Skip to main content
SensorGroupingTags are locally stored tags on the Falcon sensor that persist across sensor reinstalls and are synchronized with the cloud. These cmdlets use Real-time Response to manage tags via scripts executed on the host.For cloud-managed FalconGroupingTags, see Devices.

Get-FalconSensorTag

Display SensorGroupingTags assigned to hosts. 
Get-FalconSensorTag -Id <String[]>
Id
string[]
required
Host identifier(s) to retrieve sensor tags fromAliases: ids, device_id, host_ids, aid
Required Permission: Hosts: Read

Examples

# Get sensor tags for a single host
Get-FalconSensorTag -Id "abc123def456..."

# Get sensor tags for multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Get-FalconSensorTag -Id $HostIds

Output

Returns objects with the following properties:
  • cid - Customer ID
  • device_id - Host identifier
  • tags - Comma-separated list of SensorGroupingTags (without the SensorGroupingTags/ prefix)

Add-FalconSensorTag

Add SensorGroupingTags to hosts using Real-time Response. 
Add-FalconSensorTag -Tag <String[]> [-QueueOffline <Boolean>] -Id <String[]>
Tag
string[]
required
SensorGroupingTag value(s) to addTags will be appended to any existing tags. Use Set-FalconSensorTag to overwrite existing tags.Valid characters: Letters, numbers, hyphens, underscores, forward slashes
Note: The SensorGroupingTags/ prefix is automatically handledAliases: Tags
QueueOffline
boolean
Add command request to the offline queue if the host is not onlineDefault: $false
Id
string[]
required
Host identifier(s) to add tags toAliases: ids, device_id, host_ids, aid
Required Permissions: Hosts: Read, Sensor update policies: Write, Real time response: Read, Real time response (admin): Write

Examples

# Add a single tag to a host
Add-FalconSensorTag -Tag "Production" -Id "abc123def456..."

# Add multiple tags to a host
Add-FalconSensorTag -Tag "Production","WebServer" -Id "abc123def456..."

# Add tags to multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Add-FalconSensorTag -Tag "Database" -Id $HostIds

Return Values

Returns an object with the following properties:
  • cid - Customer ID
  • device_id - Host identifier
  • tags - Updated comma-separated list of tags
  • offline_queued - Boolean indicating if command was queued
  • session_id - RTR session identifier
  • cloud_request_id - Request identifier
  • status - Operation status (TAG_ADDED, TAG_NOT_ADDED, PENDING_QUEUE, HOST_OFFLINE_AND_NOT_QUEUED, etc.)
This cmdlet uses Real-time Response to execute scripts on the host. The operation requires an active RTR session or the ability to queue commands for offline hosts.

Remove-FalconSensorTag

Remove SensorGroupingTags from hosts using Real-time Response. 
Remove-FalconSensorTag [[-Tag] <String[]>] [-QueueOffline <Boolean>] -Id <String[]>
Tag
string[]
SensorGroupingTag value(s) to removeWhen provided, only specified tags are removed and others remain. If no tags are provided, all existing tags will be removed.Valid characters: Letters, numbers, hyphens, underscores, forward slashes
Note: The SensorGroupingTags/ prefix is automatically handledAliases: Tags
QueueOffline
boolean
Add command request to the offline queue if the host is not onlineDefault: $false
Id
string[]
required
Host identifier(s) to remove tags fromAliases: ids, device_id, host_ids, aid
Required Permissions: Hosts: Read, Sensor update policies: Write, Real time response: Read, Real time response (admin): Write

Examples

# Remove a single tag from a host
Remove-FalconSensorTag -Tag "Production" -Id "abc123def456..."

# Remove multiple tags from a host
Remove-FalconSensorTag -Tag "Production","WebServer" -Id "abc123def456..."

# Remove tags from multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Remove-FalconSensorTag -Tag "Decommissioned" -Id $HostIds

Return Values

Returns an object with the following properties:
  • cid - Customer ID
  • device_id - Host identifier
  • tags - Updated comma-separated list of remaining tags
  • offline_queued - Boolean indicating if command was queued
  • session_id - RTR session identifier
  • cloud_request_id - Request identifier
  • status - Operation status (TAG_REMOVED, TAG_NOT_REMOVED, NO_TAG_SET, TAG_NOT_PRESENT, etc.)
Calling Remove-FalconSensorTag without specifying any tags will remove all SensorGroupingTags from the host.

Set-FalconSensorTag

Set SensorGroupingTags on hosts using Real-time Response (overwrites existing tags). 
Set-FalconSensorTag -Tag <String[]> [-QueueOffline <Boolean>] -Id <String[]>
Tag
string[]
required
SensorGroupingTag value(s) to setProvided tags will overwrite any existing tags. To append to existing tags, use Add-FalconSensorTag.Valid characters: Letters, numbers, hyphens, underscores, forward slashes
Note: The SensorGroupingTags/ prefix is automatically handledAliases: Tags
QueueOffline
boolean
Add command request to the offline queue if the host is not onlineDefault: $false
Id
string[]
required
Host identifier(s) to set tags onAliases: ids, device_id, host_ids, aid
Required Permissions: Hosts: Read, Sensor update policies: Write, Real time response: Read, Real time response (admin): Write

Examples

# Set a single tag (removes any existing tags)
Set-FalconSensorTag -Tag "Production" -Id "abc123def456..."

# Set multiple tags
Set-FalconSensorTag -Tag "Production","WebServer","Critical" -Id "abc123def456..."

# Set tags on multiple hosts
$HostIds = @("abc123def456...","def456ghi789...")
Set-FalconSensorTag -Tag "Database" -Id $HostIds

Return Values

Returns an object with the following properties:
  • cid - Customer ID
  • device_id - Host identifier
  • tags - New comma-separated list of tags
  • offline_queued - Boolean indicating if command was queued
  • session_id - RTR session identifier
  • cloud_request_id - Request identifier
  • status - Operation status (TAG_SET, TAG_NOT_SET, PENDING_QUEUE, HOST_OFFLINE_AND_NOT_QUEUED, etc.)
Set-FalconSensorTag overwrites all existing tags on the host. Use Add-FalconSensorTag to preserve existing tags.

Uninstall-FalconSensor

Uninstall the Falcon sensor from a host using Real-time Response. 
Uninstall-FalconSensor [-QueueOffline <Boolean>] [-Include <String[]>] -Id <String>
QueueOffline
boolean
Add command request to the offline queue if the host is not onlineDefault: $false
Include
string[]
Include additional host properties in the responseValid values: agent_version, cid, external_ip, first_seen, hostname, last_seen, local_ip, mac_address, os_build, os_version, platform_name, product_type, product_type_desc, serial_number, system_manufacturer, system_product_name, tags
Id
string
required
Host identifier to uninstall sensor from (single host per request)Aliases: HostId, device_id, host_ids, aid
Required Permissions: Hosts: Read, Sensor update policies: Write, Real time response: Read, Real time response (admin): Write

Examples

# Uninstall sensor from a host
Uninstall-FalconSensor -Id "abc123def456..."

# Uninstall and include additional properties
Uninstall-FalconSensor -Id "abc123def456..." -Include hostname,os_version,tags

Return Values

Returns an object with the following properties:
  • cid - Customer ID
  • device_id - Host identifier
  • status - Uninstall status message
  • Additional properties based on Include parameter
This operation permanently uninstalls the Falcon sensor from the host. The sensor will stop protecting the endpoint and reporting to the console. Only Windows and Linux hosts are currently supported.
The uninstall operation automatically retrieves the maintenance token if uninstall protection is enabled. For hosts in maintenance mode, the operation uses the maintenance token. The operation is executed via Real-time Response scripts specific to the host’s operating system.

Tag Type Comparison

PSFalcon supports two types of host tags:
FeatureFalconGroupingTagsSensorGroupingTags
ManagementCloud API-basedReal-time Response scripts
StorageCloud-basedLocal on sensor
CmdletsAdd-FalconGroupingTag
Remove-FalconGroupingTag		Add-FalconSensorTag
Remove-FalconSensorTag
Set-FalconSensorTag
Get-FalconSensorTag
PermissionsHosts: WriteHosts: Read
Sensor update policies: Write
RTR: Read
RTR (Admin): Write
Use CasesQuick tagging
Cloud-managed		Persistent tagging
Survives reinstalls
RequirementsAPI accessActive RTR session or offline queue
Use FalconGroupingTags for quick, cloud-managed tagging. Use SensorGroupingTags when you need tags to persist locally on the sensor and survive reinstalls.

Build docs developers (and LLMs) love

Get started for freeTalk to us