-
Notifications
You must be signed in to change notification settings - Fork 119
Falconx Sandbox
This service collection has code examples posted to the repository.
Operation ID | Description | ||||
---|---|---|---|---|---|
|
Download IOC packs, PCAP files, and other analysis artifacts. | ||||
|
Get extracted strings from a memory dump. | ||||
|
Get the hex view of a memory dump. | ||||
|
Get memory dump content, as a binary. | ||||
|
Get a short summary version of a sandbox report. | ||||
|
Get a full sandbox report. | ||||
|
Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint. | ||||
|
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | ||||
|
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes. | ||||
|
Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria. | ||||
|
Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria. | ||||
|
Retrieves the file associated with the given ID (SHA256) | ||||
|
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file. |
||||
|
Removes a sample, including file, meta and submissions from the collection | ||||
|
Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200 |
WARNING
client_id
andclient_secret
are keyword arguments that contain your CrowdStrike API credentials. Please note that all examples below do not hard code these values. (These values are ingested as strings.)CrowdStrike does not recommend hard coding API credentials or customer identifiers within source code.
Download IOC packs, PCAP files, and other analysis artifacts.
get_artifacts
Method | Route |
---|---|
/falconx/entities/artifacts/v1 |
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
headers |
|
|
header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip , the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
id |
|
|
query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary. |
name |
|
|
query | string | The name given to your downloaded file. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_artifacts(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetArtifacts(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetArtifacts", id="string", name="string", headers=HEADERS)
print(response)
Get extracted strings from a memory dump.
get_dump_extracted_strings
Method | Route |
---|---|
/falconx/entities/memory-dump/extracted-strings/v1 |
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
headers |
|
|
header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip , the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
id |
|
|
query | string | Extracted strings ID. |
name |
|
|
query | string | The name given to your downloaded file. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_dump_extracted_strings(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDumpExtractedStrings(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDumpExtractedStrings", id="string", name="string", headers=HEADERS)
print(response)
Get the hex view of a memory dump.
get_hex_dump
Method | Route |
---|---|
/falconx/entities/memory-dump/hex-dump/v1 |
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
headers |
|
|
header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip , the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
id |
|
|
query | string | Hex dump ID. |
name |
|
|
query | string | The name given to your downloaded file. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_hex_dump(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDumpHexDump(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDumpHexDump", id="string", name="string", headers=HEADERS)
print(response)
Get memory dump content, as a binary.
get_memory_dump
Method | Route |
---|---|
/falconx/entities/memory-dump/v1 |
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
headers |
|
|
header | string | Format used to compress your downloaded file. Currently, you must provide the value gzip , the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class. |
id |
|
|
query | string | Memory dump ID. |
name |
|
|
query | string | The name given to your downloaded file. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.get_memory_dump(id="string", name="string")
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.GetMemoryDump(id="string", name="string")
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
HEADERS = {
"Accept-Encoding": "gzip"
}
response = falcon.command("GetMemoryDump", id="string", name="string", headers=HEADERS)
print(response)
Get a short summary version of a sandbox report.
get_summary_reports
Method | Route |
---|---|
/falconx/entities/report-summaries/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a summary report. Find a summary report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_summary_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSummaryReports(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSummaryReports", ids=id_list)
print(response)
Get a full sandbox report.
get_reports
Method | Route |
---|---|
/falconx/entities/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_reports(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetReports(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetReports", ids=id_list)
print(response)
Delete report based on the report ID. Operation can be checked for success by polling for the report ID on the report-summaries endpoint.
delete_report
Method | Route |
---|---|
/falconx/entities/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a report. Find a report ID from the response when submitting a malware sample or search with query_reports . |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_report(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteReport(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteReport", ids=id_list)
print(response)
Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
get_submissions
Method | Route |
---|---|
/falconx/entities/submissions/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
ids |
|
|
query | string or list of strings | ID of a submitted malware sample. Find a submission ID from the response when submitting a malware sample or search with query_submissions . |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_submissions(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetSubmissions(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetSubmissions", ids=id_list)
print(response)
Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
submit
Method | Route |
---|---|
/falconx/entities/submissions/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
action_script |
|
|
body | string | Runtime script for sandbox analysis. Accepted values:
|
body |
|
|
body | dictionary | Full body payload in JSON format. |
command_line |
|
|
body | string | Command line script passed to the submitted file at runtime. Max length: 2048 characters |
document_password |
|
|
body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters |
enable_tor |
|
|
body | boolean | Deprecated, please use network_settings instead. If true, sandbox analysis routes network traffic via TOR. |
environment_id |
|
|
body | integer | Specifies the sandbox environment used for analysis. Accepted values:
|
network_settings |
|
|
body | string | Specifies the sandbox network_settings used for analysis. Accepted values:
|
send_email_notification |
|
|
body | boolean | Boolean indicating if an email notification should be sent. |
sha256 |
|
|
body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID from the response when uploading a malware sample or search with query_sample .The url keyword must be unset if this keyword is used. |
submit_name |
|
|
body | string | Name of the malware sample that's used for file type detection and analysis. |
system_date |
|
|
body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment. |
system_time |
|
|
body | string | Set a custom time in the format HH:mm for the sandbox environment. |
url |
|
|
body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used. |
user_tags |
|
|
body | list of strings | User tags. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
response = falcon.Submit(action_script="string",
command_line="string",
document_password="string",
enable_tor=boolean,
environment_id=integer,
network_settings="string",
send_email_notifications=boolean,
sha256="string",
submit_name="string",
submit_date="string",
submit_time="string",
url="string",
user_tags=tags
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
tags = ['TAG1', 'TAG2', 'TAG3']
BODY = {
"sandbox": [
{
"action_script": "string",
"command_line": "string",
"document_password": "string",
"enable_tor": boolean,
"environment_id": integer,
"network_settings": "string",
"sha256": "string",
"submit_name": "string",
"system_date": "string",
"system_time": "string",
"url": "string"
}
],
"send_email_notification": boolean,
"user_tags": tags
}
response = falcon.command("Submit", body=BODY)
print(response)
Find sandbox reports by providing a FQL filter and paging details. Returns a set of report IDs that match your criteria.
query_reports
Method | Route |
---|---|
/falconx/queries/reports/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | Optional filter and sort criteria in the form of an FQL query. |
limit |
|
|
query | integer | The maximum records to return. (Max: 5000). |
offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
sort |
|
|
query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc . |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_reports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QueryReports(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QueryReports",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Find submission IDs for uploaded files by providing a FQL filter and paging details. Returns a set of submission IDs that match your criteria.
query_submissions
Method | Route |
---|---|
/falconx/queries/submissions/v1 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
filter |
|
|
query | string | Optional filter and sort criteria in the form of an FQL query. |
limit |
|
|
query | integer | The maximum records to return. (Max: 5000). |
offset |
|
|
query | integer | Starting index of overall result set from which to return ids. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
sort |
|
|
query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc . |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.query_submissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.QuerySubmissions(filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
response = falcon.command("QuerySubmissions",
filter="string",
offset="string",
limit=integer,
sort="string"
)
print(response)
Retrieves the file associated with the given ID (SHA256)
get_sample
Method | Route |
---|---|
/samples/entities/samples/v2 |
- Produces: application/octet-stream
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id |
|
|
query | string | The file SHA256. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
password_protected |
|
|
query | boolean | Flag whether the sample should be zipped and password protected with password of infected . |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.get_sample(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.GetSampleV2(password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
file_sha = "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c"
save_file = "some_file.ext"
response = falcon.command("GetSampleV2", password_protected=boolean, ids=file_sha)
with open(save_file, 'wb') as file_download:
file_download.write(response)
Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1
to start analyzing the file.
upload_sample
Method | Route |
---|---|
/samples/entities/samples/v2 |
- Consumes: multipart/form-data
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
comment |
|
|
formData | string | A descriptive comment to identify the file for other users. |
data |
|
|
formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
|
file_data or sample or upfile |
|
|
formData | string | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
|
file_name |
|
|
formData | string | Name to use for the file. Uses current file name if not specified. |
is_confidential |
|
|
formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console.
true . |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.upload_sample(sample=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.UploadSampleV2(file_data=PAYLOAD,
file_name="string",
comment='string',
is_confidential=boolean
)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
FILENAME = 'test_file.ext'
PAYLOAD = open(FILENAME, 'rb').read()
response = falcon.command("UploadSampleV2",
data=PAYLOAD,
file_name="string",
comment="string",
is_confidential=boolean,
content_type="application/octet-stream"
)
print(response)
Removes a sample, including file, meta and submissions from the collection
delete_sample
Method | Route |
---|---|
/samples/entities/samples/v2 |
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
id |
|
|
query | string | The file SHA256. |
parameters |
|
|
query | dictionary | Full query string parameters payload in JSON format. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.delete_sample(ids=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.DeleteSampleV2(ids=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("DeleteSampleV2", ids=id_list)
print(response)
Retrieves a list with sha256 of samples that exist and customer has rights to access them, maximum number of accepted items is 200
query_sample
Method | Route |
---|---|
/samples/queries/samples/GET/v1 |
- Consumes: application/json
- Produces: application/json
Name | Service | Uber | Type | Data type | Description |
---|---|---|---|---|---|
body |
|
|
body | dictionary | Full body payload in JSON format. |
sha256s |
|
|
body | string or list of strings | Pass a list of sha256s to check if the exist. You will be returned the list of existing hashes. |
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.query_sample(sha256s=id_list)
print(response)
from falconpy import FalconXSandbox
# Do not hardcode API credentials!
falcon = FalconXSandbox(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
id_list = 'SHA1,SHA2,SHA3' # Can also pass a list here: ['SHA1', 'SHA2', 'SHA3']
response = falcon.QuerySampleV1(sha256s=id_list)
print(response)
from falconpy import APIHarnessV2
# Do not hardcode API credentials!
falcon = APIHarnessV2(client_id=CLIENT_ID,
client_secret=CLIENT_SECRET
)
BODY = {
"sha256s": [
"string"
]
}
response = falcon.command("QuerySampleV1", body=BODY)
print(response)
- Home
- Discussions Board
- Glossary of Terms
- Installation, Upgrades and Removal
- Samples Collection
- Using FalconPy
- API Operations
-
Service Collections
- Alerts
- API Integrations
- Cloud Connect AWS (deprecated)
- Cloud Snapshots
- Configuration Assessment
- Configuration Assessment Evaluation Logic
- Container Alerts
- Container Detections
- Container Images
- Container Packages
- Container Vulnerabilities
- CSPM Registration
- Custom IOAs
- Custom Storage
- D4C Registration (deprecated)
- Detects
- Device Control Policies
- Discover
- Drift Indicators
- Event Streams
- Exposure Management
- Falcon Complete Dashboard
- Falcon Container
- Falcon Intelligence Sandbox
- FDR
- FileVantage
- Firewall Management
- Firewall Policies
- Foundry LogScale
- Host Group
- Hosts
- Identity Protection
- Image Assessment Policies
- Incidents
- Installation Tokens
- Intel
- IOA Exclusions
- IOC
- IOCs (deprecated)
- Kubernetes Protection
- MalQuery
- Message Center
- ML Exclusions
- Mobile Enrollment
- MSSP (Flight Control)
- OAuth2
- ODS (On Demand Scan)
- Overwatch Dashboard
- Prevention Policy
- Quarantine
- Quick Scan
- Real Time Response
- Real Time Response Admin
- Real Time Response Audit
- Recon
- Report Executions
- Response Policies
- Sample Uploads
- Scheduled Reports
- Sensor Download
- Sensor Update Policy
- Sensor Visibility Exclusions
- Spotlight Evaluation Logic
- Spotlight Vulnerabilities
- Tailored Intelligence
- ThreatGraph
- Unidentified Containers
- User Management
- Workflows
- Zero Trust Assessment
- Documentation Support
-
CrowdStrike SDKs
- Crimson Falcon - Ruby
- FalconPy - Python 3
- FalconJS - Javascript
- goFalcon - Go
- PSFalcon - Powershell
- Rusty Falcon - Rust