New FalconCorrelationRule - CrowdStrike/psfalcon GitHub Wiki

New-FalconCorrelationRule

SYNOPSIS

Create Falcon NGSIEM correlation rules

DESCRIPTION

Requires 'Correlation Rules: Write'.

PARAMETERS

| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Name | String | Correlation rule name | | | | | X |
| Description | String | Correlation rule description | | | | | X |
| Cid | String | Customer identifier | | | | | X |
| MitreAttack | Object[] | An object containing MITRE ATT&CK 'tactic_id' and 'technique_id' | | | | | X |
| Severity | Int32 | Correlation rule severity | | | 10, 30, 50, 70, 90 | | X |
| Search | Object | An object containing 'search' properties ('filter', 'lookback', 'outcome', 'trigger_mode', 'use_ingest_time') | | | | | X |
| Operation | Object | An object containing 'operation' properties ('schedule', 'start_on', 'stop_on') | | | | | X |
| Status | String | Correlation rule status | | | active, inactive | | X |
| TemplateId | String | Correlation rule template identifier | | | | | X |
| Notification | Object[] | An object containing 'notifications' properties ('config', 'options', 'type') | | | | | X |
| TriggerOnCreate | Boolean | Trigger correlation rule upon creation | | | | | |
| Comment | String | Audit log comment | | | | | |

SYNTAX

New-FalconCorrelationRule [-Name] <String> [[-Description] <String>] [[-Cid] <String>] [[-MitreAttack] <Object[]>] [-Severity] <Int32> [-Search] <Object> [-Operation] <Object> [-Status] <String> [[-TemplateId] <String>] [[-Notification] <Object[]>] [[-TriggerOnCreate] <Boolean>] [[-Comment] <String>] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

POST /correlation-rules/entities/rules/v1

falconpy

entities_rules_post_v1

USAGE

2025-08-05: PSFalcon v2.2.9
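The following is an added example of building the nested objects this command expects and creating a rule in a reviewable way; it is not from the PSFalcon wiki or the PSFalcon project. Only the property names inside each object (`tactic_id`, `technique_id`, `filter`, `lookback`, `outcome`, `trigger_mode`, `use_ingest_time`, `schedule`, `start_on`, `stop_on`, `config`, `options`, `type`) and the parameter names come from this page; every value is a constructed placeholder, and the angle-bracketed strings must be replaced with values your tenant's correlation-rule API accepts. The rule is created with `-Status inactive` so the query can be validated before it starts generating detections.

```powershell
# Added example; not part of the PSFalcon wiki. Property names come from the
# parameter table on this page; all values are constructed placeholders.

# MITRE ATT&CK mapping: one object per tactic/technique pair
$Mitre = @(
  @{ tactic_id = 'TA0002'; technique_id = 'T1059' }  # Execution / Command and Scripting Interpreter
)

# 'search' properties named on the page; values are assumptions
$Search = @{
  filter          = '<query defining the detection logic>'
  lookback        = '<lookback window>'
  outcome         = '<outcome>'
  trigger_mode    = '<trigger mode>'
  use_ingest_time = $false
}

# 'operation' properties named on the page; schedule value is an assumption
$Operation = @{
  schedule = '<schedule definition>'
  start_on = (Get-Date).ToUniversalTime().ToString('o')              # run from now
  stop_on  = (Get-Date).AddDays(30).ToUniversalTime().ToString('o')  # and expire in 30 days
}

# 'notifications' properties named on the page; values are assumptions
$Notification = @(
  @{ type = '<notification type>'; config = @{}; options = @{} }
)

# Splat the parameters so the full request is visible in one place for review
$Param = @{
  Name            = 'Example correlation rule (pending review)'
  Description     = 'Added example rule; validate the query before enabling'
  MitreAttack     = $Mitre
  Severity        = 50          # allowed: 10, 30, 50, 70, 90
  Search          = $Search
  Operation       = $Operation
  Status          = 'inactive'  # allowed: active, inactive; create disabled, enable after validation
  Notification    = $Notification
  TriggerOnCreate = $false      # do not trigger the rule at creation time
  Comment         = 'Created by detection-engineering script'  # audit log comment
}

# Dry run: -WhatIf shows the intended request without sending it
New-FalconCorrelationRule @Param -WhatIf

# Create the rule once the dry run looks correct
$Rule = New-FalconCorrelationRule @Param
$Rule
```

Because every parameter other than `TriggerOnCreate` and `Comment` accepts pipeline input by property name, the same hashtable can be converted to an object and piped (`[PSCustomObject]$Param | New-FalconCorrelationRule`) when creating several rules from a list. The `Correlation Rules: Write` scope noted above is required for the call to succeed.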
