Replies: 1 comment
Hi @afroz1 Thanks for the question! The core approach for this would be to use the Hosts service collection. FalconPy is designed to make authentication and token management easy and supports multiple methods of providing your API credentials. When using FalconPy we handle the specifics of authentication so you can use the operations directly. Standard API rate limits apply (typically 6000 requests/minute), but based on your use case of 1k devices I don't think you should encounter an issue. Your API key should be scoped with the hosts "Write" permission in order to apply the operation. Here's an example of using the perform_action operation for your use case of containing hosts. I've also added a function to gather Host IDs. The contain_hosts_batch function takes a list of Host IDs and performs the containment operation. The perform_action operation takes a maximum of 100 IDs per request, so additionally I have batched the input to meet this requirement. Let us know with any additional questions!
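The snippet the reply refers to is not reproduced on this page, so the following is an added example (not the maintainer's code) of the approach it describes: gather host IDs from the Hosts service collection, then call perform_action with action_name="contain" in batches of at most 100 IDs, recording any batch the API rejects. It assumes the credentials are provided in the FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables and uses a hypothetical FQL filter.

```python
import os
from typing import Dict, Iterable, Iterator, List

MAX_IDS_PER_REQUEST = 100  # perform_action accepts at most 100 host IDs per call


def chunked(ids: Iterable[str], size: int = MAX_IDS_PER_REQUEST) -> Iterator[List[str]]:
    """Yield consecutive lists of at most `size` host IDs."""
    batch: List[str] = []
    for host_id in ids:
        batch.append(host_id)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def get_host_ids(hosts, fql_filter: str, limit: int = 5000) -> List[str]:
    """Return host AIDs matching an FQL filter via the Hosts service collection."""
    resp = hosts.query_devices_by_filter(filter=fql_filter, limit=limit)
    if resp["status_code"] != 200:
        raise RuntimeError(f"query_devices_by_filter failed: {resp['body'].get('errors')}")
    return resp["body"]["resources"]


def contain_hosts_batch(hosts, host_ids: List[str]) -> Dict[str, list]:
    """Network-contain hosts in batches of 100; report which IDs were accepted or rejected."""
    outcome: Dict[str, list] = {"contained": [], "failed": []}
    for batch in chunked(host_ids):
        resp = hosts.perform_action(action_name="contain", ids=batch)
        if resp["status_code"] in (200, 202):
            outcome["contained"].extend(batch)
        else:
            # Keep the API's error text next to the IDs so an operator can review and retry them
            outcome["failed"].append({"ids": batch, "errors": resp["body"].get("errors")})
    return outcome


def main() -> None:
    # Imported here so the batching helpers above stay importable without the SDK installed
    from falconpy import Hosts

    hosts = Hosts(client_id=os.environ["FALCON_CLIENT_ID"],  # assumed env vars
                  client_secret=os.environ["FALCON_CLIENT_SECRET"])
    # Hypothetical filter; replace with the FQL that selects the hosts you intend to contain
    ids = get_host_ids(hosts, "hostname:'WEB-*'")
    print(contain_hosts_batch(hosts, ids))


if __name__ == "__main__":
    main()
```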
We are looking to quarantine (contain) multiple hosts at once using CrowdStrike Falcon. While we know the Falcon Console allows containment per host via the UI, we need to contain a large number of hosts (up to ~1,000) in one operation.
We would like guidance on:
How to use the CrowdStrike Falcon API (or Real Time Response) with Python to achieve bulk host containment.
Best practices to handle large-scale containment, including API rate limits, authentication, and error handling.
Sample scripts, code snippets, or references to official Python libraries for automating this task.
Our goal is to safely and efficiently quarantine multiple hosts at scale while following CrowdStrike best practices.
Any pointers, examples, or documentation references would be greatly appreciated!