Skip to content
CrowdStrike Developer Center

Sensor Update Policy

The Sensor Update Policy service collection provides operations for managing Sensor Update Policies in your CrowdStrike Falcon environment. Reveal and increment uninstall tokens, retrieve available sensor builds and kernel compatibility information, manage policy members, create and update policies with support for uninstall protection, and set policy precedence.

LanguageLast Update
Pythonv1.6.1
PowerShellv2.2.9
Gov0.20.0
TypeScriptv0.6.0
Rustv0.7.0
Rubyv1.2.0

This service collection has code examples posted to the repository.

Table of Contents

Section titled “Table of Contents”
OperationDescription
revealUninstallToken
reveal_uninstall_token		Reveals an uninstall token for a specific device. To retrieve the bulk maintenance token pass the value ‘MAINTENANCE’ as the value for ‘device_id’.
incrementUninstallToken
increment_uninstall_token		Increment a bulk maintenance token.
queryCombinedSensorUpdateBuilds
query_combined_builds		Retrieve available builds for use with Sensor Update Policies.
queryCombinedSensorUpdateKernels
query_combined_kernels		Retrieve kernel compatibility info for Sensor Update Builds.
queryCombinedSensorUpdatePolicyMembers
query_combined_policy_members		Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.
queryCombinedSensorUpdatePolicies
query_combined_policies		Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
queryCombinedSensorUpdatePoliciesV2
query_combined_policies_v2		Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.
performSensorUpdatePoliciesAction
perform_policies_action		Perform the specified action on the Sensor Update Policies specified in the request.
setSensorUpdatePoliciesPrecedence
set_policies_precedence		Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.
getSensorUpdatePolicies
get_policies		Retrieve a set of Sensor Update Policies by specifying their IDs.
createSensorUpdatePolicies
create_policies		Create Sensor Update Policies by specifying details about the policy to create.
deleteSensorUpdatePolicies
delete_policies		Delete a set of Sensor Update Policies by specifying their IDs.
updateSensorUpdatePolicies
update_policies		Update Sensor Update Policies by specifying the ID of the policy and details to update.
getSensorUpdatePoliciesV2
get_policies_v2		Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.
createSensorUpdatePoliciesV2
create_policies_v2		Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.
updateSensorUpdatePoliciesV2
update_policies_v2		Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.
querySensorUpdateKernelsDistinct
query_kernels		Retrieve kernel compatibility info for Sensor Update Builds.
querySensorUpdatePolicyMembers
query_policy_members		Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.
querySensorUpdatePolicies
query_policies		Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

revealUninstallToken

Section titled “revealUninstallToken”

Reveals an uninstall token for a specific device or the bulk maintenance token.

To retrieve the bulk maintenance token pass the value MAINTENANCE as the value for device_id.

POST /policy/combined/reveal-uninstall-token/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 reveal_uninstall_token

Parameters

Section titled “Parameters”
NameTypeData typeDescription
audit_messagebodystringMessage to list in the audit log for this action.
bodybodydictionaryFull body payload in JSON format.
device_idbodystringDevice ID to retrieve the uninstall token for. Pass the value MAINTENANCE here to retrieve the bulk maintenance token.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.reveal_uninstall_token(audit_message=["string"],
                                         device_id="string")
print(response)

incrementUninstallToken

Section titled “incrementUninstallToken”

Increment a bulk maintenance token.

POST /policy/combined/increment-uninstall-token/v1
Scope Maintenance Token: WRITE Consumes · Produces application/json
PEP 8 increment_uninstall_token

Parameters

Section titled “Parameters”
NameTypeData typeDescription
audit_messagebodystringThe audit message for the token increment operation.
bodybodydictionaryFull body payload as a JSON formatted dictionary.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.increment_uninstall_token(audit_message="string")
print(response)

queryCombinedSensorUpdateBuilds

Section titled “queryCombinedSensorUpdateBuilds”

Retrieve available builds for use with Sensor Update Policies.

GET /policy/combined/sensor-update-builds/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_combined_builds

Parameters

Section titled “Parameters”
NameTypeData typeDescription
platformquerystringThe platform to return builds for. Allowed values: linux, mac, windows.
parametersquerydictionaryFull query string parameters payload in JSON format.
stagequerystring or list of stringsThe stages to return builds for.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.query_combined_builds(platform="string", stage=id_list)
print(response)

queryCombinedSensorUpdateKernels

Section titled “queryCombinedSensorUpdateKernels”

Retrieve kernel compatibility info for Sensor Update Builds.

GET /policy/combined/sensor-update-kernels/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_combined_kernels

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-500]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_combined_kernels(filter="string",
                                         limit=integer,
                                         offset=integer)
print(response)

queryCombinedSensorUpdatePolicyMembers

Section titled “queryCombinedSensorUpdatePolicyMembers”

Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of host details which match the filter criteria.

GET /policy/combined/sensor-update-members/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_combined_policy_members

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idquerystringThe ID of the Sensor Update Policy to search for members of.
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-5000]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort by in FQL syntax. Supports asc or desc. Available sort options: created_by, created_timestamp, enabled, modified_by, modified_timestamp, name, platform_name, precedence.
Available Filters
Section titled “Available Filters”

The following fields can be used to filter results retrieved from the API.

NameDescription
created_byThe username, email, or API client ID of the person who created the policy, as identified in the policy object.

When specifying an email address, use a letter p as an operator so that the @ sign is accepted.

You can also search by using the email username or the domain as the value.

For example, to filter on policies created by the email address diana.hudson@email.com:
filter=created_by:p’diana.hudson@email.com (correct)
filter=created_by:‘diana.hudson’ (correct)
filter=created_by:‘email.com’ (correct)

filter=created_by:‘diana’ (incorrect)

Enter only the alphanumeric value when providing an API client ID. For example, to filter on api-client-id:7a1284d634af196bff5988fb1775721b:
filter=created_by:‘7a12…721b’ (correct)

filter=created_by:‘api-client-id:7a12…721b’ (incorrect)
filter=created_by:‘api-client-id’ (incorrect)
created_timestampThe full timestamp of when the policy was created in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss.sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

filter=created_timestamp:‘2020-11-23T19:36:24.129652084Z’
descriptionSearch for a term found in the policy description. The value must be entered in lowercase.

filter=description:‘policy’
enabledFind policies by their enabled status. Specify true to find enabled policies or false to find disabled policies.

filter=enabled:‘true’
groupsEnter a host group ID to find the policy it’s been assigned to.

filter=groups:‘1ef3…b0fe’
modified_byThe username, email, or API client ID of the person who modified the policy, as identified in the policy object.

Values for this field follow the same rules as the created_by filter.
modified_timestampThe full timestamp of when the policy was modified in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss. sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

Values for this field follow the same rules as the created_timestamp filter.
namePerforms a free text search on single words found in a policy name.

Values must be entered as lowercase and enclosed in single quotes.

You can provide multiple name values separated by an &.

filter=name:‘test’
name.rawFilters on exact matches to the full policy name.

Searches on this field are case-sensitive and require the correct input of uppercase and lowercase letters.

filter=name.raw:‘Test sensor update Policy’
platform_nameThe name of the operating system listed in the policy.

One of: Windows, Mac, Linux

filter=platform_name:‘Windows’

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_combined_policy_members(id="string",
                                                filter="string",
                                                limit=integer,
                                                offset=integer,
                                                sort="string")
print(response)

queryCombinedSensorUpdatePolicies

Section titled “queryCombinedSensorUpdatePolicies”

Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

GET /policy/combined/sensor-update/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_combined_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-5000]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort by in FQL syntax. Supports asc or desc. Available sort options: created_by, created_timestamp, enabled, modified_by, modified_timestamp, name, platform_name, precedence.
Available Filters
Section titled “Available Filters”

The following fields can be used to filter results retrieved from the API.

NameDescription
created_byThe username, email, or API client ID of the person who created the policy, as identified in the policy object.

When specifying an email address, use a letter p as an operator so that the @ sign is accepted.

You can also search by using the email username or the domain as the value.

For example, to filter on policies created by the email address diana.hudson@email.com:
filter=created_by:p’diana.hudson@email.com (correct)
filter=created_by:‘diana.hudson’ (correct)
filter=created_by:‘email.com’ (correct)

filter=created_by:‘diana’ (incorrect)

Enter only the alphanumeric value when providing an API client ID. For example, to filter on api-client-id:7a1284d634af196bff5988fb1775721b:
filter=created_by:‘7a12…721b’ (correct)

filter=created_by:‘api-client-id:7a12…721b’ (incorrect)
filter=created_by:‘api-client-id’ (incorrect)
created_timestampThe full timestamp of when the policy was created in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss.sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

filter=created_timestamp:‘2020-11-23T19:36:24.129652084Z’
descriptionSearch for a term found in the policy description. The value must be entered in lowercase.

filter=description:‘policy’
enabledFind policies by their enabled status. Specify true to find enabled policies or false to find disabled policies.

filter=enabled:‘true’
groupsEnter a host group ID to find the policy it’s been assigned to.

filter=groups:‘1ef3…b0fe’
modified_byThe username, email, or API client ID of the person who modified the policy, as identified in the policy object.

Values for this field follow the same rules as the created_by filter.
modified_timestampThe full timestamp of when the policy was modified in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss. sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

Values for this field follow the same rules as the created_timestamp filter.
namePerforms a free text search on single words found in a policy name.

Values must be entered as lowercase and enclosed in single quotes.

You can provide multiple name values separated by an &.

filter=name:‘test’
name.rawFilters on exact matches to the full policy name.

Searches on this field are case-sensitive and require the correct input of uppercase and lowercase letters.

filter=name.raw:‘Test sensor update Policy’
platform_nameThe name of the operating system listed in the policy.

One of: Windows, Mac, Linux

filter=platform_name:‘Windows’

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_combined_policies(filter="string",
                                          limit=integer,
                                          offset=integer,
                                          sort="string")
print(response)

queryCombinedSensorUpdatePoliciesV2

Section titled “queryCombinedSensorUpdatePoliciesV2”

Search for Sensor Update Policies with additional support for uninstall protection in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policies which match the filter criteria.

GET /policy/combined/sensor-update/v2
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_combined_policies_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-5000]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort by in FQL syntax. Supports asc or desc. Available sort options: created_by, created_timestamp, enabled, modified_by, modified_timestamp, name, platform_name, precedence.
Available Filters
Section titled “Available Filters”

The following fields can be used to filter results retrieved from the API.

NameDescription
created_byThe username, email, or API client ID of the person who created the policy, as identified in the policy object.

When specifying an email address, use a letter p as an operator so that the @ sign is accepted.

You can also search by using the email username or the domain as the value.

For example, to filter on policies created by the email address diana.hudson@email.com:
filter=created_by:p’diana.hudson@email.com (correct)
filter=created_by:‘diana.hudson’ (correct)
filter=created_by:‘email.com’ (correct)

filter=created_by:‘diana’ (incorrect)

Enter only the alphanumeric value when providing an API client ID. For example, to filter on api-client-id:7a1284d634af196bff5988fb1775721b:
filter=created_by:‘7a12…721b’ (correct)

filter=created_by:‘api-client-id:7a12…721b’ (incorrect)
filter=created_by:‘api-client-id’ (incorrect)
created_timestampThe full timestamp of when the policy was created in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss.sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

filter=created_timestamp:‘2020-11-23T19:36:24.129652084Z’
descriptionSearch for a term found in the policy description. The value must be entered in lowercase.

filter=description:‘policy’
enabledFind policies by their enabled status. Specify true to find enabled policies or false to find disabled policies.

filter=enabled:‘true’
groupsEnter a host group ID to find the policy it’s been assigned to.

filter=groups:‘1ef3…b0fe’
modified_byThe username, email, or API client ID of the person who modified the policy, as identified in the policy object.

Values for this field follow the same rules as the created_by filter.
modified_timestampThe full timestamp of when the policy was modified in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss. sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

Values for this field follow the same rules as the created_timestamp filter.
namePerforms a free text search on single words found in a policy name.

Values must be entered as lowercase and enclosed in single quotes.

You can provide multiple name values separated by an &.

filter=name:‘test’
name.rawFilters on exact matches to the full policy name.

Searches on this field are case-sensitive and require the correct input of uppercase and lowercase letters.

filter=name.raw:‘Test sensor update Policy’
platform_nameThe name of the operating system listed in the policy.

One of: Windows, Mac, Linux

filter=platform_name:‘Windows’

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_combined_policies_v2(filter="string",
                                             limit=integer,
                                             offset=integer,
                                             sort="string")
print(response)

performSensorUpdatePoliciesAction

Section titled “performSensorUpdatePoliciesAction”

Perform the specified action on the Sensor Update Policies specified in the request.

POST /policy/entities/sensor-update-actions/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 perform_policies_action

Parameters

Section titled “Parameters”
NameTypeData typeDescription
action_namequerystringSpecify one of these actions: add-host-group, add-rule-group, disable, enable, remove-host-group, remove-rule-group.
action_parametersbodylist of dictionariesAction specific parameter options.

{
    “name”: “string”,
    “value”: “string”
}
bodybodydictionaryFull body payload in JSON format.
group_idbody
action_parameters		stringHost Group ID to apply the policy to. Overridden if action_parameters is specified.
idsbodystring or list of stringsThe ID of the Sensor Update Policy you want to impact. If you provide IDs to the method using this keyword, you do not have to provide a body payload. (Service class usage only)
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.perform_policies_action(action_name="string",
                                          action_parameters=[{"key": "value"}],
                                          group_id="string",
                                          ids=id_list)
print(response)

setSensorUpdatePoliciesPrecedence

Section titled “setSensorUpdatePoliciesPrecedence”

Sets the precedence of Sensor Update Policies based on the order of IDs specified in the request. The first ID specified will have the highest precedence and the last ID specified will have the lowest. You must specify all non-Default Policies for a platform when updating precedence.

POST /policy/entities/sensor-update-precedence/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 set_policies_precedence

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
idsbodystring or list of stringsThe ID of the Sensor Update Policy you want to impact. If you provide IDs to the method using this keyword, you do not have to provide a body payload. (Service class usage only)
platform_namebodystringOperating System platform name.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.set_policies_precedence(ids=id_list, platform_name="string")
print(response)

getSensorUpdatePolicies

Section titled “getSensorUpdatePolicies”

Retrieve a set of Sensor Update Policies by specifying their IDs.

GET /policy/entities/sensor-update/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 get_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe IDs of the Sensor Update Policy to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_policies(ids=id_list)
print(response)

createSensorUpdatePolicies

Section titled “createSensorUpdatePolicies”

Create Sensor Update Policies by specifying details about the policy to create.

POST /policy/entities/sensor-update/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 create_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
buildbodystringBuild this Sensor update policy applies to.
descriptionbodystringSensor update policy description.
namebodystringName of the Sensor Update policy.
platform_namebodystringName of the OS platform the Sensor Update policy applies to.
settingsbodydictionarySensor Update policy specific settings. Overrides the value of build if present.

{
    “build”: “string”
}

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.create_policies(build="string",
                                  description="string",
                                  name="string",
                                  platform_name="string",
                                  settings={})
print(response)

deleteSensorUpdatePolicies

Section titled “deleteSensorUpdatePolicies”

Delete a set of Sensor Update Policies by specifying their IDs.

DELETE /policy/entities/sensor-update/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 delete_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe IDs of the Sensor Update policies to delete.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.delete_policies(ids=id_list)
print(response)

updateSensorUpdatePolicies

Section titled “updateSensorUpdatePolicies”

Update Sensor Update Policies by specifying the ID of the policy and details to update.

PATCH /policy/entities/sensor-update/v1
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 update_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
buildbodystringBuild this Sensor update policy applies to.
descriptionbodystringSensor update policy description.
idbodystringID the Sensor Update policy to update.
namebodystringName of the Sensor Update policy.
settingsbodydictionarySensor Update policy specific settings. Overrides the value of build if present.

{
    “build”: “string”
}

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.update_policies(build="string",
                                  description="string",
                                  id="string",
                                  name="string",
                                  settings={})
print(response)

getSensorUpdatePoliciesV2

Section titled “getSensorUpdatePoliciesV2”

Retrieve a set of Sensor Update Policies with additional support for uninstall protection by specifying their IDs.

GET /policy/entities/sensor-update/v2
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 get_policies_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idsquerystring or list of stringsThe IDs of the Sensor Update policies to retrieve.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']


response = falcon.get_policies_v2(ids=id_list)
print(response)

createSensorUpdatePoliciesV2

Section titled “createSensorUpdatePoliciesV2”

Create Sensor Update Policies by specifying details about the policy to create with additional support for uninstall protection.

POST /policy/entities/sensor-update/v2
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 create_policies_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
buildbodystringBuild this Sensor update policy applies to. Ignored if settings is provided.
descriptionbodystringSensor update policy description.
namebodystringName of the Sensor Update policy.
platform_namebodystringName of the OS platform the Sensor Update policy applies to.
schedulerbodydictionaryDictionary containing details for the schedule. Ignored if settings is provided.
settingsbodydictionarySensor Update policy specific settings. Overrides the value of build, scheduler, show_early_adopter_builds, uninstall_protection, and variants if present.
show_early_adopter_buildsbodybooleanFlag indicating if early adopter builds should be shown as part of this policy. Ignored if settings is provided.
uninstall_protectionbodystringBoolean indicating if uninstall protection should be enabled. Ignored if settings is provided. Allowed values: ENABLED, DISABLED.
variantsbodylist of dictionariesList of dictionaries containing details for variants to include in the policy. Ignored if settings is provided.

[{
    “build”: “string”,
    “platform”: “string”
}]

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.create_policies_v2(build="string",
                                     description="string",
                                     name="string",
                                     platform_name="string",
                                     scheduler={},
                                     settings={},
                                     show_early_adopter_builds=boolean,
                                     uninstall_protection=boolean,
                                     variants=[{"key": "value"}])
print(response)

updateSensorUpdatePoliciesV2

Section titled “updateSensorUpdatePoliciesV2”

Update Sensor Update Policies by specifying the ID of the policy and details to update with additional support for uninstall protection.

PATCH /policy/entities/sensor-update/v2
Scope Sensor Update Policies: WRITE Consumes · Produces application/json
PEP 8 update_policies_v2

Parameters

Section titled “Parameters”
NameTypeData typeDescription
bodybodydictionaryFull body payload in JSON format.
buildbodystringBuild this Sensor update policy applies to. Ignored if settings is provided.
descriptionbodystringSensor update policy description.
idbodystringID of the Sensor Update policy to update.
namebodystringName of the Sensor Update policy.
schedulerbodydictionaryDictionary containing details for the schedule. Ignored if settings is provided.
settingsbodydictionarySensor Update policy specific settings. Overrides the value of build, scheduler, show_early_adopter_builds, uninstall_protection, and variants if present.
show_early_adopter_buildsbodybooleanFlag indicating if early adopter builds should be shown as part of this policy. Ignored if settings is provided.
uninstall_protectionbodystringBoolean indicating if uninstall protection should be enabled. Ignored if settings is provided. Allowed values: ENABLED, DISABLED.
variantsbodylist of dictionariesList of dictionaries containing details for variants to include in the policy. Ignored if settings is provided.

[{
    “build”: “string”,
    “platform”: “string”
}]

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.update_policies_v2(build="string",
                                     description="string",
                                     id="string",
                                     name="string",
                                     scheduler={},
                                     settings={},
                                     show_early_adopter_builds=boolean,
                                     uninstall_protection=boolean,
                                     variants=[{"key": "value"}])
print(response)

querySensorUpdateKernelsDistinct

Section titled “querySensorUpdateKernelsDistinct”

Retrieve kernel compatibility info for Sensor Update Builds.

GET /policy/queries/sensor-update-kernels/{}/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_kernels

Parameters

Section titled “Parameters”
NameTypeData typeDescription
distinct_fieldpathstringThe field name to get distinct values for. Default: id.
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-500]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_kernels(distinct_field="string",
                                filter="string",
                                limit=integer,
                                offset=integer)
print(response)

querySensorUpdatePolicyMembers

Section titled “querySensorUpdatePolicyMembers”

Search for members of a Sensor Update Policy in your environment by providing a FQL filter and paging details. Returns a set of Agent IDs which match the filter criteria.

GET /policy/queries/sensor-update-members/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_policy_members

Parameters

Section titled “Parameters”
NameTypeData typeDescription
idquerystringThe ID of the Sensor Update Policy to search for members of.
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-5000]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort by in FQL syntax. Supports asc or desc. Available sort options: created_by, created_timestamp, enabled, modified_by, modified_timestamp, name, platform_name, precedence.
Available Filters
Section titled “Available Filters”

The following fields can be used to filter results retrieved from the API.

NameDescription
created_byThe username, email, or API client ID of the person who created the policy, as identified in the policy object.

When specifying an email address, use a letter p as an operator so that the @ sign is accepted.

You can also search by using the email username or the domain as the value.

For example, to filter on policies created by the email address diana.hudson@email.com:
filter=created_by:p’diana.hudson@email.com (correct)
filter=created_by:‘diana.hudson’ (correct)
filter=created_by:‘email.com’ (correct)

filter=created_by:‘diana’ (incorrect)

Enter only the alphanumeric value when providing an API client ID. For example, to filter on api-client-id:7a1284d634af196bff5988fb1775721b:
filter=created_by:‘7a12…721b’ (correct)

filter=created_by:‘api-client-id:7a12…721b’ (incorrect)
filter=created_by:‘api-client-id’ (incorrect)
created_timestampThe full timestamp of when the policy was created in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss.sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

filter=created_timestamp:‘2020-11-23T19:36:24.129652084Z’
descriptionSearch for a term found in the policy description. The value must be entered in lowercase.

filter=description:‘policy’
enabledFind policies by their enabled status. Specify true to find enabled policies or false to find disabled policies.

filter=enabled:‘true’
groupsEnter a host group ID to find the policy it’s been assigned to.

filter=groups:‘1ef3…b0fe’
modified_byThe username, email, or API client ID of the person who modified the policy, as identified in the policy object.

Values for this field follow the same rules as the created_by filter.
modified_timestampThe full timestamp of when the policy was modified in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss. sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

Values for this field follow the same rules as the created_timestamp filter.
namePerforms a free text search on single words found in a policy name.

Values must be entered as lowercase and enclosed in single quotes.

You can provide multiple name values separated by an &.

filter=name:‘test’
name.rawFilters on exact matches to the full policy name.

Searches on this field are case-sensitive and require the correct input of uppercase and lowercase letters.

filter=name.raw:‘Test sensor update Policy’
platform_nameThe name of the operating system listed in the policy.

One of: Windows, Mac, Linux

filter=platform_name:‘Windows’

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_policy_members(id="string",
                                       filter="string",
                                       limit=integer,
                                       offset=integer,
                                       sort="string")
print(response)

querySensorUpdatePolicies

Section titled “querySensorUpdatePolicies”

Search for Sensor Update Policies in your environment by providing a FQL filter and paging details. Returns a set of Sensor Update Policy IDs which match the filter criteria.

GET /policy/queries/sensor-update/v1
Scope Sensor Update Policies: READ Consumes · Produces application/json
PEP 8 query_policies

Parameters

Section titled “Parameters”
NameTypeData typeDescription
filterquerystringThe filter expression that should be used to limit the results using FQL syntax.
limitqueryintegerThe maximum number of records to return. [1-5000]
offsetqueryintegerThe offset to start retrieving records from.
parametersquerydictionaryFull query string parameters payload in JSON format.
sortquerystringThe property to sort by in FQL syntax. Supports asc or desc. Available sort options: created_by, created_timestamp, enabled, modified_by, modified_timestamp, name, platform_name, precedence.
Available Filters
Section titled “Available Filters”

The following fields can be used to filter results retrieved from the API.

NameDescription
created_byThe username, email, or API client ID of the person who created the policy, as identified in the policy object.

When specifying an email address, use a letter p as an operator so that the @ sign is accepted.

You can also search by using the email username or the domain as the value.

For example, to filter on policies created by the email address diana.hudson@email.com:
filter=created_by:p’diana.hudson@email.com (correct)
filter=created_by:‘diana.hudson’ (correct)
filter=created_by:‘email.com’ (correct)

filter=created_by:‘diana’ (incorrect)

Enter only the alphanumeric value when providing an API client ID. For example, to filter on api-client-id:7a1284d634af196bff5988fb1775721b:
filter=created_by:‘7a12…721b’ (correct)

filter=created_by:‘api-client-id:7a12…721b’ (incorrect)
filter=created_by:‘api-client-id’ (incorrect)
created_timestampThe full timestamp of when the policy was created in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss.sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

filter=created_timestamp:‘2020-11-23T19:36:24.129652084Z’
descriptionSearch for a term found in the policy description. The value must be entered in lowercase.

filter=description:‘policy’
enabledFind policies by their enabled status. Specify true to find enabled policies or false to find disabled policies.

filter=enabled:‘true’
groupsEnter a host group ID to find the policy it’s been assigned to.

filter=groups:‘1ef3…b0fe’
modified_byThe username, email, or API client ID of the person who modified the policy, as identified in the policy object.

Values for this field follow the same rules as the created_by filter.
modified_timestampThe full timestamp of when the policy was modified in ISO 8601 format. (YYYY-MM-DDTHH:mm:ss. sssZ)

The timezone is always UTC as denoted by the suffix “Z”.

Values for this field follow the same rules as the created_timestamp filter.
namePerforms a free text search on single words found in a policy name.

Values must be entered as lowercase and enclosed in single quotes.

You can provide multiple name values separated by an &.

filter=name:‘test’
name.rawFilters on exact matches to the full policy name.

Searches on this field are case-sensitive and require the correct input of uppercase and lowercase letters.

filter=name.raw:‘Test sensor update Policy’
platform_nameThe name of the operating system listed in the policy.

One of: Windows, Mac, Linux

filter=platform_name:‘Windows’

Code Examples

Section titled “Code Examples”
from falconpy import SensorUpdatePolicy


falcon = SensorUpdatePolicy(client_id=CLIENT_ID,
                            client_secret=CLIENT_SECRET
                            )


response = falcon.query_policies(filter="string",
                                 limit=integer,
                                 offset=integer,
                                 sort="string")
print(response)
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use