New FalconCorrelationRule - CrowdStrike/psfalcon GitHub Wiki
Create Falcon NGSIEM correlation rules
Requires 'Correlation Rules: Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| Name | String | Correlation rule name | | | | | X |
| Description | String | Correlation rule description | | | | | X |
| Cid | String | Customer identifier | | | | | X |
| MitreAttack | Object[] | An object containing MITRE ATT&CK 'tactic_id' and 'technique_id' | | | | | X |
| Severity | Int32 | Correlation rule severity | | | 10, 30, 50, 70, 90 | | X |
| Search | Object | An object containing 'search' properties ('filter', 'lookback', 'outcome', 'trigger_mode', 'use_ingest_time') | | | | | X |
| Operation | Object | An object containing 'operation' properties ('schedule', 'start_on', 'stop_on') | | | | | X |
| Status | String | Correlation rule status | | | active, inactive | | X |
| TemplateId | String | Correlation rule template identifier | | | | | X |
| Notification | Object[] | An object containing 'notifications' properties ('config', 'options', 'type') | | | | | X |
| TriggerOnCreate | Boolean | Trigger correlation rule upon creation | | | | | |
| Comment | String | Audit log comment | | | | | |
New-FalconCorrelationRule [-Name] <String> [[-Description] <String>] [[-Cid] <String>] [[-MitreAttack] <Object[]>] [-Severity] <Int32> [-Search] <Object> [-Operation] <Object> [-Status] <String> [[-TemplateId] <String>] [[-Notification] <Object[]>] [[-TriggerOnCreate] <Boolean>] [[-Comment] <String>] [-WhatIf] [-Confirm] [<CommonParameters>]

POST /correlation-rules/entities/rules/v1
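As an added example that is not part of this wiki page or the PSFalcon project, the following PowerShell builds the nested objects named in the parameter table and previews the call with -WhatIf before anything is submitted. Only the parameter names and nested property names come from the table; every value (the query text, lookback, outcome, trigger_mode, schedule, timestamps and notification settings) is an assumption chosen for illustration.

```powershell
# Added example, not PSFalcon project code. Nested property names follow the
# parameter table on this page; all values below are assumptions for illustration.
Import-Module PSFalcon

# Authenticate with your own API client first (placeholders, not real credentials):
# Request-FalconToken -ClientId '<CLIENT_ID>' -ClientSecret '<CLIENT_SECRET>'

# MitreAttack: one object per mapped tactic/technique pair
$Mitre = @(
  @{ tactic_id = 'TA0006'; technique_id = 'T1110' }   # Credential Access / Brute Force
)

# Search: the query and how often it fires. The filter is a constructed sample
# query, not a tested detection; lookback/outcome/trigger_mode formats are assumed.
$Search = @{
  filter          = '#event_simpleName=UserLogonFailed2 | groupBy([aid, UserName]) | count() > 20'
  lookback        = '1h'
  outcome         = 'incident'
  trigger_mode    = 'summary'
  use_ingest_time = $false
}

# Operation: scheduling window (assumed formats; stop_on omitted so the rule stays active)
$Operation = @{
  schedule = @{ definition = '0 * * * *' }          # assumed cron-style hourly run
  start_on = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
}

# Notification: one object per delivery channel (assumed type/config/options shape)
$Notify = @(
  @{ type = 'email'; config = @{ recipients = @('soc@example.com') }; options = @{} }
)

# Splat the parameters; Severity and Status use values from the table's Allowed column.
# Status starts 'inactive' so results can be reviewed before the rule goes live.
$Param = @{
  Name         = 'Repeated failed logons per host'
  Description  = 'Flags a host/user pair with more than 20 failed logons in one hour'
  Severity     = 50
  Status       = 'inactive'
  MitreAttack  = $Mitre
  Search       = $Search
  Operation    = $Operation
  Notification = $Notify
  Comment      = 'Initial draft from detection-engineering review'
}

# -WhatIf shows the request that would be sent without creating the rule.
New-FalconCorrelationRule @Param -WhatIf
```

Drop -WhatIf to submit the POST /correlation-rules/entities/rules/v1 request; because Status is 'inactive', the rule can then be reviewed and enabled separately rather than firing on creation.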
2025-08-05: PSFalcon v2.2.9
