correlation_rule
Create, update, and delete NG-SIEM correlation rules in the CrowdStrike Falcon platform. Supports idempotent operations that only make changes when necessary. Can optionally publish a rule version after create or update. The customer ID (CID) is automatically resolved from the authenticated API session.
Added in version 4.12.0
Parameters
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| comment | str | No | | A comment associated with the rule change. |
| description | str | No | | A description for the correlation rule. |
| name | str | No | | The name of the correlation rule. Required when creating a new rule and I(rule_id) is not provided. Used to look up an existing rule when I(rule_id) is not specified. |
| notifications | list | No | | List of notification configurations for the rule. |
| operation | str | No | | ISO 8601 datetime string for when the rule stops being active. |
| publish | bool | No | false | Whether to publish the rule version after a create or update operation. When C(true), the module will retrieve the latest rule version and publish it. |
| rule_id | str | No | | The ID of an existing correlation rule. Preferred for identifying existing rules during update or delete operations. If provided with I(state=present), the module will update the existing rule. If provided with I(state=absent), the module will delete the rule by ID. |
| search | str | No | | Trigger mode for the rule. |
| severity | int | No | | The severity level of the rule. Valid values: C(10) (informational), C(30) (low), C(50) (medium), C(70) (high), C(90) (critical). |
| state | str | No | present | The desired state of the correlation rule. C(present) ensures the rule exists with the specified configuration. C(absent) ensures the rule does not exist. |
| status | str | No | | The operational status of the rule. C(active) enables the rule. C(inactive) disables the rule without deleting it. |
| tactic | str | No | | The MITRE ATT&CK tactic associated with the rule. |
| technique | str | No | | The MITRE ATT&CK technique associated with the rule. |
| trigger_on_create | bool | No | false | Whether the rule triggers on creation. Only applicable when creating a new rule. |
Examples
```yaml
- name: Create a correlation rule
  crowdstrike.falcon.correlation_rule:
    name: "Detect suspicious logins"
    description: "Alert on multiple failed logins followed by success"
    severity: 50
    status: active
    search:
      filter: "#event_simpleName=UserLogon"
      lookback: "10m"
      outcome: "detection"
    operation:
      schedule:
        definition: "*/5 * * * *"

- name: Create a rule with MITRE ATT&CK mapping
  crowdstrike.falcon.correlation_rule:
    name: "Brute Force Detection"
    description: "Detects brute force login attempts"
    severity: 70
    status: active
    tactic: "Credential Access"
    technique: "Brute Force"
    search:
      filter: "#event_simpleName=UserLogon"
      lookback: "10m"
      outcome: "detection"
    operation:
      schedule:
        definition: "*/5 * * * *"

- name: Update an existing rule by name
  crowdstrike.falcon.correlation_rule:
    name: "Detect suspicious logins"
    description: "Updated description for suspicious login detection"
    severity: 70

- name: Update a rule by ID
  crowdstrike.falcon.correlation_rule:
    rule_id: "a1b2c3d4e5f6789012345678901234ab"
    status: inactive
    comment: "Disabling temporarily for maintenance"

- name: Delete a rule by name
  crowdstrike.falcon.correlation_rule:
    name: "Detect suspicious logins"
    state: absent

- name: Delete a rule by ID
  crowdstrike.falcon.correlation_rule:
    rule_id: "a1b2c3d4e5f6789012345678901234ab"
    state: absent

- name: Create and publish a rule
  crowdstrike.falcon.correlation_rule:
    name: "Lateral Movement Detection"
    description: "Detects potential lateral movement activity"
    severity: 70
    status: active
    tactic: "Lateral Movement"
    search:
      filter: "#event_simpleName=NetworkConnectIP4"
      lookback: "15m"
      outcome: "detection"
    operation:
      schedule:
        definition: "*/10 * * * *"
    publish: true
```

Return Values
| Key | Type | Description |
|---|---|---|
| correlation_rule | - | |
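The examples above show single tasks. The playbook below is an added example, not part of the module documentation or the collection, that exercises the full lifecycle the description promises: create a rule staged as C(inactive), re-run the same task to confirm the idempotent no-change behaviour, enable and publish it in a second step, and optionally remove it. It uses only the parameters documented in the table and the documented C(correlation_rule) return key. Assumptions: API credentials are configured outside this play through the collection's normal authentication options (not shown), the rule name and the C(cleanup_rule) variable are constructed for the example, and the internal structure of the C(correlation_rule) return value is not relied on beyond checking that it is present.

```yaml
# Added example: correlation rule lifecycle with idempotency checks.
# Not from the module documentation; credentials are assumed to be
# supplied through the collection's standard authentication mechanism.
- name: Manage a correlation rule end to end
  hosts: localhost
  gather_facts: false
  vars:
    cleanup_rule: false  # constructed flag: set true to remove the rule at the end
    # Desired rule definition, reused so create and re-run are byte-identical.
    rule_spec:
      name: "Example - failed logon burst"    # constructed rule name
      description: "Example rule managed by the lifecycle playbook"
      severity: 50
      status: inactive                          # stage disabled until reviewed
      tactic: "Credential Access"
      technique: "Brute Force"
      search:
        filter: "#event_simpleName=UserLogon"
        lookback: "10m"
        outcome: "detection"
      operation:
        schedule:
          definition: "*/5 * * * *"
  tasks:
    - name: Ensure the rule exists (first run is expected to report a change)
      crowdstrike.falcon.correlation_rule:
      args: "{{ rule_spec }}"
      register: create_result

    - name: Apply the identical definition again (idempotent: no change expected)
      crowdstrike.falcon.correlation_rule:
      args: "{{ rule_spec }}"
      register: rerun_result

    - name: Verify idempotent behaviour and that the rule was returned
      ansible.builtin.assert:
        that:
          - create_result is changed
          - rerun_result is not changed
          - create_result.correlation_rule is defined
        fail_msg: "Unexpected change reporting: {{ create_result.changed }} / {{ rerun_result.changed }}"

    - name: Show the rule as returned by the module
      ansible.builtin.debug:
        var: create_result.correlation_rule

    # Second step: once the staged rule has been reviewed, enable it and
    # publish the new version. Identification is by name, as documented.
    - name: Enable and publish the reviewed rule
      crowdstrike.falcon.correlation_rule:
        name: "{{ rule_spec.name }}"
        status: active
        publish: true
        comment: "Enabled after review"
      register: publish_result

    - name: Confirm the enable/publish step changed the rule
      ansible.builtin.assert:
        that:
          - publish_result is changed

    - name: Remove the example rule (only when cleanup_rule is true)
      crowdstrike.falcon.correlation_rule:
        name: "{{ rule_spec.name }}"
        state: absent
      when: cleanup_rule | bool
```

Keeping the full definition in a single C(rule_spec) variable is what makes the idempotency check meaningful: the second task sends exactly the same arguments, so any reported change would indicate drift between what the module compares and what the API returns. Staging new detections as C(inactive) and enabling them in a separate, commented task keeps a reviewable record of when a rule started generating detections.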