crowdstrike.falcon.host_info module – Get information about Falcon hosts

Note

This module is part of the crowdstrike.falcon collection (version 4.7.2).

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.host_info.

New in crowdstrike.falcon 4.4.0

Synopsis

• Returns detailed information for one or more hosts.

• Some of the details returned include software information, such as platform, OS version, kernel version, and OS build ID (OS build ID available for Windows and macOS only); network information, such as IP addresses and MAC addresses; sensor information, such as its version; status information, such as last seen time and network containment status; and more.

Requirements

The below requirements are needed on the host that executes this module.

• Hosts [READ] API scope

• crowdstrike-falconpy >= 1.3.0

• python >= 3.6

Parameters

Parameter	Comments
auth dictionary	The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys. If provided, the client_id, client_secret, member_cid, and cloud options are ignored. Useful when needing to make multiple API calls to avoid rate limiting issues.
access_token string	The OAuth2 access token to use for authentication.
cloud string	The CrowdStrike cloud region to use. This can differ from the module’s cloud argument due to autodiscovery.
client_id aliases: falcon_client_id string	The CrowdStrike API client ID to use. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_ID environment variable can also be used.
client_secret aliases: falcon_client_secret string	The CrowdStrike API secret that corresponds to the client ID. See the Falcon documentation for more information about API clients. The FALCON_CLIENT_SECRET environment variable can also be used.
cloud string	The CrowdStrike cloud region to use. All clouds are automatically discovered if not specified, except for the us-gov-1 cloud. The FALCON_CLOUD environment variable can also be used. Choices: "us-1" ← (default) "us-2" "us-gov-1" "eu-1"
ext_headers dictionary	Extended headers that are prepended to the default headers dictionary.
hosts list / elements=string / required	A list of host agent IDs (AIDs) to get information about. Use the crowdstrike.falcon.host_ids lookup plugin to get a list of host IDs matching specific criteria.
member_cid string	The CrowdStrike member CID for MSSP authentication. See the Falcon documentation for more information about API clients. The FALCON_MEMBER_CID environment variable can also be used.
user_agent string	Custom User-Agent string to use for requests to the API. The user agent string is prepended to the default user agent string (crowdstrike-ansible/<version>). See RFC 7231 for more information. The FALCON_USER_AGENT environment variable can also be used.

Examples

- name: Get information about a single host
  crowdstrike.falcon.host_info:
    hosts: "12345678901234567890"

- name: Get information about more than one host
  crowdstrike.falcon.host_info:
    hosts:
      - "12345678901234567890"
      - "09876543210987654321"

- name: Get information about all Windows hosts (using host_ids lookup)
  crowdstrike.falcon.host_info:
    hosts: "{{ lookup('crowdstrike.falcon.host_ids', windows_host_filter) }}"
  vars:
    windows_host_filter: 'platform_name:"Windows"'

- name: Get information about all Linux hosts in reduced functionality mode (using host_ids lookup)
  crowdstrike.falcon.host_info:
    hosts: >
      {{
        lookup('crowdstrike.falcon.host_ids',
          'platform_name:"Linux"
          + reduced_functionality_mode:"yes"')
      }}

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
hosts list / elements=dictionary	A list of host IDs (AIDs) that match the search criteria. Returned: success
agent_load_flags string	Flags indicating the load state of the agent. Returned: success Sample: "0"
agent_local_time string	The local time of the agent. Returned: success Sample: "2024-03-15T03:06:29.257Z"
agent_version string	The version of the agent. Returned: success Sample: "7.11.16405.0"
bios_manufacturer string	The manufacturer of the BIOS. Returned: success Sample: "Xen"
bios_version string	The version of the BIOS. Returned: success Sample: "4.11.amazon"
chassis_type string	The type of chassis. Returned: success Sample: "1"
chassis_type_desc string	The description of the chassis type. Returned: success Sample: "Other"
cid string	The unique identifier of the customer. Returned: success Sample: "d78cd791785442a98ec75249d8c385dd"
config_id_base string	The base configuration ID. Returned: success Sample: "65994763"
config_id_build string	The build configuration ID. Returned: success Sample: "16405"
config_id_platform string	The platform configuration ID. Returned: success Sample: "8"
connection_ip string	The IP address used for connection. Returned: success Sample: "10.10.10.10"
connection_mac_address string	The MAC address used for connection. Returned: success Sample: "11-11-b0-44-4e-a5"
cpu_signature string	The signature of the CPU. Returned: success Sample: "198386"
cpu_vendor string	The vendor of the CPU. Returned: success Sample: "0"
default_gateway_ip string	The IP address of the default gateway. Returned: success Sample: "10.10.10.10"
deployment_type string	The type of Linux deployment. Returned: success Sample: "Standard"
device_id string	The host ID (AID). Returned: success Sample: "d78cd791785442a98ec75249d8c385dd"
device_policies dictionary	The policies applied to the device. Returned: success Sample: {"prevention": {"applied": true, "applied_date": "2017-09-14T13:03:45.823683755Z", "assigned_date": "2017-09-14T13:03:33.038805882Z", "policy_id": "aaabbbdddcccddd", "policy_type": "prevention", "settings_hash": "ed4a7460"}, "sensor_update": {"applied": true, "applied_date": "2017-09-14T05:16:20.847887649Z", "assigned_date": "2017-09-14T05:15:40.878196578Z", "policy_id": "aaabbbdddcccddd", "policy_type": "sensor-update", "settings_hash": "65994753|3|2|automatic"}}
external_ip string	The external IP address of the host. Returned: success Sample: "10.10.10.10"
first_seen string	The timestamp of when the host was first seen. Returned: success Sample: "2024-03-15T03:06:30Z"
group_hash string	The hash of the groups the host belongs to. Returned: success Sample: "aaabbbdddcccdddeeefff"
groups list / elements=string	The list of groups the host belongs to. Returned: success Sample: []
hostname string	The hostname of the host. Returned: success Sample: "example.local"
instance_id string	The cloud ID of the instance. This field is only available for cloud-based hosts. Returned: success Sample: "i-ab89723sdf87"
kernel_version string	The version of the kernel. Returned: success Sample: "6.1.79-99.164.amzn2023.x86_64"
last_seen string	The timestamp of when the host was last seen. Returned: success Sample: "2024-03-15T03:06:41Z"
linux_sensor_mode string	The mode of the Linux sensor. Returned: success Sample: "Kernel Mode"
local_ip string	The local IP address of the host. Returned: success Sample: "10.10.10.10"
mac_address string	The MAC address of the host. Returned: success Sample: "11-11-b0-44-4e-a5"
major_version string	The major version of the host. Returned: success Sample: "6"
meta dictionary	Additional metadata about the host. Returned: success
version string	Version metadata. Returned: success Sample: "6"
version_string string	Version string metadata. Returned: success Sample: "1:1239010923"
minor_version string	The minor version of the host. Returned: success Sample: "1"
modified_timestamp string	The timestamp of when the host was last modified. Returned: success Sample: "2024-03-15T03:08:21Z"
os_version string	The version of the operating system. Returned: success Sample: "Amazon Linux 2023"
platform_id string	The platform ID of the host. Returned: success Sample: "3"
platform_name string	The platform name of the host. Returned: success Sample: "Linux"
policies list / elements=dictionary	The list of policies applied to the host. Returned: success
applied boolean	Indicates if the policy is applied. Returned: success Sample: false
applied_date string	The timestamp of when the policy was applied. Returned: success
assigned_date string	The timestamp of when the policy was assigned. Returned: success Sample: "2024-03-15T03:06:41.651213667Z"
policy_id string	The ID of the policy. Returned: success Sample: "aaabbbdddcccddd"
policy_type string	The type of policy. Returned: success Sample: "prevention"
rule_groups list / elements=string	The list of rule groups within the policy. Returned: success Sample: []
settings_hash string	The hash of the policy settings. Returned: success Sample: "aaabbbdddcccdddeee"
product_type_desc string	The description of the product type. Returned: success Sample: "Server"
reduced_functionality_mode string	Indicates if the host is in reduced functionality mode. Returned: success Sample: "yes"
serial_number string	The serial number of the host. Returned: success Sample: "aaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
service_provider string	The cloud service provider of the host. Returned: success Sample: "AWS_EC2_V2"
service_provider_account_id string	The account ID of the cloud service provider. Returned: success Sample: "112233445566"
status string	The containment status of the host. Returned: success Sample: "normal"
system_manufacturer string	The manufacturer of the system. Returned: success Sample: "VMware, Inc."
system_product_name string	The product name of the system. Returned: success Sample: "VMware Virtual Platform"
tags list / elements=string	The list of tags associated with the host. Returned: success Sample: ["Example/tag1", "Example/tag2"]
zone_group string	The cloud zone the host belongs to. This field is only available for cloud-based hosts. Returned: success Sample: "us-west-2a"

Authors

• Carlos Matos (@carlosmmatos)

Collection links

Issue Tracker Repository (Sources)