Perform various actions on the hosts in your environment. The following permission is required to run this action:
  • Hosts: Write.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Basic Parameters

ParameterDescription
Action NameSpecify one of these actions:

- contain - This action contains the host, which stops any network communications to locations other than the CrowdStrike cloud and IPs specified in your Containment Policy.

- lift_containment - This action lifts containment on the host, which returns its network communications to normal.

- hide_host - This action will delete a host. After the host is deleted, no new detections for that host will be reported via UI or APIs.

- unhide_host - This action will restore a host. Detection reporting will resume after the host is restored.
Host IDsA comma-separated list of host IDs to perform the action on. Can be obtained via the List Devices action.

Advanced Parameters

ParameterDescription
Action ParametersA comma-separated list of the parameters for the prospective action.
Example value:
{“name”: “name1”, “value”: “value1”}, {“name”: “name2”, “value”: “value2”}

Example Output

{
	"meta": {
		"query_time": 0.0000000001,
		"powered_by": "device-api",
		"trace_id": "0000000-00000-0000-0000-000000000000"
	},
	"resources": [
		{
			"id": "00000000001111112222233334444",
			"path": "/path/to/device"
		}
	],
	"errors": []
}

Workflow Library Example

Isolate or Unisolate Device on Crowdstrike
Workflow LibraryPreview this Workflow on desktop