correlation_rule_info
Returns detailed information for one or more NG-SIEM correlation rules. Some of the details returned include rule name, description, severity, status,
Added in version 4.12.0
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| filter | str | No | | FQL (Falcon Query Language) filter expression to limit results. Supported fields include `customer_id`, `user_id`, `user_uuid`, `status`, `name`. Examples: `name:'brute'`, `status:'enabled'`, `created_on:>='2024-01-01'`. Cannot be used together with `rule_ids`. |
| include_latest_version | bool | No | false | Whether to include the latest published version information for each rule. When enabled, adds a `latest_version` field to each rule with the latest published version details. This requires an additional API call per batch of rules. |
| limit | int | No | 100 | Maximum number of correlation rules to return. Must be between 1 and 500. |
| offset | int | No | 0 | Starting index for pagination. Use with `limit` to paginate through large result sets. |
| rule_ids | list | No | | A list of correlation rule IDs to get information about. If not provided, rules are returned based on the filter and pagination settings. Cannot be used together with `filter`. |
| sort | str | No | | Property to sort results by. Prefix with `-` for descending order. Examples: `name`, `-created_on`, `last_updated_on`. |
Examples
```yaml
- name: Get all correlation rules
  crowdstrike.falcon.correlation_rule_info:

- name: Get specific correlation rules by ID
  crowdstrike.falcon.correlation_rule_info:
    rule_ids:
      - "12345678901234567890abcdef123456"
      - "abcdef123456789012345678901234"

- name: Search rules by name pattern
  crowdstrike.falcon.correlation_rule_info:
    filter: "name:'*brute*'"
    limit: 50

- name: Filter rules by status
  crowdstrike.falcon.correlation_rule_info:
    filter: "status:'enabled'"
    sort: "-last_updated_on"

- name: Get rules with latest version info
  crowdstrike.falcon.correlation_rule_info:
    filter: "status:'enabled'"
    include_latest_version: true

# total_rules is not defined by this snippet; set it beforehand (for example
# from the count reported by an earlier call) or the loop range will fail.
- name: Paginate through all correlation rules
  crowdstrike.falcon.correlation_rule_info:
    limit: 100
    offset: "{{ page * 100 }}"
  loop: "{{ range(0, total_rules // 100 + 1) | list }}"
  loop_control:
    loop_var: page
```
Return Values
| Key | Type | Description |
|---|---|---|
| correlation_rules | - | |
| meta | M | |
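The snippets in the Examples section each show one parameter in isolation. The playbook below is an added example, not part of the collection's own documentation, that chains them into a rule audit: it pulls every enabled rule in one call, refuses to continue if the 500-rule ceiling was hit (so nothing is silently missed), checks that a constructed list of must-have rules is present and enabled, flags enabled rules not updated since a cut-off date, and re-reads the required rules by ID. It assumes the registered result exposes `correlation_rules` as a list of rule objects carrying the `name` and `last_updated_on` fields named on this page plus an `id` key (not documented here), and that `last_updated_on` is an ISO-8601 string so that plain string comparison orders dates correctly. The rule names and the cut-off date are constructed for the example.

```yaml
---
# Added example, not from the crowdstrike.falcon collection docs.
# Assumptions: correlation_rules is a list of dicts with name, id and
# last_updated_on; last_updated_on is ISO-8601 so string comparison sorts
# chronologically; the tenant has fewer than 500 enabled rules.
- name: Audit NG-SIEM correlation rules
  hosts: localhost
  gather_facts: false
  vars:
    # Constructed for this example: rules the detection team expects to be live.
    required_rules:
      - "Brute force - multiple failed logins"
      - "Impossible travel"
    # Constructed cut-off: enabled rules last touched before this date are reported.
    stale_before: "2024-01-01"
  tasks:
    - name: Fetch enabled rules, most recently updated first (one page, max size)
      crowdstrike.falcon.correlation_rule_info:
        filter: "status:'enabled'"
        sort: "-last_updated_on"
        limit: 500
      register: enabled

    - name: Refuse to audit a truncated result set (limit is capped at 500)
      ansible.builtin.assert:
        that:
          - enabled.correlation_rules | length < 500
        fail_msg: "500 rules returned; paginate with offset before trusting this audit."

    - name: Collect the names of enabled rules
      ansible.builtin.set_fact:
        enabled_names: "{{ enabled.correlation_rules | map(attribute='name') | list }}"

    - name: Fail when a required rule is missing or not enabled
      ansible.builtin.assert:
        that:
          - required_rules | difference(enabled_names) | length == 0
        fail_msg: "Not enabled: {{ required_rules | difference(enabled_names) }}"

    - name: Report enabled rules not updated since the cut-off
      ansible.builtin.debug:
        msg: >-
          Stale rules: {{ enabled.correlation_rules
          | selectattr('last_updated_on', '<', stale_before)
          | map(attribute='name') | list }}

    # The 'id' key is assumed here; confirm it against a debug of 'enabled'
    # before relying on this task.
    - name: Re-read the required rules by ID (rule_ids excludes filter)
      crowdstrike.falcon.correlation_rule_info:
        rule_ids: >-
          {{ enabled.correlation_rules
          | selectattr('name', 'in', required_rules)
          | map(attribute='id') | list }}
        include_latest_version: true
      register: required_by_id
```

Run it with `ansible-playbook` against localhost using the collection's usual Falcon API authentication. Before trusting the field names, add a `debug` of `enabled` once and adjust `name`, `id` and `last_updated_on` to whatever the module actually returns; the staleness check is a heuristic for finding neglected detections, not a statement that an old rule is wrong.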