Integrations
- 1Password
- Abnormal
- Absolute
- AbuseIPDB
- Acronis
- Active Directory On-Prem
- Adaptive Shield
- Adobe Cloud
- ADP
- Agari Phishing Response
- Airlock
- Airlock Digital
- Akamai Identity Cloud Social
- Alert Logic
- AlgoSec Firewall Analyzer
- Alienvault OTX
- Alienvault USM
- Anodot
- Ansible
- Anthropic
- Anvilogic
- Any Run
- Apex One
- ArcSight ESM
- Ardoq
- Area 1
- Armis Centrix
- Asana
- Asset Panda
- Astrix
- Atlassian Crowd
- Atlassian User Management
- Atlassian User Provisioning
- AuditBoard
- auth0
- Authentik
- Authomize
- Automox
- AWS
- AWS IAM Identity Center
- Axonius
- Azure
- Azure Data Explorer
- Azure DevOps
- Azure Log Analytics
- Azure Storage
- BambooHR
- Big Fix
- BigPanda
- Bitbucket
- Bitdefender
- Bitsight
- Bitwarden
- Black Duck
- Black Kite
- Blink
- BMC Remedy
- Box
- Brinqa
- Bugcrowd
- Cato Networks
- Censys
- Chorus
- Cisco Advanced Phishing Protection
- Cisco Domain Protection
- Cisco Identity Services Engine
- Cisco Meraki
- Cisco Talos
- Cisco Umbrella
- Cisco Webex
- Claroty CTD
- Claroty xDome
- ClearPass
- ClickHouse
- ClickUp
- Cloud Custodian
- Cloudflare
- Cloudflare R2
- Cobalt.io
- Check Point Harmony
- Check Point Infinity Events
- Check Point Management
- Check Point XDR/XPR
- Checkmarx SAST
- Checkmarx One
- Chronicle
- Compass
- Confluence
- Confluence Data Center
- Coralogix
- Coralogix Incident Management
- Cortex XDR
- Cortex Xpanse
- Coupa Compass
- CredStash
- Cribl
- CrowdStrike
- CrowdStrike
- Actions
- Overview
- Check Analysis Progress
- Check MalQuery Operation Status
- Check Submission Quota
- CrowdStrike Cloud Query
- Configure Host Groups To File Integrity Policy
- Configure Rule Groups To File Integrity Policy
- Create Batch Session
- Create File Integrity Policy
- Create Indicator
- Create Prevention Policy
- Create Rule Within Rule Group
- Create Sensor Update Policy
- CrowdStrike Custom Action
- Delete Action
- Delete CSPM AWS Account
- Delete CSPM Azure Account
- Delete Custom Script
- Delete Device
- Delete Host Groups
- Delete Indicator
- Delete Report
- Delete Rule Groups
- Delete Rules
- Download Execution Report
- Find Hosts That Observed IOC
- Find Malicious Domains
- Find Malicious IPAddresses
- Get Adversaries
- Get Adversary Report
- Get Alert Details
- Get Analysis Report
- Get Analysis Report Summary
- Get Application
- Get Detection
- Get Devices By IDs
- Get Devices Count For IOC
- Get File Integrity Policies Details
- Get FileVantage Rule Group Details
- Get Indicator Details
- Get Installed Devices
- Get Prevention Policy
- Get Processes By IOC
- Get Remediations
- Get RTR Extracted File Contents
- Get RTR Sessions Details
- Get Scheduled Report
- Get Sensor Update Policy
- Get Vulnerabilities
- Isolate Endpoint
- Launch Scheduled Report
- Lift Endpoint Isolation
- List Adversary IDs
- List Alerts
- List Applications
- List Available Streams
- List Custom Scripts IDs
- List Detections
- List Devices
- List File Integrity Policies IDs
- List FileVantage Rule Group IDs
- List Host Groups
- List Incidents
- List Indicators
- List IOC Actions
- List IOC Platforms
- List IOC Severities
- List IOC Types
- List Parent Rule Groups
- List Prevention Policies
- List Report Executions
- List RTR Session Files
- List RTR Sessions
- List Scheduled Reports
- List Sensor Update Policies
- List Vulnerabilities
- MalQuery Exact Search
- MalQuery Fuzzy Search
- Next Gen SIEM Advanced Search
- Perform Host Action
- Perform Host Group Action
- Perform Incident Action
- Perform Prevention Policies Action
- Perform Sensor Update Policies Action
- Query Adversaries Intel Reports IDs
- Query Adversary Reports
- Query Submitted Samples
- Retrieve Process Details By ID
- Run Admin Command On A Single Host
- Run Command On A Single Host
- Run Command On Batch Session
- Schedule YARA Hunt
- Search Indicators
- Search Query By ID
- Search Vulnerabilities
- Submit File For Analysis
- Update Alerts
- Update File Integrity Policy
- Update Indicators
- Upload Custom Script
- Triggers
- CyberArk
- Cybersixgill
- CyCognito
- Cyera
- Cylance
- Cymulate
- Cyware CTIX
- Darktrace
- Dasera
- Databricks
- Datadog
- DataSet
- Delighted
- Delinea
- Devo
- Digital-Shadows
- Discord
- Docusign
- Domo
- Drata
- Dropbox
- Dropbox Business
- druva
- Duo
- Duo Auth
- Dynatrace
- EasyVista
- EchoTrail
- Egnyte
- Egnyte Secure Govern
- Elasticsearch
- Entro
- Entrust Certificate Services
- Ermetic
- Exabeam
- Exchange Online
- Expel
- F5
- Falcon LogScale
- Falcon Surface
- Fastly
- FireHydrant
- Flare.io
- Forcepoint DLP
- Forescout
- FortiGate
- Freshservice
- GCP
- Gemini
- Ghostwriter
- Git
- GitHub
- GitLab
- Glean
- Gmail
- Google Calendar
- Google Chat
- Google Docs
- Google Drive
- Google Forms
- Google Looker
- Google Meet
- Google Sheets
- Google Workspace
- Grafana
- Greenhouse
- GreyNoise
- Grip Security
- GYTPOL
- HackerOne
- HackNotice
- Halo PSA
- Have I Been Pwned
- HiBob
- HubSpot
- Hunters
- Hybrid Analysis
- Hyperproof
- IBM CLoud
- IBM NS1 Connect
- IBM Security Verify
- IBM X Force
- Imperva
- Incident.io
- Infobip
- Infoblox Cloud Services Portal
- Intercom
- Intezer
- IP API
- IPinfo
- IPWHOIS
- Ironscales
- Ivanti RiskSense
- Jamf
- JetBrains
- JFrog
- Jira
- Jira Data Center
- Joe Sandbox
- JumpCloud
- Kandji
- Keeper Secrets Manager
- Kenna Security
- KnowBe4
- KnowBe4 Events
- Kubernetes
- Lacework
- LaunchDarkly
- Lark
- LimaCharlie
- Linear
- Litmos
- Living Security
- LogicMonitor
- LogRhythm
- Magnet One
- Manage Engine ServiceDesk Plus
- Mattermost
- Maven
- Microsoft Defender For Cloud
- Microsoft Defender For Cloud Apps
- Microsoft Defender For Endpoints
- Microsoft Defender XDR
- Microsoft E-Discovery
- Microsoft Entra ID
- Microsoft Excel
- Microsoft Graph
- Microsoft Intune
- Microsoft Office 365 Management Activity
- Microsoft Outlook
- Microsoft Purview
- Microsoft Sentinel
- Microsoft SQL Server
- Microsoft Teams
- Mimecast
- MISP
- Monday
- MongoDB Atlas
- MxToolbox
- Neo4j
- NetBox
- Netography
- Netskope
- NetSPI
- New Relic
- Nexthink
- Nightfall AI
- NinjaOne
- Notion
- Nozomi Networks
- Nuclei
- Nucleus
- Nutanix Hypervisor
- Obsidian
- Okta
- OneDrive
- OneLogin
- OneTrust
- Oort
- OpenAI
- OpenCTI
- Opsgenie
- OPSWAT
- Oracle Cloud
- Oracle HCM
- Oracle NetSuite
- Oracle PeopleSoft
- Orca Security
- OWASP ZAP
- PagerDuty
- Palo Alto NGFW
- Palo Alto Firewall
- Panther
- Passwordstate
- Pentera
- Perception Point
- PhishLabs
- PhishLabs Incident Data
- PhishLabs Open Web Monitoring
- Pingdom
- PingID
- PingOne
- PlexTrac
- PortSwigger
- Postman
- Postman SCIM
- Power BI
- PowerShell
- Prisma Access
- Prisma Cloud
- Prisma Cloud CWP
- Prometheus
- Proofpoint
- Proofpoint ITM
- Proofpoint Protection Server
- Proofpoint Security Awareness Training
- Proofpoint TAP
- Proofpoint TRAP
- Pub-Sub
- QRadar
- Qualys
- Rapid7
- Rapid7 InsightIDR
- Rapid7 InsightVM Cloud
- Rapid7 Threat Command
- Reco
- Recorded Future
- Recorded Future Triage Cloud
- Red Hat IDM
- Rippling
- RSS
- Rubrik
- runZero
- SafeBase
- SafeBreach
- Sage HR
- SailPoint
- SailPoint IdentityIQ
- Salesforce
- SAP Ariba
- Sap Concur
- ScienceLogic
- Securin
- Securin VI
- SecurityScorecard
- Securonix
- Seemplicity
- Sekoia.io
- SemGrep
- SentinelOne
- ServiceNow
- SharePoint
- Shodan
- Shopify
- Silverfort
- Slack
- Smartsheet
- Snipe IT
- Snowflake
- Snyk
- SolarWinds Information Service
- SolarWinds Service Desk
- SonarQube
- Sophos
- Split
- Splunk
- Splunk Observability
- Splunk SOAR
- Spur
- StrongDM
- Sumo Logic
- Symantec EDR
- Sysdig
- Tableau
- Tanium
- TeamCity
- TeamViewer
- Telegram
- Tempo
- Tenable
- Tenable Security Center
- Terraform
- Terraform Cloud
- Tessian
- TheHive
- Thinkst Canary
- Thomson Reuters
- ThreatQuotient
- Traliant LMS
- Trellix Email Security
- Trello
- Trend Vision One
- Twilio
- UKG HR
- Uptycs
- URLScan
- Vault
- Veracode
- Verkada
- Vertica
- VMware vSphere
- VMware Carbon Black
- VirusTotal
- WeChat
- WhatsApp
- WhoIs
- WildFire
- Wiz
- Workday
- Workspace ONE UEM
- YesWeHack
- Zendesk
- Zero Networks
- Zoom
- Zscaler Internet Access
- Zscaler Private Access
- Dropzone AI
On this page
Actions
Create Rule Within Rule Group
Create a rule within a rule group.
Preview this Workflow on desktop
External DocumentationTo learn more, visit the CrowdStrike documentation.
Parameters
| Parameter | Description |
|---|---|
| Comment | A comment to add to the new rule. |
| Description | The description of the new rule. |
| Disposition ID | The ID of the disposition. |
| Field Values | A list of JSON objects that represents the field values for the new rule. Note: At lease one field value is required. For Example: |
| Name | The name of the new rule. |
| Pattern Severity | The severity of the new rule. |
| Rule Group ID | The ID of the rule group to associate the rule with. |
| Rule Type ID | The rule type ID for the new rule. |
Example Output
Copy
Ask AI
{
"meta": {
"query_time": 0.012345678,
"writes": {
"resources_affected": 1
},
"powered_by": "mock-engine",
"trace_id": "aabbccdd-eeff-0011-2233-445566778899"
},
"resources": [
{
"instance_id": "mock-123",
"customer_id": "mock-customer-abc",
"ruletype_id": "9",
"ruletype_name": "File Modification",
"comment": "Mock Data Entry",
"enabled": true,
"deleted": false,
"magic_cookie": 7,
"rulegroup_id": "mock-group-xyz",
"version_ids": [
"v1.0"
],
"instance_version": 2,
"name": "MockRule",
"description": "This is a mock rule for testing.",
"pattern_id": "50001",
"pattern_severity": "medium",
"action_label": "Log Only",
"disposition_id": 10,
"field_values": [
{
"name": "FilePath",
"value": "/tmp/test.txt",
"label": "File Path",
"type": "excludable",
"values": [
{
"label": "include",
"value": "/tmp/test.txt"
}
],
"final_value": "/tmp/test.txt"
},
{
"name": "OperationType",
"value": "Write",
"label": "Operation Type",
"type": "inclusion",
"values": [
{
"label": "include",
"value": "Write"
}
],
"final_value": "Write"
},
{
"name": "FileSize",
"value": "> 1000",
"label": "File Size",
"type": "numerical",
"values": [
{
"label": "greater than",
"value": "1000"
}
],
"final_value": "> 1000"
}
],
"created_by": "mock-user-1",
"created_on": "2025-05-18T13:00:00.000000Z",
"modified_by": "mock-user-2",
"modified_on": "2025-05-18T13:15:00.000000Z",
"committed_on": "2025-05-18T13:30:00.000000Z"
}
]
}
Workflow Library Example
Create Rule Within Rule Group with Crowdstrike and Send Results Via EmailPreview this Workflow on desktopWas this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.