Fleet operations
Fleet operations let you execute actions across groups of devices simultaneously — scoped by device IDs, platform, label, or compliance status. They are essential for large-scale incident response and proactive hardening.
Trigger a fleet action
```bash
POST /v1/sentinel/fleet/actions
```

| Name | Type | Required | Description |
|---|---|---|---|
| action | string | Yes | One of isolate, scan, force_update, collect_inventory, run_query. |
| reason | string | Yes | Why this fleet action is being triggered. Written to audit trail. |
| device_ids | array | No | Explicit list of device IDs. Use this OR filter, not both. |
| filter | object | No | Target devices matching criteria. Supports platform, label, compliance_status. |
| params | object | No | Action-specific parameters (e.g. scan_type for scan actions). |
Target by filter
```bash
# Isolate all non-compliant Windows devices
curl -X POST https://api.hldgroup.org/v1/sentinel/fleet/actions \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "isolate",
    "reason": "Zero-day containment — isolating all non-compliant Windows devices.",
    "filter": {
      "platform": "windows",
      "compliance_status": "non_compliant"
    }
  }'
```

Target by explicit IDs
```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/fleet/actions \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "action": "scan",
    "reason": "Post-incident sweep on affected finance team devices.",
    "device_ids": ["dev_01hxyz", "dev_02hxyz", "dev_03hxyz"],
    "params": { "scan_type": "full" }
  }'
```

Fleet job response
```json
{
  "data": {
    "job": {
      "id": "flj_01hxyz",
      "action": "scan",
      "device_count": 47,
      "status": "queued",
      "triggered_by": "usr_01hxyz",
      "created_at": "2025-06-01T03:14:00Z"
    },
    "device_count": 47
  }
}
```

Warning: Fleet actions are limited to 500 devices per request. For larger fleets, paginate with explicit device_ids or use multiple filter-scoped requests. Isolation at scale should be approved by a senior analyst — it will cause significant operational disruption.

Available fleet actions
| Name | Type | Required | Description |
|---|---|---|---|
| isolate | action | No | Network-isolate all targeted devices simultaneously. |
| scan | action | No | Trigger AV/EDR scan across the fleet. Supports scan_type param. |
| force_update | action | No | Force agent and definition update on all targeted devices. |
| collect_inventory | action | No | Refresh full software, process, and hardware inventory. |
| run_query | action | No | Execute an osquery statement across all targeted devices. Requires query param. |
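
The 500-device limit from the warning and the device_ids-or-filter rule from the parameter table, as an added client-side example (not part of the API or any official SDK). `build_fleet_requests` is a hypothetical helper; it assumes `run_query` takes its statement as `params["query"]` and that a request naming neither `device_ids` nor `filter` should be refused before sending.

```python
import json

MAX_DEVICES_PER_REQUEST = 500  # limit stated in the warning on this page
ACTIONS = {"isolate", "scan", "force_update", "collect_inventory", "run_query"}
FILTER_KEYS = {"platform", "label", "compliance_status"}


def build_fleet_requests(action, reason, device_ids=None, device_filter=None, params=None):
    """Validate the inputs and return request bodies of at most 500 devices each."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    if not reason or not reason.strip():
        raise ValueError("reason is required; it is written to the audit trail")
    # Assumption: naming neither target is refused here, since the scope would be ambiguous.
    if (device_ids is None) == (device_filter is None):
        raise ValueError("give device_ids or filter, not both and not neither")
    # Assumption: the osquery statement is passed as params["query"].
    if action == "run_query" and not (params or {}).get("query"):
        raise ValueError("run_query requires a query param")

    base = {"action": action, "reason": reason}
    if params:
        base["params"] = dict(params)

    if device_filter is not None:
        unknown = set(device_filter) - FILTER_KEYS
        if unknown or not device_filter:
            raise ValueError(f"unsupported or empty filter: {sorted(unknown)}")
        # The server resolves the filter, so the device count cannot be checked here.
        return [{**base, "filter": dict(device_filter)}]

    # De-duplicate while keeping order, so no device is targeted twice.
    ids = list(dict.fromkeys(device_ids))
    if not ids:
        raise ValueError("device_ids is empty")
    return [
        {**base, "device_ids": ids[i:i + MAX_DEVICES_PER_REQUEST]}
        for i in range(0, len(ids), MAX_DEVICES_PER_REQUEST)
    ]


if __name__ == "__main__":
    # Constructed sample: 1,200 made-up device IDs plus one duplicate.
    sample = [f"dev_{n:04d}" for n in range(1200)] + ["dev_0000"]
    for body in build_fleet_requests("scan", "Post-incident sweep.", sample,
                                     params={"scan_type": "full"}):
        print(len(body["device_ids"]), json.dumps(body)[:60])
```

Each returned body can be sent as the `-d` payload of its own POST to `/v1/sentinel/fleet/actions`, which yields one fleet job per batch.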