{"id":19121629,"url":"https://github.com/maximewewer/falcon_bulk_actions","last_synced_at":"2026-06-12T23:32:49.182Z","repository":{"id":187545190,"uuid":"677049999","full_name":"MaximeWewer/Falcon_bulk_actions","owner":"MaximeWewer","description":"Execute bulk actions on your hosts using falconpy SDK of Crowdstrike (RTR/RTRA).","archived":false,"fork":false,"pushed_at":"2023-08-19T12:35:22.000Z","size":34,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-22T12:47:00.797Z","etag":null,"topics":["crowdstrike","crowdstrike-api","crowdstrike-falcon","crowdstrike-falcon-api","falcon","falconpy"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MaximeWewer.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-10T16:07:52.000Z","updated_at":"2023-08-12T09:46:53.000Z","dependencies_parsed_at":null,"dependency_job_id":"9e9075bf-38bb-4da3-9a46-feba5f007dac","html_url":"https://github.com/MaximeWewer/Falcon_bulk_actions","commit_stats":null,"previous_names":["maximewewer/falcon_bulk_actions"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/MaximeWewer/Falcon_bulk_actions","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MaximeWewer%2FFalcon_bulk_actions","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MaximeWewer%2FFalcon_bulk_actions/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MaximeWewe
r%2FFalcon_bulk_actions/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MaximeWewer%2FFalcon_bulk_actions/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MaximeWewer","download_url":"https://codeload.github.com/MaximeWewer/Falcon_bulk_actions/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MaximeWewer%2FFalcon_bulk_actions/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34266915,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-12T02:00:06.859Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crowdstrike","crowdstrike-api","crowdstrike-falcon","crowdstrike-falcon-api","falcon","falconpy"],"created_at":"2024-11-09T05:17:58.340Z","updated_at":"2026-06-12T23:32:49.157Z","avatar_url":"https://github.com/MaximeWewer.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Falcon bulk actions\r\nPerform bulk actions on a Falcon instance using the falconpy SDK.\r\n\r\n### Purpose\r\nThe Falcon RTR web interface lets you execute commands remotely on a host. 
This is sufficient for one host, but the web interface cannot execute commands on several hosts at once.\r\nUsing the falconpy SDK allows you to launch actions on multiple machines with a single command.\r\nIn my case, I use ```batch_admin_command``` (details [here](https://www.falconpy.io/Service-Collections/Real-Time-Response-Admin.html?highlight=batch_admin_command#batchadmincmd)) to execute ```put``` and ```runscript```. It is well suited to IT administrators running scripts or commands on all hosts, and to acting on all hosts during a cyber incident.\r\n\r\n### Requirements\r\n- Python and Pip (tested with Python 3.11+ and Pip 23+)\r\n- [crowdstrike-falconpy](https://github.com/CrowdStrike/falconpy) \r\n\r\n### Install Python libraries requirements\r\n- ```pip install -r requirements.txt```\r\n\r\n### Command information\r\n\r\n- You need to create API access on your Falcon tenant (details [here](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/)) with scopes \"Hosts\" in read, \"RTR\" in read/write and \"RTRA\" in write\r\n- You need to define your ```base_url``` (details [here](https://www.falconpy.io/Usage/Environment-Configuration.html#base-url))\r\n- You can list your Falcon RTR \"custom scripts\" (```--list_scripts show```), \"put files\" (```--list_putfiles show```) or both\r\n- You can target hosts by platform (```--machines_plateform```), by machine name (```--machines_name```) or both\r\n- When filtering on platform and/or hostname, you can choose how the parameters are combined: AND ```+``` or OR ```,``` (details [here](https://falconpy.io/Usage/Falcon-Query-Language.html#filtering-using-multiple-properties-and-conditions)). Test your query when you combine platform and hostname\r\n- If you run a Linux script on Windows, it is detected and not executed. 
The logic works on all platforms\r\n- This script uses only the commands ```put```, ```runscript -CloudFile```, ```runscript -HostPath```, ```runscript -Raw```\r\n\r\nYou can adapt the script to implement more RTR commands ;-)\r\n\r\n### Command examples\r\n- List scripts \u0026 putfiles:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --list_scripts show --list_putfiles show```\r\n\r\n- Execute a script on specific hosts:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition + --machines_name HOSTNAME,*HOST,HOST* --scripts_name script1```\r\n\r\n- Execute a script on hosts that match patterns:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition , --machines_name HOSTNAME,*HOST,HOST* --scripts_name script1```\r\n\r\n- Execute a script on specific Windows hosts:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition + --machines_plateform Windows --machines_name HOST* --scripts_name script1```\r\n\r\n- Execute putfiles on Linux hosts:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition + --machines_plateform Linux --putfiles_name script1.sh,script2.sh```\r\n\r\n- Execute raw commands on Windows hosts:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition + --machines_plateform Windows --raw_commands \"[System.Security.Principal.WindowsIdentity]::GetCurrent().Name\"```\r\n\r\n- Execute raw 
commands on Linux hosts:\r\n  \r\n```python.exe .\\falcon_bulk_actions.py --client_id \u003cclient_id\u003e --client_secret \u003cclient_secret\u003e --base_url \u003cbase_url\u003e --condition + --machines_plateform Linux --raw_commands \"ls -la\"```\r\n\r\n### Log execution\r\nTo show whether everything went well, a JSON log file is generated at each step.\r\n\r\nExamples:\r\n- Init session:\r\n```\r\n[\r\n  {\r\n    \"nb_true\": 1,\r\n    \"nb_false\": 0,\r\n    \"list_false\": []\r\n  },\r\n  {\r\n    \"devide_id\": \"DEVICE_ID\",\r\n    \"hostname\": \"HOSTNAME\",\r\n    \"complete\": true,\r\n    \"stdout\": \"C:\\\\\",\r\n    \"stderr\": \"\"\r\n  }\r\n]\r\n```\r\n\r\n- Runscript:\r\n```\r\n[\r\n  {\r\n    \"nb_true\": 1,\r\n    \"nb_false\": 0,\r\n    \"list_false\": []\r\n  },\r\n  {\r\n    \"devide_id\": \"DEVICE_ID\",\r\n    \"hostname\": \"HOSTNAME\",\r\n    \"complete\": true,\r\n    \"stdout\": \"Uninstalling...\",\r\n    \"stderr\": \"\"\r\n  }\r\n]\r\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaximewewer%2Ffalcon_bulk_actions","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmaximewewer%2Ffalcon_bulk_actions","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmaximewewer%2Ffalcon_bulk_actions/lists"}