14 April 2017

Tool to Pull Falcon Host Alerts for Multiple Instances

CrowdStrike has an agent-based, cloud-processed endpoint monitoring tool known as Falcon Host (or one of various other Falcon-branded names). To view alerts within the UI, you must navigate to the proper window and tab. If you manage more than one customer, it becomes a pain to click the drop-down and manually step through each customer instance.


I wrote a quick script called toruk that iterates through all of the instances automatically to pull the alert information, without touching the UI. It can easily be extended to pull whatever additional information is available, which is usually in a structured format (JSON) because CrowdStrike's UI is driven by its own back-end APIs. View the source code here: https://github.com/brokensound77/toruk




usage: toruk.py [-h] [-a] [-s] [-i INSTANCE] [-o OUTFILE] [-c CONFIG_FILE]
                [-l {1,2,3,4,5,6,7,8,9,10,11,12}]

optional arguments:
  -h, --help            show this help message and exit
  -a, --alerts          retrieves new alerts
  -s, --systems         retrieves systems information; ss for FULL details in JSON (NOISY!)
  -i INSTANCE, --instance INSTANCE
                        cid for specific customer instance
  -o OUTFILE, --outfile OUTFILE
                        write output to the selected file, rather than to stdout
  -c CONFIG_FILE, --config-file CONFIG_FILE
                        select a config file with user credentials
  -l {1,2,3,4,5,6,7,8,9,10,11,12}, --loop {1,2,3,4,5,6,7,8,9,10,11,12}
                        runs toruk in a loop, for the number of hours passed, running every minute

sample output:
 
python toruk.py -a -c /location/of/config.cfg
.
.
[*] Credentials read from config file
[$] Enter FH 2FA: 123456
[*] 500 customer instances detected
[*] Performing search (01:10:41L)...
Customer A
**********
[!] 2 alert(s) detected!

Customer D
**********
[!] 5 alert(s) detected!

Customer Z
**********
[!] 1 alert(s) detected!

[*] Search complete (01:12:58L)

 
python toruk.py -s -c /location/of/config.cfg
.
.
[*] Credentials read from config file
[$] Enter FH 2FA: 555777
[*] 500 customer instances detected
[*] Performing search (01:14:29L)...

Joe's Widgets                         
*************                         
Hosts                                 Operating System          Public IP       Last Seen
-----                                 ----------------          ---------       ---------
12345e-web                            Windows Server 2012 R2    50.123.456.20   2017-04-16T09:49:54Z
145gt5-db7                            Windows Server 2012 R2    50.123.456.21   2017-04-16T09:48:08Z
4asr47-Db1                            Windows Server 2012 R2    50.123.456.202  2017-04-16T09:47:46Z
4avs54-APP3                           Windows Server 2012 R2    50.123.45.93    2017-04-16T09:47:06Z
abcd21-Db6                            Windows Server 2012 R2    50.123.45.94    2017-04-16T09:46:37Z
123a47-db2                            Windows Server 2012 R2    50.123.45.205   2017-04-16T09:44:45Z
asas85-web                            Windows Server 2012 R2    50.123.45.96    2017-04-16T09:44:35Z
asfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z
4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z
4avs54-APP3                           Windows Server 2012 R2    50.123.45.209   2017-04-16T09:47:06Z
abcd21-Db6                            Windows Server 2012 R2    50.123.45.210   2017-04-16T09:46:37Z
123a47-db2                            Windows Server 2012 R2    50.123.456.11   2017-04-16T09:44:45Z
                                      
Workers United                        
**************                        
Hosts                                 Operating System          Public IP       Last Seen
-----                                 ----------------          ---------       ---------
asas85-web                            Windows Server 2012 R2    50.123.45.96    2017-04-16T09:44:35Z
asfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z
4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z
4avs54-APP3                           Windows Server 2012 R2    50.123.45.209   2017-04-16T09:47:06Z
                                                                            
Joe's Plumbing Co                     
*****************                     
Hosts                                 Operating System          Public IP       Last Seen
-----                                 ----------------          ---------       ---------
145gt5-db7                            Windows Server 2012 R2    50.123.456.21   2017-04-16T09:48:08Z
4asr47-Db1                            Windows Server 2012 R2    50.123.456.202  2017-04-16T09:47:46Z
4avs54-APP3                           Windows Server 2012 R2    50.123.45.93    2017-04-16T09:47:06Z
abcd21-Db6                            Windows Server 2012 R2    50.123.45.94    2017-04-16T09:46:37Z
123a47-db2                            Windows Server 2012 R2    50.123.45.205   2017-04-16T09:44:45Z
asas85-web                            Windows Server 2012 R2    50.123.45.96    2017-04-16T09:44:35Z
asfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z
4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z
                                      
[*] Search complete (01:19:29L)


I am actively developing this, so new features are added regularly.

It is worth mentioning that, while CrowdStrike does have an API that can pull these alerts, it is much simpler to use this script, as it depends only on user credentials and 2FA, whereas the API requires an API key for every single instance.
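The core of what the post describes, as an added example and not toruk's own code: walk every customer instance (or a single cid, as -i does), pull the JSON alert records, report only alerts not seen by an earlier pass, and render the per-customer summary in the format shown above, with a loop helper mirroring -l. The authenticated request per cid is replaced by a stand-in over constructed data, since the real Falcon Host endpoints and response shape are not reproduced here; the instance names, cids and alert ids are all assumed.

```python
import json
import time
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data: a stand-in for what the per-instance back-end alert
# query returns (cid -> customer name and JSON alert records). The real Falcon
# Host web endpoints and their response shape are not reproduced here.
SAMPLE_ALERTS = {
    "cid-a": {"name": "Customer A", "alerts": [{"id": "a1"}, {"id": "a2"}]},
    "cid-b": {"name": "Customer B", "alerts": []},
    "cid-d": {"name": "Customer D", "alerts": [{"id": f"d{i}"} for i in range(5)]},
}
INSTANCES = {cid: rec["name"] for cid, rec in SAMPLE_ALERTS.items()}

def fake_fetch_alerts(cid: str) -> List[dict]:
    """Stand-in for the authenticated (credentials + 2FA) request sent per cid."""
    return json.loads(json.dumps(SAMPLE_ALERTS[cid]["alerts"]))

def collect_alerts(instances: Dict[str, str], fetch: Callable[[str], List[dict]],
                   seen: Set[str], only_cid: Optional[str] = None) -> Dict[str, List[dict]]:
    """Walk every customer instance (or just only_cid, like -i) and return the
    alerts not reported by an earlier pass; 'seen' is updated in place."""
    results: Dict[str, List[dict]] = {}
    for cid, name in instances.items():
        if only_cid and cid != only_cid:
            continue
        new = [a for a in fetch(cid) if f"{cid}:{a['id']}" not in seen]
        seen.update(f"{cid}:{a['id']}" for a in new)
        results[name] = new
    return results

def render_summary(results: Dict[str, List[dict]]) -> str:
    """Per-customer block in toruk's output style; quiet instances are skipped."""
    lines: List[str] = []
    for name, alerts in results.items():
        if alerts:
            lines += [name, "*" * len(name), f"[!] {len(alerts)} alert(s) detected!", ""]
    return "\n".join(lines)

def run_loop(hours: int, one_pass: Callable[[], None],
             sleep_fn: Callable[[float], None] = time.sleep) -> int:
    """-l: run one pass every minute for the given number of hours; returns pass count."""
    passes = hours * 60
    for _ in range(passes):
        one_pass()
        sleep_fn(60)
    return passes

if __name__ == "__main__":
    seen_ids: Set[str] = set()
    print(render_summary(collect_alerts(INSTANCES, fake_fetch_alerts, seen_ids)))
```

Keeping the `seen` set across passes is what makes the loop mode report genuinely new alerts rather than repeating the same ones every minute.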