host_groups (List of String) List of host group IDs assigned to the policy
  • id (String) The prevention policy ID
  • ioa_rule_groups (List of String) List of IOA rule group IDs associated with the policy
  • modified_by (String) User who last modified the policy
  • modified_timestamp (String) Timestamp when the policy was last modified
  • name (String) The prevention policy name
  • platform_name (String) The platform name (Windows, Linux, Mac)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use