Skip to main content

Perform Host Action

Perform various actions on the hosts in your environment.

Basic Parameters

ParameterDescription
Action NameSpecify one of these actions:
  • contain - This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your Containment Policy.
  • lift_containment - This action lifts containment on the host, which returns its network communications to normal.
  • hide_host - This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs.
  • unhide_host - This action will restore a host. Detection reporting will resume after the host is restored.
Host IDsA comma-separated list of host IDs to perform the action on. Can be obtained via the List Devices action.

Advanced Parameters

ParameterDescription
Action ParametersA comma-separated list of the parameters for the prospective action.Example value: {"name": "name1", "value": "value1"}, {"name": "name2", "value": "value2"}

Example Output

{
"meta": {
"query_time": 0.0000000001,
"powered_by": "device-api",
"trace_id": ""0000000-00000-0000-0000-000000000000""
},
"resources": [
{
"id": "00000000001111112222233334444",
"path": "/path/to/device"
}
],
"errors": []
}

Workflow Library Example

Isolate or Unisolate Device on Crowdstrike

Workflow LibraryPreview this Workflow on desktop