
Overview

Sensor Update policies control which version of the Falcon sensor is deployed to endpoints and when updates occur. These policies allow you to manage sensor versions across your environment, ensuring controlled rollouts and maintenance windows.
Required API Scope: Sensor update policies: Read (for read operations) or Sensor update policies: Write (for write operations)

Get Sensor Update Policies

Search for and retrieve Sensor Update policies.
Get-FalconSensorUpdatePolicy
Get-FalconSensorUpdatePolicy [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Include] <string[]>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string[]
Policy identifier(s). Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language (FQL) expression to limit results. Example: platform_name:'Windows'+enabled:true
Sort
string
Property and direction to sort results. Valid values: created_by.asc, created_by.desc, created_timestamp.asc, created_timestamp.desc, enabled.asc, enabled.desc, modified_by.asc, modified_by.desc, modified_timestamp.asc, modified_timestamp.desc, name.asc, name.desc, platform_name.asc, platform_name.desc, precedence.asc, precedence.desc
Limit
int32
Maximum number of results per request (1-5000)
Include
string[]
Include additional properties. Valid values: members
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Examples

Get-FalconSensorUpdatePolicy -All -Detailed

Create Sensor Update Policy

Create new Sensor Update policies.
New-FalconSensorUpdatePolicy
New-FalconSensorUpdatePolicy -Name <string> -PlatformName <string> [[-Description] <string>] [[-Setting] <object>]

Parameters

Name
string
required
Policy name
PlatformName
string
required
Operating system platform. Valid values: Windows, Mac, Linux
Description
string
Policy description
Setting
object
Policy settings controlling sensor version and update schedule. Common properties:
  • build: Sensor build version to deploy
  • scheduler: Update scheduling configuration (enabled, timezone, start/end times)
  • uninstall_protection: Enable/disable uninstall protection
InputObject
object[]
One or more policies to create in a single request (for batch operations, max 100 per request)

Examples

$Settings = @{
    build = '15507|n-1'
    uninstall_protection = 'ENABLED'
}
New-FalconSensorUpdatePolicy -Name 'Windows Production' -PlatformName 'Windows' -Description 'N-1 build for production' -Setting $Settings
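
To check existing policies against the uninstall_protection setting described above, the following added example (not part of PSFalcon or the original page) lists every policy where it is not ENABLED. It assumes detailed policy objects carry a settings property with build and uninstall_protection, plus the name, platform_name, enabled and precedence fields accepted by -Sort; the function name, the sample objects and the 'DISABLED' value are constructed.

```powershell
# Added example (not PSFalcon code): list policies whose uninstall protection
# is anything other than ENABLED, so they can be reviewed or corrected.
function Get-UnprotectedSensorUpdatePolicy {   # hypothetical helper name
    param(
        # Detailed policy objects; queried from the API when not supplied
        [object[]]$Policy = @(Get-FalconSensorUpdatePolicy -All -Detailed)
    )
    $Policy |
        # Assumption: settings.uninstall_protection mirrors the -Setting property
        Where-Object { $_.settings.uninstall_protection -ne 'ENABLED' } |
        Sort-Object platform_name, precedence |
        Select-Object platform_name, precedence, name, enabled,
            @{ Name = 'build'; Expression = { $_.settings.build } },
            @{ Name = 'uninstall_protection'; Expression = { $_.settings.uninstall_protection } }
}

# Constructed sample objects (not real policies) to exercise the function offline
$Sample = @(
    [pscustomobject]@{
        name = 'Windows Production'; platform_name = 'Windows'; enabled = $true; precedence = 1
        settings = [pscustomobject]@{ build = '15507|n-1'; uninstall_protection = 'ENABLED' }
    }
    [pscustomobject]@{
        name = 'Windows Lab'; platform_name = 'Windows'; enabled = $true; precedence = 2
        settings = [pscustomobject]@{ build = '15508'; uninstall_protection = 'DISABLED' }
    }
)
Get-UnprotectedSensorUpdatePolicy -Policy $Sample | Format-Table -AutoSize
```

Calling the function without -Policy runs the same check against the live tenant and needs the Sensor update policies: Read scope.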

Edit Sensor Update Policy

Modify existing Sensor Update policies.
Edit-FalconSensorUpdatePolicy
Edit-FalconSensorUpdatePolicy -Id <string> [[-Name] <string>] [[-Description] <string>] [[-Setting] <object>]

Parameters

Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Name
string
Policy name
Description
string
Policy description
Setting
object
Policy settings to update
InputObject
object[]
One or more policies to modify in a single request (for batch operations, max 100 per request)

Examples

$UpdatedSettings = @{ build = '15508' }
Edit-FalconSensorUpdatePolicy -Id <policy_id> -Setting $UpdatedSettings

Remove Sensor Update Policy

Remove Sensor Update policies.
Remove-FalconSensorUpdatePolicy
Remove-FalconSensorUpdatePolicy -Id <string[]>

Parameters

Id
string[]
required
Policy identifier(s) to remove. Pattern: ^[a-fA-F0-9]{32}$

Example

Remove-FalconSensorUpdatePolicy -Id <policy_id>

Policy Actions

Perform actions on Sensor Update policies such as enabling/disabling or assigning to host groups.
Invoke-FalconSensorUpdatePolicyAction
Invoke-FalconSensorUpdatePolicyAction -Name <string> [[-GroupId] <string>] -Id <string>

Parameters

Name
string
required
Action to perform. Valid values: add-host-group, disable, enable, remove-host-group
GroupId
string
Host group identifier. Pattern: ^[a-fA-F0-9]{32}$
Required for: add-host-group, remove-host-group
Id
string
required
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$

Examples

Invoke-FalconSensorUpdatePolicyAction -Name enable -Id <policy_id>

Get Policy Members

Search for members (hosts) assigned to Sensor Update policies.
Get-FalconSensorUpdatePolicyMember
Get-FalconSensorUpdatePolicyMember [[-Id] <string>] [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Offset] <int>] [-Detailed] [-All] [-Total]

Parameters

Id
string
Policy identifier. Pattern: ^[a-fA-F0-9]{32}$
Filter
string
Falcon Query Language expression to limit results
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-5000)
Offset
int32
Position to begin retrieving results
Detailed
switch
Retrieve detailed information
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Example

Get-FalconSensorUpdatePolicyMember -Id <policy_id> -Detailed -All

Set Policy Precedence

Set Sensor Update policy precedence order for a specific platform.
Set-FalconSensorUpdatePrecedence
Set-FalconSensorUpdatePrecedence -PlatformName <string> -Id <string[]>

Parameters

PlatformName
string
required
Operating system platform. Valid values: Windows, Mac, Linux
Id
string[]
required
Policy identifiers in desired precedence order (highest to lowest priority). Pattern: ^[a-fA-F0-9]{32}$
All policy identifiers must be supplied in order, with the exception of the platform_default policy.

Example

$PolicyOrder = @('<policy_id_1>', '<policy_id_2>', '<policy_id_3>')
Set-FalconSensorUpdatePrecedence -PlatformName 'Windows' -Id $PolicyOrder
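
Because every non-default policy identifier has to be supplied, a partial list is an easy mistake when only one policy needs to move. The following added example (not part of PSFalcon or the original page) builds the full list from the current state and promotes one policy to the top. It assumes the default policy is the one named platform_default and that a lower precedence number means higher priority; the function name is hypothetical and <policy_id> is a placeholder.

```powershell
# Added example (not PSFalcon code): compute a complete precedence list with
# one policy moved to the top, leaving the relative order of the rest intact.
function Get-PromotedPrecedenceOrder {   # hypothetical helper name
    param(
        # Detailed policy objects for ONE platform
        [Parameter(Mandatory)]
        [object[]]$Policy,

        # Identifier of the policy to move to highest priority
        [Parameter(Mandatory)]
        [ValidatePattern('^[a-fA-F0-9]{32}$')]
        [string]$PromoteId
    )
    # Assumption: the default policy is named 'platform_default' and must be left out
    $Ordered = @($Policy | Where-Object name -ne 'platform_default' | Sort-Object precedence)

    # Refuse to build a list around an ID that is not in the current set
    if ($Ordered.id -notcontains $PromoteId) {
        throw "Policy $PromoteId is not a non-default policy in the supplied set."
    }

    # Promoted policy first, then every other policy in its existing order
    @($PromoteId) + @($Ordered.id | Where-Object { $_ -ne $PromoteId })
}

$Platform  = 'Windows'
$PromoteId = '<policy_id>'   # placeholder: replace with a real 32-character policy ID

# Read the current state, derive the new order, then apply it in one request
$Current  = Get-FalconSensorUpdatePolicy -Filter "platform_name:'$Platform'" -All -Detailed
$NewOrder = Get-PromotedPrecedenceOrder -Policy $Current -PromoteId $PromoteId
Set-FalconSensorUpdatePrecedence -PlatformName $Platform -Id $NewOrder
```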

Get Available Sensor Builds

Retrieve available Falcon Sensor builds for assignment in policies.
Get-FalconBuild
Get-FalconBuild [[-Platform] <string>] [[-Stage] <string[]>]

Parameters

Platform
string
Operating system platform. Valid values: linux, mac, windows (case-sensitive)
Stage
string[]
Sensor release stage. Valid values: early_adopter, prod

Examples

Get-FalconBuild

Get Kernel Compatibility

Search for Falcon kernel compatibility information for Sensor builds (Linux).
Get-FalconKernel
Get-FalconKernel [[-Field] <string>] [[-Filter] <string>] [[-Sort] <string>] [[-Limit] <int>] [[-Offset] <int>] [-All] [-Total]

Parameters

Field
string
Return values for a specific field. Valid values: architecture, base_package_supported_sensor_versions, distro, distro_version, flavor, release, vendor, version, ztl_supported_sensor_versions
Filter
string
Falcon Query Language expression to limit results
Sort
string
Property and direction to sort results
Limit
int32
Maximum number of results per request (1-500)
Offset
int32
Position to begin retrieving results
All
switch
Repeat requests until all available results are retrieved
Total
switch
Display total result count instead of results

Example

Get-FalconKernel -Filter "distro:'Ubuntu'" -All

Get Uninstall Token

Retrieve an uninstallation or maintenance token for a host.
Get-FalconUninstallToken
Get-FalconUninstallToken [[-AuditMessage] <string>] [[-Include] <string[]>] -Id <string>

Parameters

AuditMessage
string
Audit log comment for token retrieval
Include
string[]
Include additional host properties. Valid values: agent_version, cid, external_ip, first_seen, hostname, last_seen, local_ip, mac_address, os_build, os_version, platform_name, product_type, product_type_desc, serial_number, system_manufacturer, system_product_name, tags
Id
string
required
Host identifier or MAINTENANCE for maintenance token. Pattern: ^([a-fA-F0-9]{32}|MAINTENANCE)$

Examples

Get-FalconUninstallToken -Id <device_id> -AuditMessage 'Decommissioning server'

Uninstall tokens allow removal of the Falcon sensor. Store and use them securely. Maintenance tokens provide temporary uninstall protection bypass.
