Devices
The Sentinel Devices API gives you full programmatic control over every enrolled endpoint — query inventory, trigger isolation, run live queries, and initiate scans — all with a complete audit trail.
List devices

```bash
GET /v1/sentinel/devices
```

| Name | Type | Required | Description |
|---|---|---|---|
| filter[platform] | string | No | windows \| macos \| linux \| ios \| android |
| filter[status] | string | No | online \| offline \| isolated \| decommissioned |
| filter[compliance_status] | string | No | compliant \| non_compliant \| unknown |
| filter[label] | string | No | Filter by device label tag. |
| filter[risk_min] | integer | No | Minimum risk score (0–100). |
| filter[risk_max] | integer | No | Maximum risk score (0–100). |

```bash
# Get all high-risk Windows devices
# -g stops curl from treating the [ ] in the filter names as glob ranges
curl -g "https://api.hldgroup.org/v1/sentinel/devices?filter[platform]=windows&filter[risk_min]=75" \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "x-tenant-id: ten_01hxyz"
```

Get a device

```bash
GET /v1/sentinel/devices/:id
```

Isolate a device

```bash
POST /v1/sentinel/devices/:id/isolate
```

| Name | Type | Required | Description |
|---|---|---|---|
| reason | string | Yes | Why the device is being isolated. Logged to the audit trail. |
| incident_id | string | No | Optional incident to associate this action with. |

```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/devices/dev_01hxyz/isolate \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Ransomware staging detected — isolating pending investigation.", "incident_id": "inc_01hxyz"}'
```

Warning: Isolation cuts the device from the network immediately. The Sentinel agent maintains a management-only channel for de-isolation. Always provide a reason — it is written to the permanent incident timeline.

De-isolate a device

```bash
POST /v1/sentinel/devices/:id/deisolate
```

Run a scan

```bash
POST /v1/sentinel/devices/:id/scan
```

| Name | Type | Required | Description |
|---|---|---|---|
| scan_type | string | No | full \| quick \| custom \| rootkit \| memory. Defaults to full. |

Returns 202 Accepted with a scan job object. Poll GET /v1/sentinel/devices/scans/:scan_id for status.
Live query
Execute an osquery-compatible SQL statement against a device in real time.

```bash
POST /v1/sentinel/devices/:id/query
{
  "query": "SELECT pid, name, path FROM processes WHERE on_disk = 0;"
}
```

```json
{
  "data": {
    "query_id": "qry_01hxyz",
    "status": "running",
    "estimated_seconds": 3
  }
}
```

```bash
# Poll for result
GET /v1/sentinel/devices/:id/query?query_id=qry_01hxyz
```

Tip: Useful queries: running processes without on-disk binaries (`on_disk = 0`), open network connections, installed programs, user login history, startup items.
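
The submit-then-poll flow above, as an added Python example (not code from the Sentinel documentation). The `completed` status, the `rows` field, the back-off schedule and all helper names are assumptions; the page only shows a `running` response.

```python
import json
import time
import urllib.parse
import urllib.request

BASE = "https://api.hldgroup.org"  # host used in the page's curl examples

def http_transport(token, tenant_id):
    """call(method, path, body) against the real API (not exercised offline)."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            BASE + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {token}", "x-tenant-id": tenant_id,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call

def fake_transport(polls_before_done):
    """Constructed stand-in for the API so the example runs offline."""
    calls = []
    def call(method, path, body=None):
        calls.append((method, path))
        polls = sum(1 for m, _ in calls if m == "GET")
        done = polls >= polls_before_done
        # Assumption: "completed" and "rows" are hypothetical response values.
        data = {"query_id": "qry_01hxyz", "estimated_seconds": 3,
                "status": "completed" if done else "running"}
        if done:
            data["rows"] = [{"pid": "4242", "name": "sample", "path": ""}]
        return {"data": data}
    call.calls = calls
    return call

def run_live_query(call, device_id, sql, timeout=60.0, sleep=time.sleep):
    """Submit a live query, then poll until it leaves the "running" state."""
    # Percent-encode the id so a malformed value cannot change the request path.
    path = f"/v1/sentinel/devices/{urllib.parse.quote(device_id, safe='')}/query"
    job = call("POST", path, {"query": sql})["data"]
    poll = path + "?" + urllib.parse.urlencode({"query_id": job["query_id"]})
    deadline = time.monotonic() + timeout
    delay = max(1.0, float(job.get("estimated_seconds", 1)))  # first wait
    while job["status"] == "running":
        if time.monotonic() + delay > deadline:
            raise TimeoutError(f"query {job['query_id']} still running")
        sleep(delay)
        job = call("GET", poll)["data"]
        delay = min(delay * 2, 15.0)  # assumed back-off cap, not from the page
    return job
```

Pass `http_transport(token, tenant_id)` instead of `fake_transport(...)` to run the same loop against a live tenant.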