{"id":15953430,"url":"https://github.com/brokensound77/toruk","last_synced_at":"2025-07-22T06:06:02.589Z","repository":{"id":116007191,"uuid":"78095460","full_name":"brokensound77/toruk","owner":"brokensound77","description":"Crowdstrike Falcon Host script for iterating through instances to get alert and other relevant data","archived":false,"fork":false,"pushed_at":"2019-07-16T12:14:24.000Z","size":105,"stargazers_count":13,"open_issues_count":4,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-04-02T11:11:11.658Z","etag":null,"topics":["crowdstrike","endpoint","falconhost"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/brokensound77.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-01-05T08:41:15.000Z","updated_at":"2024-08-06T08:05:22.000Z","dependencies_parsed_at":null,"dependency_job_id":"079c4b8d-fa59-490b-bbf5-65b5cbdb57b9","html_url":"https://github.com/brokensound77/toruk","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/brokensound77/toruk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brokensound77%2Ftoruk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brokensound77%2Ftoruk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brokensound77%2Ftoruk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brokensound77%2Ftoruk/manifests","owner_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/brokensound77","download_url":"https://codeload.github.com/brokensound77/toruk/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/brokensound77%2Ftoruk/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266437372,"owners_count":23928235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-22T02:00:09.085Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crowdstrike","endpoint","falconhost"],"created_at":"2024-10-07T13:12:19.670Z","updated_at":"2025-07-22T06:06:02.577Z","avatar_url":"https://github.com/brokensound77.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# toruk\n\nCrowdstrike Falcon Host script for iterating through instances to get alert data and system information. Can easily be extended to pull any info within each instance. Primarily designed for multi-tenant customers with more than one instance. 
(Searches across all instances, which the user has rights to)\n\n```\n                                                                                             `/`\n                                                                                           -/-.\n                                                                                        `:o+.:\n                                                                                      `+s.+/o\n                                                                                     /hs+s/d`\n     .                                                                            `/o+`so/--\n     --   `:                                                                    -oy- +++ s/\n      +-   +.                                                                `:osooo+o/+`h`            `\n      -+-` ./`                                                             -/oo+/++++sdso-         .:+y-\n       +ss. +/`                                                         `/ssso++++oyho:`      `--:s///`\n       `hmm-.o:                                                       .oyssso++oss+-`  `.-/+soo:os//`\n        `omd.+h:                                                    .oyysssyys+:...:+ossoo++s/::oo.\n         `+dh-dm. .                                     ``        -syyyyso/--:+oyyyyso++///+s+:y:\n          `ody/No`/.                                    `.-:    -shysoo/+osyyyssssossssssooss+-`\n           `odsyy os-                                      /s`-oyysssyyhhhyyyssoo+++/:-.....---..:--/:\n            `odyh`yNm-                                    -hNhhhysoosso/::::::::://///+osyy-/++:od+/-`\n             `odyo+mm+                               `:+sdmNNmmdhhyyyyssssssssoooo++++++oh/-/oo+:.`\n              `ohdmmd.                             `sddhdddhyhhhhhddddhsoo+ooooo++oooooosh+:-.`\n               `+hmd++ooyyo        .              `oNmdddyyysssssssysyyhddddddhyysso+///:-.\n               .:+shdmmmmmm`   `.:os.        
     /dNmddhhyyyyyssssossssssyyyyyhhhyyhhhdmd-\n               +- `:yNdmmmN+:+:::::.            `+hmmmmdddddhyyyssssssssssssssssssssoosyh-\n               .    .sddmmNh+`                 .odNNmmmddddddddhhyyyysssssssssssssooooyh.\n                     `ohmdmmh`                .smmNmmmmmddhdddhhhhhhhysssssssoooooooshs.\n                    `:-oddmdNh`             `/ymdmNmddddhyysyyhhyyyyyhhhyssssooooooyy/`\n                   ./:sysyyhdmy.          ./hmdmmNmddhhhhhyysssyyhhysssyhhhysooosys:`\n                  `shNdmmmmmmmhs-`     `-oydmmmNNmdddhhhhhhyyyysssyyyysssssyyhyyo-\n               .:sdmdddysosyddmmdo+++osydddmNmmNmmdddddhyyyyhyyssssssyhyyyyyo/-`\n       ``.-:/+sdNmNms:..` ``:sdmmmmNNNmmmmmNNNNmdddddhhdhhyyyyyyysyyyyyho:-`\n     .--:/+sydNdhyNs`        /ddhhyhdhdmmNNNNmddmmddhhyyhhhhyyyhyys+-.`\n      `-/oshNNmdddNs-        sydhhmyhdysydmmmdddddyyyyhhyhddhyo/.`\n       `/hmNmmoshMmy+`       /yhhhhhhdhysyhdddhhdhysssossshs:`\n         /o/-. smNhs+:       /myhhddmdhyhyyyhhhyyssooooossssso:.\n              .dNhs+/:. `/+:-:dhdhdmddhyssyyssysooooooooosssssss-\n              `++:-.`..`/hhddhhdhymmdddhssoo+/++oooooooosso/-.`\n                       `ohydddhdhmNhhhdhhhho+///++oooos+-`\n                        +hyd-/shyydddmddhhhyso+/++ooso.\n                        .yyh  `+ydddhhhhhhdhyyso+ooys\n                   -/.   :hy .sddhsoyhhhhhhdhhhysosh.\n                 `///oo` `sy`smdh+  ./ssyyyhhhhhysoy\n                    `+my-`+d.hdhy.    `/syyyyyyyyssy-\n                      .hhyhh-hdy-       .syyhhyyyyyys\n                       `o   -dh.         .ohhhhoyhyyy/\n                        `   .ds            /yhh-`:oyyy:\n                            -do             `ohh-  -osy+`\n                          `:yh:               -sh+`  `:sy+`\n                        `/yd/                   :yho.   -oy+`\n                       :shd/                      -+y+.   
`:s+:`\n                     .++.y o:                        -oo-`   `:o+.\n                     +- s-  /                           -+/.    `:+:\n                        ``                                 .//-    ./:\n                                                              .::.   `-\n\n\n\n              **********************************************************\n                  ______   ______     ______     __  __     __  __\n                 /\\__  _\\ /\\  __ \\   /\\  == \\   /\\ \\/\\ \\   /\\ \\/ /\n                 \\/_/\\ \\/ \\ \\ \\/\\ \\  \\ \\  __\u003c   \\ \\ \\_\\ \\  \\ \\  _\"-.\n                    \\ \\_\\  \\ \\_____\\  \\ \\_\\ \\_\\  \\ \\_____\\  \\ \\_\\ \\_\\\n                     \\/_/   \\/_____/   \\/_/ /_/   \\/_____/   \\/_/\\/_/\n\n\n                      ***** F a l c o n   T o o l   S u i t e *****\n                                        zeroex00\n              **********************************************************\n```\n\n## Setup\n\ndownload and unzip or git clone\n\n```\ncd toruk-master\npip install .\ntoruk -a\n```\nOR\n```\ncd toruk-master/toruk\npython toruk -a\n```\n\n\n## Usage\n\n```\nusage: toruk.py [-h] [-a] [-s] [-i INSTANCE] [-o OUTFILE] [-c CONFIG_FILE]\n                [-l {1,2,3,4,5,6,7,8,9,10,11,12}] [-f FREQUENCY] [-q]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -a, --alerts          retrieves new alerts\n  -s, --systems         retrieves systems information; ss for FULL details in\n                        JSON (NOISY!)\n  -i INSTANCE, --instance INSTANCE\n                        cid for specific customer instance\n  -o OUTFILE, --outfile OUTFILE\n                        write output to the selected file, rather than to\n                        stdout\n  -c CONFIG_FILE, --config-file CONFIG_FILE\n                        select a config file with user credentials\n  -l {1,2,3,4,5,6,7,8,9,10,11,12}, --loop {1,2,3,4,5,6,7,8,9,10,11,12}\n                        runs 
toruk in a loop, for the number of hours passed\n  -f FREQUENCY, --frequency FREQUENCY\n                        frequency (in minutes) for the loop to resume\n  -q, --quiet           suppresses errors from alert retrieval failures\n```\nYou will then be prompted to enter credentials and 2FA\n\n## Sample output\n\n### Alerts\n```\npython toruk.py -a -l 1 -c /location/of/config.cfg\n.\n.\n[*] Credentials read from config file\n[$] Enter FH 2FA: 123456\n[*] 201 customer instances detected\n[*] Performing search (11:24:15L)...\n[*] ********************************\n[!] Low alert on Joes-Desktop for suspicious_activity (2017-07-20T13:11:08Z)!\n----\u003e Joe's Widget Company\n[!] Low alert on Martha-Laptop for suspicious_activity (2017-07-20T14:10:12Z)!\n----\u003e Workers United\n[*] Search complete (10:16:17L)\n[-] Sleeping for 1 minute(s)\n```\n\n### System Info\n```\npython toruk.py -s -c /location/of/config.cfg\n.\n.\n[*] Credentials read from config file\n[$] Enter FH 2FA: 555777\n[*] 500 customer instances detected\n[*] Performing search (01:14:29L)...\n\nJoe's Widgets                         \n=============                         \nHosts                                 Operating System          Public IP       Last Seen\n-----                                 ----------------          ---------       ---------\n12345e-web                            Windows Server 2012 R2    50.123.456.20   2017-04-16T09:49:54Z\n145gt5-db7                            Windows Server 2012 R2    50.123.456.21   2017-04-16T09:48:08Z\n4asr47-Db1                            Windows Server 2012 R2    50.123.456.202  2017-04-16T09:47:46Z\n4avs54-APP3                           Windows Server 2012 R2    50.123.45.93    2017-04-16T09:47:06Z\nabcd21-Db6                            Windows Server 2012 R2    50.123.45.94    2017-04-16T09:46:37Z\n123a47-db2                            Windows Server 2012 R2    50.123.45.205   2017-04-16T09:44:45Z\nasas85-web                            Windows Server 
2012 R2    50.123.45.96    2017-04-16T09:44:35Z\nasfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z\n4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z\n4avs54-APP3                           Windows Server 2012 R2    50.123.45.209   2017-04-16T09:47:06Z\nabcd21-Db6                            Windows Server 2012 R2    50.123.45.210   2017-04-16T09:46:37Z\n123a47-db2                            Windows Server 2012 R2    50.123.456.11   2017-04-16T09:44:45Z\n                                      \nWorkers United                        \n==============                        \nHosts                                 Operating System          Public IP       Last Seen\n-----                                 ----------------          ---------       ---------\nasas85-web                            Windows Server 2012 R2    50.123.45.96    2017-04-16T09:44:35Z\nasfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z\n4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z\n4avs54-APP3                           Windows Server 2012 R2    50.123.45.209   2017-04-16T09:47:06Z\n                                                                            \nJoe's Plumbing Co                     \n=================                     \nHosts                                 Operating System          Public IP       Last Seen\n-----                                 ----------------          ---------       ---------\n145gt5-db7                            Windows Server 2012 R2    50.123.456.21   2017-04-16T09:48:08Z\n4asr47-Db1                            Windows Server 2012 R2    50.123.456.202  2017-04-16T09:47:46Z\n4avs54-APP3                           Windows Server 2012 R2    50.123.45.93    2017-04-16T09:47:06Z\nabcd21-Db6                            Windows Server 2012 R2    50.123.45.94    
2017-04-16T09:46:37Z\n123a47-db2                            Windows Server 2012 R2    50.123.45.205   2017-04-16T09:44:45Z\nasas85-web                            Windows Server 2012 R2    50.123.45.96    2017-04-16T09:44:35Z\nasfs43-web                            Windows Server 2012 R2    50.123.456.177  2017-04-01T09:45:44Z\n4asr47-Db1                            Windows Server 2012 R2    50.123.456.88   2017-04-16T09:47:46Z\n                                      \n[*] Search complete (01:19:29L)\n```\n\n## Detailed Usage\n\n### Config File\n\n```\ntoruk -c path/to/config.cfg\n```\n\n### Configuration File\n\nUse of every field within the config file is optional. Instructions for setting up for use with OTP can be found in the [sample](https://github.com/brokensound77/toruk/blob/master/toruk/sample-toruk-cfg.cfg) config file.\n\nSetting the `ignore` field to a comma-separated (no spaces) list of CIDs will force toruk to skip over those instances.\n\nExample:\n\nconfig file:\n\n`ignore=1234567890abcdef01234567890abcde,12abc67890abcdef01234abc890abcde`\n\n```\ntoruk -c /path/to/config.cfg\n```\n\n### Detailed Alerts\n\n`toruk -ad`\n\n```\n[!] 
NEW Bob's Widget Company - High alert on BOB-W-12-1 for NGAV (2017-10-12T10:20:10Z)!\n                cid: abcd123aceae439da8559b066cdef321 aid: cd7d0daabcdef77c45bb49b887654321\n    SYSTEM INFO:\n           username: bob.widgeter (S-1-5-21-1232980321-2341652234-1233843123-1004)\n                 os: Windows Server 2008 R2\n        description: Server\n             domain: Widget.Widget\n                 ou: [u'Widget', u'Servers']\n         victim IPs:\n                private: 10.1.2.34\n                 public: 123.45.67.89\n    ALERT INFO:\n           filename: SuspectFile.exe\n             hashes:\n                sha256: abc12365de31ca6adf41d7e1e91f50daabcdb48966a56509c2421d123dcdef77\n                   md5: abcdef6bd89a11a03846f396dcd12345\n            cmdline: \"C:\\Windows\\System32\\LegitFolder\\SuspectFile.exe\"\n    ALERT PARENT INFO:\n            cmdline: C:\\Windows\\system32\\svchost.exe -k netsvcs\n             hashes:\n                sha256: 11122234565c33a47baa3ddfa089fad17bc8e362f21e835d7123456789abcdef\n                   md5: ab436cd5e24105b35e986c0987654321\n```\n\n### Status\n\nCan specify one or two statuses to search for: 'new' or 'in_progress'\n\n`toruk -a --status new in_progress`\n\n### Whitelist\n\nIf Falcon Host is failing to implement the instance whitelist policy (common occurrence) then the whitelist is pulled, \nverified, and all matching alerts marked as false positive\n\n`toruk -a -wl`\n\n\n## Tools\n\nstandalone scripts / tools\n\n### audit_falcon\n\n```\nusage: audit_falcon_policy.py [-h] [-i INSTANCE] [-c CONFIG_FILE] [-csv CSV]\n\nAudit policies of all customers\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -i INSTANCE, --instance INSTANCE\n                        cid for specific customer instance\n  -c CONFIG_FILE, --config-file CONFIG_FILE\n                        select a config file with user credentials\n  -csv CSV              output to specified csv file\n  
```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrokensound77%2Ftoruk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbrokensound77%2Ftoruk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbrokensound77%2Ftoruk/lists"}