Error 401 on MSSP / Child Tenant

[nlee-462]

Hello!

I'm utilizing an MSSP tenant to build a SOC in a Parent / Child architecture. I'm trying to use a Falconpy script to identify correlation rules in the parent tenant and then pass them down to a child tenant. Crowdstrike support informed that I would need to create a script to accomplish this. I have written a script, however it's getting an error 401 when trying to create the rule within the child. I have API's setup in both the parent and child. I have also confirmed the Client Secret and Client ID are correct for both environments and I have also ensured they have all read and write permissions for testing. I initially started with Falcon Console: Read, Write; Correlation Rules Read, Write. but later expanded permissions. Attached below is a copy of my script as well as the output I'm receiving:

Initializing parent tenant...
Fetched 200 parent rules.

--- Syncing rules to [CHILD TENANT NAME HERE] (https://api.us-2.crowdstrike.com) ---
Created (401): [Parent] Microsoft - Entra ID - Service Principal Anomalous PowerShell Usage (Synced)
/Users/[USER]/Documents/ParentRuleExport.py:158: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
"Timestamp": datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S UTC")
Created (401): [Parent] Microsoft - Entra ID - Potential Brute Force Attack through Azure Powershell (Synced)
Created (401): [Parent] Mimecast - Email Security - DLP Policy Violation for Outbound Message (Synced)
Created (401): [Parent] Microsoft - M365 SharePoint - Downloaded Files Added to Removable Storage (Synced)
Created (401): [Parent] Microsoft - Entra ID - Impossible Travel (Synced)
Created (400): [Parent] Mimecast - Email Security - Spam Message Delivered (Synced)
Created (400): [Parent] Mimecast - Email Security - Spam Message Delivered (Synced)
Created (401): [Parent] Zscaler - ZIA - Firewall Filtering Rule Deleted (Synced)
Created (401): [Parent] Microsoft - M365 Exchange Online - Email Forwarding Inbox Rule (Synced)

ParentRuleExportGithub.py

[crowdstrikedcs]

Hi @nlee-462 thanks for the question!

A 401 error will typically indicate that the client in use did not have the proper authorization to make the request.

From my experience with correlation rules, this is sometimes due to the new rule having the CID present from the old CID.

For example rule X from the parent CID has a column included in it for customer_id. If this is added to the child CID with the column unchanged for the target CID the operation is denied with a 401 error.

I would recommend you check the rule before you add it to the target CID by printing it and checking this value. Updating it as needed. If may be useful as well to print the response text in addition to the status_code.

As a a side note, the 'member_cid' parameter when provided to the OAuth2 service collection will let a clientid/secret pair perform actions in a child CID. This would allow you to perform operations from the parent API key without needing to create one in the child CID. Here is an example

Let us know how things go.

[nlee-462]

I was able to get pull a copy of the JSON of the rule payload itself:

 "lookback": "0h5m",
    "trigger_mode": "summary",
    "execution_mode": "scheduled"
},
"operation": {
    "schedule": {
        "definition": "@every 0h5m"
    },
    "start_on": "2025-12-09T21:45:00Z"
},
"api_client_id": "",
"user_uuid": "USER UUID HERE",
"user_id": "[email protected]",
"updated_by_api_client_id": "",
"updated_by_user_uuid": "USER UUID HERE",
"updated_by_user_id": "[email protected]",
"last_updated_on": "2025-12-09T21:22:53.993917Z",
"created_on": "2025-12-09T21:22:53.993917Z",
"status": "active",
"status_msg": "",
"template_id": "406926b6-baf5-4bc6-af8e-2bee884c3cd2",
"rule_id": "05d0bb0df66041e7b566b7dcd99b13e2",
"executor_rule_id": "05d0bb0df66041e7b566b7dcd99b13e2",
"state": "published",
"version": 1,
"next_execution_on": "2026-01-06T20:35:00Z",
"last_execution": {
    "status_display": "Running...",
    "result_metadata": {
        "execution_start": "2026-01-06T20:31:45Z",
        "search_window_end": "2026-01-06T18:50:00Z",
        "result_count": 0,
        "execution_duration": 0,
        "use_ingest_time": false
    }
},
"notifications": [
    {
        "type": "email",
        "config": {
            "recipients": [
                "[email protected]"
            ],
            "plugin_id": "",
            "config_id": "",
            "cid": "PARENT CID HERE",
            "severity": ""
        },
        "options": {
            "attach_report": "false",
            "send_on_failure": "always",
            "send_on_success": "never"
        }
    }
]

}

I then had my script try both:
A. Removing the parent cid entirely so the child could it's own cid automatically once the new rule is created
B. Explicitly specifying in the script to remove the parent cid listed and then add the cid of the child tenant.

Both of these approaches are still giving me the 401 error:
401 Unauthorized — refreshing token and retrying (1/3)...
401 Unauthorized — refreshing token and retrying (2/3)...
401 Unauthorized — refreshing token and retrying (3/3)...
Error: Failed after 3 retries.: [Parent] Microsoft - Entra ID - Potential Brute Force Attack through Azure Powershell (Synced)
401 Unauthorized — refreshing token and retrying (1/3)...
401 Unauthorized — refreshing token and retrying (2/3)...
401 Unauthorized — refreshing token and retrying (3/3)...
Error: Failed after 3 retries.: [Parent] Mimecast - Email Security - DLP Policy Violation for Outbound Message (Synced)
401 Unauthorized — refreshing token and retrying (1/3)...
401 Unauthorized — refreshing token and retrying (2/3)...
401 Unauthorized — refreshing token and retrying (3/3)...
Error: Failed after 3 retries.: [Parent] Microsoft - M365 SharePoint - Downloaded Files Added to Removable Storage (Synced)

[crowdstrikedcs]

Was there any detail in the response.text when getting the 401 back?

[nlee-462]

I didn't see anything more than what I sent over. Here's a new copy of the script. I essentially had it:

1. Locate and Parse the JSON from the parent
2. identify "cid" and replace it with the child CID
3. Create the rule within the child tenant.

That's when I ran it and received the errors above. I CTRL+C cancelled out of it after the first several 401 errors, I didn't let it run through 200 it identified in the parent before cancelling.
ParentRuleExportGithub2.py

[nlee-462]

If it helps, I can give you the ticket number with Crowdstrike support. If you comment on the internal support ticket, I can give you the script with all of the info between the client and parent to test on your end.

[crowdstrikedcs]

I would think the support team would be better to assist with this one, they should be able to see the reason for the 401 errors.