

| Operation ID | Description |
| Find all rules matching the query and filter. |
| Retrieve rules by IDs. |
| Create a correlation rule. |
| Delete rules by IDs. |
| Update a correlation rule. |
| Find all rule IDs matching the query and filter. |
Find all rules matching the query and filter.
get_rules_combined
Method | Route |
 | /correlation-rules/combined/rules/v1 |

- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
filter |  |  | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
q |  |  | query | string | Match query criteria, which includes all the filter string fields. |
sort |  |  | query | string | Rule property to sort on. |
offset |  |  | query | integer | Starting index of overall result set from which to return IDs. |
limit |  |  | query | integer | Number of IDs to return. |
parameters |  |  | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
# Example: combined rule search (filter, free-text match, sort and paging in one call).
# CLIENT_ID / CLIENT_SECRET are placeholders for the API credentials; read them from
# the environment or a secrets store rather than embedding them in source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# "string" / integer are placeholders to replace: filter is an FQL expression, q a
# match string, sort a rule property name, offset/limit the page window (see the
# parameter table above).
response = falcon.get_rules_combined(filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Prints the raw response; in real code check it for an error status before using the body.
print(response)
# Same call as get_rules_combined, invoked through the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, never from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Placeholders: filter (FQL), q (match string), sort (rule property),
# offset/limit (integers for the page window).
response = falcon.combined_rules_get_v1(filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Uber-class form: APIHarnessV2.command() dispatches on the operation ID string;
# the keyword parameters match the service-class call above.
# CLIENT_ID / CLIENT_SECRET are placeholders — source them from the environment
# or a secrets store in real code.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# "string" / integer are placeholders for the query parameters documented above.
response = falcon.command("combined_rules_get_v1",
filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Raw response dump; check for an error status before consuming the body.
print(response)
Retrieve rules by IDs.
get_rules
Method | Route |
 | /correlation-rules/entities/rules/v1 |

- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids |  |  | query | string or list of strings | The rule IDs to be retrieved. |
parameters |  |  | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
# Example: fetch specific correlation rules by ID.
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, not from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids accepts either a comma-separated string or a list of IDs (sample values shown).
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_rules(ids=id_list)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Same as get_rules, called via the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders — keep real credentials out of source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids: comma-separated string or list of rule IDs (sample values shown).
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_rules_get_v1(ids=id_list)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Uber-class form of get_rules: command() takes the operation ID plus the same
# ids keyword. CLIENT_ID / CLIENT_SECRET are placeholders — load real credentials
# from the environment or a secrets store.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids: comma-separated string or list of rule IDs (sample values shown).
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_rules_get_v1", ids=id_list)
# Raw response dump; check for an error status before consuming the body.
print(response)
Create a correlation rule.
create_rule
Method | Route |
 | /correlation-rules/entities/rules/v1 |

- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body |  |  | body | dictionary | Full body payload provided as a dictionary. |
comment |  |  | body | string | Correlation rule comment. |
customer_id |  |  | body | string | CID for the tenant. |
description |  |  | body | string | Correlation rule description. |
name |  |  | body | string | Correlation rule name. |
notifications |  |  | body | list of dictionaries | List of notifications to implement. |
operation |  |  | body | dictionary | Operation to perform. |
search |  |  | body | dictionary | Search to perform. |
severity |  |  | body | integer | Correlation severity. |
status |  |  | body | string | Correlation rule status. |
tactic |  |  | body | string | Identified tactic. |
technique |  |  | body | string | Identified technique. |
trigger_on_create |  |  | body | boolean | Flag indicating if the rule triggers on creation. |
# Example: create a correlation rule with the service-class keyword interface.
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, never from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# notifications: list of notification dictionaries (see the parameter table).
# Every "string" below is a placeholder to replace with a real value.
notifications_list = [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
]
# operation: schedule definition plus start/stop timestamps. The sample values are
# ISO 8601 with a trailing "Z" (UTC); keep that form when substituting real times.
operation_dictionary = {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
}
# search: the query the rule evaluates (filter, lookback window, outcome, trigger mode).
search_dictionary = {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
}
# severity=integer and trigger_on_create=boolean are type placeholders, not valid
# Python — substitute an int and a bool before running.
response = falcon.create_rule(comment="string",
customer_id="string",
description="string",
name="string",
notifications=notifications_list,
operation=operation_dictionary,
search=search_dictionary,
severity=integer,
status="string",
tactic="string",
technique="string",
trigger_on_create=boolean
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Same as create_rule, called through the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders — keep real credentials out of source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# notifications: list of notification dictionaries; every "string" is a placeholder.
notifications_list = [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
]
# operation: schedule plus start/stop timestamps (sample values are ISO 8601 UTC, "Z" suffix).
operation_dictionary = {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
}
# search: filter, lookback window, outcome and trigger mode for the rule.
search_dictionary = {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
}
# severity=integer / trigger_on_create=boolean are type placeholders — replace
# with an int and a bool before running.
response = falcon.entities_rules_post_v1(comment="string",
customer_id="string",
description="string",
name="string",
notifications=notifications_list,
operation=operation_dictionary,
search=search_dictionary,
severity=integer,
status="string",
tactic="string",
technique="string",
trigger_on_create=boolean
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Uber-class form of create_rule: the whole request body is passed as one dictionary
# to command(). CLIENT_ID / CLIENT_SECRET are placeholders — load real credentials
# from the environment or a secrets store.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Keys mirror the body parameters in the table above; every "string" is a placeholder.
body_payload = {
"comment": "string",
"customer_id": "string",
"description": "string",
"name": "string",
"notifications": [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
],
# start_on / stop_on sample values are ISO 8601 UTC timestamps ("Z" suffix).
"operation": {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
},
"search": {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
},
# 0 is a sample severity; trigger_on_create's `boolean` is a type placeholder
# (not valid Python) — substitute True/False before running.
"severity": 0,
"status": "string",
"tactic": "string",
"technique": "string",
"trigger_on_create": boolean
}
response = falcon.command("entities_rules_post_v1", body=body_payload)
# Raw response dump; check for an error status before consuming the body.
print(response)
Delete rules by IDs.
delete_rules
Method | Route |
 | /correlation-rules/entities/rules/v1 |

- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
ids |  |  | query | string or list of strings | The rule IDs to be deleted. |
parameters |  |  | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
# Example: delete correlation rules by ID.
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, never from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids accepts a comma-separated string or a list (sample values shown). This is a
# destructive call — resolve and verify the IDs first (e.g. with get_rules above).
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_rules(ids=id_list)
# Raw response dump; check it for an error status to confirm the deletion was accepted.
print(response)
# Same as delete_rules, called through the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders — keep real credentials out of source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids: comma-separated string or list of rule IDs. Destructive — verify the IDs
# before sending (get_rules / query_rules are documented on this page).
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.entities_rules_delete_v1(ids=id_list)
# Raw response dump; check it for an error status to confirm the deletion was accepted.
print(response)
# Uber-class form of delete_rules: command() with the operation ID and the same
# ids keyword. CLIENT_ID / CLIENT_SECRET are placeholders — load real credentials
# from the environment or a secrets store.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# ids: comma-separated string or list of rule IDs. Destructive — verify the IDs first.
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("entities_rules_delete_v1", ids=id_list)
# Raw response dump; check it for an error status to confirm the deletion was accepted.
print(response)
Update a correlation rule.
update_rule
Method | Route |
 | /correlation-rules/entities/rules/v1 |

- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
body |  |  | body | dictionary | Full body payload provided as a dictionary. |
comment |  |  | body | string | Correlation rule comment. |
customer_id |  |  | body | string | CID for the tenant. |
description |  |  | body | string | Correlation rule description. |
id |  |  | body | string | Correlation rule ID to update. |
name |  |  | body | string | Correlation rule name. |
notifications |  |  | body | list of dictionaries | List of notifications to implement. |
operation |  |  | body | dictionary | Operation to perform. |
search |  |  | body | dictionary | Search to perform. |
severity |  |  | body | integer | Correlation severity. |
status |  |  | body | string | Correlation rule status. |
tactic |  |  | body | string | Identified tactic. |
technique |  |  | body | string | Identified technique. |
trigger_on_create |  |  | body | boolean | Flag indicating if the rule triggers on creation. |
# Example: update an existing correlation rule. Differs from create_rule only in the
# required id keyword naming the rule to change.
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, never from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# notifications: list of notification dictionaries; every "string" is a placeholder.
notifications_list = [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
]
# operation: schedule plus start/stop timestamps (sample values are ISO 8601 UTC, "Z" suffix).
operation_dictionary = {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
}
# search: filter, lookback window, outcome and trigger mode for the rule.
search_dictionary = {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
}
# id selects the rule being updated. severity=integer / trigger_on_create=boolean
# are type placeholders — replace with an int and a bool before running.
response = falcon.update_rule(comment="string",
customer_id="string",
description="string",
id="string",
name="string",
notifications=notifications_list,
operation=operation_dictionary,
search=search_dictionary,
severity=integer,
status="string",
tactic="string",
technique="string",
trigger_on_create=boolean
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Same as update_rule, called through the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders — keep real credentials out of source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# notifications: list of notification dictionaries; every "string" is a placeholder.
notifications_list = [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
]
# operation: schedule plus start/stop timestamps (sample values are ISO 8601 UTC, "Z" suffix).
operation_dictionary = {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
}
# search: filter, lookback window, outcome and trigger mode for the rule.
search_dictionary = {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
}
# id selects the rule being updated. severity=integer / trigger_on_create=boolean
# are type placeholders — replace with an int and a bool before running.
response = falcon.entities_rules_patch_v1(comment="string",
customer_id="string",
description="string",
id="string",
name="string",
notifications=notifications_list,
operation=operation_dictionary,
search=search_dictionary,
severity=integer,
status="string",
tactic="string",
technique="string",
trigger_on_create=boolean
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Uber-class form of update_rule: the request body is passed to command().
# CLIENT_ID / CLIENT_SECRET are placeholders — load real credentials from the
# environment or a secrets store.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# NOTE(review): this example wraps the body in a list, while the parameter table
# above documents body as a dictionary and the create example sends a plain dict —
# confirm which shape the endpoint accepts before copying this.
# Keys mirror the body parameters in the table; every "string" is a placeholder.
body_payload = [{
"comment": "string",
"customer_id": "string",
"description": "string",
"id": "string",
"name": "string",
"notifications": [
{
"config": {
"cid": "string",
"config_id": "string",
"plugin_id": "string",
"recipients": [
"string"
],
"severity": "string"
},
"options": {
"additionalProp1": "string",
"additionalProp2": "string",
"additionalProp3": "string"
},
"type": "string"
}
],
# start_on / stop_on sample values are ISO 8601 UTC timestamps ("Z" suffix).
"operation": {
"schedule": {
"definition": "string"
},
"start_on": "2025-02-12T02:11:22.284Z",
"stop_on": "2025-02-12T02:11:22.284Z"
},
"search": {
"filter": "string",
"lookback": "string",
"outcome": "string",
"trigger_mode": "string"
},
# 0 is a sample severity; trigger_on_create's `boolean` is a type placeholder
# (not valid Python) — substitute True/False before running.
"severity": 0,
"status": "string",
"tactic": "string",
"technique": "string",
"trigger_on_create": boolean
}]
response = falcon.command("entities_rules_patch_v1", body=body_payload)
# Raw response dump; check for an error status before consuming the body.
print(response)
Find all rule IDs matching the query and filter.
query_rules
Method | Route |
 | /correlation-rules/queries/rules/v1 |

- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
filter |  |  | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
q |  |  | query | string | Match query criteria, which includes all the filter string fields. |
sort |  |  | query | string | Rule property to sort on. |
offset |  |  | query | integer | Starting index of overall result set from which to return IDs. |
limit |  |  | query | integer | Number of IDs to return. |
parameters |  |  | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
# Example: query for rule IDs only (fetch details afterwards with get_rules).
# CLIENT_ID / CLIENT_SECRET are placeholders; load real credentials from the
# environment or a secrets store, never from source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Placeholders: filter (FQL), q (match string), sort (rule property),
# offset/limit (integers for the page window) — see the parameter table above.
response = falcon.query_rules(filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Same as query_rules, called through the operation-ID-named method.
# CLIENT_ID / CLIENT_SECRET are placeholders — keep real credentials out of source.
from falconpy import CorrelationRules
falcon = CorrelationRules(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# Placeholders: filter (FQL), q (match string), sort (rule property),
# offset/limit (integers for the page window).
response = falcon.queries_rules_get_v1(filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Raw response dump; check for an error status before consuming the body.
print(response)
# Uber-class form of query_rules: command() dispatches on the operation ID string
# with the same keyword parameters. CLIENT_ID / CLIENT_SECRET are placeholders —
# load real credentials from the environment or a secrets store.
from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
# "string" / integer are placeholders for the query parameters documented above.
response = falcon.command("queries_rules_get_v1",
filter="string",
q="string",
sort="string",
offset=integer,
limit=integer
)
# Raw response dump; check for an error status before consuming the body.
print(response)