Correlation Rules - CrowdStrike/falconpy GitHub Wiki

Using the Correlation Rules service collection

Table of Contents

| Operation ID | PEP8 method name | Description |
| --- | --- | --- |
| aggregates_rule_versions_post_v1 | aggregate_rule_versions | Get rules aggregates as specified via json in the request body. |
| combined_rules_get_v1 | get_rules_combined | Find all rules matching the query and filter. |
| combined_rules_get_v2 | get_rules_combined_v2 | Find all rules matching the query and filter. |
| entities_latest_rules_get_v1 | get_latest_rule_versions | Retrieve latest rule versions by rule IDs. |
| entities_rule_versions_export_post_v1 | export_rule | Export rule versions. |
| entities_rule_versions_import_post_v1 | import_rule | Import rule versions. |
| entities_rule_versions_publish_patch_v1 | publish_rule_version | Publish existing rule version. |
| entities_rule_versions_delete_v1 | delete_rule_versions | Delete versions by IDs. |
| entities_rules_get_v1 | get_rules | Retrieve rules by IDs. |
| entities_rules_post_v1 | create_rule | Create a correlation rule. |
| entities_rules_delete_v1 | delete_rules | Delete rules by IDs. |
| entities_rules_patch_v1 | update_rule | Update a correlation rule. |
| entities_rules_get_v2 | get_rules_v2 | Retrieve rule versions by IDs. |
| queries_rules_get_v1 | query_rules | Find all rule IDs matching the query and filter. |
| queries_rules_get_v2 | query_rules_v2 | Find all rule version IDs matching the query and filter. |

aggregates_rule_versions_post_v1

Get rules aggregates as specified via json in the request body.

PEP8 method name

aggregate_rule_versions

Endpoint

| Method | Route |
| --- | --- |
| POST | /correlation-rules/aggregates/rule-versions/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload provided as a dictionary. |
| filter | ✓ | ✓ | query | string | FQL query specifying the filter parameters. |
| ids | ✓ | ✓ | query | string or list of strings | Correlation rule IDs. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregate_rule_versions(body=body_payload, filter="string", ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregates_rule_versions_post_v1(body=body_payload, filter="string", ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("aggregates_rule_versions_post_v1", body=body_payload, filter="string", ids=id_list)

print(response)

combined_rules_get_v1

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined

Endpoint

| Method | Route |
| --- | --- |
| GET | /correlation-rules/combined/rules/v1 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | ✓ | ✓ | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | ✓ | ✓ | query | string | Match query criteria, which includes all the filter string fields. |
| sort | ✓ | ✓ | query | string | Rule property to sort on. |
| offset | ✓ | ✓ | query | integer | Starting index of overall result set from which to return IDs. |
| limit | ✓ | ✓ | query | integer | Number of IDs to return. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined(filter="string",
                                     q="string",
                                     sort="string",
                                     offset=integer,
                                     limit=integer
                                     )
print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v1(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

combined_rules_get_v2

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined_v2

Endpoint

| Method | Route |
| --- | --- |
| GET | /correlation-rules/combined/rules/v2 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | ✓ | ✓ | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | ✓ | ✓ | query | string | Match query criteria, which includes all the filter string fields. |
| sort | ✓ | ✓ | query | string | Rule property to sort on. |
| offset | ✓ | ✓ | query | integer | Starting index of overall result set from which to return IDs. |
| limit | ✓ | ✓ | query | integer | Number of IDs to return. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
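Paging through the combined rules search (v1 and v2 take the same keywords), as an added example that is not code from the falconpy wiki or library: it composes the FQL filter from the fields listed above and walks offset/limit until the server's reported total is reached. It assumes the standard falconpy response dictionary (status_code, body.meta.pagination.total, body.resources); FakeCorrelationRules is a constructed stand-in so the walk runs offline, and a real CorrelationRules instance can be passed in its place.

```python
"""Filter-and-page walk over the combined Correlation Rules search.

Added example, not code from the falconpy wiki or library. Assumes the standard falconpy
response dictionary (status_code, body.meta.pagination.total, body.resources). The filter
string follows FQL conventions (field:'value', ranged field:>'value', terms joined by '+').
FakeCorrelationRules is a constructed offline stand-in for falconpy.CorrelationRules.
"""
from typing import Any, Dict, Iterator, List, Optional


def _quote(value: str) -> str:
    # Strip single quotes so a caller-supplied value cannot close the FQL term early.
    return value.replace("'", "")


def build_rule_filter(status: Optional[str] = None,
                      name: Optional[str] = None,
                      created_after: Optional[str] = None,
                      last_updated_after: Optional[str] = None) -> str:
    """Compose an FQL filter from the fields the combined endpoint accepts.

    status and name are exact-match filters; created_on and last_updated_on are the
    ranged filters, so they take a comparison operator.
    """
    parts: List[str] = []
    if status:
        parts.append(f"status:'{_quote(status)}'")
    if name:
        parts.append(f"name:'{_quote(name)}'")
    if created_after:
        parts.append(f"created_on:>'{_quote(created_after)}'")
    if last_updated_after:
        parts.append(f"last_updated_on:>'{_quote(last_updated_after)}'")
    return "+".join(parts)


def iter_rules(falcon: Any, fql: str, page_size: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield every matching rule, advancing offset by the page actually returned
    until the server-reported total is reached (or a page comes back empty)."""
    offset = 0
    while True:
        response = falcon.get_rules_combined(filter=fql, offset=offset, limit=page_size)
        if response["status_code"] != 200:
            raise RuntimeError(f"combined rules query failed: {response['body'].get('errors')}")
        body = response["body"]
        resources = body.get("resources") or []
        yield from resources
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(resources)
        if not resources or offset >= total:
            break


def collect_rules(falcon: Any, fql: str, page_size: int = 100) -> List[Dict[str, Any]]:
    """Materialise the walk into a list (handy for small tenants and for testing)."""
    return list(iter_rules(falcon, fql, page_size))


class FakeCorrelationRules:
    """Constructed offline stand-in that honours only the status:'...' term and paging."""

    def __init__(self, rules: List[Dict[str, Any]]):
        self._rules = rules
        self.calls: List[Dict[str, Any]] = []  # records each page request for inspection

    def get_rules_combined(self, filter: str = "", offset: int = 0, limit: int = 100, **_):
        self.calls.append({"filter": filter, "offset": offset, "limit": limit})
        wanted = None
        for term in filter.split("+"):
            if term.startswith("status:'") and term.endswith("'"):
                wanted = term[len("status:'"):-1]
        matched = [r for r in self._rules if wanted is None or r["status"] == wanted]
        page = matched[offset:offset + limit]
        pagination = {"offset": offset, "limit": limit, "total": len(matched)}
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": pagination}, "resources": page, "errors": []}}


# Constructed sample tenant: rules 1, 3 and 5 are active, 2 and 4 are disabled.
SAMPLE_RULES = [
    {"id": f"rule-{i}", "name": f"Example rule {i}", "status": "active" if i % 2 else "disabled"}
    for i in range(1, 6)
]

if __name__ == "__main__":
    client = FakeCorrelationRules(SAMPLE_RULES)
    fql = build_rule_filter(status="active", created_after="2025-01-01T00:00:00Z")
    for rule in collect_rules(client, fql, page_size=2):
        print(rule["id"], rule["name"])
    print(f"{len(client.calls)} page requests")
```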

entities_latest_rules_get_v1

Retrieve latest rule versions by rule IDs.

PEP8 method name

get_latest_rule_versions

Endpoint

| Method | Route |
| --- | --- |
| GET | /correlation-rules/entities/latest-rules/v1 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
| rule_ids | ✓ | ✓ | query | string or list of strings | The rule IDs to retrieve. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_latest_rule_versions(rule_ids=rule_id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_latest_rules_get_v1(rule_ids=rule_id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_id_list = ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_latest_rules_get_v1", rule_ids=rule_id_list)

print(response)

entities_rule_versions_export_post_v1

Export rule versions.

PEP8 method name

export_rule

Endpoint

| Method | Route |
| --- | --- |
| POST | /correlation-rules/entities/rule-versions/export/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload provided as a dictionary. |
| filter | ✓ | ✓ | body | string | Filter to use for export. |
| get_latest | ✓ | ✓ | body | boolean | Flag indicating if the latest rule version should be exported. |
| report_format | ✓ | ✓ | body | string | Format to use for rule export. |
| search | ✓ | ✓ | body | dictionary | Rule search to perform. Overrides filter and sort keywords. |
| sort | ✓ | ✓ | body | string | Sort to use for rule export. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.export_rule(filter="string",
                              get_latest=boolean,
                              report_format="string",
                              sort="string"
                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_export_post_v1(filter="string",
                                                        get_latest=boolean,
                                                        report_format="string",
                                                        sort="string"
                                                        )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "get_latest": boolean,
  "report_format": "string",
  "search": {
    "filter": "string",
    "sort": "string"
  }
}

response = falcon.command("entities_rule_versions_export_post_v1", body=body_payload)

print(response)

entities_rule_versions_import_post_v1

Import rule versions.

PEP8 method name

import_rule

Endpoint

| Method | Route |
| --- | --- |
| POST | /correlation-rules/entities/rule-versions/import/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Rule to be imported. Not required if using the rule keyword. |
| rule | ✓ | ✓ | body | dictionary | Rule to be imported (Service Class only). |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.import_rule(rule=rule_json)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.entities_rule_versions_import_post_v1(rule=rule_json)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.command("entities_rule_versions_import_post_v1", body=body_payload)

print(response)

entities_rule_versions_publish_patch_v1

Publish existing rule version.

PEP8 method name

publish_rule_version

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /correlation-rules/entities/rule-versions/publish/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload provided as a dictionary. |
| id | ✓ | ✓ | body | string | Correlation rule version ID to publish. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.publish_rule_version(id="string")

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_publish_patch_v1(id="string")

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "id": "string"
}

response = falcon.command("entities_rule_versions_publish_patch_v1", body=body_payload)

print(response)

entities_rule_versions_delete_v1

Delete versions by IDs.

PEP8 method name

delete_rule_versions

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /correlation-rules/entities/rule-versions/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | ✓ | ✓ | query | string or list of strings | The rule version IDs to be deleted. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_versions(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rule_versions_delete_v1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rule_versions_delete_v1", ids=id_list)

print(response)

entities_rules_get_v1

Retrieve rules by IDs.

PEP8 method name

get_rules

Endpoint

| Method | Route |
| --- | --- |
| GET | /correlation-rules/entities/rules/v1 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | ✓ | ✓ | query | string or list of strings | The rule IDs to be retrieved. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v1", ids=id_list)

print(response)

entities_rules_get_v2

Retrieve rule versions by IDs.

PEP8 method name

get_rules_v2

Endpoint

| Method | Route |
| --- | --- |
| GET | /correlation-rules/entities/rules/v2 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | ✓ | ✓ | query | string or list of strings | The rule IDs to be retrieved. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_v2(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v2(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v2", ids=id_list)

print(response)

entities_rules_post_v1

Create a correlation rule.

PEP8 method name

create_rule

Endpoint

| Method | Route |
| --- | --- |
| POST | /correlation-rules/entities/rules/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload provided as a dictionary. |
| comment | ✓ | ✓ | body | string | Correlation rule comment. |
| customer_id | ✓ | ✓ | body | string | CID for the tenant. |
| description | ✓ | ✓ | body | string | Correlation rule description. |
| name | ✓ | ✓ | body | string | Correlation rule name. |
| notifications | ✓ | ✓ | body | list of dictionaries | List of notifications to implement. |
| operation | ✓ | ✓ | body | dictionary | Operation to perform. |
| search | ✓ | ✓ | body | dictionary | Search to perform. |
| severity | ✓ | ✓ | body | integer | Correlation severity. |
| status | ✓ | ✓ | body | string | Correlation rule status. |
| tactic | ✓ | ✓ | body | string | Identified tactic. |
| technique | ✓ | ✓ | body | string | Identified technique. |
| trigger_on_create | ✓ | ✓ | body | boolean | Flag indicating if the rule triggers on creation. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.create_rule(comment="string",
                              customer_id="string",
                              description="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_post_v1(comment="string",
                                         customer_id="string",
                                         description="string",
                                         name="string",
                                         notifications=notifications_list,
                                         operation=operation_dictionary,
                                         search=search_dictionary,
                                         severity=integer,
                                         status="string",
                                         tactic="string",
                                         technique="string",
                                         trigger_on_create=boolean
                                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}

response = falcon.command("entities_rules_post_v1", body=body_payload)

print(response)
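Assembling and checking the create_rule body before it is sent (update_rule takes the same body plus id), as an added example that is not code from the falconpy wiki or library. The local checks (non-empty name and search fields, integer severity, start_on before stop_on, ISO-8601 timestamps) are assumptions about what a coherent rule needs rather than documented server-side validation, and the sample search, schedule and status values are constructed placeholders.

```python
"""Assemble and sanity-check a create_rule / update_rule body before it is sent.

Added example, not code from the falconpy wiki or library. The body keys mirror the
keyword table above (update_rule takes the same body plus id). The checks are local
assumptions about what a coherent rule needs, not CrowdStrike's server-side validation;
the sample values for search, schedule and status are constructed placeholders.
"""
from datetime import datetime
from typing import Any, Dict, List, Optional

REQUIRED_SEARCH_KEYS = ("filter", "lookback", "outcome", "trigger_mode")


def build_rule_body(name: str, description: str, search: Dict[str, str],
                    operation: Dict[str, Any], severity: int, status: str,
                    tactic: str = "", technique: str = "", comment: str = "",
                    notifications: Optional[List[Dict[str, Any]]] = None,
                    trigger_on_create: bool = False,
                    rule_id: Optional[str] = None) -> Dict[str, Any]:
    """Return the dictionary the Uber class posts as body; rule_id adds the id update_rule needs."""
    body: Dict[str, Any] = {
        "name": name, "description": description, "comment": comment,
        "search": search, "operation": operation, "severity": severity,
        "status": status, "tactic": tactic, "technique": technique,
        "notifications": notifications or [], "trigger_on_create": trigger_on_create,
    }
    if rule_id is not None:
        body["id"] = rule_id
    return body


def _parse_ts(value: str) -> datetime:
    # The wiki examples end in 'Z'; fromisoformat() before Python 3.11 rejects that suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_rule_body(body: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the body is ready to send."""
    problems: List[str] = []
    for key in ("name", "description", "status"):
        if not isinstance(body.get(key), str) or not body[key].strip():
            problems.append(f"{key} must be a non-empty string")
    severity = body.get("severity")
    if isinstance(severity, bool) or not isinstance(severity, int) or severity < 0:
        problems.append("severity must be a non-negative integer")
    if not isinstance(body.get("trigger_on_create"), bool):
        problems.append("trigger_on_create must be a boolean")
    search = body.get("search")
    if not isinstance(search, dict):
        problems.append("search must be a dictionary")
    else:
        for key in REQUIRED_SEARCH_KEYS:
            if not search.get(key):
                problems.append(f"search.{key} is missing or empty")
    operation = body.get("operation")
    if not isinstance(operation, dict):
        problems.append("operation must be a dictionary with schedule, start_on and stop_on")
    else:
        schedule = operation.get("schedule")
        if not isinstance(schedule, dict) or not schedule.get("definition"):
            problems.append("operation.schedule.definition is missing")
        try:
            if _parse_ts(operation["start_on"]) >= _parse_ts(operation["stop_on"]):
                problems.append("operation.start_on must be earlier than operation.stop_on")
        except (KeyError, ValueError, TypeError, AttributeError):
            problems.append("operation.start_on and stop_on must be ISO-8601 timestamps")
    for i, note in enumerate(body.get("notifications") or []):
        if not isinstance(note, dict) or not note.get("type") or not isinstance(note.get("config"), dict):
            problems.append(f"notifications[{i}] needs a type and a config dictionary")
    return problems


# Constructed sample rule; every value below is a placeholder, not a documented vocabulary.
SAMPLE_BODY = build_rule_body(
    name="Example rule (constructed)",
    description="Demonstrates the body shape expected by create_rule.",
    search={"filter": "example search filter (placeholder)", "lookback": "1h",
            "outcome": "example outcome (placeholder)", "trigger_mode": "example mode (placeholder)"},
    operation={"schedule": {"definition": "example schedule (placeholder)"},
               "start_on": "2025-02-12T02:11:22.284Z", "stop_on": "2025-03-12T02:11:22.284Z"},
    severity=2, status="example status (placeholder)", tactic="Example tactic",
    technique="Example technique", comment="Initial version",
)

if __name__ == "__main__":
    issues = validate_rule_body(SAMPLE_BODY)
    print("ready to send" if not issues else "\n".join(issues))
    # With credentials: falcon.create_rule(body=SAMPLE_BODY) on a CorrelationRules instance.
```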

entities_rules_delete_v1

Delete rules by IDs.

PEP8 method name

delete_rules

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /correlation-rules/entities/rules/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | ✓ | ✓ | query | string or list of strings | The rule IDs to be deleted. |
| parameters | ✓ | ✓ | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_delete_v1(ids=id_list)

print(response)
Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_delete_v1", ids=id_list)

print(response)

entities_rules_patch_v1

Update a correlation rule.

PEP8 method name

update_rule

Endpoint

| Method | Route |
| --- | --- |
| PATCH | /correlation-rules/entities/rules/v1 |

Required Scope

correlation-rules:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

| Name | Service class | Uber class | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| body | ✓ | ✓ | body | dictionary | Full body payload provided as a dictionary. |
| comment | ✓ | ✓ | body | string | Correlation rule comment. |
| customer_id | ✓ | ✓ | body | string | CID for the tenant. |
| description | ✓ | ✓ | body | string | Correlation rule description. |
| id | ✓ | ✓ | body | string | Correlation rule ID to update. |
| name | ✓ | ✓ | body | string | Correlation rule name. |
| notifications | ✓ | ✓ | body | list of dictionaries | List of notifications to implement. |
| operation | ✓ | ✓ | body | dictionary | Operation to perform. |
| search | ✓ | ✓ | body | dictionary | Search to perform. |
| severity | ✓ | ✓ | body | integer | Correlation severity. |
| status | ✓ | ✓ | body | string | Correlation rule status. |
| tactic | ✓ | ✓ | body | string | Identified tactic. |
| technique | ✓ | ✓ | body | string | Identified technique. |
| trigger_on_create | ✓ | ✓ | body | boolean | Flag indicating if the rule triggers on creation. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.update_rule(comment="string",
                              customer_id="string",
                              description="string",
                              id="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)

Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_patch_v1(comment="string",
                                          customer_id="string",
                                          description="string",
                                          id="string",
                                          name="string",
                                          notifications=notifications_list,
                                          operation=operation_dictionary,
                                          search=search_dictionary,
                                          severity=integer,
                                          status="string",
                                          tactic="string",
                                          technique="string",
                                          trigger_on_create=boolean
                                          )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [{
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "id": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}]

response = falcon.command("entities_rules_patch_v1", body=body_payload)

print(response)
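The three examples above send whatever values you hand them straight to the API. Because an update is applied to an existing, possibly already-running rule, it is worth checking the payload locally first. The following is an added example, not falconpy's own code: it assembles the keyword arguments for update_rule() from only the fields you actually want to change, and rejects the mistakes that are cheap to catch before the round trip (a non-integer severity, an operation window whose start_on is not before stop_on, a notification with no recipients). The keyword names come from the table above; the sample values are constructed placeholders, and no API call is made.

```python
"""Build and sanity-check an entities_rules_patch_v1 payload before sending it.

Added example; not falconpy's own code. It assumes the keyword names shown in
the Keyword Arguments table (id, severity, operation.start_on / stop_on,
notifications) and only checks shape locally; it makes no API call.
"""
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


def _parse_iso8601(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SS.fffZ' form used in the wiki examples."""
    # fromisoformat() in Python < 3.11 does not accept a trailing 'Z'.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def build_update_payload(rule_id: str, **changes: Any) -> Dict[str, Any]:
    """Return a dict of keyword arguments for CorrelationRules.update_rule().

    Only keys whose value is not None are included, so callers can express a
    partial update. Raises ValueError on mistakes that can be caught locally.
    """
    if not rule_id:
        raise ValueError("rule_id is required for an update")
    payload: Dict[str, Any] = {"id": rule_id}
    for key, value in changes.items():
        if value is not None:
            payload[key] = value

    # severity is documented as an integer; bool is an int subclass, so exclude it.
    severity = payload.get("severity")
    if severity is not None and (isinstance(severity, bool) or not isinstance(severity, int)):
        raise ValueError("severity must be an integer")

    # The operation window must be ordered, otherwise the rule never runs.
    operation = payload.get("operation")
    if operation is not None:
        start = operation.get("start_on")
        stop = operation.get("stop_on")
        if start and stop and _parse_iso8601(start) >= _parse_iso8601(stop):
            raise ValueError("operation.start_on must be earlier than operation.stop_on")

    # Each notification needs a type, a config and at least one recipient.
    notifications: Optional[List[Dict[str, Any]]] = payload.get("notifications")
    if notifications is not None:
        for idx, item in enumerate(notifications):
            if "type" not in item or "config" not in item:
                raise ValueError(f"notifications[{idx}] needs 'type' and 'config'")
            if not item["config"].get("recipients"):
                raise ValueError(f"notifications[{idx}].config.recipients is empty")
    return payload


if __name__ == "__main__":
    # Constructed sample values; the rule ID and schedule definition are placeholders.
    payload = build_update_payload(
        "rule-id-placeholder",
        name="Suspicious RDP lateral movement",
        severity=3,
        operation={
            "schedule": {"definition": "schedule-definition-placeholder"},
            "start_on": "2025-02-12T02:11:22.284Z",
            "stop_on": "2025-03-12T02:11:22.284Z",
        },
    )
    print(payload)
    # With a real client:
    # from falconpy import CorrelationRules
    # falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # response = falcon.update_rule(**payload)
```

The returned dict can be splatted into update_rule() or entities_rules_patch_v1() as shown in the service class examples; for the Uber class, wrap it in a list as the body payload above does.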

queries_rules_get_v1

Find all rule IDs matching the query and filter.

PEP8 method name

query_rules

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /correlation-rules/queries/rules/v1 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :---: | :---: | :---- | :---- | :---- |
| filter | Service Class Support | Uber Class Support | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | Service Class Support | Uber Class Support | query | string | Match query criteria, which includes all the filter string fields. |
| sort | Service Class Support | Uber Class Support | query | string | Rule property to sort on. |
| offset | Service Class Support | Uber Class Support | query | integer | Starting index of overall result set from which to return IDs. |
| limit | Service Class Support | Uber Class Support | query | integer | Number of IDs to return. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules(filter="string",
                              q="string",
                              sort="string",
                              offset=integer,
                              limit=integer
                              )
print(response)

Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v1(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

queries_rules_get_v2

Find all rule version IDs matching the query and filter.

PEP8 method name

query_rules_v2

Endpoint

| Method | Route |
| :---- | :---- |
| GET | /correlation-rules/queries/rules/v2 |

Required Scope

correlation-rules:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| :---- | :---: | :---: | :---- | :---- | :---- |
| filter | Service Class Support | Uber Class Support | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | Service Class Support | Uber Class Support | query | string | Match query criteria, which includes all the filter string fields. |
| sort | Service Class Support | Uber Class Support | query | string | Rule property to sort on. |
| offset | Service Class Support | Uber Class Support | query | integer | Starting index of overall result set from which to return IDs. |
| limit | Service Class Support | Uber Class Support | query | integer | Number of IDs to return. |
| parameters | Service Class Support | Uber Class Support | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |

Usage

Service class example (PEP8 syntax)
from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules_v2(filter="string",
                                 q="string",
                                 sort="string",
                                 offset=integer,
                                 limit=integer
                                 )
print(response)

Service class example (Operation ID syntax)
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v2(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
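Both queries_rules_get_v1 and queries_rules_get_v2 take the same filter, sort, offset and limit keywords, and a single call returns only one page of IDs. The following added example (not falconpy's own code) shows the two pieces a practitioner needs on top of the snippets above: an FQL builder restricted to the filter fields the tables list, with range support for the ranged fields, and an offset/limit loop that walks every page. The query function is injected so the loop runs offline against a constructed stand-in; the response envelope it expects (body.meta.pagination.total plus body.resources) is the usual Falcon API shape and is an assumption here rather than something the page states.

```python
"""Page through every rule ID returned by queries_rules_get_v1 / v2.

Added example; not falconpy's own code. The query function is injected so the
logic can be exercised offline against a constructed stand-in. The response
envelope (body.meta.pagination.total and body.resources) is assumed.
"""
from typing import Any, Callable, Dict, Iterable, List, Optional

QueryFn = Callable[..., Dict[str, Any]]

# Filter fields from the Keyword Arguments tables above.
ALLOWED_FILTERS = {"customer_id", "user_id", "user_uuid", "status", "name",
                   "created_on", "last_updated_on"}
RANGED_FILTERS = {"created_on", "last_updated_on"}


def build_fql(**terms: Any) -> str:
    """Build an FQL filter string from keyword terms.

    Equality terms become field:'value'; for ranged fields a (low, high) tuple
    becomes field:>='low'+field:<='high'. Unknown fields and values containing
    a single quote are rejected so a typo is caught locally instead of
    silently matching nothing.
    """
    clauses: List[str] = []
    for field, value in terms.items():
        if field not in ALLOWED_FILTERS:
            raise ValueError(f"{field} is not a supported filter")
        if isinstance(value, tuple):
            if field not in RANGED_FILTERS:
                raise ValueError(f"{field} does not support ranges")
            low, high = value
            clauses.append(f"{field}:>='{low}'")
            clauses.append(f"{field}:<='{high}'")
        else:
            if "'" in str(value):
                raise ValueError(f"unsupported quote character in value for {field}")
            clauses.append(f"{field}:'{value}'")
    return "+".join(clauses)


def iter_rule_ids(query: QueryFn, fql: str, page_size: int = 100,
                  sort: Optional[str] = None) -> Iterable[str]:
    """Yield every rule ID matching `fql`, walking offset/limit pages."""
    offset = 0
    while True:
        kwargs: Dict[str, Any] = {"filter": fql, "offset": offset, "limit": page_size}
        if sort:
            kwargs["sort"] = sort
        response = query(**kwargs)
        if response.get("status_code") != 200:
            raise RuntimeError(f"query failed: {response.get('body', {}).get('errors')}")
        body = response["body"]
        resources = body.get("resources") or []
        yield from resources
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(resources)
        if not resources or offset >= total:
            break


def collect_rule_ids(client: Any, fql: str, page_size: int = 100) -> List[str]:
    """Collect all IDs using a client exposing query_rules() (real or fake)."""
    return list(iter_rule_ids(client.query_rules, fql, page_size=page_size))


class FakeCorrelationRules:
    """Constructed offline stand-in for CorrelationRules.query_rules()."""

    def __init__(self, ids: List[str]) -> None:
        self.ids = ids
        self.calls = 0

    def query_rules(self, filter: str = "", offset: int = 0, limit: int = 100,
                    sort: Optional[str] = None, q: Optional[str] = None) -> Dict[str, Any]:
        self.calls += 1
        page = self.ids[offset:offset + limit]
        return {"status_code": 200, "headers": {},
                "body": {"meta": {"pagination": {"offset": offset, "limit": limit,
                                                  "total": len(self.ids)}},
                         "resources": page, "errors": []}}


if __name__ == "__main__":
    fql = build_fql(name="Suspicious RDP lateral movement",
                    created_on=("2025-01-01T00:00:00Z", "2025-02-01T00:00:00Z"))
    fake = FakeCorrelationRules([f"rule-{i}" for i in range(7)])  # constructed IDs
    print(fql)
    print(collect_rule_ids(fake, fql, page_size=3), "calls:", fake.calls)
    # With a real client the same loop applies:
    # falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    # ids = collect_rule_ids(falcon, fql)
```

For the v2 endpoint, pass falcon.query_rules_v2 to iter_rule_ids() instead; the paging logic is unchanged because the keywords and envelope are the same.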