Description
Hello!
I'm utilizing an MSSP tenant to build a SOC in a Parent / Child architecture. I'm trying to use a FalconPy script to identify correlation rules in the parent tenant and then pass them down to a child tenant. CrowdStrike support informed me that I would need to create a script to accomplish this. I have written a script; however, it is getting a 401 error when trying to create the rule within the child. I have APIs set up in both the parent and child. I have also confirmed the Client Secret and Client ID are correct for both environments, and I have also ensured they have all read and write permissions for testing. I initially started with Falcon Console: Read, Write; Correlation Rules: Read, Write, but later expanded permissions. Attached below is a copy of my script as well as the output I'm receiving:
Initializing parent tenant...
Fetched 200 parent rules.
--- Syncing rules to [CHILD TENANT NAME HERE] (https://api.us-2.crowdstrike.com) ---
Created (401): [Parent] Microsoft - Entra ID - Service Principal Anomalous PowerShell Usage (Synced)
/Users/[USER]/Documents/ParentRuleExport.py:158: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
"Timestamp": datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S UTC")
Created (401): [Parent] Microsoft - Entra ID - Potential Brute Force Attack through Azure Powershell (Synced)
Created (401): [Parent] Mimecast - Email Security - DLP Policy Violation for Outbound Message (Synced)
Created (401): [Parent] Microsoft - M365 SharePoint - Downloaded Files Added to Removable Storage (Synced)
Created (401): [Parent] Microsoft - Entra ID - Impossible Travel (Synced)
Created (400): [Parent] Mimecast - Email Security - Spam Message Delivered (Synced)
Created (400): [Parent] Mimecast - Email Security - Spam Message Delivered (Synced)
Created (401): [Parent] Zscaler - ZIA - Firewall Filtering Rule Deleted (Synced)
Created (401): [Parent] Microsoft - M365 Exchange Online - Email Forwarding Inbox Rule (Synced)
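The output above prints "Created" for every rule even when the API returned 401 or 400, which hides the real failure. The following is an added example (not the reporter's script and not FalconPy project code) of a sync loop that inspects the FalconPy response dictionary (`status_code`, `headers`, `body`, with API errors under `body["errors"]`), treats an authentication failure as fatal for the whole run instead of continuing through 200 rules, records the error messages returned for 400s, and uses a timezone-aware timestamp in place of the deprecated `utcnow()`. The `create_rule` callable is injected so the loop runs offline; in a real run it would be the child-tenant client's create method. The sample parent rules and the fake responses are constructed for illustration; the rule field names (`name`, `search`, `severity`) are assumptions about the rule payload, not taken from the page.

```python
"""Sync correlation rules from a parent tenant to a child tenant with honest error handling.

Added example; assumes FalconPy-style responses: {"status_code": int, "headers": {...}, "body": {...}}.
"""
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List

# Constructed sample rules (not real parent-tenant data). Field names are assumptions.
SAMPLE_PARENT_RULES: List[Dict[str, Any]] = [
    {"name": "Microsoft - Entra ID - Impossible Travel", "search": "event_simpleName=UserLogon", "severity": 50},
    {"name": "Zscaler - ZIA - Firewall Filtering Rule Deleted", "search": "action=delete", "severity": 30},
    {"name": "Mimecast - Email Security - Spam Message Delivered", "search": "verdict=spam", "severity": 10},
]

SUCCESS_CODES = {200, 201}
AUTH_FAILURE_CODES = {401, 403}  # token or scope problem for this tenant; later calls will fail the same way


def utc_stamp() -> str:
    """Timezone-aware replacement for datetime.utcnow().strftime(...)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_child_rule(rule: Dict[str, Any]) -> Dict[str, Any]:
    """Copy only the fields the create call needs and tag the rule's provenance."""
    return {
        "name": f"[Parent] {rule['name']} (Synced)",
        "search": rule["search"],
        "severity": rule["severity"],
        "description": f"Synced from parent tenant at {utc_stamp()}",
    }


def errors_from(resp: Dict[str, Any]) -> List[str]:
    """Pull the human-readable error messages out of a FalconPy-style response body."""
    body = resp.get("body") or {}
    return [e.get("message", "") for e in body.get("errors", []) if isinstance(e, dict)]


def sync_rules(parent_rules: List[Dict[str, Any]],
               create_rule: Callable[..., Dict[str, Any]]) -> Dict[str, Any]:
    """Create each parent rule in the child tenant via create_rule(body=...).

    Returns a summary with created names, per-rule failures, and the first auth
    failure (if any). An auth failure aborts the run: retrying the remaining rules
    with the same credentials cannot succeed and only adds noise to the log.
    """
    summary: Dict[str, Any] = {"created": [], "failed": [], "auth_error": None}
    for rule in parent_rules:
        body = build_child_rule(rule)
        resp = create_rule(body=body)
        code = resp.get("status_code")
        if code in SUCCESS_CODES:
            summary["created"].append(body["name"])
        elif code in AUTH_FAILURE_CODES:
            summary["auth_error"] = {"status_code": code, "rule": body["name"], "errors": errors_from(resp)}
            break
        else:
            summary["failed"].append({"status_code": code, "rule": body["name"], "errors": errors_from(resp)})
    return summary


def describe(summary: Dict[str, Any]) -> str:
    """One-line status for the console instead of a misleading 'Created (401)'."""
    if summary["auth_error"]:
        ae = summary["auth_error"]
        return f"ABORTED: HTTP {ae['status_code']} on '{ae['rule']}' ({'; '.join(ae['errors']) or 'no message'})"
    return f"created={len(summary['created'])} failed={len(summary['failed'])}"


if __name__ == "__main__":
    # Fake child-tenant client for an offline dry run: rejects the third rule with a 400.
    def fake_create(body: Dict[str, Any]) -> Dict[str, Any]:
        if "Spam" in body["name"]:
            return {"status_code": 400, "headers": {}, "body": {"errors": [{"code": 400, "message": "duplicate name"}]}}
        return {"status_code": 201, "headers": {}, "body": {"resources": [{"id": "constructed-id"}]}}

    print(describe(sync_rules(SAMPLE_PARENT_RULES, fake_create)))
```

In a real run the `create_rule` argument would be the child-tenant client's create method; for an MSSP parent/child setup, FalconPy service classes accept a `member_cid` argument so that a parent-tenant credential acts on a specific child CID, and `base_url` selects the cloud (the output above shows `https://api.us-2.crowdstrike.com`). A 401 on every create while the parent reads succeed is the signature of a token that is not valid for the child scope, which is exactly the case the abort path is there to surface.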