# Using the Correlation Rules service collection

| Operation ID | Description |
| :---- | :---- |
| combined_rules_get_v1 | Find all rules matching the query and filter. |
| entities_rules_get_v1 | Retrieve rules by IDs. |
| entities_rules_post_v1 | Create a correlation rule. |
| entities_rules_delete_v1 | Delete rules by IDs. |
| entities_rules_patch_v1 | Update a correlation rule. |
| queries_rules_get_v1 | Find all rule IDs matching the query and filter. |
### get_rules_combined

Find all rules matching the query and filter.

| Method | Route |
| :---- | :---- |
| GET | /correlation-rules/combined/rules/v1 |

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | ✅ | ✅ | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | ✅ | ✅ | query | string | Match query criteria, which includes all the filter string fields. |
| sort | ✅ | ✅ | query | string | Rule property to sort on. |
| offset | ✅ | ✅ | query | integer | Starting index of overall result set from which to return IDs. |
| limit | ✅ | ✅ | query | integer | Number of IDs to return. |
| parameters | ✅ | ✅ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined(filter="string",
                                     q="string",
                                     sort="string",
                                     offset=0,    # integer
                                     limit=100    # integer
                                     )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v1(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=0,    # integer
                                        limit=100    # integer
                                        )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=0,    # integer
                          limit=100    # integer
                          )
print(response)
```
### get_rules

Retrieve rules by IDs.

| Method | Route |
| :---- | :---- |
| GET | /correlation-rules/entities/rules/v1 |

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | ✅ | ✅ | query | string or list of strings | The rule IDs to be retrieved. |
| parameters | ✅ | ✅ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v1(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v1", ids=id_list)
print(response)
```
### create_rule

Create a correlation rule.

| Method | Route |
| :---- | :---- |
| POST | /correlation-rules/entities/rules/v1 |

Consumes: application/json

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| body | ✅ | ✅ | body | dictionary | Full body payload provided as a dictionary. |
| comment | ✅ | ❌ | body | string | Correlation rule comment. |
| customer_id | ✅ | ❌ | body | string | CID for the tenant. |
| description | ✅ | ❌ | body | string | Correlation rule description. |
| name | ✅ | ❌ | body | string | Correlation rule name. |
| notifications | ✅ | ❌ | body | list of dictionaries | List of notifications to implement. |
| operation | ✅ | ❌ | body | dictionary | Operation to perform. |
| search | ✅ | ❌ | body | dictionary | Search to perform. |
| severity | ✅ | ❌ | body | integer | Correlation severity. |
| status | ✅ | ❌ | body | string | Correlation rule status. |
| tactic | ✅ | ❌ | body | string | Identified tactic. |
| technique | ✅ | ❌ | body | string | Identified technique. |
| trigger_on_create | ✅ | ❌ | body | boolean | Flag indicating if the rule triggers on creation. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.create_rule(comment="string",
                              customer_id="string",
                              description="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=0,               # integer
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=False   # boolean
                              )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_post_v1(comment="string",
                                         customer_id="string",
                                         description="string",
                                         name="string",
                                         notifications=notifications_list,
                                         operation=operation_dictionary,
                                         search=search_dictionary,
                                         severity=0,               # integer
                                         status="string",
                                         tactic="string",
                                         technique="string",
                                         trigger_on_create=False   # boolean
                                         )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": False   # boolean
}

response = falcon.command("entities_rules_post_v1", body=body_payload)
print(response)
```
### delete_rules

Delete rules by IDs.

| Method | Route |
| :---- | :---- |
| DELETE | /correlation-rules/entities/rules/v1 |

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| ids | ✅ | ✅ | query | string or list of strings | The rule IDs to be deleted. |
| parameters | ✅ | ✅ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_delete_v1(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_delete_v1", ids=id_list)
print(response)
```
### update_rule

Update a correlation rule.

| Method | Route |
| :---- | :---- |
| PATCH | /correlation-rules/entities/rules/v1 |

Consumes: application/json

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| body | ✅ | ✅ | body | dictionary | Full body payload provided as a dictionary. |
| comment | ✅ | ❌ | body | string | Correlation rule comment. |
| customer_id | ✅ | ❌ | body | string | CID for the tenant. |
| description | ✅ | ❌ | body | string | Correlation rule description. |
| id | ✅ | ❌ | body | string | Correlation rule ID to update. |
| name | ✅ | ❌ | body | string | Correlation rule name. |
| notifications | ✅ | ❌ | body | list of dictionaries | List of notifications to implement. |
| operation | ✅ | ❌ | body | dictionary | Operation to perform. |
| search | ✅ | ❌ | body | dictionary | Search to perform. |
| severity | ✅ | ❌ | body | integer | Correlation severity. |
| status | ✅ | ❌ | body | string | Correlation rule status. |
| tactic | ✅ | ❌ | body | string | Identified tactic. |
| technique | ✅ | ❌ | body | string | Identified technique. |
| trigger_on_create | ✅ | ❌ | body | boolean | Flag indicating if the rule triggers on creation. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.update_rule(comment="string",
                              customer_id="string",
                              description="string",
                              id="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=0,               # integer
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=False   # boolean
                              )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_patch_v1(comment="string",
                                          customer_id="string",
                                          description="string",
                                          id="string",
                                          name="string",
                                          notifications=notifications_list,
                                          operation=operation_dictionary,
                                          search=search_dictionary,
                                          severity=0,               # integer
                                          status="string",
                                          tactic="string",
                                          technique="string",
                                          trigger_on_create=False   # boolean
                                          )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [{
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "id": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": False   # boolean
}]

response = falcon.command("entities_rules_patch_v1", body=body_payload)
print(response)
```
### query_rules

Find all rule IDs matching the query and filter.

| Method | Route |
| :---- | :---- |
| GET | /correlation-rules/queries/rules/v1 |

Produces: application/json

| Name | Service | Uber | Type | Data type | Description |
| :---- | :----: | :----: | :---- | :---- | :---- |
| filter | ✅ | ✅ | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | ✅ | ✅ | query | string | Match query criteria, which includes all the filter string fields. |
| sort | ✅ | ✅ | query | string | Rule property to sort on. |
| offset | ✅ | ✅ | query | integer | Starting index of overall result set from which to return IDs. |
| limit | ✅ | ✅ | query | integer | Number of IDs to return. |
| parameters | ✅ | ✅ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Service class example (PEP8 syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules(filter="string",
                              q="string",
                              sort="string",
                              offset=0,    # integer
                              limit=100    # integer
                              )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v1(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=0,    # integer
                                       limit=100    # integer
                                       )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=0,    # integer
                          limit=100    # integer
                          )
print(response)
```
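As an added example that is not part of the FalconPy wiki, the FQL filter fields and the offset/limit keywords documented for get_rules_combined and query_rules can be combined into a helper that builds a filter and walks every matching rule ID page by page, checking the status code of each response. FakeCorrelationRules is a constructed stand-in for the SDK client (it only mimics the response envelope), and the status value "enabled" and the timestamp are assumed sample values.

```python
from typing import Callable, Dict, Iterator, List, Optional


def build_rule_filter(status: Optional[str] = None, name: Optional[str] = None,
                      created_after: Optional[str] = None) -> str:
    """Build an FQL filter from fields the query_rules table lists.
    status and name match exactly; created_on is a ranged filter, so it
    takes a comparison operator. '+' joins FQL terms with AND.
    """
    terms: List[str] = []
    if status:
        terms.append(f"status:'{status}'")
    if name:
        terms.append(f"name:'{name}'")
    if created_after:
        terms.append(f"created_on:>'{created_after}'")
    return "+".join(terms)


def iter_rule_ids(query_rules: Callable[..., Dict], fql: str,
                  page_size: int = 100) -> Iterator[str]:
    """Page through query_rules via offset/limit until every ID is seen.
    query_rules is any callable with falcon.query_rules' keyword signature
    that returns the FalconPy envelope {"status_code", "body"}, where body
    carries meta.pagination.total, resources and errors.
    """
    offset = 0
    while True:
        resp = query_rules(filter=fql, offset=offset, limit=page_size)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query_rules failed: {resp['body'].get('errors')}")
        ids = resp["body"].get("resources") or []
        yield from ids
        offset += len(ids)
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total", 0)
        if not ids or offset >= total:  # an empty page guards against a stale total
            break


class FakeCorrelationRules:
    """Constructed stand-in (not the SDK) that answers like query_rules."""
    def __init__(self, rule_ids: List[str]):
        self.rule_ids, self.calls = rule_ids, []

    def query_rules(self, filter: str = "", offset: int = 0, limit: int = 100, **_):
        self.calls.append((filter, offset, limit))
        page = self.rule_ids[offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit, "total": len(self.rule_ids)}}
        return {"status_code": 200, "body": {"meta": meta, "resources": page, "errors": []}}
```

With a real client, pass `falcon.query_rules` in place of `fake.query_rules` and hand the collected IDs to `get_rules` in batches.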