host_contain
Manages the network containment state of Falcon hosts. To restrict a host that may be compromised from making network connections, contain
Added in version 4.1.0
Parameters
Section titled “Parameters”| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
contained | bool | No | true | Whether to contain or lift containment on the hosts. |
hosts | list | Yes | A list of host agent IDs (AIDs) to perform the action on. Use the P(crowdstrike.falcon.host_ids#lookup) lookup plugin to get a list of host IDs matching |
Examples
Section titled “Examples”- name: Contain a single host crowdstrike.falcon.host_contain: hosts: "12345678901234567890"
- name: Lift containment on a list of hosts crowdstrike.falcon.host_contain: hosts: - "12345678901234567890" - "09876543210987654321" contained: false
- name: Contain all Linux hosts in RFM (using host_ids lookup) crowdstrike.falcon.host_contain: hosts: "{{ lookup('crowdstrike.falcon.host_ids', contain_filter) }}" contained: true vars: linux_rfm_filter: > platform_name:'Linux' + reduced_functionality_mode:'yes'
- name: Individually contain hosts within a list crowdstrike.falcon.host_contain: auth: "{{ falcon.auth }}" # Use auth saved from crowdstrike.falcon.auth module hosts: "{{ item }}" loop: "{{ host_ids }}" register: contain_results
- name: Fail if any hosts could not be contained fail: msg: "Hosts could not be contained: {{ contain_results.failed_hosts }}" when: contain_results.failed_hosts | length > 0Return Values
Section titled “Return Values”| Key | Type | Description |
|---|---|---|
hosts | - | |
failed_hosts | - |