
Falconx Sandbox

Joshua Hiller edited this page Sep 16, 2023 · 22 revisions


Using the Falcon Intelligence Sandbox service collection


This service collection has code examples posted to the repository.

Table of Contents

Operation ID | PEP 8 method | Description
GetArtifacts | get_artifacts | Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings | get_dump_extracted_strings | Get extracted strings from a memory dump.
GetMemoryDumpHexDump | get_hex_dump | Get the hex view of a memory dump.
GetMemoryDump | get_memory_dump | Get memory dump content, as a binary.
GetSummaryReports | get_summary_reports | Get a short summary version of a sandbox report.
GetReports | get_reports | Get a full sandbox report.
DeleteReport | delete_report | Delete a report based on the report ID. The operation can be checked for success by polling for the report ID on the report-summaries endpoint.
GetSubmissions | get_submissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit | submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports | query_reports | Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions | query_submissions | Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2 | get_sample | Retrieves the file associated with the given ID (SHA256).
UploadSampleV2 | upload_sample | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
DeleteSampleV2 | delete_sample | Removes a sample, including its file, metadata, and submissions, from the collection.
QuerySampleV1 | query_sample | Retrieves a list of SHA256 hashes for samples that exist and that the customer has the right to access. Maximum number of accepted items: 200.

Passing credentials

WARNING

client_id and client_secret are keyword arguments that contain your CrowdStrike API credentials. Note that none of the examples below hard-code these values. (These values are ingested as strings.)

CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.

GetArtifacts

Download IOC packs, PCAP files, and other analysis artifacts.

PEP8 method name

get_artifacts

Endpoint

Method Route
GET /falconx/entities/artifacts/v1

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
headers | yes | yes | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | yes | yes | query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary.
name | yes | yes | query | string | The name given to your downloaded file.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_artifacts(id="string", name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetArtifacts(id="string", name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetArtifacts", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDumpExtractedStrings

Get extracted strings from a memory dump.

PEP8 method name

get_dump_extracted_strings

Endpoint

Method Route
GET /falconx/entities/memory-dump/extracted-strings/v1

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
headers | yes | yes | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | yes | yes | query | string | Extracted strings ID.
name | yes | yes | query | string | The name given to your downloaded file.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_dump_extracted_strings(id="string", name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpExtractedStrings", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDumpHexDump

Get the hex view of a memory dump.

PEP8 method name

get_hex_dump

Endpoint

Method Route
GET /falconx/entities/memory-dump/hex-dump/v1

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
headers | yes | yes | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | yes | yes | query | string | Hex dump ID.
name | yes | yes | query | string | The name given to your downloaded file.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_hex_dump(id="string", name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDumpHexDump(id="string", name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDumpHexDump", id="string", name="string", headers=HEADERS)
print(response)

GetMemoryDump

Get memory dump content, as a binary.

PEP8 method name

get_memory_dump

Endpoint

Method Route
GET /falconx/entities/memory-dump/v1

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
headers | yes | yes | header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | yes | yes | query | string | Memory dump ID.
name | yes | yes | query | string | The name given to your downloaded file.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.get_memory_dump(id="string", name="string")
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.GetMemoryDump(id="string", name="string")
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

HEADERS = {
    "Accept-Encoding": "gzip"
}

response = falcon.command("GetMemoryDump", id="string", name="string", headers=HEADERS)
print(response)

GetSummaryReports

Get a short summary version of a sandbox report.

PEP8 method name

get_summary_reports

Endpoint

Method Route
GET /falconx/entities/report-summaries/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
ids | yes | yes | query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary_reports(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSummaryReports(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSummaryReports", ids=id_list)
print(response)

GetReports

Get a full sandbox report.

PEP8 method name

get_reports

Endpoint

Method Route
GET /falconx/entities/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
ids | yes | yes | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_reports(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetReports(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetReports", ids=id_list)
print(response)

DeleteReport

Delete a report based on the report ID. The operation can be checked for success by polling for the report ID on the report-summaries endpoint.

PEP8 method name

delete_report

Endpoint

Method Route
DELETE /falconx/entities/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
ids | yes | yes | query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_report(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteReport(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteReport", ids=id_list)
print(response)

GetSubmissions

Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

get_submissions

Endpoint

Method Route
GET /falconx/entities/submissions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
ids | yes | yes | query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_submissions(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.GetSubmissions(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("GetSubmissions", ids=id_list)
print(response)
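The GetSubmissions description says analysis usually finishes within 15 minutes, and the examples above fetch the status once. What a practitioner actually needs is a poll loop that stops on a terminal state, gives up after a deadline, and does not sleep for real during tests. The block below is an added example and not code from the page or from the FalconPy project. `wait_for_submission` and `_FakeSubmissions` are names introduced here; the fake stands in for `FalconXSandbox.get_submissions`, and the `state` values "created", "running", "success" and "error" are an assumption to be confirmed against the API reference for your tenant.

```python
import time

# Submission states treated as final. These value names are an assumption in
# this example; confirm them against the states your tenant actually returns.
TERMINAL_STATES = {"success", "error"}


def wait_for_submission(get_submissions, submission_id, *, timeout=900,
                        interval=30, sleep=time.sleep, clock=time.monotonic):
    """Poll a GetSubmissions-style callable until the submission is final.

    get_submissions(ids=...) must return a FalconPy-shaped dict with
    status_code and body.resources (FalconXSandbox.get_submissions does).
    Returns the final resource dict. Raises TimeoutError once `timeout`
    seconds (15 minutes by default, the figure quoted on this page) have
    passed without a terminal state, and RuntimeError on a non-200 response.
    sleep and clock are injectable so the loop can be tested without waiting.
    """
    deadline = clock() + timeout
    while True:
        response = get_submissions(ids=submission_id)
        if response.get("status_code") != 200:
            errors = response.get("body", {}).get("errors", [])
            raise RuntimeError(f"GetSubmissions failed: {response.get('status_code')} {errors}")
        resources = response["body"].get("resources") or []
        if not resources:
            raise RuntimeError(f"submission {submission_id} not found")
        resource = resources[0]
        if resource.get("state") in TERMINAL_STATES:
            return resource
        if clock() >= deadline:
            raise TimeoutError(
                f"submission {submission_id} still {resource.get('state')!r} after {timeout}s")
        sleep(interval)


class _FakeSubmissions:
    """Constructed stand-in for get_submissions: serves one canned state per call."""

    def __init__(self, states):
        self.states = list(states)
        self.calls = 0

    def __call__(self, ids):
        # Keep returning the last state once the scripted sequence is exhausted.
        state = self.states[min(self.calls, len(self.states) - 1)]
        self.calls += 1
        return {"status_code": 200,
                "body": {"resources": [{"id": ids, "state": state}]}}


if __name__ == "__main__":
    fake = _FakeSubmissions(["created", "running", "running", "success"])
    final = wait_for_submission(fake, "constructed-submission-id",
                                interval=0, sleep=lambda s: None)
    print(final, "after", fake.calls, "polls")
```

With a real client, pass `falcon.get_submissions` as the first argument and leave `sleep` and `clock` at their defaults; keep `interval` at tens of seconds so the loop does not hammer the endpoint.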

Submit

Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

PEP8 method name

submit

Endpoint

Method Route
POST /falconx/entities/submissions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
action_script | yes | yes | body | string | Runtime script for sandbox analysis. Accepted values:
  • default
  • default_randomtheme
  • default_maxantievasion
  • default_openie
  • default_randomfiles
body | yes | yes | body | dictionary | Full body payload in JSON format.
command_line | yes | yes | body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters.
document_password | yes | yes | body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters.
enable_tor | yes | yes | body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR.
environment_id | yes | yes | body | integer | Specifies the sandbox environment used for analysis. Accepted values:
  • 400 - macOS Catalina 10.15
  • 300 - Linux Ubuntu 16.04, 64-bit
  • 200 - Android (static analysis)
  • 160 - Windows 10, 64-bit
  • 110 - Windows 7, 64-bit
  • 100 - Windows 7, 32-bit
network_settings | yes | yes | body | string | Specifies the sandbox network_settings used for analysis. Accepted values:
  • default - Fully operating network
  • tor - Route network traffic via TOR
  • simulated - Simulate network traffic
  • offline - No network traffic
send_email_notification | yes | yes | body | boolean | Boolean indicating if an email notification should be sent.
sha256 | yes | yes | body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample. The url keyword must be unset if this keyword is used.
submit_name | yes | yes | body | string | Name of the malware sample that's used for file type detection and analysis.
system_date | yes | yes | body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment.
system_time | yes | yes | body | string | Set a custom time in the format HH:mm for the sandbox environment.
url | yes | yes | body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used.
user_tags | yes | yes | body | list of strings | User tags.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

# Set either sha256 or url, never both; the keywords are mutually exclusive.
response = falcon.submit(action_script="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,
                         environment_id=integer,
                         network_settings="string",
                         send_email_notification=boolean,
                         sha256="string",
                         submit_name="string",
                         system_date="string",
                         system_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

tags = ['TAG1', 'TAG2', 'TAG3']

# Set either sha256 or url, never both; the keywords are mutually exclusive.
response = falcon.Submit(action_script="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,
                         environment_id=integer,
                         network_settings="string",
                         send_email_notification=boolean,
                         sha256="string",
                         submit_name="string",
                         system_date="string",
                         system_time="string",
                         url="string",
                         user_tags=tags
                         )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

tags = ['TAG1', 'TAG2', 'TAG3']

BODY = {
    "sandbox": [
        {
            "action_script": "string",
            "command_line": "string",
            "document_password": "string",
            "enable_tor": boolean,
            "environment_id": integer,
            "network_settings": "string",
            "sha256": "string",
            "submit_name": "string",
            "system_date": "string",
            "system_time": "string",
            "url": "string"
        }
    ],
    "send_email_notification": boolean,
    "user_tags": tags
}

response = falcon.command("Submit", body=BODY)
print(response)
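The Submit keyword table above spells out accepted values, length limits and the rule that sha256 and url are mutually exclusive, while the usage examples pass a placeholder for every keyword at once. The following added example (not code from the page or from the FalconPy project) enforces those table rules on the client side before anything is sent and produces the same body shape the Uber class example posts. `build_submit_body`, `submit_with` and the `_RecordingClient` stub are names introduced here; the stub stands in for `APIHarnessV2.command` so the block runs offline. It defaults network_settings to offline, the conservative choice until you have decided that a sample may talk to the network.

```python
import re

# Accepted values and limits copied from the Submit keyword-argument table.
ACTION_SCRIPTS = {"default", "default_randomtheme", "default_maxantievasion",
                  "default_openie", "default_randomfiles"}
ENVIRONMENT_IDS = {400, 300, 200, 160, 110, 100}
NETWORK_SETTINGS = {"default", "tor", "simulated", "offline"}
MAX_COMMAND_LINE = 2048
MAX_DOCUMENT_PASSWORD = 32
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def build_submit_body(*, environment_id, sha256=None, url=None,
                      action_script="default", network_settings="offline",
                      command_line=None, document_password=None,
                      submit_name=None, system_date=None, system_time=None,
                      send_email_notification=False, user_tags=None):
    """Validate Submit arguments and return the body dict the Uber class sends.

    Raises ValueError for anything the keyword table would reject, so a bad
    request never leaves the host. Name and validation rules are this
    example's own, not part of FalconPy.
    """
    if (sha256 is None) == (url is None):
        raise ValueError("exactly one of sha256 or url must be provided")
    if sha256 is not None and not SHA256_RE.match(sha256):
        raise ValueError("sha256 must be a 64-character hex string")
    if environment_id not in ENVIRONMENT_IDS:
        raise ValueError(f"environment_id must be one of {sorted(ENVIRONMENT_IDS)}")
    if action_script not in ACTION_SCRIPTS:
        raise ValueError(f"unknown action_script {action_script!r}")
    if network_settings not in NETWORK_SETTINGS:
        raise ValueError(f"unknown network_settings {network_settings!r}")
    if command_line is not None and len(command_line) > MAX_COMMAND_LINE:
        raise ValueError("command_line exceeds 2048 characters")
    if document_password is not None and len(document_password) > MAX_DOCUMENT_PASSWORD:
        raise ValueError("document_password exceeds 32 characters")
    if system_date is not None and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", system_date):
        raise ValueError("system_date must be in the form yyyy-MM-dd")
    if system_time is not None and not re.fullmatch(r"\d{2}:\d{2}", system_time):
        raise ValueError("system_time must be in the form HH:mm")

    sandbox = {"environment_id": environment_id,
               "action_script": action_script,
               "network_settings": network_settings}
    # Only include optional keys the caller actually supplied.
    optional = {"sha256": sha256, "url": url, "command_line": command_line,
                "document_password": document_password, "submit_name": submit_name,
                "system_date": system_date, "system_time": system_time}
    sandbox.update({key: value for key, value in optional.items() if value is not None})
    return {"sandbox": [sandbox],
            "send_email_notification": send_email_notification,
            "user_tags": list(user_tags or [])}


def submit_with(falcon, **kwargs):
    """Send a validated body through any object with command(operation, body=...).

    falconpy.APIHarnessV2 has that method; the stub below stands in for it.
    """
    return falcon.command("Submit", body=build_submit_body(**kwargs))


class _RecordingClient:
    """Constructed stand-in for APIHarnessV2 that records requests instead of sending them."""

    def __init__(self):
        self.calls = []

    def command(self, operation, **kwargs):
        self.calls.append((operation, kwargs))
        return {"status_code": 200,
                "body": {"resources": [{"id": "constructed-submission-id"}]}}


if __name__ == "__main__":
    client = _RecordingClient()
    print(submit_with(client, environment_id=160, sha256="a" * 64,
                      user_tags=["triage"]))
    print(client.calls[0])
```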

QueryReports

Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.

PEP8 method name

query_reports

Endpoint

Method Route
GET /falconx/queries/reports/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
filter | yes | yes | query | string | Optional filter and sort criteria in the form of an FQL query.
limit | yes | yes | query | integer | The maximum records to return. (Max: 5000)
offset | yes | yes | query | integer | Starting index of overall result set from which to return ids.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
sort | yes | yes | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_reports(filter="string",
                                offset="string",
                                limit=integer,
                                sort="string"
                                )
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QueryReports(filter="string",
                               offset="string",
                               limit=integer,
                               sort="string"
                               )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QueryReports",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)

QuerySubmissions

Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.

PEP8 method name

query_submissions

Endpoint

Method Route
GET /falconx/queries/submissions/v1

Content-Type

  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
filter | yes | yes | query | string | Optional filter and sort criteria in the form of an FQL query.
limit | yes | yes | query | integer | The maximum records to return. (Max: 5000)
offset | yes | yes | query | integer | Starting index of overall result set from which to return ids.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
sort | yes | yes | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_submissions(filter="string",
                                    offset="string",
                                    limit=integer,
                                    sort="string"
                                    )
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.QuerySubmissions(filter="string",
                                   offset="string",
                                   limit=integer,
                                   sort="string"
                                   )
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

response = falcon.command("QuerySubmissions",
                          filter="string",
                          offset="string",
                          limit=integer,
                          sort="string"
                          )
print(response)
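QueryReports and QuerySubmissions both return a page of IDs bounded by limit (max 5000) and offset, so any triage job that wants every match has to walk the pages. The block below is an added example covering both operations; it is not code from the page or from the FalconPy project. `iterate_query_ids` and `_FakeQuery` are names introduced here, the fake stands in for `FalconXSandbox.query_reports` or `query_submissions`, and the `meta.pagination.total` field it reads from the response body is an assumption about the API's paging metadata; the loop also stops on a short page, so it terminates even when that field is absent.

```python
def iterate_query_ids(query, *, filter_string=None, page_size=500, sort=None):
    """Yield every ID matched by a QueryReports / QuerySubmissions-style callable.

    query(filter=..., offset=..., limit=..., sort=...) must return a FalconPy
    shaped dict with status_code, body.resources and, where available,
    body.meta.pagination.total. Paging stops when the total has been reached
    or a page comes back short, and repeated IDs are suppressed so that a
    page boundary shifting under the walk cannot yield one twice.
    """
    offset = 0
    seen = set()
    while True:
        kwargs = {"offset": offset, "limit": page_size}
        if filter_string:
            kwargs["filter"] = filter_string
        if sort:
            kwargs["sort"] = sort
        response = query(**kwargs)
        if response.get("status_code") != 200:
            errors = response.get("body", {}).get("errors", [])
            raise RuntimeError(f"query failed: {response.get('status_code')} {errors}")
        body = response.get("body", {})
        resources = body.get("resources") or []
        for resource_id in resources:
            if resource_id not in seen:
                seen.add(resource_id)
                yield resource_id
        total = body.get("meta", {}).get("pagination", {}).get("total")
        offset += len(resources)
        if len(resources) < page_size or (total is not None and offset >= total):
            return


class _FakeQuery:
    """Constructed stand-in for a query endpoint: slices a fixed ID list by offset/limit."""

    def __init__(self, ids):
        self.ids = list(ids)
        self.calls = []

    def __call__(self, **kwargs):
        self.calls.append(kwargs)
        offset = kwargs.get("offset", 0)
        limit = kwargs.get("limit", 100)
        page = self.ids[offset:offset + limit]
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": offset, "limit": limit,
                                                 "total": len(self.ids)}},
                         "resources": page}}


if __name__ == "__main__":
    fake = _FakeQuery([f"constructed-report-{n}" for n in range(7)])
    # The filter string here is illustrative only; use field names from the FQL docs.
    ids = list(iterate_query_ids(fake, filter_string="example_field:'value'", page_size=3))
    print(len(ids), "ids in", len(fake.calls), "calls")
```

With a real client, `iterate_query_ids(falcon.query_reports, page_size=1000)` walks reports and `iterate_query_ids(falcon.query_submissions, ...)` walks submissions; feed the IDs in batches to get_summary_reports or get_submissions rather than one call per ID.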

GetSampleV2

Retrieves the file associated with the given ID (SHA256).

PEP8 method name

get_sample

Endpoint

Method Route
GET /samples/entities/samples/v2

Content-Type

  • Produces: application/octet-stream

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
id | yes | yes | query | string | The file SHA256.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.
password_protected | yes | yes | query | boolean | Flag whether the sample should be zipped and password protected with the password "infected".

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.get_sample(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.GetSampleV2(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"

save_file = "some_file.ext"

response = falcon.command("GetSampleV2", password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
    file_download.write(response)
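The GetSampleV2 examples write the response straight to disk. A sample pulled back from the sandbox is presumed malicious, so it deserves two checks before it touches the filesystem: that the bytes really are the file whose SHA256 was requested, and that an error response is not mistaken for file content. The following is an added example, not code from the page or the FalconPy project. `verify_sample`, `save_sample` and `sha256_hex` are names introduced here; that FalconPy hands back raw bytes on success and a status_code/body dict on failure for this octet-stream endpoint is an assumption the example is built on.

```python
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_sample(response, expected_sha256, *, password_protected=False) -> bytes:
    """Return the sample bytes from a GetSampleV2 result, or raise.

    A dict is taken to be an error envelope (assumption: FalconPy returns
    bytes on success for this endpoint and a status_code/body dict otherwise).
    When the sample was requested unprotected, its hash must equal the ID that
    was asked for. A password-protected download is a zip archive whose hash
    cannot be compared with the sample's, so that check is skipped.
    """
    if isinstance(response, dict):
        errors = response.get("body", {}).get("errors", [])
        raise RuntimeError(f"GetSampleV2 failed: {response.get('status_code')} {errors}")
    if not isinstance(response, (bytes, bytearray)):
        raise TypeError(f"unexpected response type {type(response).__name__}")
    data = bytes(response)
    if not password_protected:
        actual = sha256_hex(data)
        if actual != expected_sha256.lower():
            raise ValueError(f"SHA256 mismatch: expected {expected_sha256}, got {actual}")
    return data


def save_sample(response, expected_sha256, save_path, *, password_protected=False) -> int:
    """Verify a GetSampleV2 result and write it to a new, owner-only file.

    O_EXCL refuses to overwrite an existing path, and mode 0o600 keeps other
    local users from reading the sample. Returns the number of bytes written.
    """
    data = verify_sample(response, expected_sha256, password_protected=password_protected)
    fd = os.open(save_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return len(data)


if __name__ == "__main__":
    # Constructed stand-in for the bytes a real get_sample call would return.
    sample = b"MZ constructed, not a real executable"
    print(len(verify_sample(sample, sha256_hex(sample))), "bytes verified")
    try:
        verify_sample(sample, "0" * 64)
    except ValueError as exc:
        print("rejected:", exc)
```

With a real client the call becomes `save_sample(falcon.get_sample(ids=file_sha, password_protected=False), file_sha, "sample.bin")`; pass `password_protected=True` on both calls when you want the zipped form and name the output `.zip`.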

UploadSampleV2

Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.

PEP8 method name

upload_sample

Endpoint

Method Route
POST /samples/entities/samples/v2

Content-Type

  • Consumes: multipart/form-data
  • Produces: application/json

Keyword Arguments

Name | Service class | Uber class | Type | Data type | Description
comment | yes | yes | formData | string | A descriptive comment to identify the file for other users.
data | yes | yes | formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
  • Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.
  • Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub
  • PDF
  • APK
  • Executable JAR
  • Windows script component: .sct
  • Windows shortcut: .lnk
  • Windows help: .chm
  • HTML application: .hta
  • Windows script file: .wsf
  • Javascript: .js
  • Visual Basic: .vbs, .vbe
  • Shockwave Flash: .swf
  • Perl: .pl
  • Powershell: .ps1, .psd1, .psm1
  • Scalable vector graphics: .svg
  • Python: .py
  • Linux ELF executables
  • Email files: MIME RFC 822 .eml, Outlook .msg.
file_data, sample, or upfile | yes | yes | formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
  • Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.
  • Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub
  • PDF
  • APK
  • Executable JAR
  • Windows script component: .sct
  • Windows shortcut: .lnk
  • Windows help: .chm
  • HTML application: .hta
  • Windows script file: .wsf
  • Javascript: .js
  • Visual Basic: .vbs, .vbe
  • Shockwave Flash: .swf
  • Perl: .pl
  • Powershell: .ps1, .psd1, .psm1
  • Scalable vector graphics: .svg
  • Python: .py
  • Linux ELF executables
  • Email files: MIME RFC 822 .eml, Outlook .msg.
file_name | yes | yes | formData | string | Name to use for the file. Uses current file name if not specified.
is_confidential | yes | yes | formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console.
  • true - File is only shown to users within your customer account.
  • false - File can be seen by other CrowdStrike customers.
  Defaults to true.
parameters | yes | yes | query | dictionary | Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:  # closes the handle once the bytes are read
    PAYLOAD = sample_file.read()

response = falcon.upload_sample(sample=PAYLOAD,
                                file_name="string",
                                comment='string',
                                is_confidential=True  # True keeps the file visible only within your account
                                )
print(response)

Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:  # closes the handle once the bytes are read
    PAYLOAD = sample_file.read()

response = falcon.UploadSampleV2(file_data=PAYLOAD,
                                 file_name="string",
                                 comment='string',
                                 is_confidential=True  # True keeps the file visible only within your account
                                 )
print(response)

Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

FILENAME = 'test_file.ext'
with open(FILENAME, 'rb') as sample_file:  # closes the handle once the bytes are read
    PAYLOAD = sample_file.read()

response = falcon.command("UploadSampleV2",
                          data=PAYLOAD,
                          file_name="string",
                          comment="string",
                          is_confidential=True,  # True keeps the file visible only within your account
                          content_type="application/octet-stream"
                          )
print(response)

DeleteSampleV2

Removes a sample, including its file, metadata and submissions, from the collection.

PEP8 method name

delete_sample

Endpoint

Method Route
DELETE /samples/entities/samples/v2

Content-Type

  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
id
Service Class Support

Uber Class Support
query string The file SHA256.
parameters
Service Class Support

Uber Class Support
query dictionary Full query string parameters payload in JSON format.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_sample(ids=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.DeleteSampleV2(ids=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)

QuerySampleV1

Retrieves a list of SHA256 hashes for samples that exist and that the customer has rights to access. The maximum number of accepted items is 200.

PEP8 method name

query_sample

Endpoint

Method Route
POST /samples/queries/samples/GET/v1

Content-Type

  • Consumes: application/json
  • Produces: application/json

Keyword Arguments

Name Service Uber Type Data type Description
body
Service Class Support

Uber Class Support
body dictionary Full body payload in JSON format.
sha256s
Service Class Support

Uber Class Support
body string or list of strings Pass a list of SHA256 hashes to check whether they exist. The list of existing hashes is returned.

Usage

Service class example (PEP8 syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.query_sample(sha256s=id_list)
print(response)
Service class example (Operation ID syntax)
from falconpy import FalconXSandbox

# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'SHA1,SHA2,SHA3'  # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']

response = falcon.QuerySampleV1(sha256s=id_list)
print(response)
Uber class example
from falconpy import APIHarnessV2

# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
                      client_secret=CLIENT_SECRET
                      )

BODY = {
    "sha256s": [
        "string"
    ]
}

response = falcon.command("QuerySampleV1", body=BODY)
print(response)
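The three operations above (UploadSampleV2, DeleteSampleV2 and QuerySampleV1) fit together as one sample lifecycle: hash the file locally, ask QuerySampleV1 whether that SHA256 is already in the collection before spending an upload, respect the 256 MB upload limit and the 200-item query limit, and after DeleteSampleV2 confirm removal with another query rather than trusting the status code alone. The following is an added example, not code from the FalconPy wiki or project. It runs offline against a constructed stand-in class (FakeFalconXSandbox) that exposes the same upload_sample, query_sample and delete_sample method names as the page's service class; the {"status_code", "headers", "body"} response envelope and the body["resources"] layout it models are assumptions to check against a real response before relying on them.

```python
import hashlib
from typing import Dict, Iterable, List, Set, Union

MAX_SAMPLE_BYTES = 256 * 1024 * 1024   # UploadSampleV2 limit stated on the page
QUERY_BATCH = 200                       # QuerySampleV1 limit stated on the page


def sha256_of(data: bytes) -> str:
    """Hex SHA256 of a sample; this is the ID QuerySampleV1 and DeleteSampleV2 use."""
    return hashlib.sha256(data).hexdigest()


def _check(resp: dict, op: str) -> dict:
    """Fail loudly on a non-200 envelope instead of silently treating it as 'not found'."""
    if resp["status_code"] != 200:
        raise RuntimeError(f"{op} returned {resp['status_code']}: {resp['body'].get('errors')}")
    return resp["body"]


def existing_hashes(falcon, hashes: Iterable[str]) -> Set[str]:
    """Return the subset of `hashes` the sandbox already holds, querying in batches of 200."""
    ordered = list(dict.fromkeys(hashes))        # drop duplicates, keep order
    found: Set[str] = set()
    for start in range(0, len(ordered), QUERY_BATCH):
        body = _check(falcon.query_sample(sha256s=ordered[start:start + QUERY_BATCH]),
                      "QuerySampleV1")
        found.update(body.get("resources", []))
    return found


def upload_if_missing(falcon, payload: bytes, file_name: str, comment: str = "") -> Dict[str, object]:
    """Hash locally and skip the upload when the sandbox already has this exact file."""
    if len(payload) > MAX_SAMPLE_BYTES:
        raise ValueError(f"{file_name}: {len(payload)} bytes exceeds the 256 MB limit")
    digest = sha256_of(payload)
    if digest in existing_hashes(falcon, [digest]):
        return {"sha256": digest, "uploaded": False}
    body = _check(falcon.upload_sample(sample=payload, file_name=file_name,
                                       comment=comment, is_confidential=True),
                  "UploadSampleV2")
    return {"sha256": body["resources"][0]["sha256"], "uploaded": True}


def delete_and_verify(falcon, sha256: str) -> bool:
    """Delete a sample, then confirm removal with QuerySampleV1."""
    _check(falcon.delete_sample(ids=sha256), "DeleteSampleV2")
    return sha256 not in existing_hashes(falcon, [sha256])


class FakeFalconXSandbox:
    """Offline stand-in for falconpy.FalconXSandbox (constructed for this example).
    Models only the three methods used above and the assumed response envelope."""

    def __init__(self) -> None:
        self.store: Dict[str, str] = {}          # sha256 -> file_name
        self.query_calls = 0

    @staticmethod
    def _ok(resources: list) -> dict:
        return {"status_code": 200, "headers": {}, "body": {"resources": resources, "errors": []}}

    @staticmethod
    def _as_list(ids: Union[str, List[str]]) -> List[str]:
        return ids.split(",") if isinstance(ids, str) else list(ids)

    def query_sample(self, sha256s: Union[str, List[str]]) -> dict:
        wanted = self._as_list(sha256s)
        self.query_calls += 1
        if len(wanted) > QUERY_BATCH:   # mirror the documented 200-item limit
            return {"status_code": 400, "headers": {},
                    "body": {"resources": [], "errors": [{"message": "too many items"}]}}
        return self._ok([h for h in wanted if h in self.store])

    def upload_sample(self, sample: bytes, file_name: str, comment: str = "",
                      is_confidential: bool = True) -> dict:
        digest = sha256_of(sample)
        self.store[digest] = file_name
        return self._ok([{"sha256": digest, "file_name": file_name}])

    def delete_sample(self, ids: Union[str, List[str]]) -> dict:
        for h in self._as_list(ids):
            self.store.pop(h, None)
        return self._ok([])


def demo() -> Dict[str, object]:
    """Walk the lifecycle against the fake client; returns values a test can check."""
    falcon = FakeFalconXSandbox()
    payload = b"MZ" + b"\x00" * 62 + b"constructed, not a real executable"  # constructed sample bytes
    first = upload_if_missing(falcon, payload, "sample.bin", comment="triage batch 1")
    second = upload_if_missing(falcon, payload, "sample-copy.bin")          # same bytes: skipped
    # 450 constructed hashes plus the real one -> three QuerySampleV1 calls of at most 200 each
    many = [hashlib.sha256(i.to_bytes(4, "big")).hexdigest() for i in range(450)]
    before = falcon.query_calls
    present = existing_hashes(falcon, many + [first["sha256"]])
    return {
        "first_uploaded": first["uploaded"],
        "second_uploaded": second["uploaded"],
        "same_hash": first["sha256"] == second["sha256"],
        "batches": falcon.query_calls - before,
        "found_in_batch": first["sha256"] in present and len(present) == 1,
        "deleted": delete_and_verify(falcon, first["sha256"]),
    }
```

To use this against the real service, construct `FalconXSandbox(client_id=..., client_secret=...)` as in the examples above and pass it where `falcon` is expected; the helpers only call the three method names documented on this page. Checking the status code in `_check` matters because an error envelope also carries an empty `resources` list, which would otherwise look like "hash not present" and trigger a needless upload or a false "deleted" result.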
