Correlation Rules
The Correlation Rules service collection provides operations for managing correlation rules and templates. Create, update, delete, and query correlation rules. Export and import rule versions, publish rule versions, and manage rule templates.
| Language | Last Update |
|---|---|
| Python | v1.4.8 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
Table of Contents
| Operation ID | Method name | Description |
|---|---|---|
| aggregates_rule_versions_post_v1 | aggregate_rule_versions | Get rules aggregates as specified via json in the request body. |
| combined_rules_get_v1 | get_rules_combined | Find all rules matching the query and filter. |
| combined_rules_get_v2 | get_rules_combined_v2 | Find all rules matching the query and filter. |
| entities_latest_rules_get_v1 | get_latest_rule_versions | Retrieve latest rule versions by rule IDs. |
| entities_rule_versions_export_post_v1 | export_rule | Export rule versions. |
| entities_rule_versions_import_post_v1 | import_rule | Import rule versions. |
| entities_rule_versions_publish_patch_v1 | publish_rule_version | Publish existing rule version. |
| entities_rule_versions_delete_v1 | delete_rule_versions | Delete versions by IDs. |
| entities_rules_get_v1 | get_rules | Retrieve rules by IDs. |
| entities_rules_post_v1 | create_rule | Create a correlation rule. |
| entities_rules_delete_v1 | delete_rules | Delete rules by IDs. |
| entities_rules_patch_v1 | update_rule | Update a correlation rule. |
| entities_rules_get_v2 | get_rules_v2 | Retrieve rule versions by IDs. |
| queries_rules_get_v1 | query_rules | Find all rule IDs matching the query and filter. |
| queries_rules_get_v2 | query_rules_v2 | Find all rule version IDs matching the query and filter. |
| queries_templates_get_v1Mixin0 | query_templates | Search rule template IDs matching the filter. |
| entities_templates_rules_post_v1 | create_rule_from_template | Create rule from template. |
| entities_templates_get_v1Mixin0 | get_rule_templates_by_id | Retrieve rule templates by IDs. |
aggregates_rule_versions_post_v1
Get rules aggregates as specified via json in the request body.
Method name: aggregate_rule_versions
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| filter | query | string | FQL query specifying the filter parameters. |
| ids | query | string or list of strings | Correlation rule IDs. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregate_rule_versions(filter="string", ids=id_list)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.aggregates_rule_versions_post_v1(filter="string", ids=id_list)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("aggregates_rule_versions_post_v1", ids=id_list, filter="string", body={})
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"

	response, err := client.CorrelationRules.AggregatesRuleVersionsPostV1(
		&correlation_rules.AggregatesRuleVersionsPostV1Params{
			Body:    []models.MsaAggregateQueryRequest{},
			Ids:     []string{"ID1", "ID2", "ID3"},
			Filter:  &filter,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.aggregatesRuleVersionsPostV1(
  ["ID1", "ID2", "ID3"], // ids
  [{}], // body
  "string" // filter
);

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::aggregates_rule_versions_post_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = aggregates_rule_versions_post_v1(
        &falcon.cfg,                 // configuration
        vec!["string".to_string()],  // ids
        vec![serde_json::json!({})], // body
        Some("string"),              // filter
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

body = [{}]

response = api.aggregates_rule_versions_post_v1(body, ['ID1', 'ID2', 'ID3'])

puts response
```
combined_rules_get_v1
Find all rules matching the query and filter.
Method name: get_rules_combined
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | query | string | Match query criteria, which includes all the filter string fields. |
| sort | query | string | Rule property to sort on. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| limit | query | integer | Number of IDs to return. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.get_rules_combined(filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.combined_rules_get_v1(filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.command("combined_rules_get_v1", filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"
	q := "string"
	sort := "string"
	offset := int64(0)
	limit := int64(0)

	response, err := client.CorrelationRules.CombinedRulesGetV1(
		&correlation_rules.CombinedRulesGetV1Params{
			Filter:  &filter,
			Q:       &q,
			Sort:    &sort,
			Offset:  &offset,
			Limit:   &limit,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.combinedRulesGetV1(
  "string", // filter
  "string", // q
  "string", // sort
  integer, // offset
  integer // limit
);

console.log(response);
```
Rust: Examples coming soon.
Ruby: Examples coming soon.
combined_rules_get_v2
Find all rules matching the query and filter.
Method name: get_rules_combined_v2
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | query | string | Match query criteria, which includes all the filter string fields. |
| sort | query | string | Rule property to sort on. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| limit | query | integer | Number of IDs to return. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.get_rules_combined_v2(filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.combined_rules_get_v2(filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.command("combined_rules_get_v2", filter="string", q="string", sort="string", offset=integer, limit=integer)
print(response)
```
PowerShell:
```powershell
Get-FalconCorrelationRule -Filter "string" `
  -Query "string" `
  -Sort "string" `
  -Limit integer `
  -Offset integer
```
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"
	q := "string"
	sort := "string"
	offset := int64(0)
	limit := int64(0)

	response, err := client.CorrelationRules.CombinedRulesGetV2(
		&correlation_rules.CombinedRulesGetV2Params{
			Filter:  &filter,
			Q:       &q,
			Sort:    &sort,
			Offset:  &offset,
			Limit:   &limit,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.combinedRulesGetV2(
  "string", // filter
  "string", // q
  "string", // sort
  integer, // offset
  integer // limit
);

console.log(response);
```
Rust: Examples coming soon.
Ruby: Examples coming soon.
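The combined query returns one page per call, so a full inventory of correlation rules means walking offset and limit until the reported total is reached. The following is an added example, not from the FalconPy documentation: it pages through get_rules_combined_v2, refuses to treat a failed page as a complete inventory, and summarises rule status so disabled or draft detections stand out. It assumes the FalconPy response envelope (status_code, headers, body) with body.meta.pagination carrying offset, limit and total, assumes "enabled" as the active status value, and uses a constructed offline stand-in for the CorrelationRules client.

```python
from typing import Any, Dict, Iterable, Iterator, List, Optional


def iter_rules(client: Any, fql_filter: Optional[str] = None,
               page_size: int = 100) -> Iterator[Dict[str, Any]]:
    """Yield every rule matching fql_filter, following offset/limit pagination.

    Assumed envelope: response["status_code"] and response["body"] holding
    "resources" (the rules) and "meta"]["pagination"]["total"]. A non-200
    page raises, so a partial inventory is never mistaken for a complete one.
    """
    offset = 0
    while True:
        response = client.get_rules_combined_v2(
            filter=fql_filter, offset=offset, limit=page_size
        )
        if response.get("status_code") != 200:
            errors = response.get("body", {}).get("errors", [])
            raise RuntimeError(
                f"combined_rules_get_v2 returned {response.get('status_code')}: {errors}"
            )
        body = response["body"]
        page = body.get("resources") or []
        yield from page
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(page)
        if not page or offset >= total:
            break


def summarize_status(rules: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count rules per status value ('status' is a filterable rule property)."""
    counts: Dict[str, int] = {}
    for rule in rules:
        status = str(rule.get("status", "unknown"))
        counts[status] = counts.get(status, 0) + 1
    return counts


def inactive_rule_ids(rules: Iterable[Dict[str, Any]],
                      active_statuses: Iterable[str] = ("enabled",)) -> List[str]:
    """IDs of rules whose status is not active ("enabled" is an assumed value)."""
    active = set(active_statuses)
    return [r["id"] for r in rules if r.get("status") not in active]


class FakeCorrelationRules:
    """Constructed offline stand-in for falconpy.CorrelationRules.

    Returns the assumed envelope and pagination metadata; it records the
    FQL filter instead of evaluating it, and can simulate an API error.
    """

    def __init__(self, rules: List[Dict[str, Any]], status_code: int = 200) -> None:
        self._rules = rules
        self._status_code = status_code
        self.calls = 0
        self.last_filter: Optional[str] = None

    def get_rules_combined_v2(self, filter: Optional[str] = None, q: Optional[str] = None,
                              sort: Optional[str] = None, offset: int = 0,
                              limit: int = 100) -> Dict[str, Any]:
        self.calls += 1
        self.last_filter = filter
        if self._status_code != 200:
            return {"status_code": self._status_code, "headers": {},
                    "body": {"errors": [{"code": self._status_code, "message": "simulated"}]}}
        page = self._rules[offset:offset + limit]
        return {
            "status_code": 200,
            "headers": {},
            "body": {
                "meta": {"pagination": {"offset": offset, "limit": limit,
                                        "total": len(self._rules)}},
                "resources": page,
                "errors": [],
            },
        }


# Constructed sample rules; IDs, names and status values are placeholders.
SAMPLE_RULES = [
    {"id": "rule-1", "name": "Suspicious service install", "status": "enabled"},
    {"id": "rule-2", "name": "Credential dumping tool", "status": "enabled"},
    {"id": "rule-3", "name": "Rare parent process", "status": "disabled"},
    {"id": "rule-4", "name": "Outbound to new ASN", "status": "enabled"},
    {"id": "rule-5", "name": "Scheduled task persistence", "status": "draft"},
]


if __name__ == "__main__":
    # Against a live tenant, replace the fake with
    # falconpy.CorrelationRules(client_id=..., client_secret=...).
    client = FakeCorrelationRules(SAMPLE_RULES)
    rules = list(iter_rules(client, page_size=2))
    print(summarize_status(rules))
    print("not active:", inactive_rule_ids(rules))
```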
entities_latest_rules_get_v1
Retrieve latest rule versions by rule IDs.
Method name: get_latest_rule_versions
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
| rule_ids | query | string or list of strings | The rule IDs to retrieve. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_latest_rule_versions(rule_ids=id_list)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_latest_rules_get_v1(rule_ids=id_list)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_latest_rules_get_v1", rule_ids=id_list)
print(response)
```
PowerShell:
```powershell
Get-FalconCorrelationRule -RuleId @("ID1", "ID2")
```
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesLatestRulesGetV1(
		&correlation_rules.EntitiesLatestRulesGetV1Params{
			RuleIds: []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesLatestRulesGetV1(["ID1", "ID2", "ID3"]); // ruleIds

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::entities_latest_rules_get_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = entities_latest_rules_get_v1(
        &falcon.cfg,                // configuration
        vec!["string".to_string()], // rule_ids
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

response = api.entities_latest_rules_get_v1(['ID1', 'ID2', 'ID3'])

puts response
```
entities_rule_versions_export_post_v1
Export rule versions.
Method name: export_rule
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| filter | body | string | Filter to use for export. |
| get_latest | body | boolean | Flag indicating if the latest rule version should be exported. |
| report_format | body | string | Format to use for rule export. |
| search | body | dictionary | Rule search to perform. Overrides filter and sort keywords. |
| sort | body | string | Sort to use for rule export. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.export_rule(filter="string", get_latest=boolean, report_format="string", search={}, sort="string")
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.entities_rule_versions_export_post_v1(filter="string", get_latest=boolean, report_format="string", search={}, sort="string")
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "get_latest": boolean,
    "report_format": "string",
    "search": {
        "filter": "string",
        "sort": "string"
    }
}

response = falcon.command("entities_rule_versions_export_post_v1", body=body_payload)
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	get_latest := boolean
	report_format := "string"

	response, err := client.CorrelationRules.EntitiesRuleVersionsExportPostV1(
		&correlation_rules.EntitiesRuleVersionsExportPostV1Params{
			Body: &models.CorrelationrulesapiRuleVersionReportRequest{
				GetLatest:    &get_latest,
				ReportFormat: &report_format,
				Search:       &struct{}{},
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRuleVersionsExportPostV1(
  {
    getLatest: boolean,
    reportFormat: "string",
    search: {
      filter: "string",
      sort: "string"
    }
  } // body
);

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::entities_rule_versions_export_post_v1;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleVersionReportRequest;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleVersionReportRequest {
        report_format: Some("string".to_string()),
        search: Default::default(),
        ..Default::default()
    };

    let response = entities_rule_versions_export_post_v1(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

body = Falcon::CorrelationrulesapiRuleVersionReportRequest.new(
  get_latest: boolean,
  report_format: 'string',
  search: {
    filter: 'string',
    sort: 'string'
  }
)

response = api.entities_rule_versions_export_post_v1(body)

puts response
```
entities_rule_versions_import_post_v1
Import rule versions.
Method name: import_rule
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Rule to be imported. Not required if using the rule keyword. |
| rule | body | dictionary | Rule to be imported (Service Class only). |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.import_rule(rule={})
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.entities_rule_versions_import_post_v1(rule={})
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.command("entities_rule_versions_import_post_v1")
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesRuleVersionsImportPostV1(
		&correlation_rules.EntitiesRuleVersionsImportPostV1Params{
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRuleVersionsImportPostV1();

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::entities_rule_versions_import_post_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = entities_rule_versions_import_post_v1(&falcon.cfg) // configuration
        .await
        .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

response = api.entities_rule_versions_import_post_v1

puts response
```
entities_rule_versions_publish_patch_v1
Publish existing rule version.
Method name: publish_rule_version
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| id | body | string | Correlation rule version ID to publish. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.publish_rule_version(id="string")
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.entities_rule_versions_publish_patch_v1(id="string")
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "id": "string"
}

response = falcon.command("entities_rule_versions_publish_patch_v1", body=body_payload)
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	id := "string"

	response, err := client.CorrelationRules.EntitiesRuleVersionsPublishPatchV1(
		&correlation_rules.EntitiesRuleVersionsPublishPatchV1Params{
			Body: &models.CorrelationrulesapiRuleVersionPublishRequestV1{
				ID: &id,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRuleVersionsPublishPatchV1(
  {
    id: "string"
  } // body
);

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::entities_rule_versions_publish_patch_v1;
use rusty_falcon::easy::client::FalconHandle;
use rusty_falcon::models::ApiRuleVersionPublishRequestV1;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let body = ApiRuleVersionPublishRequestV1 {
        id: Some("string".to_string()),
        ..Default::default()
    };

    let response = entities_rule_versions_publish_patch_v1(
        &falcon.cfg, // configuration
        body,        // body
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

body = Falcon::CorrelationrulesapiRuleVersionPublishRequestV1.new(
  id: 'string'
)

response = api.entities_rule_versions_publish_patch_v1(body)

puts response
```
entities_rule_versions_delete_v1
Delete versions by IDs.
Method name: delete_rule_versions
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The rule version IDs to be deleted. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rule_versions(ids=id_list)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rule_versions_delete_v1(ids=id_list)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rule_versions_delete_v1", ids=id_list)
print(response)
```
PowerShell:
```powershell
Remove-FalconCorrelationRule -Id @("ID1", "ID2")
```
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesRuleVersionsDeleteV1(
		&correlation_rules.EntitiesRuleVersionsDeleteV1Params{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRuleVersionsDeleteV1(["ID1", "ID2", "ID3"]); // ids

console.log(response);
```
Rust:
```rust
use rusty_falcon::apis::correlation_rules_api::entities_rule_versions_delete_v1;
use rusty_falcon::easy::client::FalconHandle;

#[tokio::main]
async fn main() {
    let falcon = FalconHandle::from_env().await.expect("Could not authenticate");

    let response = entities_rule_versions_delete_v1(
        &falcon.cfg,                // configuration
        vec!["string".to_string()], // ids
    )
    .await
    .expect("API call failed");

    println!("{:?}", response);
}
```
Ruby:
```ruby
require "crimson-falcon"

Falcon.configure do |config|
  config.client_id = ENV["FALCON_CLIENT_ID"]
  config.client_secret = ENV["FALCON_CLIENT_SECRET"]
  config.cloud = ENV["FALCON_CLOUD"]
end

api = Falcon::CorrelationRules.new

response = api.entities_rule_versions_delete_v1(['ID1', 'ID2', 'ID3'])

puts response
```
entities_rules_get_v1
Retrieve rules by IDs.
Method name: get_rules
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The rule IDs to be retrieved. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules(ids=id_list)
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v1(ids=id_list)
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v1", ids=id_list)
print(response)
```
PowerShell: Examples coming soon.
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesRulesGetV1(
		&correlation_rules.EntitiesRulesGetV1Params{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRulesGetV1(["ID1", "ID2", "ID3"]); // ids

console.log(response);
```
Rust: Examples coming soon.
Ruby: Examples coming soon.
entities_rules_post_v1
Create a correlation rule.
Method name: create_rule
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| comment | body | string | Correlation rule comment. |
| customer_id | body | string | CID for the tenant. |
| description | body | string | Correlation rule description. |
| name | body | string | Correlation rule name. |
| notifications | body | list of dictionaries | List of notifications to implement. |
| operation | body | dictionary | Operation to perform. |
| search | body | dictionary | Search to perform. |
| severity | body | integer | Correlation severity. |
| status | body | string | Correlation rule status. |
| tactic | body | string | Identified tactic. |
| technique | body | string | Identified technique. |
| trigger_on_create | body | boolean | Flag indicating if the rule triggers on creation. |
Code Examples
Python (Service Class, method name):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.create_rule(anomaly={},
                              comment="string",
                              customer_id="string",
                              description="string",
                              guardrail_notifications=[{"key": "value"}],
                              mitre_attack=[{"key": "value"}],
                              name="string",
                              notifications=[{"key": "value"}],
                              operation={},
                              search={},
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              template_id="string",
                              trigger_on_create=boolean
                              )
print(response)
```
Python (Service Class, operation ID):
```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

response = falcon.entities_rules_post_v1(anomaly={},
                                         comment="string",
                                         customer_id="string",
                                         description="string",
                                         guardrail_notifications=[{"key": "value"}],
                                         mitre_attack=[{"key": "value"}],
                                         name="string",
                                         notifications=[{"key": "value"}],
                                         operation={},
                                         search={},
                                         severity=integer,
                                         status="string",
                                         tactic="string",
                                         technique="string",
                                         template_id="string",
                                         trigger_on_create=boolean
                                         )
print(response)
```
Python (Uber Class):
```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)

body_payload = {
    "anomaly": {
        "event_field_names": ["string"],
        "lookback_timeframe": "string",
        "scope": "string",
        "type": "string",
        "use_established_entity_only": boolean
    },
    "comment": "string",
    "customer_id": "string",
    "description": "string",
    "guardrail_notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": ["string"],
                "severity": "string"
            },
            "options": {},
            "type": "string"
        }
    ],
    "mitre_attack": [
        {
            "tactic_id": "string",
            "technique_id": "string"
        }
    ],
    "name": "string",
    "notifications": [
        {
            "config": {
                "cid": "string",
                "config_id": "string",
                "plugin_id": "string",
                "recipients": ["string"],
                "severity": "string"
            },
            "options": {},
            "type": "string"
        }
    ],
    "operation": {
        "schedule": {
            "definition": "string"
        },
        "start_on": "string",
        "stop_on": "string",
        "suppression": {
            "filter": {},
            "suppression_period": "string"
        }
    },
    "search": {
        "case_template_id": "string",
        "execution_mode": "string",
        "filter": "string",
        "lookback": "string",
        "outcome": "string",
        "trigger_mode": "string",
        "use_ingest_time": boolean
    },
    "severity": integer,
    "status": "string",
    "tactic": "string",
    "technique": "string",
    "template_id": "string",
    "trigger_on_create": boolean
}

response = falcon.command("entities_rules_post_v1", body=body_payload)
print(response)
```
PowerShell:
```powershell
New-FalconCorrelationRule -Name "string" `
  -Severity integer `
  -Search @{} `
  -Operation @{} `
  -Status "string"
```
Go:
```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	comment := "string"
	customer_id := "string"
	description := "string"
	notification_type := "string" // `type` is a Go keyword and cannot be used as a variable name
	tactic_id := "string"
	technique_id := "string"
	name := "string"
	severity := integer
	status := "string"
	tactic := "string"
	technique := "string"
	template_id := "string"
	trigger_on_create := boolean

	response, err := client.CorrelationRules.EntitiesRulesPostV1(
		&correlation_rules.EntitiesRulesPostV1Params{
			Body: &models.CorrelationrulesapiRuleCreateRequestV1{
				Anomaly:     &struct{}{},
				Comment:     &comment,
				CustomerID:  &customer_id,
				Description: &description,
				GuardrailNotifications: []interface{}{
					{
						Config:  &struct{}{},
						Options: &struct{}{},
						Type:    &notification_type,
					},
				},
				MitreAttack: []interface{}{
					{
						TacticID:    &tactic_id,
						TechniqueID: &technique_id,
					},
				},
				Name: &name,
				Notifications: []interface{}{
					{
						Config:  &struct{}{},
						Options: &struct{}{},
						Type:    &notification_type,
					},
				},
				Operation:       &struct{}{},
				Search:          &struct{}{},
				Severity:        &severity,
				Status:          &status,
				Tactic:          &tactic,
				Technique:       &technique,
				TemplateID:      &template_id,
				TriggerOnCreate: &trigger_on_create,
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```
TypeScript:
```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRulesPostV1(
  {
    anomaly: {
      eventFieldNames: [],
      lookbackTimeframe: "string",
      scope: "string",
      type: "string",
      useEstablishedEntityOnly: boolean
    },
    comment: "string",
    customerId: "string",
    description: "string",
    guardrailNotifications: [{
      config: {
        cid: "string",
        configId: "string",
        pluginId: "string",
        recipients: [],
        severity: "string"
      },
      options: {},
      type: "string"
    }],
    mitreAttack: [{
      tacticId: "string",
      techniqueId: "string"
    }],
    name: "string",
    notifications: [{
      config: {
        cid: "string",
        configId: "string",
        pluginId: "string",
        recipients: [],
        severity: "string"
      },
      options: {},
      type: "string"
    }],
    operation: {
      schedule: {
        definition: "string"
      },
      startOn: "string",
      stopOn: "string",
      suppression: {
        filter: {},
        suppressionPeriod: "string"
      }
    },
    search: {
      caseTemplateId: "string",
      executionMode: "string",
      filter: "string",
      lookback: "string",
      outcome: "string",
      triggerMode: "string",
      useIngestTime: boolean
    },
    severity: integer,
    status: "string",
    tactic: "string",
    technique: "string",
    templateId: "string",
    triggerOnCreate: boolean
  } // body
);
```
console.log(response);Examples coming soon.
Examples coming soon.
entities_rules_delete_v1
Delete rules by IDs.
delete_rules
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The rule IDs to be deleted. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_rules(ids=id_list)
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_delete_v1(ids=id_list)
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_delete_v1", ids=id_list)
print(response)
```

PowerShell:

```powershell
Remove-FalconCorrelationRule -RuleId @("ID1", "ID2")
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesRulesDeleteV1(
		&correlation_rules.EntitiesRulesDeleteV1Params{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRulesDeleteV1(["ID1", "ID2", "ID3"]); // ids
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
entities_rules_patch_v1
Update a correlation rule.
update_rule
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| comment | body | string | Correlation rule comment. |
| customer_id | body | string | CID for the tenant. |
| description | body | string | Correlation rule description. |
| id | body | string | Correlation rule ID to update. |
| name | body | string | Correlation rule name. |
| notifications | body | list of dictionaries | List of notifications to implement. |
| operation | body | dictionary | Operation to perform. |
| search | body | dictionary | Search to perform. |
| severity | body | integer | Correlation severity. |
| status | body | string | Correlation rule status. |
| tactic | body | string | Identified tactic. |
| technique | body | string | Identified technique. |
| trigger_on_create | body | boolean | Flag indicating if the rule triggers on creation. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.update_rule(anomaly={},
                              comment="string",
                              customer_id="string",
                              description="string",
                              guardrail_notifications=[{"key": "value"}],
                              id="string",
                              mitre_attack=[{"key": "value"}],
                              name="string",
                              notifications=[{"key": "value"}],
                              operation={},
                              search={},
                              severity=integer,
                              status="string",
                              tactic="string",
                              technique="string",
                              template_id="string",
                              trigger_on_create=boolean
                              )
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_rules_patch_v1(anomaly={},
                                          comment="string",
                                          customer_id="string",
                                          description="string",
                                          guardrail_notifications=[{"key": "value"}],
                                          id="string",
                                          mitre_attack=[{"key": "value"}],
                                          name="string",
                                          notifications=[{"key": "value"}],
                                          operation={},
                                          search={},
                                          severity=integer,
                                          status="string",
                                          tactic="string",
                                          technique="string",
                                          template_id="string",
                                          trigger_on_create=boolean
                                          )
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [
    {
        "anomaly": {
            "event_field_names": ["string"],
            "lookback_timeframe": "string",
            "scope": "string",
            "type": "string",
            "use_established_entity_only": boolean
        },
        "comment": "string",
        "description": "string",
        "guardrail_notifications": [
            {
                "config": {},
                "options": {},
                "type": "string"
            }
        ],
        "id": "string",
        "mitre_attack": [
            {
                "tactic_id": "string",
                "technique_id": "string"
            }
        ],
        "name": "string",
        "notifications": [
            {
                "config": {},
                "options": {},
                "type": "string"
            }
        ],
        "operation": {
            "schedule": {},
            "start_on": "string",
            "stop_on": "string",
            "suppression": {}
        },
        "search": {
            "case_template_id": "string",
            "filter": "string",
            "lookback": "string",
            "outcome": "string",
            "trigger_mode": "string",
            "use_ingest_time": boolean
        },
        "severity": integer,
        "state": "string",
        "status": "string",
        "tactic": "string",
        "technique": "string"
    }
]

response = falcon.command("entities_rules_patch_v1", body=body_payload)
print(response)
```

PowerShell:

```powershell
Edit-FalconCorrelationRule -Id "string"
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	comment := "string"
	description := "string"
	// "type" is a reserved word in Go and cannot be used as a variable name.
	notificationType := "string"
	id := "string"
	tactic_id := "string"
	technique_id := "string"
	name := "string"
	severity := integer // placeholder: replace with an integer value
	state := "string"
	status := "string"
	tactic := "string"
	technique := "string"

	response, err := client.CorrelationRules.EntitiesRulesPatchV1(
		&correlation_rules.EntitiesRulesPatchV1Params{
			Body: []*models.CorrelationrulesapiRulePatchRequestV1{
				{
					Anomaly:     &struct{}{},
					Comment:     &comment,
					Description: &description,
					GuardrailNotifications: []interface{}{
						{
							Config:  &struct{}{},
							Options: &struct{}{},
							Type:    &notificationType,
						},
					},
					ID: &id,
					MitreAttack: []interface{}{
						{
							TacticID:    &tactic_id,
							TechniqueID: &technique_id,
						},
					},
					Name: &name,
					Notifications: []interface{}{
						{
							Config:  &struct{}{},
							Options: &struct{}{},
							Type:    &notificationType,
						},
					},
					Operation: &struct{}{},
					Search:    &struct{}{},
					Severity:  &severity,
					State:     &state,
					Status:    &status,
					Tactic:    &tactic,
					Technique: &technique,
				},
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRulesPatchV1(
  [{
    anomaly: {
      eventFieldNames: [],
      lookbackTimeframe: "string",
      scope: "string",
      type: "string",
      useEstablishedEntityOnly: boolean
    },
    comment: "string",
    description: "string",
    guardrailNotifications: [{
      config: {
        cid: "string",
        configId: "string",
        pluginId: "string",
        recipients: [],
        severity: "string"
      },
      options: {},
      type: "string"
    }],
    id: "string",
    mitreAttack: [{
      tacticId: "string",
      techniqueId: "string"
    }],
    name: "string",
    notifications: [{
      config: {
        cid: "string",
        configId: "string",
        pluginId: "string",
        recipients: [],
        severity: "string"
      },
      options: {},
      type: "string"
    }],
    operation: {
      schedule: { definition: "string" },
      startOn: "string",
      stopOn: "string",
      suppression: { filter: {}, suppressionPeriod: "string" }
    },
    search: {
      caseTemplateId: "string",
      filter: "string",
      lookback: "string",
      outcome: "string",
      triggerMode: "string",
      useIngestTime: boolean
    },
    severity: integer,
    state: "string",
    status: "string",
    tactic: "string",
    technique: "string"
  }] // body
);
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
entities_rules_get_v2
Retrieve rule versions by IDs.
get_rules_v2
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The rule IDs to be retrieved. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rules_v2(ids=id_list)
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_rules_get_v2(ids=id_list)
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_rules_get_v2", ids=id_list)
print(response)
```

PowerShell:

```powershell
Get-FalconCorrelationRule -Id @("ID1", "ID2")
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesRulesGetV2(
		&correlation_rules.EntitiesRulesGetV2Params{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesRulesGetV2(["ID1", "ID2", "ID3"]); // ids
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
queries_rules_get_v1
Find all rule IDs matching the query and filter.
query_rules
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | query | string | Match query criteria, which includes all the filter string fields. |
| sort | query | string | Rule property to sort on. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| limit | query | integer | Number of IDs to return. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules(filter="string",
                              q="string",
                              sort="string",
                              offset=integer,
                              limit=integer
                              )
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v1(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v1",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"
	q := "string"
	sort := "string"
	offset := int64(0)
	limit := int64(0)

	response, err := client.CorrelationRules.QueriesRulesGetV1(
		&correlation_rules.QueriesRulesGetV1Params{
			Filter:  &filter,
			Q:       &q,
			Sort:    &sort,
			Offset:  &offset,
			Limit:   &limit,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.queriesRulesGetV1(
  "string", // filter
  "string", // q
  "string", // sort
  integer, // offset
  integer // limit
);
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
queries_rules_get_v2
Find all rule version IDs matching the query and filter.
query_rules_v2
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Available filters: customer_id, user_id, user_uuid, status, name, created_on, last_updated_on. Ranged filters: created_on, last_updated_on. |
| q | query | string | Match query criteria, which includes all the filter string fields. |
| sort | query | string | Rule property to sort on. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| limit | query | integer | Number of IDs to return. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.query_rules_v2(filter="string",
                                 q="string",
                                 sort="string",
                                 offset=integer,
                                 limit=integer
                                 )
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_rules_get_v2(filter="string",
                                       q="string",
                                       sort="string",
                                       offset=integer,
                                       limit=integer
                                       )
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_rules_get_v2",
                          filter="string",
                          q="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```

PowerShell:

```powershell
Get-FalconCorrelationRule -Filter "string" `
    -Query "string" `
    -Sort "string" `
    -Limit integer `
    -Offset integer
```

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"
	q := "string"
	sort := "string"
	offset := int64(0)
	limit := int64(0)

	response, err := client.CorrelationRules.QueriesRulesGetV2(
		&correlation_rules.QueriesRulesGetV2Params{
			Filter:  &filter,
			Q:       &q,
			Sort:    &sort,
			Offset:  &offset,
			Limit:   &limit,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.queriesRulesGetV2(
  "string", // filter
  "string", // q
  "string", // sort
  integer, // offset
  integer // limit
);
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
queries_templates_get_v1Mixin0
Search rule template IDs matching the filter.
query_templates
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | FQL query specifying the filter parameters. Available filters: name, description, vendor, outcome, mitre_attack.tactic_id, mitre_attack.technique_id, type. Ranged filters: created_on, last_updated_on. |
| sort | query | string | Rule property to sort on. |
| offset | query | integer | Starting index of overall result set from which to return IDs. |
| limit | query | integer | Number of IDs to return. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.search_rule_template_ids(filter="string",
                                           sort="string",
                                           offset=integer,
                                           limit=integer
                                           )
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.queries_templates_get_v1Mixin0(filter="string",
                                                 sort="string",
                                                 offset=integer,
                                                 limit=integer
                                                 )
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("queries_templates_get_v1Mixin0",
                          filter="string",
                          sort="string",
                          offset=integer,
                          limit=integer
                          )
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	filter := "string"
	sort := "string"
	offset := int64(0)
	limit := int64(0)

	response, err := client.CorrelationRules.QueriesTemplatesGetV1Mixin0(
		&correlation_rules.QueriesTemplatesGetV1Mixin0Params{
			Filter:  &filter,
			Sort:    &sort,
			Offset:  &offset,
			Limit:   &limit,
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.queriesTemplatesGetV1Mixin0(
  "string", // filter
  "string", // sort
  integer, // offset
  integer // limit
);
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
entities_templates_rules_post_v1
Create rule from template.
create_rule_from_template
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload provided as a dictionary. |
| customer_id | body | string | CID for the tenant. |
| templates | body | list of dictionaries | List of template rule definitions to create. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.create_rule_from_template(customer_id="string",
                                            templates=[{"key": "value"}]
                                            )
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

response = falcon.entities_templates_rules_post_v1(customer_id="string",
                                                   templates=[{"key": "value"}]
                                                   )
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = [
    {
        "customer_id": "string",
        "templates": [
            {
                "comment": "string",
                "description": "string",
                "guardrail_notifications": ["string"],
                "mitre_attack": ["string"],
                "name": "string",
                "notifications": ["string"],
                "operation": {},
                "search": {},
                "severity": integer,
                "status": "string",
                "template_id": "string",
                "trigger_on_create": boolean
            }
        ]
    }
]

response = falcon.command("entities_templates_rules_post_v1", body=body_payload)
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
	"github.com/crowdstrike/gofalcon/falcon/models"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	customer_id := "string"
	comment := "string"
	description := "string"
	// "type" is a reserved word in Go and cannot be used as a variable name.
	notificationType := "string"
	tactic_id := "string"
	technique_id := "string"
	name := "string"
	severity := integer // placeholder: replace with an integer value
	status := "string"
	template_id := "string"
	trigger_on_create := boolean // placeholder: replace with true or false

	response, err := client.CorrelationRules.EntitiesTemplatesRulesPostV1(
		&correlation_rules.EntitiesTemplatesRulesPostV1Params{
			Body: []*models.CorrelationrulesapiDeployTemplateRequestV1{
				{
					CustomerID: &customer_id,
					Templates: []interface{}{
						{
							Comment:     &comment,
							Description: &description,
							GuardrailNotifications: []interface{}{
								{
									Config:  &struct{}{},
									Options: &struct{}{},
									Type:    &notificationType,
								},
							},
							MitreAttack: []interface{}{
								{
									TacticID:    &tactic_id,
									TechniqueID: &technique_id,
								},
							},
							Name: &name,
							Notifications: []interface{}{
								{
									Config:  &struct{}{},
									Options: &struct{}{},
									Type:    &notificationType,
								},
							},
							Operation:       &struct{}{},
							Search:          &struct{}{},
							Severity:        &severity,
							Status:          &status,
							TemplateID:      &template_id,
							TriggerOnCreate: &trigger_on_create,
						},
					},
				},
			},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesTemplatesRulesPostV1(
  [{
    customerId: "string",
    templates: [{
      comment: "string",
      description: "string",
      guardrailNotifications: [{ config: {}, options: {}, type: "string" }],
      mitreAttack: [{ tacticId: "string", techniqueId: "string" }],
      name: "string",
      notifications: [{ config: {}, options: {}, type: "string" }],
      operation: {
        schedule: {},
        startOn: "string",
        stopOn: "string",
        suppression: {}
      },
      search: {
        caseTemplateId: "string",
        executionMode: "string",
        filter: "string",
        lookback: "string",
        outcome: "string",
        triggerMode: "string",
        useIngestTime: boolean
      },
      severity: integer,
      status: "string",
      templateId: "string",
      triggerOnCreate: boolean
    }]
  }] // body
);
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
entities_templates_get_v1Mixin0
Retrieve rule templates by IDs.
get_rule_templates_by_id
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The template IDs to retrieve. |
| parameters | query | dictionary | Full query parameters payload as a dictionary, not required when using other keywords. |
Code Examples
Python (Service class):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_rule_templates_by_id(ids=id_list)
print(response)
```

Python (Operation ID):

```python
from falconpy import CorrelationRules

falcon = CorrelationRules(client_id=CLIENT_ID,
                          client_secret=CLIENT_SECRET
                          )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.entities_templates_get_v1Mixin0(ids=id_list)
print(response)
```

Python (Uber class):

```python
from falconpy import APIHarnessV2

falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("entities_templates_get_v1Mixin0", ids=id_list)
print(response)
```

PowerShell: Examples coming soon.

Go:

```go
package main

import (
	"context"
	"fmt"
	"os"

	"github.com/crowdstrike/gofalcon/falcon"
	"github.com/crowdstrike/gofalcon/falcon/client/correlation_rules"
)

func main() {
	client, err := falcon.NewClient(&falcon.ApiConfig{
		ClientId:     os.Getenv("FALCON_CLIENT_ID"),
		ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"),
		Context:      context.Background(),
	})
	if err != nil {
		panic(err)
	}

	response, err := client.CorrelationRules.EntitiesTemplatesGetV1Mixin0(
		&correlation_rules.EntitiesTemplatesGetV1Mixin0Params{
			Ids:     []string{"ID1", "ID2", "ID3"},
			Context: context.Background(),
		},
	)
	if err != nil {
		panic(falcon.ErrorExplain(err))
	}

	fmt.Printf("%+v\n", response.Payload)
}
```

TypeScript:

```typescript
import { FalconClient } from "crowdstrike-falcon";

const client = new FalconClient({
  cloud: process.env.FALCON_CLOUD!,
  clientId: process.env.FALCON_CLIENT_ID!,
  clientSecret: process.env.FALCON_CLIENT_SECRET!,
});

const response = await client.correlationRules.entitiesTemplatesGetV1Mixin0(["ID1", "ID2", "ID3"]); // ids
console.log(response);
```

Rust: Examples coming soon.

Ruby: Examples coming soon.
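The queries_* / entities_* pairs in this reference (query_rules_v2 with get_rules_v2, query_templates with get_rule_templates_by_id) all follow the same pattern: page through IDs with offset and limit, then resolve the IDs in batches. The helper below works that pattern through as an added example; it is not FalconPy code and not part of this reference. It assumes FalconPy's response dictionary shape (status_code, and a body carrying resources, errors and meta.pagination with offset, limit and total), and uses a constructed in-memory stand-in for the CorrelationRules service class so that it runs offline. The rule records, the toy status filter and the page and batch sizes are constructed for the demo and are not API limits.

```python
"""Page through a queries_* operation and resolve the returned IDs with the
matching entities_* operation, stopping on the first non-2xx response.

Added example, not FalconPy code. Assumed response shape:
{"status_code": int, "body": {"resources": [...], "errors": [...],
 "meta": {"pagination": {"offset": int, "limit": int, "total": int}}}}
"""
from typing import Any, Callable, Dict, Iterator, List


class FalconAPIError(RuntimeError):
    """Raised when an API call returns a non-2xx status code."""


def _body(response: Dict[str, Any], op: str) -> Dict[str, Any]:
    """Return the body of a successful response or raise with the API's errors."""
    status = response.get("status_code", 0)
    if not 200 <= status < 300:
        errors = response.get("body", {}).get("errors", [])
        raise FalconAPIError(f"{op} returned HTTP {status}: {errors}")
    return response.get("body", {})


def iter_ids(query_fn: Callable[..., Dict[str, Any]], *, filter: str = "",
             sort: str = "", page_size: int = 100) -> Iterator[str]:
    """Yield every ID a queries_* operation matches, following offset/limit paging."""
    offset = 0
    while True:
        params: Dict[str, Any] = {"offset": offset, "limit": page_size}
        if filter:
            params["filter"] = filter
        if sort:
            params["sort"] = sort
        body = _body(query_fn(**params), getattr(query_fn, "__name__", "query"))
        ids = body.get("resources") or []
        yield from ids
        total = body.get("meta", {}).get("pagination", {}).get("total", 0)
        offset += len(ids)
        if not ids or offset >= total:  # empty page or every result consumed
            return


def fetch_entities(query_fn: Callable[..., Dict[str, Any]],
                   fetch_fn: Callable[..., Dict[str, Any]], *,
                   filter: str = "", page_size: int = 100,
                   batch_size: int = 100) -> List[Dict[str, Any]]:
    """Resolve every matched ID into a full record, batch_size IDs per entities_* call."""
    ids = list(iter_ids(query_fn, filter=filter, page_size=page_size))
    records: List[Dict[str, Any]] = []
    for start in range(0, len(ids), batch_size):
        batch = ids[start:start + batch_size]
        records.extend(_body(fetch_fn(ids=batch), "fetch").get("resources") or [])
    return records


class FakeCorrelationRules:
    """Constructed stand-in for falconpy.CorrelationRules (offline demo only).
    Only query_rules_v2 and get_rules_v2 are modelled, with a toy filter that
    understands just status:'<value>'; the real API accepts full FQL."""

    def __init__(self, rules: List[Dict[str, Any]]):
        self._rules = {r["id"]: r for r in rules}

    def query_rules_v2(self, filter: str = "", q: str = "", sort: str = "",
                       offset: int = 0, limit: int = 100) -> Dict[str, Any]:
        matched = list(self._rules.values())
        if filter.startswith("status:"):
            wanted = filter.split(":", 1)[1].strip("'")
            matched = [r for r in matched if r["status"] == wanted]
        page = [r["id"] for r in matched][offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit, "total": len(matched)}}
        return {"status_code": 200, "body": {"resources": page, "meta": meta, "errors": []}}

    def get_rules_v2(self, ids) -> Dict[str, Any]:
        ids = ids.split(",") if isinstance(ids, str) else list(ids)
        unknown = [i for i in ids if i not in self._rules]
        if unknown:
            err = [{"code": 404, "message": f"unknown rule ids: {unknown}"}]
            return {"status_code": 404, "body": {"resources": [], "errors": err}}
        return {"status_code": 200,
                "body": {"resources": [self._rules[i] for i in ids], "errors": []}}


# Constructed sample data: seven rules, every third one disabled.
SAMPLE_RULES = [
    {"id": f"rule-{n:03d}", "name": f"Sample rule {n}",
     "status": "disabled" if n % 3 == 0 else "active", "severity": 50}
    for n in range(1, 8)
]


def active_rule_ids() -> List[str]:
    """Small page and batch sizes so the demo exercises both paging and batching."""
    client = FakeCorrelationRules(SAMPLE_RULES)
    rules = fetch_entities(client.query_rules_v2, client.get_rules_v2,
                           filter="status:'active'", page_size=2, batch_size=3)
    return [r["id"] for r in rules]


if __name__ == "__main__":
    print(active_rule_ids())
```

With a real CorrelationRules instance, pass `falcon.query_rules_v2` and `falcon.get_rules_v2` (or `falcon.search_rule_template_ids` and `falcon.get_rule_templates_by_id`) in place of the fake's methods; the helpers only rely on the offset, limit and ids keywords the operations share. FalconPy reports HTTP failures in status_code rather than by raising, so the explicit status check is what stops the loop instead of letting a failed page pass through as an empty result.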