Skip to content
CrowdStrike Developer Center

Ansible Collection

The crowdstrike.falcon Ansible collection provides roles, modules, inventory plugins, lookup plugins, and event sources for managing CrowdStrike Falcon deployments. Install and configure sensors across Linux, macOS, and Windows, interact with the Falcon API, and integrate with Event Driven Ansible for real-time security response.

View on GitHub

Installation

Section titled “Installation”
Terminal window
ansible-galaxy collection install crowdstrike.falcon

Requirements: Ansible Core 2.15+, Python 3.7+, CrowdStrike FalconPy SDK.

Authentication

Section titled “Authentication”
Authentication Guide Configure Falcon API credentials via environment variables or module arguments. Covers credential passing, environment variables, and Flight Control (MSSP).

Roles

Section titled “Roles”

Pre-built roles for sensor lifecycle management across all platforms.

falcon_install Deploy Falcon sensors via API, local file, or remote URL to Linux, macOS, and Windows.
falcon_configure Configure installed sensors with CID, proxy settings, tags, and backend options.
falcon_uninstall Remove Falcon sensors with maintenance token support and optional host cleanup.

Modules

Section titled “Modules”

22 modules for interacting with the CrowdStrike Falcon platform API — host management, sensor operations, policy management, threat intelligence, and Next-Gen SIEM queries.

auth Generate a reusable access token for Falcon API authentication.
host_contain Network contain or lift containment on Falcon hosts.
host_group Manage Falcon host groups.
host_hide Hide or unhide hosts from the Falcon console.
sensor_download Download Falcon sensor packages via the API.
sensor_update_policy Manage sensor update policies.
ngsiem_search Execute CQL queries against Next-Gen SIEM.
correlation_rule Manage Next-Gen SIEM correlation rules.
falconctl Manage Falcon sensor settings via falconctl.
intel_rule_download Download threat intelligence rules.

View all 22 modules →

Inventory Plugins

Section titled “Inventory Plugins”

Dynamically build Ansible inventories from CrowdStrike Falcon data.

falcon_hosts Query managed hosts with the Falcon sensor installed. Supports FQL filtering, dynamic groups, and caching.
falcon_discover Find assets discovered through Falcon Discover (Exposure Management), including unmanaged systems.

Lookup Plugins

Section titled “Lookup Plugins”

Retrieve data from the Falcon API during playbook execution for use in variables, conditionals, and loops.

host_ids Fetch host IDs (AIDs) matching a Falcon Query Language filter.
maintenance_token Fetch maintenance tokens for sensor operations on protected hosts.
fctl_child_cids Fetch Flight Control child CIDs for MSSP environments.

Event Driven Ansible

Section titled “Event Driven Ansible”
eventstream Stream events from the Falcon Event Stream API for real-time automated response via EDA rulebooks.
© 2026 CrowdStrike, Inc. All rights reserved. Privacy Notice Cookie Notice Terms of Use