Using the Falcon Intelligence Sandbox service collection
This service collection has code examples posted to the repository.
Table of Contents
| Operation ID | Description |
|---|---|
| GetArtifacts | Download IOC packs, PCAP files, and other analysis artifacts. |
| GetMemoryDumpExtractedStrings | Get extracted strings from a memory dump. |
| GetMemoryDumpHexDump | Get the hex view of a memory dump. |
| GetMemoryDump | Get memory dump content, as a binary. |
| GetSummaryReports | Get a short summary version of a sandbox report. |
| GetReports | Get a full sandbox report. |
| DeleteReport | Delete a report based on the report ID. The operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
| GetSubmissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| Submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| QueryReports | Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria. |
| QuerySubmissions | Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
| GetSampleV2 | Retrieves the file associated with the given ID (SHA256). |
| UploadSampleV2 | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
| DeleteSampleV2 | Removes a sample, including the file, its metadata and its submissions, from the collection. |
| QuerySampleV1 | Retrieves the SHA256 values, out of those supplied, of samples that exist and that the customer has rights to access. At most 200 items are accepted per request. |
Passing credentials
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.) CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
GetArtifacts
Download IOC packs, PCAP files, and other analysis artifacts.
PEP8 method name
get_artifacts
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/artifacts/v1 |
Required Scope
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| headers | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. |
| name | query | string | The name given to your downloaded file. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole artifact in one reply
response = falcon.get_artifacts(id="string", name="string", stream=False)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole artifact in one reply
response = falcon.GetArtifacts(id="string", name="string", stream=False)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetArtifacts",
                          id="string",
                          name="string",
                          stream=False,  # boolean
                          headers=HEADERS
                          )
print(response)
```
Back to Table of Contents
GetMemoryDumpExtractedStrings
Get extracted strings from a memory dump.
PEP8 method name
get_dump_extracted_strings
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/memory-dump/extracted-strings/v1 |
Required Scope
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| headers | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | query | string | Extracted strings ID. |
| name | query | string | The name given to your downloaded file. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole file in one reply
response = falcon.get_dump_extracted_strings(id="string", name="string", stream=False)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole file in one reply
response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string", stream=False)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpExtractedStrings",
                          id="string",
                          name="string",
                          stream=False,  # boolean
                          headers=HEADERS
                          )
print(response)
```
Back to Table of Contents
GetMemoryDumpHexDump
Get the hex view of a memory dump.
PEP8 method name
get_hex_dump
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/memory-dump/hex-dump/v1 |
Required Scope
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| headers | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | query | string | Hex dump ID. |
| name | query | string | The name given to your downloaded file. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole file in one reply
response = falcon.get_hex_dump(id="string", name="string", stream=False)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole file in one reply
response = falcon.GetMemoryDumpHexDump(id="string", name="string", stream=False)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpHexDump",
                          id="string",
                          name="string",
                          stream=False,  # boolean
                          headers=HEADERS
                          )
print(response)
```
Back to Table of Contents
GetMemoryDump
Get memory dump content, as a binary.
PEP8 method name
get_memory_dump
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/memory-dump/v1 |
Required Scope
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| headers | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | query | string | Memory dump ID. |
| name | query | string | The name given to your downloaded file. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole dump in one reply
response = falcon.get_memory_dump(id="string", name="string", stream=False)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# stream is a boolean; False returns the whole dump in one reply
response = falcon.GetMemoryDump(id="string", name="string", stream=False)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDump",
                          id="string",
                          name="string",
                          stream=False,  # boolean
                          headers=HEADERS
                          )
print(response)
```
Back to Table of Contents
GetSummaryReports
Get a short summary version of a sandbox report.
PEP8 method name
get_summary_reports
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/report-summaries/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary_reports(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSummaryReports(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSummaryReports", ids=id_list)
print(response)
```
Back to Table of Contents
GetReports
Get a full sandbox report.
PEP8 method name
get_reports
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_reports(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetReports(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetReports", ids=id_list)
print(response)
```
Back to Table of Contents
DeleteReport
Delete a report based on the report ID. The operation can be checked for success by polling for the report ID on the report-summaries endpoint.
PEP8 method name
delete_report
Endpoint
| Method | Route |
|---|---|
| DELETE | /falconx/entities/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_report(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteReport(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteReport", ids=id_list)
print(response)
```
Back to Table of Contents
GetSubmissions
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
PEP8 method name
get_submissions
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/entities/submissions/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_submissions(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSubmissions(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSubmissions", ids=id_list)
print(response)
```
Back to Table of Contents
Submit
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
PEP8 method name
submit
Endpoint
| Method | Route |
|---|---|
| POST | /falconx/entities/submissions/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| action_script | body | string | Runtime script for sandbox analysis. Accepted values: |
| aid | query | string | Device AID. |
| body | body | dictionary | Full body payload in JSON format. |
| command_line | body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters. |
| document_password | body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters. |
| enable_tor | body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
| environment_id | body | integer | Specifies the sandbox environment used for analysis. Accepted values: |
| network_settings | body | string | Specifies the sandbox network_settings used for analysis. Accepted values: |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| send_email_notification | body | boolean | Boolean indicating if an email notification should be sent. |
| sha256 | body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample. The url keyword must be unset if this keyword is used. |
| submit_name | body | string | Name of the malware sample that's used for file type detection and analysis. |
| system_date | body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
| system_time | body | string | Set a custom time in the format HH:mm for the sandbox environment. |
| url | body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used. |
| user_tags | body | list of strings | User tags. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

# Pass either sha256 (an uploaded sample) or url, never both.
response = falcon.submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=False,             # boolean (deprecated)
                         environment_id=160,           # integer: an accepted environment ID
                         network_settings="string",
                         send_email_notification=False,  # boolean
                         sha256="string",
                         submit_name="string",
                         system_date="string",
                         system_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

# Pass either sha256 (an uploaded sample) or url, never both.
response = falcon.Submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=False,             # boolean (deprecated)
                         environment_id=160,           # integer: an accepted environment ID
                         network_settings="string",
                         send_email_notification=False,  # boolean
                         sha256="string",
                         submit_name="string",
                         system_date="string",
                         system_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

tags = ['TAG1', 'TAG2', 'TAG3']

# Pass either sha256 (an uploaded sample) or url, never both.
BODY = {
    "sandbox": [
        {
            "action_script": "string",
            "command_line": "string",
            "document_password": "string",
            "enable_tor": False,        # boolean (deprecated)
            "environment_id": 160,      # integer: an accepted environment ID
            "network_settings": "string",
            "sha256": "string",
            "submit_name": "string",
            "system_date": "string",
            "system_time": "string",
            "url": "string"
        }
    ],
    "send_email_notification": False,  # boolean
    "user_tags": tags
}

response = falcon.command("Submit", aid="string", body=BODY)
print(response)
```
Back to Table of Contents
QueryReports
Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.
PEP8 method name
query_reports
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/queries/reports/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | query | integer | The maximum number of records to return. (Max: 5000) |
| offset | query | integer | Starting index of the overall result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| sort | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_reports(filter="string",
                                offset=0,     # integer
                                limit=100,    # integer, max 5000
                                sort="string"
                                )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QueryReports(filter="string",
                               offset=0,     # integer
                               limit=100,    # integer, max 5000
                               sort="string"
                               )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryReports",
                          filter="string",
                          offset=0,     # integer
                          limit=100,    # integer, max 5000
                          sort="string"
                          )
print(response)
```
Back to Table of Contents
QuerySubmissions
Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.
PEP8 method name
query_submissions
Endpoint
| Method | Route |
|---|---|
| GET | /falconx/queries/submissions/v1 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| filter | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | query | integer | The maximum number of records to return. (Max: 5000) |
| offset | query | integer | Starting index of the overall result set from which to return IDs. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| sort | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_submissions(filter="string",
                                    offset=0,     # integer
                                    limit=100,    # integer, max 5000
                                    sort="string"
                                    )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QuerySubmissions(filter="string",
                                   offset=0,     # integer
                                   limit=100,    # integer, max 5000
                                   sort="string"
                                   )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QuerySubmissions",
                          filter="string",
                          offset=0,     # integer
                          limit=100,    # integer, max 5000
                          sort="string"
                          )
print(response)
```
Back to Table of Contents
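The QueryReports and QuerySubmissions operations above page through results with offset and limit (capped at 5000), and GetSummaryReports takes a list of IDs. The added example below (not FalconPy's or CrowdStrike's code) pages a query method to exhaustion and batches the resulting IDs into summary lookups; it assumes the reply carries `meta.pagination.total`, and the FQL field and sort property used in `demo()` are constructed placeholders.

```python
"""Page through QueryReports / QuerySubmissions and batch IDs into GetSummaryReports.

Added example, not FalconPy's own code. The query keywords and the 5000-record
limit come from this page; body["meta"]["pagination"]["total"] and the FQL field
names used in demo() are assumptions. FakeClient runs the logic offline.
"""
MAX_LIMIT = 5000   # this page: limit may not exceed 5000


def body_of(response):
    """Return the body of a FalconPy reply; raise on a non-2xx status."""
    status = response.get("status_code", 0)
    if not 200 <= status < 300:
        raise RuntimeError(f"HTTP {status}: {response.get('body', {}).get('errors')}")
    return response.get("body", {})


def page_ids(query, fql, limit=1000, sort=None):
    """Collect every ID a query method (query_reports or query_submissions) returns.

    Walks offset/limit pages until meta.pagination.total is reached, or until an
    empty page arrives if the total is absent, so a short final page ends the loop.
    """
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    ids, offset, total = [], 0, None
    while total is None or offset < total:
        params = {"filter": fql, "offset": offset, "limit": limit}
        if sort:
            params["sort"] = sort          # "property.asc" or "property.desc" per this page
        body = body_of(query(**params))
        page = body.get("resources") or []
        total = body.get("meta", {}).get("pagination", {}).get("total", total)
        if not page:
            break
        ids.extend(page)
        offset += len(page)
    return ids


def fetch_summaries(falcon, ids, batch=100):
    """Fetch summary reports a batch of IDs at a time; returns {report_id: summary}."""
    found = {}
    for start in range(0, len(ids), batch):
        reply = body_of(falcon.get_summary_reports(ids=ids[start:start + batch]))
        for summary in reply.get("resources") or []:
            found[summary["id"]] = summary
    return found


class FakeClient:
    """Constructed offline stand-in with the reply shape FalconPy returns."""

    def __init__(self, report_ids):
        self.report_ids, self.query_calls, self.summary_calls = list(report_ids), 0, 0

    def query_reports(self, filter, offset, limit, sort=None):
        self.query_calls += 1
        page = self.report_ids[offset:offset + limit]
        meta = {"pagination": {"offset": offset, "limit": limit, "total": len(self.report_ids)}}
        return {"status_code": 200, "body": {"meta": meta, "resources": page, "errors": None}}

    def get_summary_reports(self, ids):
        self.summary_calls += 1
        items = [{"id": i, "verdict": "suspicious"} for i in ids]
        return {"status_code": 200, "body": {"resources": items, "errors": None}}


def demo(n_reports=2503, limit=1000, batch=100):
    """Page all IDs for an FQL filter, then batch the summaries; returns the call counts."""
    fake = FakeClient(f"report-{i:04d}" for i in range(n_reports))
    fql, sort = "verdict:'malicious'", "created_timestamp.desc"   # assumed field names
    ids = page_ids(fake.query_reports, fql, limit=limit, sort=sort)
    summaries = fetch_summaries(fake, ids, batch=batch)
    return len(ids), fake.query_calls, len(summaries), fake.summary_calls
```

Against a real FalconXSandbox instance, pass `falcon.query_reports` or `falcon.query_submissions` as the `query` argument and the instance itself to `fetch_summaries`.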
GetSampleV2
Retrieves the file associated with the given ID (SHA256).
PEP8 method name
get_sample
Endpoint
| Method | Route |
|---|---|
| GET | /samples/entities/samples/v2 |
Required Scope
Content-Type
- Produces: application/octet-stream
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string | The file SHA256. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| password_protected | query | boolean | Flag whether the sample should be zipped and password protected with the password infected. |
| stream | query | boolean | Enable streaming download of the returned file. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"

# password_protected=True returns a zip protected with the password "infected"
response = falcon.get_sample(password_protected=True, ids=file_sha, stream=False)
if isinstance(response, bytes):   # on error the SDK returns a dict instead of the file
    with open(save_file, 'wb') as file_download:
        file_download.write(response)
else:
    print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"

# password_protected=True returns a zip protected with the password "infected"
response = falcon.GetSampleV2(password_protected=True, ids=file_sha, stream=False)
if isinstance(response, bytes):   # on error the SDK returns a dict instead of the file
    with open(save_file, 'wb') as file_download:
        file_download.write(response)
else:
    print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"

# password_protected=True returns a zip protected with the password "infected"
response = falcon.command("GetSampleV2", password_protected=True, ids=file_sha, stream=False)
if isinstance(response, bytes):   # on error the SDK returns a dict instead of the file
    with open(save_file, 'wb') as file_download:
        file_download.write(response)
else:
    print(response)
```
Back to Table of Contents
UploadSampleV2
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
PEP8 method name
upload_sample
Endpoint
| Method | Route |
|---|---|
| POST | /samples/entities/samples/v2 |
Required Scope
Content-Type
- Consumes: multipart/form-data
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| comment | formData | string | A descriptive comment to identify the file for other users. |
| data | formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: |
| file_data or sample or upfile | formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: |
| file_name | formData | string | Name to use for the file. Uses the current file name if not specified. |
| is_confidential | formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. Default: true. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.upload_sample(sample=PAYLOAD,
                                file_name="string",
                                comment='string',
                                is_confidential=True   # boolean
                                )
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.UploadSampleV2(file_data=PAYLOAD,
                                 file_name="string",
                                 comment='string',
                                 is_confidential=True   # boolean
                                 )
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.command("UploadSampleV2",
                          data=PAYLOAD,
                          file_name="string",
                          comment="string",
                          is_confidential=True,   # boolean
                          content_type="application/octet-stream"
                          )
print(response)
```
Back to Table of Contents
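UploadSampleV2, Submit and GetSubmissions form one workflow: upload the file, submit it by sha256, poll until the analysis reaches a final state, then fetch the report. The added example below (not FalconPy's or CrowdStrike's code) drives that sequence with a hard deadline and a sha256 cross-check; it assumes the reply field names `sha256`, `id` and `state`, the terminal states `success` and `error`, that the submission ID also addresses the report (as the GetReports table says the ID comes from the submit response), and that `160` is a valid environment ID.

```python
"""Upload, submit, poll and fetch a Falcon Intelligence Sandbox report.
Added example, not FalconPy's own code. Method names and keywords come from this
page; the reply field names ("sha256", "id", "state") and the terminal "state"
values are assumptions. FakeSandbox exercises the flow offline.
"""
import hashlib
import time

TERMINAL_STATES = {"success", "error"}   # assumed terminal submission states


def resources(response):
    """Return the 'resources' list of a FalconPy reply; raise on a non-2xx status."""
    status = response.get("status_code", 0)
    if not 200 <= status < 300:
        raise RuntimeError(f"HTTP {status}: {response.get('body', {}).get('errors')}")
    return response.get("body", {}).get("resources") or []


def analyze_sample(falcon, sample, file_name, environment_id, timeout_s=900.0,
                   poll_s=15.0, sleep=time.sleep, clock=time.monotonic):
    """Upload -> Submit -> poll GetSubmissions -> GetReports; returns the full report."""
    # 1. Upload. The sha256 in the reply is the sample ID Submit needs; compare it
    #    with a local hash so the wrong object is never analyzed by mistake.
    local_sha = hashlib.sha256(sample).hexdigest()
    uploaded = resources(falcon.upload_sample(sample=sample, file_name=file_name,
                                              is_confidential=True))
    if not uploaded or uploaded[0].get("sha256") != local_sha:
        raise RuntimeError("upload reply does not carry the expected sha256")
    # 2. Submit by sha256 (sha256 and url are mutually exclusive per the Submit table).
    submitted = resources(falcon.submit(sha256=local_sha, environment_id=environment_id,
                                        submit_name=file_name))
    submission_id = submitted[0]["id"]   # the same ID addresses the report later
    # 3. Poll with a hard deadline; analysis usually finishes in under 15 minutes.
    deadline = clock() + timeout_s
    while True:
        state = resources(falcon.get_submissions(ids=submission_id))[0].get("state")
        if state in TERMINAL_STATES:
            break
        if clock() >= deadline:
            raise TimeoutError(f"{submission_id} still '{state}' after {timeout_s}s")
        sleep(poll_s)
    if state != "success":
        raise RuntimeError(f"{submission_id} ended in state '{state}'")
    # 4. Fetch the full report.
    return resources(falcon.get_reports(ids=submission_id))[0]


class FakeSandbox:
    """Constructed offline stand-in for FalconXSandbox using this page's call shapes."""

    def __init__(self, states, verdict="malicious"):
        self.states, self.verdict, self.polls = list(states), verdict, 0

    @staticmethod
    def _ok(items):
        return {"status_code": 200, "body": {"resources": items, "errors": None}}

    def upload_sample(self, sample, file_name, comment=None, is_confidential=True):
        return self._ok([{"sha256": hashlib.sha256(sample).hexdigest(), "file_name": file_name}])

    def submit(self, **kwargs):
        return self._ok([{"id": "fake-submission-id", "state": "created"}])

    def get_submissions(self, ids):
        state = self.states[min(self.polls, len(self.states) - 1)]   # poll sequence
        self.polls += 1
        return self._ok([{"id": ids, "state": state}])

    def get_reports(self, ids):
        return self._ok([{"id": ids, "verdict": self.verdict}])


def demo(states=("created", "running", "running", "success"), timeout_s=900.0):
    """Run analyze_sample against FakeSandbox on a simulated clock; returns (report, polls)."""
    fake, now = FakeSandbox(states), [0.0]

    def fake_sleep(seconds):
        now[0] += seconds

    sample = b"constructed sample bytes, not a real file"
    report = analyze_sample(fake, sample, "sample.bin", environment_id=160,  # 160: assumed ID
                            timeout_s=timeout_s, sleep=fake_sleep, clock=lambda: now[0])
    return report, fake.polls


def demo_outcome(states, timeout_s=900.0):
    """How the workflow ends for a state sequence: 'ok', 'timeout' or 'error'."""
    try:
        demo(states, timeout_s)
    except TimeoutError:
        return "timeout"
    except RuntimeError:
        return "error"
    return "ok"
```

Against a real FalconXSandbox instance, call `analyze_sample(falcon, data, name, environment_id)` with the defaults for `sleep` and `clock`; the deadline then bounds how long a stuck submission can hold the caller.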
DeleteSampleV2
Removes a sample, including the file, its metadata and its submissions, from the collection.
PEP8 method name
delete_sample
Endpoint
| Method | Route |
|---|---|
| DELETE | /samples/entities/samples/v2 |
Required Scope
Content-Type
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string | The file SHA256. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_sample(ids=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteSampleV2(ids=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)
```
Back to Table of Contents
QuerySampleV1
Retrieves the SHA256 values, out of those supplied, of samples that exist and that the customer has rights to access. At most 200 items are accepted per request.
PEP8 method name
query_sample
Endpoint
| Method | Route |
|---|---|
| POST | /samples/queries/samples/GET/v1 |
Required Scope
Content-Type
- Consumes: application/json
- Produces: application/json
Keyword Arguments
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| sha256s | body | string or list of strings | Pass a list of SHA256 values to check whether they exist. The list of existing hashes is returned. |
Usage
Service class example (PEP8 syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.query_sample(sha256s=id_list)
print(response)
```

Service class example (Operation ID syntax)

```python
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.QuerySampleV1(sha256s=id_list)
print(response)
```

Uber class example

```python
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "sha256s": [
        "string"
    ]
}

response = falcon.command("QuerySampleV1", body=BODY)
print(response)
```
Back to Table of Contents