Get FalconHost - CrowdStrike/psfalcon GitHub Wiki

Get-FalconHost

SYNOPSIS

Search for hosts

DESCRIPTION

Requires 'Hosts: Read' plus related permission(s) for 'Include' selection(s).

PARAMETERS

Name Type Description Min Max Allowed Pipeline PipelineByName
Id String[] Host identifier X X
Filter String Falcon Query Language expression to limit results

agent_load_flags
agent_version
bios_manufacturer
bios_version
cid
config_id_base
config_id_build
config_id_platform
cpu_signature
device_id
external_ip
first_seen
groups
hostname
instance_id
kernel_version
last_login_timestamp
last_seen
local_ip
local_ip.raw
mac_address
machine_domain
major_version
minor_version
modified_timestamp
os_version
ou
platform_id
platform_name
product_type_desc
reduced_functionality_mode
release_group
serial_number
site_name
status
system_manufacturer
system_product_name
tags
Sort String Property and direction to sort results device_id.asc
device_id.desc
agent_load_flags.asc
agent_load_flags.desc
agent_version.asc
agent_version.desc
bios_manufacturer.asc
bios_manufacturer.desc
bios_version.asc
bios_version.desc
config_id_base.asc
config_id_base.desc
config_id_build.asc
config_id_build.desc
config_id_platform.asc
config_id_platform.desc
cpu_signature.asc
cpu_signature.desc
external_ip.asc
external_ip.desc
filesystem_containment_status.asc
filesystem_containment_status.desc
first_seen.asc
first_seen.desc
hostname.asc
hostname.desc
instance_id.asc
instance_id.desc
last_login_timestamp.asc
last_login_timestamp.desc
last_seen.asc
last_seen.desc
local_ip.asc
local_ip.desc
local_ip.raw.asc
local_ip.raw.desc
mac_address.asc
mac_address.desc
machine_domain.asc
machine_domain.desc
major_version.asc
major_version.desc
minor_version.asc
minor_version.desc
modified_timestamp.asc
modified_timestamp.desc
os_version.asc
os_version.desc
ou.asc
ou.desc
platform_id.asc
platform_id.desc
platform_name.asc
platform_name.desc
product_type_desc.asc
product_type_desc.desc
reduced_functionality_mode.asc
reduced_functionality_mode.desc
release_group.asc
release_group.desc
serial_number.asc
serial_number.desc
site_name.asc
site_name.desc
status.asc
status.desc
system_manufacturer.asc
system_manufacturer.desc
system_product_name.asc
system_product_name.desc
Limit Int32 Maximum number of results per request [default: 100] 1 10000
Include String[] Include additional properties content_state
group_names
login_history
network_history
online_state
policy_names
zero_trust_assessment
Field String[] Host properties to include in response
Offset String Position to begin retrieving results
Hidden Switch Restrict search to 'hidden' hosts
Login Switch Retrieve user login history
Network Switch Retrieve network address history
State Switch Retrieve online status
Detailed Switch Retrieve detailed information
All Switch Repeat requests until all available results are retrieved
Total Switch Display total result count instead of results

SYNTAX

Get-FalconHost [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <String>] [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost -Id <String[]> -State [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost -Id <String[]> -Network [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost -Id <String[]> -Login [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost -Id <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [[-Field] <String[]>] [-Offset <String>] -Hidden -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [[-Field] <String[]>] [-Offset <String>] -Detailed [-All] [-WhatIf] [-Confirm] [<CommonParameters>]
Get-FalconHost [[-Filter] <String>] [[-Sort] <String>] [[-Limit] <Int32>] [[-Include] <String[]>] [-Offset <String>] -Hidden [-All] [-Total] [-WhatIf] [-Confirm] [<CommonParameters>]

REFERENCE

Endpoints

GET /devices/combined/devices-hidden/v1
GET /devices/combined/devices/v1
GET /devices/entities/online-state/v1
GET /devices/queries/devices-hidden/v1
GET /devices/queries/devices-scroll/v1
POST /devices/combined/devices/login-history/v2
POST /devices/combined/devices/network-address-history/v1
POST /devices/entities/devices/v2

falconpy

QueryDevicesByFilterScroll
GetOnlineState_V1
QueryGetNetworkAddressHistoryV1
QueryDeviceLoginHistoryV2
PostDeviceDetailsV2
CombinedHiddenDevicesByFilter
CombinedDevicesByFilter
QueryHiddenDevices

USAGE

NOTE: The Include parameter can be used to append additional output to a Get-FalconHost result.

Finding all Windows hosts

Get-FalconHost -Filter "platform_name:'Windows'" [-Detailed] [-All]

Finding all hosts in last # of days

Get-FalconHost -Filter "last_seen:>'last 3 days'" [-Detailed] [-All]

Finding Falcon hosts that match a given AWS instance ID

Get-FalconHost -Filter "instance_id:'<instance_id>'" [-Detailed] [-All]

Finding hosts based on multiple query criteria

Get-FalconHost -Filter "product_type_desc:'Workstation'+status:'normal'+platform_name:['Windows','Mac']+last_seen:>='2020-07-04'" [-Detailed] [-All]

See Find-FalconHostname.

Retrieving a list of the first 100 hosts in your environment

Get-FalconHost [-Detailed]

Getting host details

Get-FalconHost -Id <id>, <id>

Retrieving host NIC history

Get-FalconHost -Id <id>, <id> -Network

Retrieving info about last logged in users

Get-FalconHost -Id <id>, <id> -Login

Finding hosts that have been deleted

Get-FalconHost -Hidden [-Detailed] [-All]

2025-09-19: PSFalcon v2.2.9

⚠️ **GitHub.com Fallback** ⚠️