-
Notifications
You must be signed in to change notification settings - Fork 119
Falconx Sandbox
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Download IOC packs, PCAP files, and other analysis artifacts. | ||||
|
Get a short summary version of a sandbox report. | ||||
|
Get a full sandbox report. | ||||
|
Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. | ||||
|
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | ||||
|
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | ||||
|
Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria. | ||||
|
Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria. | ||||
|
Retrieves the file associated with the given ID (SHA256) | ||||
|
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
||||
|
Removes a sample, including file, meta and submissions from the collection | ||||
|
Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
Download IOC packs, PCAP files, and other analysis artifacts.
get_artifacts
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
headers |
|
|
header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip , the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
id |
|
|
query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. |
name |
|
|
query | string | The name given to your downloaded file. |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.get_artifacts(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.GetArtifacts(id="string", name="string")
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetArtifacts", id="string", name="string", headers=HEADERS)
print(response)
Get a short summary version of a sandbox report.
get_summary_reports
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_summary_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSummaryReports(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSummaryReports", ids=id_list)
print(response)
Get a full sandbox report.
get_reports
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetReports(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetReports", ids=id_list)
print(response)
Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
delete_report
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_report(ids=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteReport(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteReport", ids=id_list)
print(response)
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
get_submissions
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions . |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_submissions(ids=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSubmissions(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSubmissions", ids=id_list)
print(response)
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
submit
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
action_script |
|
|
body | string | Runtime script for sandbox analysis. Accepted values:
|
body |
|
|
body | string | Full body payload in JSON format. |
command_line |
|
|
body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters |
document_password |
|
|
body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters |
enable_tor |
|
|
body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
environment_id |
|
|
body | integer | Specifies the sandbox environment used for analysis. Accepted values:
|
network_settings |
|
|
body | string | Specifies the sandbox network_settings used for analysis. Accepted values:
|
send_email_notification |
|
|
body | boolean | Boolean indicating if an email notification should be sent. |
sha256 |
|
|
body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample .The url keyword must be unset if this keyword is used. |
submit_name |
|
|
body | string | Name of the malware sample that's used for file type detection and analysis. |
system_date |
|
|
body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
system_time |
|
|
body | string | Set a custom time in the format HH:mm for the sandbox environment. |
url |
|
|
body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used. |
user_tags |
|
|
body | list of strings | User tags. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.Submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
tags = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"sandbox": [
{
"action_script": "string",
"command_line": "string",
"document_password": "string",
"enable_tor": boolean,
"environment_id": integer,
"network_settings": "string",
"sha256": "string",
"submit_name": "string",
"system_date": "string",
"system_time": "string",
"url": "string"
}
],
"send_email_notification": boolean,
"user_tags": tags
}
response = falcon.command("Submit", body=BODY)
print(response)
Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.
query_reports
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | Optional filter and sort criteria in the form of an FQL query. |
limit |
|
|
query | integer | The maximum records to return. (Max: 5000). |
offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
sort |
|
|
query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc . |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.query_reports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.QueryReports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("QueryReports",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.
query_submissions
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | Optional filter and sort criteria in the form of an FQL query. |
limit |
|
|
query | integer | The maximum records to return. (Max: 5000). |
offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
sort |
|
|
query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc . |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.query_submissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.QuerySubmissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
response = falcon.command("QuerySubmissions",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Retrieves the file associated with the given ID (SHA256)
get_sample
- Produces: application/octet-stream
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
id |
|
|
query | string | The file SHA256. |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
password_protected |
|
|
query | string | Flag whether the sample should be zipped and password protected with password of infected . |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
save_file = "some_file.ext"
response = falcon.get_sample(password_protected=boolean, ids=id_list)
open(save_file, 'wb').write(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
save_file = "some_file.ext"
response = falcon.GetSampleV2(password_protected=boolean, ids=id_list)
open(save_file, 'wb').write(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
save_file = "some_file.ext"
response = falcon.command("GetSampleV2", password_protected=boolean, ids=id_list)
open(save_file, 'wb').write(response)
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1
to start analyzing the file.
upload_sample
- Consumes: multipart/form-data
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
comment |
|
|
formData | string | A descriptive comment to identify the file for other users. |
data |
|
|
formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
|
file_data or sample or upfile |
|
|
formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
|
file_name |
|
|
formData | string | Name to use for the file. Uses current file name if not specified. |
is_confidential |
|
|
formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console.
true . |
parameters |
|
|
formData | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.upload_sample(sample=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.UploadSampleV2(file_data=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.command("UploadSampleV2",
data=PAYLOAD,
file_name="string",
comment="string",
is_confidential=boolean,
content_type="application/octet-stream"
)
print(response)
Removes a sample, including file, meta and submissions from the collection
delete_sample
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
id |
|
|
query | string | The file SHA256. |
parameters |
|
|
query | string | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_sample(ids=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteSampleV2(ids=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)
Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200
query_sample
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Datatype | Description |
---|---|---|---|---|---|
body |
|
|
body | string | Full body payload in JSON format. |
sha256s |
|
|
body | string or list of strings | Pass a list of sha256s to check if the exist. You will be returned the list of existing hashes. |
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.query_sample(sha256s=id_list)
print(response)
from falconpy import FalconXSandbox
falcon = FalconXSandbox(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.QuerySampleV1(sha256s=id_list)
print(response)
from falconpy import APIHarness
falcon = APIHarness(client_id="API_CLIENT_ID_HERE",
client_secret="API_CLIENT_SECRET_HERE"
)
BODY = {
"sha256s": [
"string"
]
}
response = falcon.command("QuerySampleV1", body=BODY)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust