Skip to content

Correlation Rules Admin

Jump to bottom
Joshua Hiller edited this page Mar 6, 2026 · 1 revision

CrowdStrike Falcon CrowdStrike Subreddit

Using the Correlation Rules Admin service collection

Uber class support Service class support Documentation Version Page Updated

Table of Contents

Operation ID Description
entities_rules_ownership_put_v1
PEP 8 change_correlation_rule_owner
Change the owner of an existing Correlation Rule

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

entities_rules_ownership_put_v1

Change the owner of an existing Correlation Rule

PEP8 method name

change_correlation_rule_owner

Endpoint

Method Route
PUT /correlation-rules/entities/rules/ownership/v1

Required Scope

correlation-rules-admin:write

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body Service Class Support Uber Class Support body dictionary Full body payload in JSON format. Not required if using other keywords.
api_client_id Service Class Support No Uber Class Support body string The API client ID.
id Service Class Support No Uber Class Support body string The rule ID.
user_id Service Class Support No Uber Class Support body string The user ID.
user_uuid Service Class Support No Uber Class Support body string The user UUID.

Usage

Service class example (PEP8 syntax)
from falconpy import CorrelationRulesAdmin

# Do not hardcode API credentials!
falcon = CorrelationRulesAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.change_correlation_rule_owner(api_client_id="string",
                                                id="string",
                                                user_id="string",
                                                user_uuid="string"
                                                )

print(response)
Service class example (Operation ID syntax)
from falconpy import CorrelationRulesAdmin

# Do not hardcode API credentials!
falcon = CorrelationRulesAdmin(client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET
                               )

response = falcon.entities_rules_ownership_put_v1(api_client_id="string",
                                                  id="string",
                                                  user_id="string",
                                                  user_uuid="string"
                                                  )

print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

body_payload = {
    "api_client_id": "string",
    "id": "string",
    "user_id": "string",
    "user_uuid": "string"
}

response = falcon.command("entities_rules_ownership_put_v1", body=body_payload)

print(response)

Back to Table of Contents

CrowdStrike Falcon

Clone this wiki locally