Using the Falcon Intelligence Sandbox service collection

This service collection has code examples posted to the repository.

Table of Contents

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetArtifacts

Download IOC packs, PCAP files, and other analysis artifacts.

PEP8 method name

get_artifacts

Endpoint

Method	Route
	/falconx/entities/artifacts/v1

Required Scope

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
headers			header	string	Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id			query	string	ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary.
name			query	string	The name given to your downloaded file.
parameters			query	dictionary	Full query string parameters payload in JSON format.
stream			query	boolean	Enable streaming download of the returned file.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_artifacts(id="string", name="string", stream=boolean)

print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetArtifacts(id="string", name="string", stream=boolean)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetArtifacts",
                          id="string",
                          name="string",
                          stream=boolean,
                          headers=HEADERS
                          )
print(response)

GetMemoryDumpExtractedStrings

Get extracted strings from a memory dump.

PEP8 method name

get_dump_extracted_strings

Endpoint

Method	Route
	/falconx/entities/memory-dump/extracted-strings/v1

Required Scope

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
headers			header	string	Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id			query	string	Extracted strings ID.
name			query	string	The name given to your downloaded file.
parameters			query	dictionary	Full query string parameters payload in JSON format.
stream			query	boolean	Enable streaming download of the returned file.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_dump_extracted_strings(id="string", name="string", stream=boolean)

print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string", stream=boolean)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpExtractedStrings",
                          id="string",
                          name="string",
                          stream=boolean,
                          headers=HEADERS
                          )
print(response)

GetMemoryDumpHexDump

Get the hex view of a memory dump.

PEP8 method name

get_hex_dump

Endpoint

Method	Route
	/falconx/entities/memory-dump/hex-dump/v1

Required Scope

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
headers			header	string	Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id			query	string	Hex dump ID.
name			query	string	The name given to your downloaded file.
parameters			query	dictionary	Full query string parameters payload in JSON format.
stream			query	boolean	Enable streaming download of the returned file.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_hex_dump(id="string", name="string", stream=boolean)

print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpHexDump(id="string", name="string", stream=boolean)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpHexDump",
                          id="string",
                          name="string",
                          stream=boolean,
                          headers=HEADERS
                          )
print(response)

GetMemoryDump

Get memory dump content, as a binary.

PEP8 method name

get_memory_dump

Endpoint

Method	Route
	/falconx/entities/memory-dump/v1

Required Scope

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
headers			header	string	Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id			query	string	Memory dump ID.
name			query	string	The name given to your downloaded file.
parameters			query	dictionary	Full query string parameters payload in JSON format.
stream			query	boolean	Enable streaming download of the returned file.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_memory_dump(id="string", name="string", stream=boolean)

print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDump(id="string", name="string", stream=boolean)

print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDump",
                          id="string",
                          name="string",
                          stream=boolean,
                          headers=HEADERS
                          )
print(response)

GetSummaryReports

Get a short summary version of a sandbox report.

PEP8 method name

get_summary_reports

Endpoint

Method	Route
	/falconx/entities/report-summaries/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary_reports(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSummaryReports(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSummaryReports", ids=id_list)
print(response)

GetReports

Get a full sandbox report.

PEP8 method name

get_reports

Endpoint

Method	Route
	/falconx/entities/reports/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_reports(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetReports(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetReports", ids=id_list)
print(response)

DeleteReport

Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.

PEP8 method name

delete_report

Endpoint

Method	Route
	/falconx/entities/reports/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_report(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteReport(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteReport", ids=id_list)
print(response)

GetSubmissions

Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

get_submissions

Endpoint

Method	Route
	/falconx/entities/submissions/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
ids			query	string or list of strings	ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_submissions(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSubmissions(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSubmissions", ids=id_list)
print(response)

Submit

Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

submit

Endpoint

Method	Route
	/falconx/entities/submissions/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
action_script			body	string	Runtime script for sandbox analysis. Accepted values: default default_randomtheme default_maxantievasion default_openie default_randomfiles
aid			query	string	Device AID.
body			body	dictionary	Full body payload in JSON format.
command_line			body	string	Command line script passed to the submitted file at runtime. Max length: 2048 characters
document_password			body	string	Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters
enable_tor			body	boolean	Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR.
environment_id			body	integer	Specifies the sandbox environment used for analysis. Accepted values: 410 - macOS Sonoma ARM 64 bit 400 - macOS Catalina 10.15 300 - Linux Ubuntu 16.04, 64-bit 200 - Android (static analysis) 160 - Windows 10, 64-bit 140 - Windows 11, 64-bit 110 - Windows 7, 64-bit 100 - Windows 7, 32-bit
network_settings			body	string	Specifies the sandbox network_settings used for analysis. Accepted values: default - Fully operating network tor - Route network traffic via TOR simulated - Simulate network traffic offline - No network traffic
parameters			query	dictionary	Full query string parameters payload in JSON format.
send_email_notification			body	boolean	Boolean indicating if an email notification should be sent.
sha256			body	string	ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample. The url keyword must be unset if this keyword is used.
submit_name			body	string	Name of the malware sample that's used for file type detection and analysis.
system_date			body	string	Set a custom date in the format yyyy-MM-dd for the sandbox environment.
system_time			body	string	Set a custom time in the format HH:mm for the sandbox environment.
url			body	string	A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used.
user_tags			body	list of strings	User tags.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

response = falcon.submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,
                         environment_id=integer,
                         network_settings="string",
                         send_email_notifications=boolean,
                         sha256="string",
                         submit_name="string",
                         submit_date="string",
                         submit_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

response = falcon.Submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,
                         environment_id=integer,
                         network_settings="string",
                         send_email_notifications=boolean,
                         sha256="string",
                         submit_name="string",
                         submit_date="string",
                         submit_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

tags = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "sandbox": [
        {
            "action_script": "string",
            "command_line": "string",
            "document_password": "string",
            "enable_tor": boolean,
            "environment_id": integer,
            "network_settings": "string",
            "sha256": "string",
            "submit_name": "string",
            "system_date": "string",
            "system_time": "string",
            "url": "string"
        }
    ],
    "send_email_notification": boolean,
    "user_tags": tags
}

response = falcon.command("Submit", aid="string", body=BODY)
print(response)

QueryReports

Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.

PEP8 method name

query_reports

Endpoint

Method	Route
	/falconx/queries/reports/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Optional filter and sort criteria in the form of an FQL query.
limit			query	integer	The maximum records to return. (Max: 5000).
offset			query	integer	Starting index of overall result set from which to return ids.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_reports(filter="string",
                                offset="string",
                                limit=integer,
                                sort="string"
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QueryReports(filter="string",
                               offset="string",
                               limit=integer,
                               sort="string"
                               )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryReports",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

QuerySubmissions

Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.

PEP8 method name

query_submissions

Endpoint

Method	Route
	/falconx/queries/submissions/v1

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
filter			query	string	Optional filter and sort criteria in the form of an FQL query.
limit			query	integer	The maximum records to return. (Max: 5000).
offset			query	integer	Starting index of overall result set from which to return ids.
parameters			query	dictionary	Full query string parameters payload in JSON format.
sort			query	string	The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_submissions(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string"
                                    )
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QuerySubmissions(filter="string",
                                   offset="string",
                                   limit=integer,
                                   sort="string"
                                   )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QuerySubmissions",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

GetSampleV2

Retrieves the file associated with the given ID (SHA256)

PEP8 method name

get_sample

Endpoint

Method	Route
	/samples/entities/samples/v2

Required Scope

Content-Type

• Produces: application/octet-stream

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	The file SHA256.
parameters			query	dictionary	Full query string parameters payload in JSON format.
password_protected			query	boolean	Flag whether the sample should be zipped and password protected with password of infected.
stream			query	boolean	Enable streaming download of the returned file.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.get_sample(password_protected=boolean, ids=file_sha, stream=boolean)
with open(save_file, 'wb') as file_download:
    file_download.write(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.GetSampleV2(password_protected=boolean, ids=file_sha, stream=boolean)
with open(save_file, 'wb') as file_download:
    file_download.write(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.command("GetSampleV2", password_protected=boolean, ids=file_sha, stream=boolean)
with open(save_file, 'wb') as file_download:
    file_download.write(response)

UploadSampleV2

Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.

PEP8 method name

upload_sample

Endpoint

Method	Route
	/samples/entities/samples/v2

Required Scope

Content-Type

• Consumes: multipart/form-data
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
comment			formData	string	A descriptive comment to identify the file for other users.
data			formData	file	Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub PDF APK Executable JAR Windows script component: .sct Windows shortcut: .lnk Windows help: .chm HTML application: .hta Windows script file: .wsf Javascript: .js Visual Basic: .vbs, .vbe Shockwave Flash: .swf Perl: .pl Powershell: .ps1, .psd1, .psm1 Scalable vector graphics: .svg Python: .py Linux ELF executables Email files: MIME RFC 822 .eml, Outlook .msg.
file_data or sample or upfile			formData	string	Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub PDF APK Executable JAR Windows script component: .sct Windows shortcut: .lnk Windows help: .chm HTML application: .hta Windows script file: .wsf Javascript: .js Visual Basic: .vbs, .vbe Shockwave Flash: .swf Perl: .pl Powershell: .ps1, .psd1, .psm1 Scalable vector graphics: .svg Python: .py Linux ELF executables Email files: MIME RFC 822 .eml, Outlook .msg.
file_name			formData	string	Name to use for the file. Uses current file name if not specified.
is_confidential			formData	boolean	Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true - File is only shown to users within your customer account. false - File can be seen by other CrowdStrike customers. Defaults to true.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()

response = falcon.upload_sample(sample=PAYLOAD,
                                file_name="string",
                                comment='string',
                                is_confidential=boolean
                                )
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()

response = falcon.UploadSampleV2(file_data=PAYLOAD,
                                 file_name="string",
                                 comment='string',
                                 is_confidential=boolean
                                 )
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()

response = falcon.command("UploadSampleV2",
                          data=PAYLOAD,
                          file_name="string",
                          comment="string",
                          is_confidential=boolean,
                          content_type="application/octet-stream"
                          )
print(response)

DeleteSampleV2

Removes a sample, including file, meta and submissions from the collection

PEP8 method name

delete_sample

Endpoint

Method	Route
	/samples/entities/samples/v2

Required Scope

Content-Type

• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
id			query	string	The file SHA256.
parameters			query	dictionary	Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_sample(ids=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteSampleV2(ids=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)

QuerySampleV1

Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200

PEP8 method name

query_sample

Endpoint

Method	Route
	/samples/queries/samples/GET/v1

Required Scope

Content-Type

• Consumes: application/json
• Produces: application/json

Keyword Arguments

Name	Service	Uber	Type	Data type	Description
body			body	dictionary	Full body payload in JSON format.
sha256s			body	string or list of strings	Pass a list of sha256s to check if the exist. You will be returned the list of existing hashes.

Usage

Service class example (PEP8 syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.query_sample(sha256s=id_list)
print(response)

Service class example (Operation ID syntax)

from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.QuerySampleV1(sha256s=id_list)
print(response)

Uber class example

from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "sha256s": [
        "string"
    ]
}

response = falcon.command("QuerySampleV1", body=BODY)
print(response)