Skip to main content

Get-FalconHost

Search for hosts in your environment. 
Get-FalconHost [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [[-Field] <String[]>] [[-Offset] <String>] [-Hidden] [-Detailed] [-All] [-Total]
Get-FalconHost -Id <String[]> [-Login] [-Network] [-State] [-Include <String[]>]
Id
string[]
Host identifier(s) to retrieve specific device detailsAliases: ids, device_id, host_ids, aid
Filter
string
Falcon Query Language (FQL) expression to limit resultsExample: hostname:'*DESKTOP*'+platform_name:'Windows'
Sort
string
Property and direction to sort resultsValid values: device_id.asc, device_id.desc, hostname.asc, hostname.desc, first_seen.asc, first_seen.desc, last_seen.asc, last_seen.desc, platform_name.asc, platform_name.desc, and more
Limit
int32
Maximum number of results per request (1-10000, default: 100)
Include
string[]
Include additional properties in the responseValid values: content_state, group_names, login_history, network_history, online_state, policy_names, zero_trust_assessment
Offset
string
Position to begin retrieving results (pagination token)
Field
string[]
Specific host properties to include in the response (when using -Detailed)
Hidden
switch
Restrict search to ‘hidden’ hosts
Login
switch
Retrieve user login history for specified hosts
Network
switch
Retrieve network address history for specified hosts
State
switch
Retrieve online status for specified hosts
Detailed
switch
Retrieve detailed information for hosts
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results
Required Permission: Hosts: Read (plus related permissions for specific Include selections)

Examples

# Get all Windows hosts
Get-FalconHost -Filter "platform_name:'Windows'" -All

# Get detailed information for all hosts
Get-FalconHost -Detailed -All

# Get hosts with additional properties
Get-FalconHost -Include group_names,policy_names -All

Invoke-FalconHostAction

Perform containment and visibility actions on hosts. 
Invoke-FalconHostAction -Name <String> [-Include <String[]>] -Id <String[]>
Name
string
required
Action to perform on the host(s)Valid values:
  • contain - Network contain the host
  • lift_containment - Release network containment
  • hide_host - Hide host from console
  • unhide_host - Unhide host in console
  • detection_suppress - Suppress detections on host
  • detection_unsuppress - Unsuppress detections on host
  • lift_filesystem_containment_all - Release filesystem containment
Aliases: action_name
Include
string[]
Include additional host properties in the responseValid values: agent_version, cid, external_ip, filesystem_containment_status, first_seen, host_hidden_status, hostname, last_seen, local_ip, mac_address, os_build, os_version, platform_name, product_type, product_type_desc, reduced_functionality_mode, serial_number, system_manufacturer, system_product_name, tags
Id
string[]
required
Host identifier(s) to perform the action onAliases: ids, device_id
Required Permission: Hosts: Write (plus related permissions for specific Include selections)

Examples

# Network contain a host
Invoke-FalconHostAction -Name contain -Id "abc123def456..."

# Lift network containment
Invoke-FalconHostAction -Name lift_containment -Id "abc123def456..."

# Contain multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Invoke-FalconHostAction -Name contain -Id $HostIds

Add-FalconGroupingTag

Add FalconGroupingTags to hosts. 
Add-FalconGroupingTag -Tag <String[]> -Id <String[]>
Tag
string[]
required
FalconGroupingTag value(s) to add (must start with FalconGroupingTags/)Pattern: FalconGroupingTags/<string>
Valid characters: Letters, numbers, hyphens, underscores, forward slashesAliases: Tags
Id
string[]
required
Host identifier(s) to tagAliases: device_ids, device_id, ids
Required Permission: Hosts: Write

Examples

# Add a single tag to a host
Add-FalconGroupingTag -Tag "FalconGroupingTags/Production" -Id "abc123def456..."

# Add multiple tags to a host
Add-FalconGroupingTag -Tag "FalconGroupingTags/Production","FalconGroupingTags/WebServer" -Id "abc123def456..."

# Add tags to multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Add-FalconGroupingTag -Tag "FalconGroupingTags/Database" -Id $HostIds
FalconGroupingTags are visible tags that can be used for grouping and filtering hosts. They persist across sensor reinstalls and are visible in the Falcon console.

Remove-FalconGroupingTag

Remove FalconGroupingTags from hosts. 
Remove-FalconGroupingTag -Tag <String[]> -Id <String[]>
Tag
string[]
required
FalconGroupingTag value(s) to remove (must start with FalconGroupingTags/)Pattern: FalconGroupingTags/<string>
Valid characters: Letters, numbers, hyphens, underscores, forward slashesAliases: Tags
Id
string[]
required
Host identifier(s) to remove tags fromAliases: device_ids, device_id, ids
Required Permission: Hosts: Write

Examples

# Remove a tag from a host
Remove-FalconGroupingTag -Tag "FalconGroupingTags/Production" -Id "abc123def456..."

# Remove multiple tags from a host
Remove-FalconGroupingTag -Tag "FalconGroupingTags/Production","FalconGroupingTags/WebServer" -Id "abc123def456..."

# Remove tag from multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Remove-FalconGroupingTag -Tag "FalconGroupingTags/Decommissioned" -Id $HostIds

Build docs developers (and LLMs) love

Get started for freeTalk to us