This service collection has code examples posted to the repository.
| Operation ID | Description |
|---|
| Download IOC packs, PCAP files, and other analysis artifacts. |
| Get extracted strings from a memory dump. |
| Get the hex view of a memory dump. |
| Get memory dump content, as a binary. |
| Get a short summary version of a sandbox report. |
| Get a full sandbox report. |
| Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. |
| Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. |
| Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. |
| Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. |
| Retrieves the file associated with the given ID (SHA256) |
| Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
| Removes a sample, including file, meta and submissions from the collection |
| Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
WARNING
client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)
CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Download IOC packs, PCAP files, and other analysis artifacts.
get_artifacts
| Method | Route |
|---|
 | /falconx/entities/artifacts/v1 |
| Name | Service | Uber | Type | Data type | Description |
|---|
| headers | ![]()
![]() | ![]()
![]() | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | ![]()
![]() | ![]()
![]() | query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. |
| name | ![]()
![]() | ![]()
![]() | query | string | The name given to your downloaded file. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_artifacts(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetArtifacts(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetArtifacts", id="string", name="string", headers=HEADERS)
print(response)
Get extracted strings from a memory dump.
get_dump_extracted_strings
| Method | Route |
|---|
| /falconx/entities/memory-dump/extracted-strings/v1 |
| Name | Service | Uber | Type | Data type | Description |
|---|
| headers | ![]()
![]() | ![]()
![]() | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | ![]()
![]() | ![]()
![]() | query | string | Extracted strings ID. |
| name | ![]()
![]() | ![]()
![]() | query | string | The name given to your downloaded file. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_dump_extracted_strings(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDumpExtractedStrings", id="string", name="string", headers=HEADERS)
print(response)
Get the hex view of a memory dump.
get_hex_dump
| Method | Route |
|---|
| /falconx/entities/memory-dump/hex-dump/v1 |
| Name | Service | Uber | Type | Data type | Description |
|---|
| headers | ![]()
![]() | ![]()
![]() | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | ![]()
![]() | ![]()
![]() | query | string | Hex dump ID. |
| name | ![]()
![]() | ![]()
![]() | query | string | The name given to your downloaded file. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_hex_dump(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDumpHexDump(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDumpHexDump", id="string", name="string", headers=HEADERS)
print(response)
Get memory dump content, as a binary.
get_memory_dump
| Method | Route |
|---|
| /falconx/entities/memory-dump/v1 |
| Name | Service | Uber | Type | Data type | Description |
|---|
| headers | ![]()
![]() | ![]()
![]() | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
| id | ![]()
![]() | ![]()
![]() | query | string | Memory dump ID. |
| name | ![]()
![]() | ![]()
![]() | query | string | The name given to your downloaded file. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_memory_dump(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDump(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDump", id="string", name="string", headers=HEADERS)
print(response)
Get a short summary version of a sandbox report.
get_summary_reports
| Method | Route |
|---|
| /falconx/entities/report-summaries/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| ids | ![]()
![]() | ![]()
![]() | query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_summary_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSummaryReports(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSummaryReports", ids=id_list)
print(response)
Get a full sandbox report.
get_reports
| Method | Route |
|---|
| /falconx/entities/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| ids | ![]()
![]() | ![]()
![]() | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetReports(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetReports", ids=id_list)
print(response)
Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
delete_report
| Method | Route |
|---|
 | /falconx/entities/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| ids | ![]()
![]() | ![]()
![]() | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_report(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteReport(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteReport", ids=id_list)
print(response)
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
get_submissions
| Method | Route |
|---|
| /falconx/entities/submissions/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| ids | ![]()
![]() | ![]()
![]() | query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_submissions(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSubmissions(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSubmissions", ids=id_list)
print(response)
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
submit
| Method | Route |
|---|
 | /falconx/entities/submissions/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| action_script | ![]()
![]() | ![]()
![]() | body | string | Runtime script for sandbox analysis.
Accepted values:- default
- default_randomtheme
- default_maxantievasion
- default_openie
- default_randomfiles
|
| body | ![]()
![]() | ![]()
![]() | body | dictionary | Full body payload in JSON format. |
| command_line | ![]()
![]() | ![]()
![]() | body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters |
| document_password | ![]()
![]() | ![]()
![]() | body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters |
| enable_tor | ![]()
![]() | ![]()
![]() | body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
| environment_id | ![]()
![]() | ![]()
![]() | body | integer | Specifies the sandbox environment used for analysis.
Accepted values:400 - macOS Catalina 10.15300 - Linux Ubuntu 16.04, 64-bit200 - Android (static analysis)160 - Windows 10, 64-bit110 - Windows 7, 64-bit100 - Windows 7, 32-bit
|
| network_settings | ![]()
![]() | ![]()
![]() | body | string | Specifies the sandbox network_settings used for analysis.
Accepted values:default - Fully operating networktor - Route network traffic via TORsimulated - Simulate network trafficoffline - No network traffic
|
| send_email_notification | ![]()
![]() | ![]()
![]() | body | boolean | Boolean indicating if an email notification should be sent. |
| sha256 | ![]()
![]() | ![]()
![]() | body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample.
The url keyword must be unset if this keyword is used. |
| submit_name | ![]()
![]() | ![]()
![]() | body | string | Name of the malware sample that's used for file type detection and analysis. |
| system_date | ![]()
![]() | ![]()
![]() | body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
| system_time | ![]()
![]() | ![]()
![]() | body | string | Set a custom time in the format HH:mm for the sandbox environment. |
| url | ![]()
![]() | ![]()
![]() | body | string | A web page or file URL. It can be HTTP(S) or FTP.
The sha256 keyword must be unset if this keyword is used. |
| user_tags | ![]()
![]() | ![]()
![]() | body | list of strings | User tags. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.Submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"sandbox": [
{
"action_script": "string",
"command_line": "string",
"document_password": "string",
"enable_tor": boolean,
"environment_id": integer,
"network_settings": "string",
"sha256": "string",
"submit_name": "string",
"system_date": "string",
"system_time": "string",
"url": "string"
}
],
"send_email_notification": boolean,
"user_tags": tags
}
response = falcon.command("Submit", body=BODY)
print(response)
Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
query_reports
| Method | Route |
|---|
| /falconx/queries/reports/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| filter | ![]()
![]() | ![]()
![]() | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | ![]()
![]() | ![]()
![]() | query | integer | The maximum records to return. (Max: 5000). |
| offset | ![]()
![]() | ![]()
![]() | query | integer | Starting index of overall result set from which to return ids. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
| sort | ![]()
![]() | ![]()
![]() | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_reports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryReports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryReports",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
query_submissions
| Method | Route |
|---|
| /falconx/queries/submissions/v1 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| filter | ![]()
![]() | ![]()
![]() | query | string | Optional filter and sort criteria in the form of an FQL query. |
| limit | ![]()
![]() | ![]()
![]() | query | integer | The maximum records to return. (Max: 5000). |
| offset | ![]()
![]() | ![]()
![]() | query | integer | Starting index of overall result set from which to return ids. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
| sort | ![]()
![]() | ![]()
![]() | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_submissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QuerySubmissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QuerySubmissions",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Retrieves the file associated with the given ID (SHA256)
get_sample
| Method | Route |
|---|
| /samples/entities/samples/v2 |
- Produces: application/octet-stream
| Name | Service | Uber | Type | Data type | Description |
|---|
| id | ![]()
![]() | ![]()
![]() | query | string | The file SHA256. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
| password_protected | ![]()
![]() | ![]()
![]() | query | boolean | Flag whether the sample should be zipped and password protected with password of infected. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.get_sample(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.GetSampleV2(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.command("GetSampleV2", password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
upload_sample
| Method | Route |
|---|
| /samples/entities/samples/v2 |
- Consumes: multipart/form-data
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| comment | ![]()
![]() | ![]()
![]() | formData | string | A descriptive comment to identify the file for other users. |
| data | ![]()
![]() | ![]()
![]() | formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: - Portable executables:
.exe, .scr, .pif, .dll, .com, .cpl, etc. - Office documents:
.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub - PDF
- APK
- Executable JAR
- Windows script component:
.sct - Windows shortcut:
.lnk - Windows help:
.chm - HTML application:
.hta - Windows script file:
.wsf - Javascript:
.js - Visual Basic:
.vbs, .vbe - Shockwave Flash:
.swf - Perl:
.pl - Powershell:
.ps1, .psd1, .psm1 - Scalable vector graphics:
.svg - Python:
.py - Linux ELF executables
- Email files: MIME RFC 822
.eml, Outlook .msg.
|
file_data
or
sample
or
upfile | ![]()
![]() | ![]()
![]() | formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats: - Portable executables:
.exe, .scr, .pif, .dll, .com, .cpl, etc. - Office documents:
.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub - PDF
- APK
- Executable JAR
- Windows script component:
.sct - Windows shortcut:
.lnk - Windows help:
.chm - HTML application:
.hta - Windows script file:
.wsf - Javascript:
.js - Visual Basic:
.vbs, .vbe - Shockwave Flash:
.swf - Perl:
.pl - Powershell:
.ps1, .psd1, .psm1 - Scalable vector graphics:
.svg - Python:
.py - Linux ELF executables
- Email files: MIME RFC 822
.eml, Outlook .msg.
|
| file_name | ![]()
![]() | ![]()
![]() | formData | string | Name to use for the file. Uses current file name if not specified. |
| is_confidential | ![]()
![]() | ![]()
![]() | formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console.true - File is only shown to users within your customer account.false - File can be seen by other CrowdStrike customers.
Defaults to true. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.upload_sample(sample=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.UploadSampleV2(file_data=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.command("UploadSampleV2",
data=PAYLOAD,
file_name="string",
comment="string",
is_confidential=boolean,
content_type="application/octet-stream"
)
print(response)
Removes a sample, including file, meta and submissions from the collection
delete_sample
| Method | Route |
|---|
| /samples/entities/samples/v2 |
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| id | ![]()
![]() | ![]()
![]() | query | string | The file SHA256. |
| parameters | ![]()
![]() | ![]()
![]() | query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_sample(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteSampleV2(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)
Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200
query_sample
| Method | Route |
|---|
| /samples/queries/samples/GET/v1 |
- Consumes: application/json
- Produces: application/json
| Name | Service | Uber | Type | Data type | Description |
|---|
| body | ![]()
![]() | ![]()
![]() | body | dictionary | Full body payload in JSON format. |
| sha256s | ![]()
![]() | ![]()
![]() | body | string or list of strings | Pass a list of sha256s to check if the exist. You will be returned the list of existing hashes. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.query_sample(sha256s=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.QuerySampleV1(sha256s=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"sha256s": [
"string"
]
}
response = falcon.command("QuerySampleV1", body=BODY)
print(response)