Using the Correlation Rules service collection

Table of Contents

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

aggregates_rule_versions_post_v1

Get rules aggregates as specified via json in the request body.

PEP8 method name

aggregate_rule_versions

Endpoint

Method	Route
	/correlation-rules/aggregates/rule-versions/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
filter			query	string	FQL query specifying the filter parameters.
ids			query	string or list of strings	Correlation rule IDs.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregate_rule_versions(body=body_payload, filter="string", ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregates_rule_versions_post_v1(body=body_payload, filter="string", ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = { }

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("aggregates_rule_versions_post_v1", body=body_payload, filter="string", ids=id_list)

print(response)

combined_rules_get_v1

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined

Endpoint

Method	Route
	/correlation-rules/combined/rules/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query specifying the filter parameters. Available filters: customer_id user_id user_uuid status name created_on last_updated_on Ranged filters: created_on last_updated_on
q			query	string	Match query criteria, which includes all the filter string fields.
sort			query	string	Rule property to sort on.
offset			query	integer	Starting index of overall result set from which to return IDs.
limit			query	integer	Number of IDs to return.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined(filter="string",
                                     q="string",
                                     sort="string",
                                     offset=integer,
                                     limit=integer
                                     )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v1(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                         )
print(response)

combined_rules_get_v2

Find all rules matching the query and filter.

PEP8 method name

get_rules_combined_v2

Endpoint

Method	Route
	/correlation-rules/combined/rules/v2

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query specifying the filter parameters. Available filters: customer_id user_id user_uuid status name created_on last_updated_on Ranged filters: created_on last_updated_on
q			query	string	Match query criteria, which includes all the filter string fields.
sort			query	string	Rule property to sort on.
offset			query	integer	Starting index of overall result set from which to return IDs.
limit			query	integer	Number of IDs to return.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.get_rules_combined_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.combined_rules_get_v2(filter="string",
                                        q="string",
                                        sort="string",
                                        offset=integer,
                                        limit=integer
                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("combined_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

entities_latest_rules_get_v1

Retrieve latest rule versions by rule IDs.

PEP8 method name

get_latest_rule_versions

Endpoint

Method	Route
	/correlation-rules/entities/latest-rules/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.
rule_ids			query	string or list of strings	The rule IDs to retrieve.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_latest_rule_versions(rule_ids=rule_id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_latest_rules_get_v1(rule_ids=rule_id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

rule_id_list = ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_latest_rules_get_v1", rule_ids=rule_id_list)

print(response)

entities_rule_versions_export_post_v1

Export rule versions.

PEP8 method name

export_rule

Endpoint

Method	Route
	/correlation-rules/entities/rule-versions/export/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
filter			body	string	Filter to use for export.
get_latest			body	boolean	Flag indicating if the latest rule version should be exported.
report_format			body	string	Format to use for rule export.
search			body	dictionary	Rule search to perform. Overrides filter and sort keywords.
sort			body	string	Sort to use for rule export.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.export_rule(filter="string",
                              get_latest=boolean,
                              report_format="string",
                              sort="string"
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_export_post_v1(filter="string",
                                                        get_latest=boolean,
                                                        report_format="string",
                                                        sort="string"
                                                        )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "get_latest": boolean,
  "report_format": "string",
  "search": {
    "filter": "string",
    "sort": "string"
  }
}

response = falcon.command("entities_rule_versions_export_post_v1", body=body_payload)

print(response)

entities_rule_versions_import_post_v1

Import rule versions.

PEP8 method name

import_rule

Endpoint

Method	Route
	/correlation-rules/entities/rule-versions/import/v1

Required Scope

Content-Type

• Consumes: multipart/form-data
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Rule to be imported. Not required if using the rule keyword.
rule			body	dictionary	Rule to be imported (Service Class only).

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.import_rule(rule=rule_json)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

rule_json = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.entities_rule_versions_import_post_v1(rule=rule_json)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "description": "test_string",
    "name": "test_string",
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
}

response = falcon.command("entities_rule_versions_import_post_v1", body=body_payload)

print(response)

entities_rule_versions_publish_patch_v1

Publish existing rule version.

PEP8 method name

publish_rule_version

Endpoint

Method	Route
	/correlation-rules/entities/rule-versions/publish/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
id			body	string	Correlation rule version ID to publish.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.publish_rule_version(id="string")

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rule_versions_publish_patch_v1(id="string")

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
  "id": "string"
}

response = falcon.command("entities_rule_versions_publish_patch_v1", body=body_payload)

print(response)

entities_rule_versions_delete_v1

Delete versions by IDs.

PEP8 method name

delete_rule_versions

Endpoint

Method	Route
	/correlation-rules/entities/rule-versions/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule version IDs to be deleted.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_versions(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rule_versions_delete_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rule_versions_delete_v1", ids=id_list)

print(response)

entities_rules_get_v1

Retrieve rules by IDs.

PEP8 method name

get_rules

Endpoint

Method	Route
	/correlation-rules/entities/rules/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be retrieved.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v1", ids=id_list)

print(response)

entities_rules_get_v2

Retrieve rule versions by IDs

PEP8 method name

get_rules_v2

Endpoint

Method	Route
	/correlation-rules/entities/rules/v2

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be retrieved.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_v2(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v2(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v2", ids=id_list)

print(response)

entities_rules_post_v1

Create a correlation rule.

PEP8 method name

create_rule

Endpoint

Method	Route
	/correlation-rules/entities/rules/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
comment			body	string	Correlation rule comment.
customer_id			body	string	CID for the tenant.
description			body	string	Correlation rule description.
name			body	string	Correlation rule name.
notifications			body	list of dictionaries	List of notifications to implement.
operation			body	dictionary	Operation to perform.
search			body	dictionary	Search to perform.
severity			body	integer	Correlation severity.
status			body	string	Correlation rule status.
tactic			body	string	Identified tactic.
technique			body	string	Identified technique.
trigger_on_create			body	boolean	Flag indicating if the rule triggers on creation.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}
response = falcon.create_rule(comment="string",
                              customer_id="string",
                              description="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_post_v1(comment="string",
                                         customer_id="string",
                                         description="string",
                                         name="string",
                                         notifications=notifications_list,
                                         operation=operation_dictionary,
                                         search=search_dictionary,
                                         severity=integer,
                                         status="string",
                                         tactic="string",
                                         technique="string",
                                         trigger_on_create=boolean
                                         )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}

response = falcon.command("entities_rules_post_v1", body=body_payload)

print(response)

entities_rules_delete_v1

Delete rules by IDs.

PEP8 method name

delete_rules

Endpoint

Method	Route
	/correlation-rules/entities/rules/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	The rule IDs to be deleted.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)

print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_delete_v1(ids=id_list)

print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_delete_v1", ids=id_list)

print(response)

entities_rules_patch_v1

Update a correlation rule.

PEP8 method name

update_rule

Endpoint

Method	Route
	/correlation-rules/entities/rules/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload provided as a dictionary.
comment			body	string	Correlation rule comment.
customer_id			body	string	CID for the tenant.
description			body	string	Correlation rule description.
id			body	string	Correlation rule ID to update.
name			body	string	Correlation rule name.
notifications			body	list of dictionaries	List of notifications to implement.
operation			body	dictionary	Operation to perform.
search			body	dictionary	Search to perform.
severity			body	integer	Correlation severity.
status			body	string	Correlation rule status.
tactic			body	string	Identified tactic.
technique			body	string	Identified technique.
trigger_on_create			body	boolean	Flag indicating if the rule triggers on creation.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.update_rule(comment="string",
                              customer_id="string",
                              description="string",
                              id="string",
                              name="string",
                              notifications=notifications_list,
                              operation=operation_dictionary,
                              search=search_dictionary,
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              trigger_on_create=boolean
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

notifications_list = [
    {
        "config": {
            "cid": "string",
            "config_id": "string",
            "plugin_id": "string",
            "recipients": [
                "string"
            ],
            "severity": "string"
        },
        "options": {
            "additionalProp1": "string",
            "additionalProp2": "string",
            "additionalProp3": "string"
        },
        "type": "string"
    }
]

operation_dictionary = {
    "schedule": {
        "definition": "string"
    },
    "start_on": "2025-02-12T02:11:22.284Z",
    "stop_on": "2025-02-12T02:11:22.284Z"
}

search_dictionary = {
    "filter": "string",
    "lookback": "string",
    "outcome": "string",
    "trigger_mode": "string"
}

response = falcon.entities_rules_patch_v1(comment="string",
                                          customer_id="string",
                                          description="string",
                                          id="string",
                                          name="string",
                                          notifications=notifications_list,
                                          operation=operation_dictionary,
                                          search=search_dictionary,
                                          severity=integer,
                                          status="string",
                                          tactic="string",
                                          technique="string",
                                          trigger_on_create=boolean
                                          )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [{
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "id": "string",
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": [
                    "string"
                ],
                "severity": "string"
            },
            "options": {
                "additionalProp1": "string",
                "additionalProp2": "string",
                "additionalProp3": "string"
            },
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "2025-02-12T02:11:22.284Z",
        "stop_on": "2025-02-12T02:11:22.284Z"
    },
    "search": {
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string"
    },
    "severity": 0,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "trigger_on_create": boolean
}]

response = falcon.command("entities_rules_patch_v1", body=body_payload)

print(response)

queries_rules_get_v1

Find all rule IDs matching the query and filter.

PEP8 method name

query_rules

Endpoint

Method	Route
	/correlation-rules/queries/rules/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query specifying the filter parameters. Available filters: customer_id user_id user_uuid status name created_on last_updated_on Ranged filters: created_on last_updated_on
q			query	string	Match query criteria, which includes all the filter string fields.
sort			query	string	Rule property to sort on.
offset			query	integer	Starting index of overall result set from which to return IDs.
limit			query	integer	Number of IDs to return.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules(filter="string",
                              q="string",
                              sort="string",
                              offset=integer,
                              limit=integer
                              )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v1(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)

queries_rules_get_v2

Find all rule version IDs matching the query and filter.

PEP8 method name

query_rules_v2

Endpoint

Method	Route
	/correlation-rules/queries/rules/v2

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	FQL query specifying the filter parameters. Available filters: customer_id user_id user_uuid status name created_on last_updated_on Ranged filters: created_on last_updated_on
q			query	string	Match query criteria, which includes all the filter string fields.
sort			query	string	Rule property to sort on.
offset			query	integer	Starting index of overall result set from which to return IDs.
limit			query	integer	Number of IDs to return.
parameters			query	dictionary	Full query parameters payload as a dictionary, not required when using other keywords.

Usage

Service class example (PEP8 syntax)

from falconpy.correlation_rules import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules_v2(filter="string",
                                 q="string",
                                 sort="string",
                                 offset=integer,
                                 limit=integer
                                 )
print(response)

Service class example (Operation ID syntax)

from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v2(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)

Uber class example

from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)