Edit FalconCorrelationRule - CrowdStrike/psfalcon GitHub Wiki
Modify Falcon NGSIEM correlation rules
Requires 'Correlation Rules: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Id | String | Correlation 'rule_id' (specific version) | X | ||||
| Name | String | Correlation rule name | X | ||||
| Description | String | Correlation rule description | X | ||||
| MitreAttack | Object[] | An object containing MITRE ATT&CK 'tactic_id' and 'technique_id' | X | ||||
| Severity | Int32 | Correlation rule severity |
1030507090
|
X | |||
| Search | Object | An object containing 'search' properties ('filter', 'lookback', 'outcome', 'trigger_mode', 'use_ingest_time') | X | ||||
| Operation | Object | An object containing 'operation' properties ('schedule', 'start_on', 'stop_on') | X | ||||
| Status | String | Correlation rule status |
activeinactive
|
X | |||
| State | String | Correlation rule state |
publishedunpublished
|
X | |||
| Notification | Object[] | An object containing 'notifications' properties ('config', 'options', 'type') | X | ||||
| Comment | String | Audit log comment | X |
Edit-FalconCorrelationRule [-Id] <String> [[-Name] <String>] [[-Description] <String>] [[-MitreAttack] <Object[]>] [[-Severity] <Int32>] [[-Search] <Object>] [[-Operation] <Object>] [[-Status] <String>] [[-State] <String>] [[-Notification] <Object[]>] [[-Comment] <String>] [-WhatIf] [-Confirm] [<CommonParameters>]PATCH /correlation-rules/entities/rules/v1
2025-08-05: PSFalcon v2.2.9
