Using the Correlation Rules service collection

Uber class support Service class support Documentation Version Page Updated

Operation ID

Description

aggregates_rule_versions_post_v1
PEP8	aggregate_rule_versions

Get rules aggregates as specified via json in the request body.

combined_rules_get_v1
PEP8	get_rules_combined

Find all rules matching the query and filter.

combined_rules_get_v2
PEP8	get_rules_combined_v2

Find all rules matching the query and filter.

entities_latest_rules_get_v1
PEP8	get_latest_rule_versions

Retrieve latest rule versions by rule IDs

entities_rule_versions_export_post_v1
PEP8	export_rule

Export rule versions

entities_rule_versions_import_post_v1
PEP8	import_rule

Import rule versions

entities_rule_versions_publish_patch_v1
PEP8	publish_rule_version

Publish existing rule version

entities_rule_versions_delete_v1
PEP8	delete_rule_versions

Delete versions by IDs

entities_rules_get_v1
PEP8	get_rules

Retrieve rules by IDs.

entities_rules_post_v1
PEP8	create_rule

Create a correlation rule.

entities_rules_delete_v1
PEP8	delete_rules

Delete rules by IDs.

entities_rules_patch_v1
PEP8	update_rule

Update a correlation rule.

entities_rules_get_v2
PEP8	get_rules_v2

Retrieve rule versions by IDs

queries_rules_get_v1
PEP8	query_rules

Find all rule IDs matching the query and filter.

queries_rules_get_v2
PEP8	query_rules_v2

Find all rule version IDs matching the query and filter.

aggregates_rule_versions_post_v1

Get rules aggregates as specified via json in the request body.

PEP8 method name

aggregate_rule_versions

Endpoint

Method	Route
	`/correlation-rules/aggregates/rule-versions/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload provided as a dictionary.
filter	query	string	FQL query specifying the filter parameters.
ids	query	string or list of strings	Correlation rule IDs.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregate_rule_versions(body=body_payload, filter="string", ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregates_rule_versions_post_v1(body=body_payload, filter="string", ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("aggregates_rule_versions_post_v1", body=body_payload, filter="string", ids=id_list)

print(response)

combined_rules_get_v1

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined

Endpoint

Method	Route
	`/correlation-rules/combined/rules/v1`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL query specifying the filter parameters. Available filters: `customer_id` `user_id` `user_uuid` `status` `name` `created_on` `last_updated_on` Ranged filters: `created_on` `last_updated_on`
q	query	string	Match query criteria, which includes all the filter string fields.
sort	query	string	Rule property to sort on.
offset	query	integer	Starting index of overall result set from which to return IDs.
limit	query	integer	Number of IDs to return.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined(filter="string",
                                     q="string",
                                     sort="string",
                                     offset=integer,
                                     limit=integer
                                     )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v1(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                         )
print(response)

combined_rules_get_v2

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined_v2

Endpoint

Method	Route
	`/correlation-rules/combined/rules/v2`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL query specifying the filter parameters. Available filters: `customer_id` `user_id` `user_uuid` `status` `name` `created_on` `last_updated_on` Ranged filters: `created_on` `last_updated_on`
q	query	string	Match query criteria, which includes all the filter string fields.
sort	query	string	Rule property to sort on.
offset	query	integer	Starting index of overall result set from which to return IDs.
limit	query	integer	Number of IDs to return.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

entities_latest_rules_get_v1

Retrieve latest rule versions by rule IDs.

PEP8 method name

get_latest_rule_versions

Endpoint

Method	Route
	`/correlation-rules/entities/latest-rules/v1`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.
rule_ids			query	string or list of strings	The rule IDs to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_latest_rule_versions(rule_ids=rule_id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_latest_rules_get_v1(rule_ids=rule_id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_id_list = ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_latest_rules_get_v1", rule_ids=rule_id_list)

print(response)

entities_rule_versions_export_post_v1

Export rule versions.

PEP8 method name

export_rule

Endpoint

Method	Route
	`/correlation-rules/entities/rule-versions/export/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload provided as a dictionary.
filter	body	string	Filter to use for export.
get_latest	body	boolean	Flag indicating if the latest rule version should be exported.
report_format	body	string	Format to use for rule export.
search	body	dictionary	Rule search to perform. Overrides `filter` and `sort` keywords.
sort	body	string	Sort to use for rule export.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.export_rule(filter="string",
                              get_latest=boolean,
                              report_format="string",
                              sort="string"
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_export_post_v1(filter="string",
                                                        get_latest=boolean,
                                                        report_format="string",
                                                        sort="string"
                                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "get_latest": boolean,
  "report_format": "string",
  "search": {
    "filter": "string",
    "sort": "string"
  }
}

response = falcon.command("entities_rule_versions_export_post_v1", body=body_payload)

print(response)

entities_rule_versions_import_post_v1

Import rule versions.

PEP8 method name

import_rule

Endpoint

Method	Route
	`/correlation-rules/entities/rule-versions/import/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: multipart/form-data
Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Rule to be imported. Not required if using the `rule` keyword.
rule			body	dictionary	Rule to be imported (Service Class only).

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.import_rule(rule=rule_json)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.entities_rule_versions_import_post_v1(rule=rule_json)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.command("entities_rule_versions_import_post_v1", body=body_payload)

print(response)

entities_rule_versions_publish_patch_v1

Publish existing rule version.

PEP8 method name

publish_rule_version

Endpoint

Method	Route
	`/correlation-rules/entities/rule-versions/publish/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
id			body	string	Correlation rule version ID to publish.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.publish_rule_version(id="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_publish_patch_v1(id="string")

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "id": "string"
}

response = falcon.command("entities_rule_versions_publish_patch_v1", body=body_payload)

print(response)

entities_rule_versions_delete_v1

Delete versions by IDs.

PEP8 method name

delete_rule_versions

Endpoint

Method	Route
	`/correlation-rules/entities/rule-versions/v1`

Required Scope

correlation-rules:write

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule version IDs to be deleted.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_versions(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rule_versions_delete_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rule_versions_delete_v1", ids=id_list)

print(response)

entities_rules_get_v1

Retrieve rules by IDs.

PEP8 method name

get_rules

Endpoint

Method	Route
	`/correlation-rules/entities/rules/v1`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be retrieved.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v1", ids=id_list)

print(response)

entities_rules_get_v2

Retrieve rule versions by IDs

PEP8 method name

get_rules_v2

Endpoint

Method	Route
	`/correlation-rules/entities/rules/v2`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be retrieved.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_v2(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v2(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v2", ids=id_list)

print(response)

entities_rules_post_v1

Create a correlation rule.

PEP8 method name

create_rule

Endpoint

Method	Route
	`/correlation-rules/entities/rules/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload provided as a dictionary.
comment	body	string	Correlation rule comment.
customer_id	body	string	CID for the tenant.
description	body	string	Correlation rule description.
name	body	string	Correlation rule name.
notifications	body	list of dictionaries	List of notifications to implement.
operation	body	dictionary	Operation to perform.
search	body	dictionary	Search to perform.
severity	body	integer	Correlation severity.
status	body	string	Correlation rule status.
tactic	body	string	Identified tactic.
technique	body	string	Identified technique.
trigger_on_create	body	boolean	Flag indicating if the rule triggers on creation.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}
response = falcon.create_rule(comment="string",
                              customer_id="string",
                              description="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_post_v1(comment="string",
                                         customer_id="string",
                                         description="string",
                                         name="string",
                                         notifications=notifications_list,
                                         operation=operation_dictionary,
                                         search=search_dictionary,
                                         severity=integer,
                                         status="string",
                                         tactic="string",
                                         technique="string",
                                         trigger_on_create=boolean
                                         )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}

response = falcon.command("entities_rules_post_v1", body=body_payload)

print(response)

entities_rules_delete_v1

Delete rules by IDs.

PEP8 method name

delete_rules

Endpoint

Method	Route
	`/correlation-rules/entities/rules/v1`

Required Scope

correlation-rules:write

Content-Type

Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be deleted.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_delete_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_delete_v1", ids=id_list)

print(response)

entities_rules_patch_v1

Update a correlation rule.

PEP8 method name

update_rule

Endpoint

Method	Route
	`/correlation-rules/entities/rules/v1`

Required Scope

correlation-rules:write

Content-Type

Consumes: application/json
Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
body	body	dictionary	Full body payload provided as a dictionary.
comment	body	string	Correlation rule comment.
customer_id	body	string	CID for the tenant.
description	body	string	Correlation rule description.
id	body	string	Correlation rule ID to update.
name	body	string	Correlation rule name.
notifications	body	list of dictionaries	List of notifications to implement.
operation	body	dictionary	Operation to perform.
search	body	dictionary	Search to perform.
severity	body	integer	Correlation severity.
status	body	string	Correlation rule status.
tactic	body	string	Identified tactic.
technique	body	string	Identified technique.
trigger_on_create	body	boolean	Flag indicating if the rule triggers on creation.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.update_rule(comment="string",
                              customer_id="string",
                              description="string",
                              id="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_patch_v1(comment="string",
                                          customer_id="string",
                                          description="string",
                                          id="string",
                                          name="string",
                                          notifications=notifications_list,
                                          operation=operation_dictionary,
                                          search=search_dictionary,
                                          severity=integer,
                                          status="string",
                                          tactic="string",
                                          technique="string",
                                          trigger_on_create=boolean
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [{
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "id": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}]

response = falcon.command("entities_rules_patch_v1", body=body_payload)

print(response)

queries_rules_get_v1

Find all rule IDs matching the query and filter.

PEP8 method name

query_rules

Endpoint

Method	Route
	`/correlation-rules/queries/rules/v1`

Required Scope

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL query specifying the filter parameters. Available filters: `customer_id` `user_id` `user_uuid` `status` `name` `created_on` `last_updated_on` Ranged filters: `created_on` `last_updated_on`
q	query	string	Match query criteria, which includes all the filter string fields.
sort	query	string	Rule property to sort on.
offset	query	integer	Starting index of overall result set from which to return IDs.
limit	query	integer	Number of IDs to return.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules(filter="string",
                              q="string",
                              sort="string",
                              offset=integer,
                              limit=integer
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v1(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

queries_rules_get_v2

Find all rule version IDs matching the query and filter.

PEP8 method name

query_rules_v2

Endpoint

Method	Route
	`/correlation-rules/queries/rules/v2`

correlation-rules:read

Content-Type

Produces: application/json

Keyword Arguments

Name	Type	Data type	Description
filter	query	string	FQL query specifying the filter parameters. Available filters: `customer_id` `user_id` `user_uuid` `status` `name` `created_on` `last_updated_on` Ranged filters: `created_on` `last_updated_on`
q	query	string	Match query criteria, which includes all the filter string fields.
sort	query	string	Rule property to sort on.
offset	query	integer	Starting index of overall result set from which to return IDs.
limit	query	integer	Number of IDs to return.
parameters	query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules_v2(filter="string",
                                 q="string",
                                 sort="string",
                                 offset=integer,
                                 limit=integer
                                 )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v2(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

Correlation Rules - CrowdStrike/falconpy GitHub Wiki

Using the Correlation Rules service collection

Table of Contents

aggregates_rule_versions_post_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

combined_rules_get_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

combined_rules_get_v2

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

entities_latest_rules_get_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

entities_rule_versions_export_post_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

entities_rule_versions_import_post_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

entities_rule_versions_publish_patch_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage

Service class example (PEP8 syntax)

Service class example (Operation ID syntax)

Uber class example

entities_rule_versions_delete_v1

PEP8 method name

Endpoint

Required Scope

Content-Type

Keyword Arguments

Usage