Device Containment — CrowdStrike Falcon
Challenge contains or releases CrowdStrike Falcon hosts using the Hosts API. CrowdStrike does not support email-based device lookup in Challenge — use hostname or serial_number, or enable an MDM connector for email enrichment.
Credentials
- In the Falcon console, create an API client with Hosts read and write scopes for your region.
- Note your API base URL (for example, https://api.crowdstrike.com or https://api.us-2.crowdstrike.com).
- In Challenge, open Integrations → Device Containment → CrowdStrike Falcon.
- Set API base URL, API client ID, and API client secret.
- Enable the integration and save.
API calls Challenge makes
| Step | Method | Endpoint | Expected status |
|---|---|---|---|
| Auth | POST | /oauth2/token | 201 |
| Lookup | GET | /devices/queries/devices/v1?filter=hostname:'...' or serial_number:'...' | 200 |
| Details | POST | /devices/entities/devices/v2 | 200 |
| Contain | POST | /devices/entities/devices-actions/v2?action_name=contain | 202 |
| Release | POST | /devices/entities/devices-actions/v2?action_name=lift_containment | 202 |
Least-privilege guidance
OAuth scopes:
- Hosts: READ — device lookup
- Hosts: WRITE — contain and lift containment
See CrowdStrike PerformActionV2.
Lookup formats
| Lookup type | Supported |
|---|---|
| hostname | Yes |
| serial_number | Yes |
| provider_device_id | Falcon agent ID (AID) |
| user_email | No (use MDM enrichment or hostname/serial) |
Email enrichment
When you pass user_email and both MDM and CrowdStrike are enabled, Challenge resolves devices from MDM, then looks up matching hostnames or serials in Falcon.
Actions
| Challenge action | Falcon action |
|---|---|
| network_contain | contain |
| release_containment | lift_containment |
Troubleshooting
| Symptom | Check |
|---|---|
| mdm_required_for_email_lookup | Enable MDM or use hostname/serial |
| device_not_found | FQL filter; hostname case and wildcards |
| http_403 | Missing Hosts WRITE scope |
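The auth → lookup → contain/release sequence from the API calls and Actions tables, as an added Python example that is not Challenge's or CrowdStrike's own code: it checks the status each step expects and maps failures to the troubleshooting symptoms above. The `transport` callback and `fake_transport` are assumptions so the flow runs offline; a real deployment would send each request to the API base URL with the Bearer token.

```python
from urllib.parse import quote

def fql_filter(hostname=None, serial_number=None):
    """FQL filter for the Lookup step; user_email is deliberately not accepted."""
    if hostname:
        return f"hostname:'{hostname}'"
    if serial_number:
        return f"serial_number:'{serial_number}'"
    raise ValueError("mdm_required_for_email_lookup: use hostname or serial_number")

class FalconHosts:
    """Auth -> lookup -> contain/release, checking the status each step expects."""
    def __init__(self, base_url, client_id, client_secret, transport):
        # transport(method, path, token, body) -> (status, json_body) is injected so the
        # flow runs offline against fake_transport; it is an assumed helper, not an SDK API
        self.base_url, self.transport, self.token = base_url, transport, None
        self.creds = {"client_id": client_id, "client_secret": client_secret}

    def auth(self):
        status, body = self.transport("POST", "/oauth2/token", None, self.creds)
        if status != 201:
            raise RuntimeError(f"auth: expected 201, got {status}")
        self.token = body["access_token"]

    def lookup(self, **kw):
        path = "/devices/queries/devices/v1?filter=" + quote(fql_filter(**kw), safe="")
        status, body = self.transport("GET", path, self.token, None)
        if status != 200 or not body.get("resources"):  # empty AID list = device_not_found
            raise LookupError("device_not_found: check FQL filter, hostname case and wildcards")
        return body["resources"]

    def action(self, aids, action_name):
        # action_name: "contain" (network_contain) or "lift_containment" (release_containment)
        path = f"/devices/entities/devices-actions/v2?action_name={action_name}"
        status, body = self.transport("POST", path, self.token, {"ids": aids})
        if status == 403:
            raise PermissionError("http_403: API client lacks the Hosts WRITE scope")
        if status != 202:
            raise RuntimeError(f"{action_name}: expected 202, got {status}")
        return [r["id"] for r in body["resources"]]

def fake_transport(method, path, token, body):
    """Constructed stand-in for the Falcon API, answering with the statuses from the table."""
    if path == "/oauth2/token":
        return 201, {"access_token": "constructed-token"}
    if path.startswith("/devices/queries/devices/v1?filter="):
        known = {"LAPTOP-01": "aid-constructed-0001"}  # constructed inventory
        hits = [aid for host, aid in known.items() if quote(f"hostname:'{host}'", safe="") in path]
        return 200, {"resources": hits}
    return 202, {"resources": [{"id": aid} for aid in body["ids"]]}  # devices-actions
```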