search

Detection Rules as Code

This repository contains tooling to manage CrowdStrike Correlation Rules as code, enabling version control and automated deployment of detection rules.

hashtag
Overview

The project provides a Python-based solution for managing CrowdStrike Correlation Detection Rules through code, supporting:

  • Synchronization between local rules and the API

  • Creation of new rules

  • Updates to existing rules

  • Deletion of rules

  • Version control through Git

hashtag
Prerequisites

  • Python 3.x

  • CrowdStrike API Credential for read & write permission on the Correlation Rules scope

  • Required Python packages: crowdstrike-falconpyarrow-up-right

    pip install crowdstrike-falconpy

hashtag
Setup

  • Clone the repository:

  • Set up environment variables:

hashtag
Usage

hashtag
Initial Sync

To perform initial synchronization with the API:

This will create/update rules/rules.json with the current state from the API.

hashtag
Creating New Rules

  1. Add a new rule to rules.json without an ID:

  1. Run the sync script to create the rule in the API.

hashtag
Updating Rules

  1. Modify the desired rule in rules.json

  2. Run the sync script to apply changes

hashtag
Deleting Rules

  1. Add "deleted": true to the rule in rules.json

  2. Run the sync script to delete the rule from the API

hashtag
File Structure

hashtag
GitHub Actions

This repository includes a GitHub Actions workflow that:

  • Runs on changes to rules.json

  • Validates and syncs rules with the API

hashtag
Required GitHub Secrets

  • FALCON_CLIENT_ID

  • FALCON_CLIENT_SECRET

  • FALCON_BASE_URL (optional)

  • LOG_LEVEL (optional)

Previouscorrelation_rulesNexttests

Last updated

Was this helpful?