Using the Falcon Intelligence Sandbox service collection

This service collection has code examples posted to the repository.

Table of Contents

| Operation ID | PEP 8 method | Description |
| --- | --- | --- |
| GetArtifacts | get_artifacts | Download IOC packs, PCAP files, and other analysis artifacts. |
| GetMemoryDumpExtractedStrings | get_dump_extracted_strings | Get extracted strings from a memory dump. |
| GetMemoryDumpHexDump | get_hex_dump | Get the hex view of a memory dump. |
| GetMemoryDump | get_memory_dump | Get memory dump content, as a binary. |
| GetSummaryReports | get_summary_reports | Get a short summary version of a sandbox report. |
| GetReports | get_reports | Get a full sandbox report. |
| DeleteReport | delete_report | Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
| GetSubmissions | get_submissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| Submit | submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| QueryReports | query_reports | Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
| QuerySubmissions | query_submissions | Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
| GetSampleV2 | get_sample | Retrieves the file associated with the given ID (SHA256) |
| UploadSampleV2 | upload_sample | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
| DeleteSampleV2 | delete_sample | Removes a sample, including file, meta and submissions from the collection |
| QuerySampleV1 | query_sample | Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetArtifacts

Download IOC packs, PCAP files, and other analysis artifacts.

PEP8 method name

get_artifacts

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/artifacts/v1 |

Required Scope

falconx-sandbox:read

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| headers | Supported | Supported | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | Supported | Supported | query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. |
| name | Supported | Supported | query | string | The name given to your downloaded file. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_artifacts(id="string", name="string")
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetArtifacts(id="string", name="string")
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetArtifacts", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDumpExtractedStrings

Get extracted strings from a memory dump.

PEP8 method name

get_dump_extracted_strings

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/memory-dump/extracted-strings/v1 |

Required Scope

falconx-sandbox:read

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| headers | Supported | Supported | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | Supported | Supported | query | string | Extracted strings ID. |
| name | Supported | Supported | query | string | The name given to your downloaded file. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_dump_extracted_strings(id="string", name="string")
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string")
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpExtractedStrings", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDumpHexDump

Get the hex view of a memory dump.

PEP8 method name

get_hex_dump

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/memory-dump/hex-dump/v1 |

Required Scope

falconx-sandbox:read

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| headers | Supported | Supported | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | Supported | Supported | query | string | Hex dump ID. |
| name | Supported | Supported | query | string | The name given to your downloaded file. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_hex_dump(id="string", name="string")
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpHexDump(id="string", name="string")
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpHexDump", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDump

Get memory dump content, as a binary.

PEP8 method name

get_memory_dump

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/memory-dump/v1 |

Required Scope

falconx-sandbox:read

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| headers | Supported | Supported | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | Supported | Supported | query | string | Memory dump ID. |
| name | Supported | Supported | query | string | The name given to your downloaded file. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_memory_dump(id="string", name="string")
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDump(id="string", name="string")
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDump", id="string", name="string", headers=HEADERS)
print(response)

GetSummaryReports

Get a short summary version of a sandbox report.

PEP8 method name

get_summary_reports

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/report-summaries/v1 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary_reports(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSummaryReports(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSummaryReports", ids=id_list)
print(response)

GetReports

Get a full sandbox report.

PEP8 method name

get_reports

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/reports/v1 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_reports(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetReports(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetReports", ids=id_list)
print(response)

DeleteReport

Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.

PEP8 method name

delete_report

Endpoint

| Method | Route |
| --- | --- |
| DELETE | /falconx/entities/reports/v1 |

Required Scope

falconx-sandbox:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_report(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteReport(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteReport", ids=id_list)
print(response)

GetSubmissions

Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

get_submissions

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/entities/submissions/v1 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| ids | Supported | Supported | query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_submissions(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSubmissions(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSubmissions", ids=id_list)
print(response)

Submit

Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

submit

Endpoint

| Method | Route |
| --- | --- |
| POST | /falconx/entities/submissions/v1 |

Required Scope

falconx-sandbox:write

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| action_script | Supported | Supported | body | string | Runtime script for sandbox analysis. Accepted values: default; default_randomtheme; default_maxantievasion; default_openie; default_randomfiles |
| aid | Supported | Supported | query | string | Device AID. |
| body | Supported | Supported | body | dictionary | Full body payload in JSON format. |
| command_line | Supported | Supported | body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters |
| document_password | Supported | Supported | body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters |
| enable_tor | Supported | Supported | body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
| environment_id | Supported | Supported | body | integer | Specifies the sandbox environment used for analysis. Accepted values: 410 - macOS Sonoma ARM 64 bit; 400 - macOS Catalina 10.15; 300 - Linux Ubuntu 16.04, 64-bit; 200 - Android (static analysis); 160 - Windows 10, 64-bit; 140 - Windows 11, 64-bit; 110 - Windows 7, 64-bit; 100 - Windows 7, 32-bit |
| network_settings | Supported | Supported | body | string | Specifies the sandbox network_settings used for analysis. Accepted values: default - Fully operating network; tor - Route network traffic via TOR; simulated - Simulate network traffic; offline - No network traffic |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| send_email_notification | Supported | Supported | body | boolean | Boolean indicating if an email notification should be sent. |
| sha256 | Supported | Supported | body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample. The url keyword must be unset if this keyword is used. |
| submit_name | Supported | Supported | body | string | Name of the malware sample that's used for file type detection and analysis. |
| system_date | Supported | Supported | body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
| system_time | Supported | Supported | body | string | Set a custom time in the format HH:mm for the sandbox environment. |
| url | Supported | Supported | body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used. |
| user_tags | Supported | Supported | body | list of strings | User tags. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

response = falcon.submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,  # Deprecated, use network_settings instead
                         environment_id=integer,
                         network_settings="string",
                         send_email_notification=boolean,
                         sha256="string",  # Leave unset when url is used
                         submit_name="string",
                         system_date="string",  # Format: yyyy-MM-dd
                         system_time="string",  # Format: HH:mm
                         url="string",  # Leave unset when sha256 is used
                         user_tags=tags
                         )
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

response = falcon.Submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,  # Deprecated, use network_settings instead
                         environment_id=integer,
                         network_settings="string",
                         send_email_notification=boolean,
                         sha256="string",  # Leave unset when url is used
                         submit_name="string",
                         system_date="string",  # Format: yyyy-MM-dd
                         system_time="string",  # Format: HH:mm
                         url="string",  # Leave unset when sha256 is used
                         user_tags=tags
                         )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

tags = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "sandbox": [
        {
            "action_script": "string",
            "command_line": "string",
            "document_password": "string",
            "enable_tor": boolean,  # Deprecated, use network_settings instead
            "environment_id": integer,
            "network_settings": "string",
            "sha256": "string",  # Leave unset when url is used
            "submit_name": "string",
            "system_date": "string",  # Format: yyyy-MM-dd
            "system_time": "string",  # Format: HH:mm
            "url": "string"  # Leave unset when sha256 is used
        }
    ],
    "send_email_notification": boolean,
    "user_tags": tags
}

response = falcon.command("Submit", aid="string", body=BODY)
print(response)
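
The accepted values and length limits in the Submit keyword table can be checked before a request is sent. The following is an added example, not FalconPy code: `build_submit_body` and its `check_*` helpers are hypothetical names, the sample values are constructed, and requiring one of sha256 or url is an assumption of the example.

```python
import re
from datetime import datetime

# Accepted values and limits copied from the Submit keyword table above.
ACTION_SCRIPTS = {"default", "default_randomtheme", "default_maxantievasion",
                  "default_openie", "default_randomfiles"}
ENVIRONMENT_IDS = {410, 400, 300, 200, 160, 140, 110, 100}
NETWORK_SETTINGS = {"default", "tor", "simulated", "offline"}
MAX_COMMAND_LINE = 2048
MAX_DOCUMENT_PASSWORD = 32


def check_choice(name, value, allowed):
    """Reject a value that is not in the documented accepted set."""
    if value is not None and value not in allowed:
        raise ValueError(f"{name}={value!r} is not an accepted value")


def check_length(name, value, limit):
    """Reject a string longer than the documented maximum."""
    if value is not None and len(value) > limit:
        raise ValueError(f"{name} exceeds {limit} characters")


def check_stamp(name, value, pattern, fmt):
    """Require zero-padded digits and a real calendar date or clock time."""
    if value is None:
        return
    if not re.fullmatch(pattern, value):
        raise ValueError(f"{name}={value!r} has the wrong format")
    datetime.strptime(value, fmt)  # ValueError for e.g. 2024-02-30 or 24:00


def build_submit_body(*, sha256=None, url=None, environment_id=None,
                      action_script=None, network_settings=None,
                      command_line=None, document_password=None,
                      submit_name=None, system_date=None, system_time=None,
                      send_email_notification=False, user_tags=None):
    """Hypothetical helper: validate Submit keywords and return the BODY."""
    # The table requires url to be unset when sha256 is used, and vice versa.
    if sha256 is not None and url is not None:
        raise ValueError("sha256 and url are mutually exclusive")
    # Assumption of this example: a submission needs one of the two targets.
    if sha256 is None and url is None:
        raise ValueError("one of sha256 or url is required")
    if sha256 is not None and not re.fullmatch(r"[0-9a-fA-F]{64}", sha256):
        raise ValueError("sha256 must be 64 hexadecimal characters")
    if url is not None and not re.fullmatch(r"(?i)(https?|ftp)://\S+", url):
        raise ValueError("url must be HTTP(S) or FTP")

    check_choice("environment_id", environment_id, ENVIRONMENT_IDS)
    check_choice("action_script", action_script, ACTION_SCRIPTS)
    check_choice("network_settings", network_settings, NETWORK_SETTINGS)
    check_length("command_line", command_line, MAX_COMMAND_LINE)
    check_length("document_password", document_password, MAX_DOCUMENT_PASSWORD)
    check_stamp("system_date", system_date,
                r"[0-9]{4}-[0-9]{2}-[0-9]{2}", "%Y-%m-%d")
    check_stamp("system_time", system_time, r"[0-9]{2}:[0-9]{2}", "%H:%M")

    # enable_tor is marked deprecated above, so it is never emitted here;
    # Tor routing is requested with network_settings="tor" instead.
    sandbox = {
        "sha256": sha256,
        "url": url,
        "environment_id": environment_id,
        "action_script": action_script,
        "network_settings": network_settings,
        "command_line": command_line,
        "document_password": document_password,
        "submit_name": submit_name,
        "system_date": system_date,
        "system_time": system_time,
    }
    # Drop unset keys so the payload carries only what the caller chose.
    sandbox = {key: val for key, val in sandbox.items() if val is not None}
    return {
        "sandbox": [sandbox],
        "send_email_notification": bool(send_email_notification),
        "user_tags": list(user_tags or []),
    }


if __name__ == "__main__":
    # Constructed sample values; the hash is not a real sample ID.
    print(build_submit_body(sha256="ab" * 32, environment_id=160,
                            network_settings="offline",
                            system_date="2024-02-29", system_time="09:30",
                            user_tags=["triage"]))
```

The returned dictionary has the same layout as BODY in the Uber class example above, so it can be passed with the body keyword.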

QueryReports

Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.

PEP8 method name

query_reports

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/queries/reports/v1 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Supported | Supported | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | Supported | Supported | query | integer | The maximum records to return. (Max: 5000). |
| offset | Supported | Supported | query | integer | Starting index of overall result set from which to return ids. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_reports(filter="string",
                                offset=integer,
                                limit=integer,
                                sort="string"
                                )
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QueryReports(filter="string",
                               offset=integer,
                               limit=integer,
                               sort="string"
                               )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryReports",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

QuerySubmissions

Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.

PEP8 method name

query_submissions

Endpoint

| Method | Route |
| --- | --- |
| GET | /falconx/queries/submissions/v1 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| filter | Supported | Supported | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | Supported | Supported | query | integer | The maximum records to return. (Max: 5000). |
| offset | Supported | Supported | query | integer | Starting index of overall result set from which to return ids. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| sort | Supported | Supported | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_submissions(filter="string",
                                    offset=integer,
                                    limit=integer,
                                    sort="string"
                                    )
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QuerySubmissions(filter="string",
                                   offset=integer,
                                   limit=integer,
                                   sort="string"
                                   )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QuerySubmissions",
                          filter="string",
                          offset=integer,
                          limit=integer,
                          sort="string"
                          )
print(response)

GetSampleV2

Retrieves the file associated with the given ID (SHA256)

PEP8 method name

get_sample

Endpoint

| Method | Route |
| --- | --- |
| GET | /samples/entities/samples/v2 |

Required Scope

falconx-sandbox:read

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| id | Supported | Supported | query | string | The file SHA256. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |
| password_protected | Supported | Supported | query | boolean | Flag whether the sample should be zipped and password protected with password of infected. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.get_sample(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.GetSampleV2(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.command("GetSampleV2", password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)
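
Because the sample ID is the file's SHA256, a download can be checked against the requested ID before it is written to disk. The following is an added example, not FalconPy code: `store_sample` is a hypothetical helper that assumes the client returns raw bytes on success and a dictionary on an API error, and it is exercised here on constructed bytes rather than a live download.

```python
import hashlib
import io
import os
import re
import tempfile
import zipfile


def store_sample(response, sha256, dest_dir, password_protected=False):
    """Validate a get_sample result and write it into dest_dir.

    Returns the path written. Raises RuntimeError for an API error,
    ValueError for content that does not match what was requested.
    """
    wanted = sha256.lower()
    if not re.fullmatch(r"[0-9a-f]{64}", wanted):
        raise ValueError("sample ID must be a SHA256 hex digest")
    # Assumption: a failed request comes back as a dictionary, not bytes,
    # so writing it straight to a file would fail or store an error body.
    if isinstance(response, dict):
        raise RuntimeError(f"download failed: {response.get('status_code')}")
    if not isinstance(response, (bytes, bytearray)):
        raise TypeError("expected raw sample bytes")

    if password_protected:
        # The sample arrives zipped and protected with the password
        # "infected", so the archive digest differs from the sample ID.
        # Confirm the container type and leave the sample packed.
        if not zipfile.is_zipfile(io.BytesIO(response)):
            raise ValueError("expected a zip archive")
        suffix = ".zip"
    else:
        digest = hashlib.sha256(response).hexdigest()
        if digest != wanted:
            raise ValueError(f"digest mismatch: got {digest}")
        suffix = ".bin"

    # The name comes from the validated digest, never from a remote or
    # user-supplied file name, and carries a neutral extension.
    path = os.path.join(dest_dir, wanted + suffix)
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps the
    # sample owner-only and without an execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as handle:
        handle.write(response)
    return path


if __name__ == "__main__":
    payload = b"constructed stand-in for a sample"  # not real malware
    sample_id = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as quarantine:
        print(store_sample(payload, sample_id, quarantine))
```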

UploadSampleV2

Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.

PEP8 method name

upload_sample

Endpoint

| Method | Route |
| --- | --- |
| POST | /samples/entities/samples/v2 |

Required Scope

falconx-sandbox:write

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

| Name | Service | Uber | Type | Data type | Description |
| --- | --- | --- | --- | --- | --- |
| comment | Supported | Supported | formData | string | A descriptive comment to identify the file for other users. |
| data | Supported | Supported | formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.; Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub; PDF; APK; Executable JAR; Windows script component: .sct; Windows shortcut: .lnk; Windows help: .chm; HTML application: .hta; Windows script file: .wsf; JavaScript: .js; Visual Basic: .vbs, .vbe; Shockwave Flash: .swf; Perl: .pl; PowerShell: .ps1, .psd1, .psm1; Scalable vector graphics: .svg; Python: .py; Linux ELF executables; Email files: MIME RFC 822 .eml, Outlook .msg. |
| file_data or sample or upfile | Supported | Supported | formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.; Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub; PDF; APK; Executable JAR; Windows script component: .sct; Windows shortcut: .lnk; Windows help: .chm; HTML application: .hta; Windows script file: .wsf; JavaScript: .js; Visual Basic: .vbs, .vbe; Shockwave Flash: .swf; Perl: .pl; PowerShell: .ps1, .psd1, .psm1; Scalable vector graphics: .svg; Python: .py; Linux ELF executables; Email files: MIME RFC 822 .eml, Outlook .msg. |
| file_name | Supported | Supported | formData | string | Name to use for the file. Uses current file name if not specified. |
| is_confidential | Supported | Supported | formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true - File is only shown to users within your customer account. false - File can be seen by other CrowdStrike customers. Defaults to true. |
| parameters | Supported | Supported | query | dictionary | Full query string parameters payload in JSON format. |

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

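FILENAME = 'test_file.ext'
# Read the sample as bytes; the context manager closes the file handle.
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.upload_sample(sample=PAYLOAD,
                                file_name="string",
                                comment='string',
                                is_confidential=True  # boolean; defaults to True
                                )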
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

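FILENAME = 'test_file.ext'
# Read the sample as bytes; the context manager closes the file handle.
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.UploadSampleV2(file_data=PAYLOAD,
                                 file_name="string",
                                 comment='string',
                                 is_confidential=True  # boolean; defaults to True
                                 )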
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

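FILENAME = 'test_file.ext'
# Read the sample as bytes; the context manager closes the file handle.
with open(FILENAME, 'rb') as sample_file:
    PAYLOAD = sample_file.read()

response = falcon.command("UploadSampleV2",
                          data=PAYLOAD,
                          file_name="string",
                          comment="string",
                          is_confidential=True,  # boolean; defaults to True
                          content_type="application/octet-stream"
                          )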
print(response)
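
A pre-upload wrapper around the upload_sample call documented above, added here as an example and not part of the FalconPy documentation: it enforces the 256 MB limit locally, always sends is_confidential explicitly, and compares the local SHA256 with the one the service returns. The helper names and the response layout (status_code, body.resources[0].sha256) are assumptions of this example.

```python
import hashlib
from pathlib import Path

MAX_SAMPLE_BYTES = 256 * 1024 * 1024  # "Max file size: 256 MB" from the table above


def build_upload_kwargs(path, comment, is_confidential=True):
    """Validate a local file and return (sha256, keyword arguments for upload_sample)."""
    sample_path = Path(path)
    if sample_path.stat().st_size > MAX_SAMPLE_BYTES:
        raise ValueError(f"{sample_path.name} exceeds the 256 MB upload limit")
    payload = sample_path.read_bytes()
    kwargs = {
        "sample": payload,
        "file_name": sample_path.name,
        "comment": comment,
        # Sent explicitly so that sharing with other customers (False)
        # is always a deliberate choice made by the caller.
        "is_confidential": bool(is_confidential),
    }
    return hashlib.sha256(payload).hexdigest(), kwargs


def upload_and_verify(falcon, path, comment, is_confidential=True):
    """Upload through a FalconXSandbox-like client and confirm the stored hash."""
    local_sha256, kwargs = build_upload_kwargs(path, comment, is_confidential)
    response = falcon.upload_sample(**kwargs)
    if not 200 <= response["status_code"] < 300:
        raise RuntimeError(f"upload failed: {response['body'].get('errors')}")
    # Assumed response shape: the first resource carries the stored SHA256.
    resources = response["body"].get("resources") or []
    remote_sha256 = resources[0].get("sha256", "") if resources else ""
    if remote_sha256.lower() != local_sha256:
        raise RuntimeError("service reported a different SHA256 than the local file")
    return local_sha256
```

The returned SHA256 is the ID that GetSampleV2, DeleteSampleV2 and QuerySampleV1 take for this sample.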

DeleteSampleV2

Removes a sample, including its file, metadata and submissions, from the collection.

PEP8 method name

delete_sample

Endpoint

Method | Route
DELETE | /samples/entities/samples/v2

Required Scope

falconx-sandbox:write

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
id | Service Class Support | Uber Class Support | query | string | The file SHA256.
parameters | Service Class Support | Uber Class Support | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_sample(ids=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteSampleV2(ids=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)

QuerySampleV1

Retrieves the list of SHA256 hashes for samples that exist and that the customer has rights to access. The maximum number of accepted items is 200.

PEP8 method name

query_sample

Endpoint

Method | Route
POST | /samples/queries/samples/GET/v1

Required Scope

falconx-sandbox:read

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name | Service | Uber | Type | Data type | Description
body | Service Class Support | Uber Class Support | body | dictionary | Full body payload in JSON format.
sha256s | Service Class Support | Uber Class Support | body | string or list of strings | Pass a list of sha256s to check if they exist. You will be returned the list of existing hashes.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.query_sample(sha256s=id_list)
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.QuerySampleV1(sha256s=id_list)
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "sha256s": [
        "string"
    ]
}

response = falcon.command("QuerySampleV1", body=BODY)
print(response)
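
A batching helper for query_sample, added here as an example and not part of the FalconPy documentation: it validates and de-duplicates the hashes, then splits them into requests of at most 200 items, the limit stated for QuerySampleV1. The helper names and the response layout (status_code, body.resources as a list of hash strings) are assumptions of this example.

```python
import re

MAX_HASHES_PER_REQUEST = 200  # "maximum number of accepted items is 200"
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def normalize_sha256s(candidates):
    """Lowercase, validate and de-duplicate hashes, preserving order."""
    seen, clean = set(), []
    for value in candidates:
        digest = value.strip().lower()
        if not SHA256_RE.fullmatch(digest):
            raise ValueError(f"not a SHA256 hex digest: {value!r}")
        if digest not in seen:
            seen.add(digest)
            clean.append(digest)
    return clean


def find_existing_samples(falcon, candidates):
    """Return the set of hashes the sample store reports as existing."""
    digests = normalize_sha256s(candidates)
    existing = set()
    for start in range(0, len(digests), MAX_HASHES_PER_REQUEST):
        batch = digests[start:start + MAX_HASHES_PER_REQUEST]
        response = falcon.query_sample(sha256s=batch)
        if response["status_code"] != 200:
            raise RuntimeError(f"query failed: {response['body'].get('errors')}")
        # Assumed response shape: resources is the list of existing hashes.
        existing.update(h.lower() for h in response["body"].get("resources") or [])
    return existing
```

Hashes missing from the returned set either were never uploaded or are not accessible to the calling account.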