
Hosts

The Hosts service collection provides operations for managing and investigating endpoints across your CrowdStrike Falcon environment. Search for devices using FQL formatted filters. Retrieve detailed host information, check online status, and review login and network address history. Take action on hosts by containing compromised endpoints, suppressing detections, or hiding and restoring devices. Manage Falcon Grouping Tags to organize your fleet.

| Language | Last Update |
|---|---|
| Python | v1.6.1 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |

| Operation | PEP 8 method | Description |
|---|---|---|
| CombinedDevicesByFilter | query_devices_by_filter_combined | Search for hosts. Returns full device records. |
| CombinedHiddenDevicesByFilter | query_hidden_devices_combined | Search for hidden hosts. Returns full device records. |
| entities_perform_action | perform_group_action | Perform actions on prevention policy IDs. |
| GetDeviceDetails | get_device_details | Get details on one or more hosts by AID. (redirect recommended) |
| GetDeviceDetailsV1 | get_device_details_v1 | Get details on one or more hosts by AID. (deprecated) |
| GetDeviceDetailsV2 | get_device_details_v2 | Get details on one or more hosts by AID. |
| GetOnlineState_V1 | get_online_state | Get online status for one or more hosts. |
| PerformActionV2 | perform_action | Contain, lift containment, delete, or restore a host. |
| PostDeviceDetailsV2 | post_device_details_v2 | Get details on one or more hosts by AID. |
| QueryDeviceLoginHistory | query_device_login_history_v1 | Retrieve recent login sessions (v1). |
| QueryDeviceLoginHistoryV2 | query_device_login_history_v2 | Retrieve recent login sessions for devices. |
| QueryDevicesByFilter | query_devices_by_filter | Search for hosts by platform, hostname, IP, and other criteria. |
| QueryDevicesByFilterScroll | query_devices_by_filter_scroll | Search for hosts with continuous pagination. |
| QueryGetNetworkAddressHistoryV1 | query_network_address_history | Retrieve IP and MAC address history. |
| QueryHiddenDevices | query_hidden_devices | Retrieve hidden hosts matching filter criteria. |
| UpdateDeviceTags | update_device_tags | Append or remove Falcon Grouping Tags. |

Search for hosts in your environment by platform, hostname, IP, and other criteria. Returns full device records.

GET /devices/combined/devices/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_devices_by_filter_combined

| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | The filter expression that should be used to limit the results. |
| fields | query | string | The fields to return, comma delimited. |
| limit | query | integer | The maximum records to return. [1-10000] |
| offset | query | string | The offset to page from, provided from the previous call as the “next” value. |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_devices_by_filter_combined(filter="string",
                                                   limit=integer,
                                                   offset="string",
                                                   sort="string")
print(response)
```

Search for hidden hosts in your environment by platform, hostname, IP, and other criteria. Returns full device records.

GET /devices/combined/devices-hidden/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_hidden_devices_combined

| Name | Type | Data type | Description |
|---|---|---|---|
| limit | query | integer | The maximum records to return. [1-10000] |
| filter | query | string | The filter expression that should be used to limit the results. |
| fields | query | string | The fields to return, comma delimited. |
| offset | query | string | The offset to page from, provided from the previous call as the “next” value. |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_hidden_devices_combined(filter="string",
                                                fields="string",
                                                limit=integer,
                                                offset="string",
                                                sort="string")
print(response)
```

Not available in the PowerShell SDK.

Performs the specified action on the provided prevention policy IDs.

POST /devices/entities/group-actions/v1
Scope Hosts: WRITE Consumes · Produces application/json
PEP 8 perform_group_action

| Name | Type | Data type | Description |
|---|---|---|---|
| action_name | query | string | Action to perform: add_group_member, remove_all, remove_group_member |
| action_parameters | query | dictionary | Dictionary containing the name and value for the action parameter. |
| body | body | dictionary | Full body payload in JSON format. |
| disablehostnamecheck | query | boolean | Flag to skip hostname check when using add_group_member. |
| ids | body | string or list of strings | Group ID(s) to perform action against. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

action_parameters = [
    {
        "name": "string",
        "value": "string"
    }
]

response = falcon.perform_group_action(action_name="string",
                                       action_parameters=action_parameters,
                                       disable_hostname_check=boolean,
                                       ids=id_list)
print(response)
```

This operation is available in the Python SDK only.

Get details on one or more hosts by providing agent IDs (AID). redirect recommended

Starting in v1.2.0 all methods for this operation redirect to the new PostDeviceDetailsV2 operation. In prior versions, this operation ID represented a GET operation, whereas now it is a POST operation.

POST /devices/entities/devices/v2
Scope Hosts: READ Consumes · Produces application/json
PEP 8 get_device_details (or post_device_details_v2)

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | The host agent IDs used to get details on. Maximum: 5000. |

Examples coming soon.


This operation is available in the Python SDK only.

Get details on one or more hosts by providing agent IDs (AID). deprecated

This operation is deprecated and scheduled to be removed from the API.

GET /devices/entities/devices/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 get_device_details_v1

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The host agent IDs used to get details on. Maximum: 500 |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

Examples coming soon.


Not available in the PowerShell SDK.

Get details on one or more hosts by providing agent IDs (AID).

GET /devices/entities/devices/v2
Scope Hosts: READ Consumes · Produces application/json
PEP 8 get_device_details_v2

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The host agent IDs used to get details on. Maximum: 100 |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_device_details_v2(ids=id_list)
print(response)
```

Get the online status for one or more hosts by specifying each host’s unique ID.

GET /devices/entities/online-state/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 get_online_state

| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | The host AIDs used to retrieve state details for. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_online_state(ids=id_list)
print(response)
```

Take various actions on the hosts in your environment. Contain or lift containment on a host. Delete or restore a host.

POST /devices/entities/devices-actions/v2
Scope Hosts: WRITE Consumes · Produces application/json
PEP 8 perform_action

| Name | Type | Data type | Description |
|---|---|---|---|
| action_name | query | string | Specify one of: contain, detection_suppress, detection_unsuppress, lift_containment, hide_host, unhide_host |
| body | body | dictionary | The host agent ID (AID) of the host you want to impact. Provide in JSON format: `"ids": ["123456789"]` |
| ids | body | string or list of strings | The host agent IDs. Maximum: 100 |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.perform_action(action_name="string",
                                 ids=id_list,
                                 note="string")
print(response)
```
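
Containment across a larger incident list, as an added example (not code from FalconPy or this page): `perform_action` accepts at most 100 AIDs per call, so the list is batched, and the `status` field is read back to confirm the result. The function names and `StubHosts` are hypothetical, and the response layout (`status_code`, `body`, `resources`) is an assumption about what the SDK returns.

```python
MAX_ACTION_IDS = 100   # perform_action: at most 100 AIDs per call (limit from this page)
MAX_DETAIL_IDS = 5000  # get_device_details: at most 5000 AIDs per call (limit from this page)
IN_CONTAINMENT = {"containment_pending", "contained"}  # `status` values from this page


def chunked(items, size):
    """Yield consecutive slices of at most `size` items."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


def contain_hosts(hosts, aids, note):
    """Request containment for every AID; return (accepted, rejected) AID lists."""
    accepted, rejected = [], []
    for batch in chunked(sorted(set(aids)), MAX_ACTION_IDS):
        response = hosts.perform_action(action_name="contain", ids=batch, note=note)
        # Assumption: the SDK returns a dict with "status_code" and "body" keys.
        if 200 <= response["status_code"] < 300:
            accepted.extend(batch)
        else:
            rejected.extend(batch)
    return accepted, rejected


def not_contained(hosts, aids):
    """Return the AIDs whose device record shows no containment pending or applied."""
    missing = []
    for batch in chunked(list(aids), MAX_DETAIL_IDS):
        resources = hosts.get_device_details(ids=batch)["body"].get("resources") or []
        status = {device["device_id"]: device.get("status") for device in resources}
        missing.extend(aid for aid in batch if status.get(aid) not in IN_CONTAINMENT)
    return missing


class StubHosts:
    """Constructed stand-in for falconpy.Hosts so the example runs offline."""
    def __init__(self):
        self.calls, self.state = [], {}

    def perform_action(self, action_name, ids, note):
        self.calls.append(len(ids))
        self.state.update({aid: "containment_pending" for aid in ids})
        return {"status_code": 202, "body": {"resources": [{"id": a} for a in ids]}}

    def get_device_details(self, ids):
        found = [{"device_id": a, "status": self.state.get(a, "normal")} for a in ids]
        return {"status_code": 200, "body": {"resources": found}}
```

With a real `Hosts` instance in place of the stub, anything returned by `not_contained` is a host to re-check by hand before the incident is considered contained.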

Get details on one or more hosts by providing agent IDs (AID).

Starting in v1.2.0, methods that previously provided the GetDeviceDetails operation redirect to this operation.

POST /devices/entities/devices/v2
Scope Hosts: READ Consumes · Produces application/json
PEP 8 post_device_details_v2 (or get_device_details)

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| ids | body | string or list of strings | The host agent IDs used to get details on. Maximum: 5000 |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_device_details(ids=id_list)
print(response)
```

Not available in the PowerShell SDK.

Retrieve details about recent login sessions for a set of devices (v1).

POST /devices/combined/devices/login-history/v1
Scope Devices: READ Consumes · Produces application/json
PEP 8 query_device_login_history_v1

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload as a JSON formatted dictionary. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.query_device_login_history_v1(ids=id_list)
print(response)
```

Retrieve details about recent login sessions for a set of devices.

POST /devices/combined/devices/login-history/v2
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_device_login_history_v2

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload with ids array. |
| ids | body | string or list of strings | The host agent IDs to query. |
| limit | query | integer | Maximum results to return. Default: 10, Max: 100 |
| from | query | string | The inclusive beginning of the time window. |
| to | query | string | The inclusive end of the time window. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# "from" is a reserved word in Python, so it cannot be written as a keyword
# argument directly; it is passed by unpacking a dictionary instead.
response = falcon.query_device_login_history_v2(ids=id_list,
                                                limit=integer,
                                                to="string",
                                                **{"from": "string"})
print(response)
```

Not available in the PowerShell SDK.

Search for hosts in your environment by platform, hostname, IP, and other criteria.

GET /devices/queries/devices/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_devices_by_filter

| Name | Type | Data type | Description |
|---|---|---|---|
| offset | query | integer | The offset to start retrieving records from. |
| limit | query | integer | The maximum records to return. [1-5000] |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc). |
| filter | query | string | The filter expression that should be used to limit the results. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

For more detail regarding filters and their usage, review the Falcon Query Language documentation.

| Name | Type | Description |
|---|---|---|
| device_id | String | The ID of the device. |
| agent_version | String | CrowdStrike agent version. |
| bios_manufacturer | String | BIOS manufacturer name. |
| bios_version | String | BIOS version. |
| cpu_signature | String | The CPU signature of the device. |
| deployment_type | String | Linux deployment type: Standard, DaemonSet |
| external_ip | IP Address | External IP of the device. |
| first_seen | Timestamp | First connection to Falcon (UTC). |
| hostname | String | Machine name. Supports wildcard (*) search. |
| last_login_timestamp | Timestamp | User logon event timestamp. |
| last_seen | Timestamp | Most recent connection to Falcon (UTC). |
| linux_sensor_mode | String | Linux sensor mode: Kernel Mode, User Mode |
| local_ip | IP Address | Device’s local IP address. |
| mac_address | String | MAC address of the device. |
| machine_domain | String | Active Directory domain name. |
| modified_timestamp | Timestamp | Last machine record update. |
| os_version | String | Operating system version. |
| platform_name | String | OS platform: Windows, Mac, Linux |
| product_type_desc | String | Product type: Workstation, Server, Domain Controller |
| reduced_functionality_mode | String | RFM status: yes, no |
| serial_number | String | Serial number of the device. |
| status | String | Containment status: normal, containment_pending, contained, lift_containment_pending |
| tags | String | Falcon grouping tags. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_devices_by_filter(filter="string",
                                          limit=integer,
                                          offset=integer,
                                          sort="string")
print(response)
```

Search for hosts in your environment by platform, hostname, IP, and other criteria with continuous pagination capability (based on an offset pointer, which expires after 2 minutes, with no maximum limit).

GET /devices/queries/devices-scroll/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_devices_by_filter_scroll

| Name | Type | Data type | Description |
|---|---|---|---|
| offset | query | string | The offset to page from, for the next result set. |
| limit | query | integer | The maximum records to return. [1-10000] |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc). |
| filter | query | string | The filter expression that should be used to limit the results. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

Same filter set as QueryDevicesByFilter.

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_devices_by_filter_scroll(filter="string",
                                                 limit=integer,
                                                 offset="string",
                                                 sort="string")
print(response)
```
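
Following the scroll pointer to the end of a result set, as an added example (not code from FalconPy or this page): each page's offset is fed into the next call, and because the pointer expires after 2 minutes a failed scroll is restarted from the first page rather than resumed. `iter_aids`, `list_aids` and `ScrollStub` are hypothetical names, and the response layout (`status_code`, `body.resources`, `body.meta.pagination.offset` and `total`) is an assumption about what the SDK returns.

```python
def iter_aids(hosts, fql_filter, page_size=5000):
    """Yield every AID matching `fql_filter`, following the scroll offset to the end."""
    offset, fetched = None, 0
    while True:
        query = {"filter": fql_filter, "limit": page_size}
        if offset:
            query["offset"] = offset  # pointer from the previous page; expires after 2 minutes
        response = hosts.query_devices_by_filter_scroll(**query)
        body = response["body"]
        if response["status_code"] != 200:
            # Assumption: any non-200 reply, such as an expired pointer, ends this scroll.
            raise RuntimeError(f"scroll failed after {fetched} AIDs: {body.get('errors')}")
        page = body.get("resources") or []
        yield from page
        fetched += len(page)
        pagination = body.get("meta", {}).get("pagination", {})
        offset, total = pagination.get("offset"), pagination.get("total")
        if not page or not offset or (total is not None and fetched >= total):
            return


def list_aids(hosts, fql_filter, page_size=5000, attempts=3):
    """Return all matching AIDs once each; restart from page one if a scroll fails."""
    for attempt in range(attempts):
        try:
            return list(dict.fromkeys(iter_aids(hosts, fql_filter, page_size)))
        except RuntimeError:
            if attempt == attempts - 1:
                raise


class ScrollStub:
    """Constructed stand-in for falconpy.Hosts; serves `aids` in pages, offline."""
    def __init__(self, aids, fail_on_call=None):
        self.aids, self.fail_on_call, self.calls = aids, fail_on_call, 0

    def query_devices_by_filter_scroll(self, filter, limit, offset=None):
        self.calls += 1
        if self.calls == self.fail_on_call:
            return {"status_code": 400, "body": {"errors": [{"message": "constructed"}]}}
        start = int(offset or 0)
        end = min(start + limit, len(self.aids))
        nxt = str(end) if end < len(self.aids) else ""
        meta = {"pagination": {"offset": nxt, "total": len(self.aids)}}
        return {"status_code": 200, "body": {"resources": self.aids[start:end], "meta": meta}}
```

Keep per-page processing short, or collect the AIDs first as `list_aids` does, so that slow work between pages does not outlive the pointer.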

Retrieve history of IP and MAC addresses of devices.

POST /devices/combined/devices/network-address-history/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_network_address_history

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload with ids array. |
| ids | body | string or list of strings | The host agent IDs to query. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.query_network_address_history(ids=id_list)
print(response)
```

Retrieve hidden hosts that match the provided filter criteria.

GET /devices/queries/devices-hidden/v1
Scope Hosts: READ Consumes · Produces application/json
PEP 8 query_hidden_devices

| Name | Type | Data type | Description |
|---|---|---|---|
| offset | query | integer | The offset to start retrieving records from. |
| limit | query | integer | The maximum records to return. [1-5000] |
| sort | query | string | The property to sort by (e.g. status.desc or hostname.asc). |
| filter | query | string | The filter expression that should be used to limit the results. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

response = falcon.query_hidden_devices(filter="string",
                                       limit=integer,
                                       offset=integer,
                                       sort="string")
print(response)
```

Append or remove one or more Falcon Grouping Tags on one or more hosts.

PATCH /devices/entities/devices/tags/v1
Scope Hosts: WRITE Consumes · Produces application/json
PEP 8 update_device_tags

| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload containing all parameters in JSON format. (Uber class only) |
| action_name | body | string | The action to perform: add or remove. |
| ids | body | string or list of strings | The AID of the host(s) to update. |
| tags | body | string or list of strings | The tags to adjust on the host. |

```python
from falconpy import Hosts

falcon = Hosts(client_id=CLIENT_ID,
               client_secret=CLIENT_SECRET
               )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']
tag_list = ['TAG1', 'TAG2']  # Placeholder tag names; a single string is also accepted

response = falcon.update_device_tags(action_name="string",
                                     ids=id_list,
                                     tags=tag_list)
print(response)
```