crowdstrike.falcon.host_info module – Get information about Falcon hosts

Note

This module is part of the crowdstrike.falcon collection (version 4.7.0).

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this module; see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.host_info.

New in crowdstrike.falcon 4.4.0

Synopsis

  • Returns detailed information for one or more hosts.

  • Some of the details returned include software information, such as platform, OS version, kernel version, and OS build ID (OS build ID available for Windows and macOS only); network information, such as IP addresses and MAC addresses; sensor information, such as its version; status information, such as last seen time and network containment status; and more.

Requirements

The below requirements are needed on the host that executes this module.

  • Hosts [READ] API scope

  • crowdstrike-falconpy >= 1.3.0

  • python >= 3.6

Parameters

  • auth (dictionary): The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys. If provided, the client_id, client_secret, member_cid, and cloud options are ignored. Useful when needing to make multiple API calls to avoid rate limiting issues.

      • access_token (string): The OAuth2 access token to use for authentication.

      • cloud (string): The CrowdStrike cloud region to use. This can differ from the module’s cloud argument due to autodiscovery.

  • client_id (string; aliases: falcon_client_id): The CrowdStrike API client ID to use. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_ID environment variable can also be used.

  • client_secret (string; aliases: falcon_client_secret): The CrowdStrike API secret that corresponds to the client ID. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_SECRET environment variable can also be used.

  • cloud (string): The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the us-gov-1 cloud. The FALCON_CLOUD environment variable can also be used. Choices: "us-1" (default), "us-2", "us-gov-1", "eu-1".

  • ext_headers (dictionary): Extended headers that are prepended to the default headers dictionary.

  • hosts (list / elements=string / required): A list of host agent IDs (AIDs) to get information about. Use the crowdstrike.falcon.host_ids lookup plugin to get a list of host IDs matching specific criteria.

  • member_cid (string): The CrowdStrike member CID for MSSP authentication. See the Falcon documentation for more information about API clients. The FALCON_MEMBER_CID environment variable can also be used.

  • user_agent (string): Custom User-Agent string to use for requests to the API. The user agent string is prepended to the default user agent string (crowdstrike-ansible/<version>). See RFC 7231 for more information. The FALCON_USER_AGENT environment variable can also be used.

Examples

- name: Get information about a single host
  crowdstrike.falcon.host_info:
    hosts: "12345678901234567890"

- name: Get information about more than one host
  crowdstrike.falcon.host_info:
    hosts:
      - "12345678901234567890"
      - "09876543210987654321"

- name: Get information about all Windows hosts (using host_ids lookup)
  crowdstrike.falcon.host_info:
    hosts: "{{ lookup('crowdstrike.falcon.host_ids', windows_host_filter) }}"
  vars:
    windows_host_filter: 'platform_name:"Windows"'

- name: Get information about all Linux hosts in reduced functionality mode (using host_ids lookup)
  crowdstrike.falcon.host_info:
    hosts: >
      {{
        lookup('crowdstrike.falcon.host_ids',
          'platform_name:"Linux"
          + reduced_functionality_mode:"yes"')
      }}

Return Values

Common return values are documented in the Ansible documentation; the following fields are unique to this module:

  • hosts (list / elements=dictionary): A list of host IDs (AIDs) that match the search criteria. Returned: success. Each element contains:

      • agent_load_flags (string): Flags indicating the load state of the agent. Returned: success. Sample: "0"

      • agent_local_time (string): The local time of the agent. Returned: success. Sample: "2024-03-15T03:06:29.257Z"

      • agent_version (string): The version of the agent. Returned: success. Sample: "7.11.16405.0"

      • bios_manufacturer (string): The manufacturer of the BIOS. Returned: success. Sample: "Xen"

      • bios_version (string): The version of the BIOS. Returned: success. Sample: "4.11.amazon"

      • chassis_type (string): The type of chassis. Returned: success. Sample: "1"

      • chassis_type_desc (string): The description of the chassis type. Returned: success. Sample: "Other"

      • cid (string): The unique identifier of the customer. Returned: success. Sample: "d78cd791785442a98ec75249d8c385dd"

      • config_id_base (string): The base configuration ID. Returned: success. Sample: "65994763"

      • config_id_build (string): The build configuration ID. Returned: success. Sample: "16405"

      • config_id_platform (string): The platform configuration ID. Returned: success. Sample: "8"

      • connection_ip (string): The IP address used for connection. Returned: success. Sample: "10.10.10.10"

      • connection_mac_address (string): The MAC address used for connection. Returned: success. Sample: "11-11-b0-44-4e-a5"

      • cpu_signature (string): The signature of the CPU. Returned: success. Sample: "198386"

      • cpu_vendor (string): The vendor of the CPU. Returned: success. Sample: "0"

      • default_gateway_ip (string): The IP address of the default gateway. Returned: success. Sample: "10.10.10.10"

      • deployment_type (string): The type of Linux deployment. Returned: success. Sample: "Standard"

      • device_id (string): The host ID (AID). Returned: success. Sample: "d78cd791785442a98ec75249d8c385dd"

      • device_policies (dictionary): The policies applied to the device. Returned: success. Sample: {"prevention": {"applied": true, "applied_date": "2017-09-14T13:03:45.823683755Z", "assigned_date": "2017-09-14T13:03:33.038805882Z", "policy_id": "aaabbbdddcccddd", "policy_type": "prevention", "settings_hash": "ed4a7460"}, "sensor_update": {"applied": true, "applied_date": "2017-09-14T05:16:20.847887649Z", "assigned_date": "2017-09-14T05:15:40.878196578Z", "policy_id": "aaabbbdddcccddd", "policy_type": "sensor-update", "settings_hash": "65994753|3|2|automatic"}}

      • external_ip (string): The external IP address of the host. Returned: success. Sample: "10.10.10.10"

      • first_seen (string): The timestamp of when the host was first seen. Returned: success. Sample: "2024-03-15T03:06:30Z"

      • group_hash (string): The hash of the groups the host belongs to. Returned: success. Sample: "aaabbbdddcccdddeeefff"

      • groups (list / elements=string): The list of groups the host belongs to. Returned: success. Sample: []

      • hostname (string): The hostname of the host. Returned: success. Sample: "example.local"

      • instance_id (string): The cloud ID of the instance. This field is only available for cloud-based hosts. Returned: success. Sample: "i-ab89723sdf87"

      • kernel_version (string): The version of the kernel. Returned: success. Sample: "6.1.79-99.164.amzn2023.x86_64"

      • last_seen (string): The timestamp of when the host was last seen. Returned: success. Sample: "2024-03-15T03:06:41Z"

      • linux_sensor_mode (string): The mode of the Linux sensor. Returned: success. Sample: "Kernel Mode"

      • local_ip (string): The local IP address of the host. Returned: success. Sample: "10.10.10.10"

      • mac_address (string): The MAC address of the host. Returned: success. Sample: "11-11-b0-44-4e-a5"

      • major_version (string): The major version of the host. Returned: success. Sample: "6"

      • meta (dictionary): Additional metadata about the host. Returned: success. Contains:

          • version (string): Version metadata. Returned: success. Sample: "6"

          • version_string (string): Version string metadata. Returned: success. Sample: "1:1239010923"

      • minor_version (string): The minor version of the host. Returned: success. Sample: "1"

      • modified_timestamp (string): The timestamp of when the host was last modified. Returned: success. Sample: "2024-03-15T03:08:21Z"

      • os_version (string): The version of the operating system. Returned: success. Sample: "Amazon Linux 2023"

      • platform_id (string): The platform ID of the host. Returned: success. Sample: "3"

      • platform_name (string): The platform name of the host. Returned: success. Sample: "Linux"

      • policies (list / elements=dictionary): The list of policies applied to the host. Returned: success. Each element contains:

          • applied (boolean): Indicates if the policy is applied. Returned: success. Sample: false

          • applied_date (string): The timestamp of when the policy was applied. Returned: success.

          • assigned_date (string): The timestamp of when the policy was assigned. Returned: success. Sample: "2024-03-15T03:06:41.651213667Z"

          • policy_id (string): The ID of the policy. Returned: success. Sample: "aaabbbdddcccddd"

          • policy_type (string): The type of policy. Returned: success. Sample: "prevention"

          • rule_groups (list / elements=string): The list of rule groups within the policy. Returned: success. Sample: []

          • settings_hash (string): The hash of the policy settings. Returned: success. Sample: "aaabbbdddcccdddeee"

      • product_type_desc (string): The description of the product type. Returned: success. Sample: "Server"

      • reduced_functionality_mode (string): Indicates if the host is in reduced functionality mode. Returned: success. Sample: "yes"

      • serial_number (string): The serial number of the host. Returned: success. Sample: "aaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

      • service_provider (string): The cloud service provider of the host. Returned: success. Sample: "AWS_EC2_V2"

      • service_provider_account_id (string): The account ID of the cloud service provider. Returned: success. Sample: "112233445566"

      • status (string): The containment status of the host. Returned: success. Sample: "normal"

      • system_manufacturer (string): The manufacturer of the system. Returned: success. Sample: "VMware, Inc."

      • system_product_name (string): The product name of the system. Returned: success. Sample: "VMware Virtual Platform"

      • tags (list / elements=string): The list of tags associated with the host. Returned: success. Sample: ["Example/tag1", "Example/tag2"]

      • zone_group (string): The cloud zone the host belongs to. This field is only available for cloud-based hosts. Returned: success. Sample: "us-west-2a"
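
The return values above can drive a sensor health check across a fleet. The playbook below is an added example, not taken from the collection's documentation: it registers the module result and fails the play when any host reports reduced_functionality_mode "yes" or a status other than "normal". It assumes the auth module's registered result exposes the token and cloud under falcon.auth, that API credentials come from the FALCON_* environment variables, and that any status other than the sample value "normal" warrants review.

```yaml
- name: Audit Falcon sensor health for Linux hosts
  hosts: localhost
  gather_facts: false
  vars:
    linux_filter: 'platform_name:"Linux"'  # FQL filter, as in the examples above
  tasks:
    - name: Authenticate once so later API calls reuse the same token
      crowdstrike.falcon.auth:
      register: falcon  # assumption: token and cloud are returned under falcon.auth

    - name: Get details for every matching host
      crowdstrike.falcon.host_info:
        auth: "{{ falcon.auth }}"
        hosts: "{{ lookup('crowdstrike.falcon.host_ids', linux_filter) }}"
      register: host_details

    - name: Select hosts with a degraded sensor or a non-normal status
      ansible.builtin.set_fact:
        # Test 'defined' first so a host record missing the key does not raise.
        rfm_hosts: >-
          {{ host_details.hosts
             | selectattr('reduced_functionality_mode', 'defined')
             | selectattr('reduced_functionality_mode', 'equalto', 'yes')
             | list }}
        non_normal_hosts: >-
          {{ host_details.hosts
             | selectattr('status', 'defined')
             | rejectattr('status', 'equalto', 'normal')
             | list }}

    - name: Report each host in reduced functionality mode
      ansible.builtin.debug:
        msg: >-
          {{ item.hostname | default('unknown') }}: sensor
          {{ item.agent_version | default('unknown') }}, last seen
          {{ item.last_seen | default('unknown') }}
      loop: "{{ rfm_hosts }}"
      loop_control:
        label: "{{ item.device_id }}"

    - name: Fail the run when any host needs attention
      ansible.builtin.assert:
        that:
          - rfm_hosts | length == 0
          - non_normal_hosts | length == 0
        fail_msg: >-
          {{ rfm_hosts | length }} host(s) in reduced functionality mode,
          {{ non_normal_hosts | length }} host(s) with a status other than normal.
```

Passing the registered auth result to host_info keeps the run to a single token request, which is the rate-limiting benefit the auth parameter describes.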

Authors

  • Carlos Matos (@carlosmmatos)