
Falconx Sandbox

The Falcon Intelligence Sandbox service collection provides operations for analyzing malware samples and URLs. Download artifacts, memory dumps, and analysis reports. Submit files and URLs for sandbox analysis, query reports and submissions, and manage sample files.

Language | Last Update
Python | v1.5.0
PowerShell | v2.2.9
Go | v0.20.0
TypeScript | v0.6.0
Rust | v0.7.0
Ruby | v1.2.0

This service collection has code examples posted to the repository.

Operation | PEP 8 method | Description
GetArtifacts | get_artifacts | Download IOC packs, PCAP files, and other analysis artifacts.
GetMemoryDumpExtractedStrings | get_dump_extracted_strings | Get extracted strings from a memory dump.
GetMemoryDumpHexDump | get_hex_dump | Get the hex view of a memory dump.
GetMemoryDump | get_memory_dump | Get memory dump content, as a binary.
GetSummaryReports | get_summary_reports | Get a short summary version of a sandbox report.
GetReports | get_reports | Get a full sandbox report.
DeleteReport | delete_report | Delete a report by report ID. Confirm the deletion by polling for the report ID on the report-summaries endpoint.
GetSubmissions | get_submissions | Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
Submit | submit | Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.
QueryReports | query_reports | Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.
QuerySubmissions | query_submissions | Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.
GetSampleV2 | get_sample | Retrieves the file associated with the given ID (SHA256).
UploadSampleV2 | upload_sample | Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.
DeleteSampleV2 | delete_sample | Removes a sample, including its file, metadata and submissions, from the collection.
QuerySampleV1 | query_sample | Retrieves the SHA256s of the supplied hashes that exist and that the customer has rights to access. A maximum of 200 hashes is accepted per request.

Download IOC packs, PCAP files, and other analysis artifacts.

GET /falconx/entities/artifacts/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_artifacts

Name | Type | Data type | Description
headers | header | string | Format used to compress your downloaded file. Currently you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | query | string | ID of an artifact, such as an IOC pack, PCAP file, or actor image. Find an artifact ID in a report or summary.
name | query | string | The name given to your downloaded file.
parameters | query | dictionary | Full query string parameters payload in JSON format.
stream | query | boolean | Enable streaming download of the returned file.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# Download the artifact and write the returned content to disk.
with open("output_file", "wb") as save_file:
    response = falcon.get_artifacts(id="string",
                                    name="string",
                                    stream=boolean)
    save_file.write(response)

Get extracted strings from a memory dump.

GET /falconx/entities/memory-dump/extracted-strings/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_dump_extracted_strings

Name | Type | Data type | Description
headers | header | string | Format used to compress your downloaded file. Currently you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | query | string | Extracted strings ID.
name | query | string | The name given to your downloaded file.
parameters | query | dictionary | Full query string parameters payload in JSON format.
stream | query | boolean | Enable streaming download of the returned file.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# Download the extracted strings and write the returned content to disk.
with open("output_file", "wb") as save_file:
    response = falcon.get_dump_extracted_strings(id="string",
                                                 name="string",
                                                 stream=boolean)
    save_file.write(response)

Get the hex view of a memory dump.

GET /falconx/entities/memory-dump/hex-dump/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_hex_dump

Name | Type | Data type | Description
headers | header | string | Format used to compress your downloaded file. Currently you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | query | string | Hex dump ID.
name | query | string | The name given to your downloaded file.
parameters | query | dictionary | Full query string parameters payload in JSON format.
stream | query | boolean | Enable streaming download of the returned file.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# Download the hex view and write the returned content to disk.
with open("output_file", "wb") as save_file:
    response = falcon.get_hex_dump(id="string",
                                   name="string",
                                   stream=boolean)
    save_file.write(response)

Get memory dump content, as a binary.

GET /falconx/entities/memory-dump/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_memory_dump

Name | Type | Data type | Description
headers | header | string | Format used to compress your downloaded file. Currently you must provide the value gzip, the only valid format, as the Accept-Encoding header when using the Uber class. This keyword is not necessary when using the Service Class.
id | query | string | Memory dump ID.
name | query | string | The name given to your downloaded file.
parameters | query | dictionary | Full query string parameters payload in JSON format.
stream | query | boolean | Enable streaming download of the returned file.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# Download the memory dump and write the returned content to disk.
with open("output_file", "wb") as save_file:
    response = falcon.get_memory_dump(id="string",
                                      name="string",
                                      stream=boolean)
    save_file.write(response)

Get a short summary version of a sandbox report.

GET /falconx/entities/report-summaries/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_summary_reports

Name | Type | Data type | Description
ids | query | string or list of strings | ID of a summary report. Find a summary report ID in the response when submitting a malware sample, or search with query_reports.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_summary_reports(ids=id_list)
print(response)

Get a full sandbox report.

GET /falconx/entities/reports/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_reports

Name | Type | Data type | Description
ids | query | string or list of strings | ID of a report. Find a report ID in the response when submitting a malware sample, or search with query_reports.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_reports(ids=id_list)
print(response)

Delete a report by report ID. Confirm the deletion by polling for the report ID on the report-summaries endpoint: once the ID no longer resolves, the delete has taken effect.

DELETE /falconx/entities/reports/v1
Scope: Sandbox (Falcon Intelligence): WRITE. Produces: application/json
PEP 8: delete_report

Name | Type | Data type | Description
ids | query | string or list of strings | ID of a report. Find a report ID in the response when submitting a malware sample, or search with query_reports.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_report(ids=id_list)
print(response)

Check the status of a sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

GET /falconx/entities/submissions/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: get_submissions

Name | Type | Data type | Description
ids | query | string or list of strings | ID of a submitted malware sample. Find a submission ID in the response when submitting a malware sample, or search with query_submissions.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.get_submissions(ids=id_list)
print(response)

Submit an uploaded file or a URL for sandbox analysis. Time required for analysis varies but is usually less than 15 minutes.

POST /falconx/entities/submissions/v1
Scope: Sandbox (Falcon Intelligence): WRITE. Produces: application/json
PEP 8: submit

Name | Type | Data type | Description
action_script | body | string | Runtime script for sandbox analysis. Accepted values:
  • default
  • default_randomtheme
  • default_maxantievasion
  • default_openie
  • default_randomfiles
aid | query | string | Device AID.
body | body | dictionary | Full body payload in JSON format.
command_line | body | string | Command line passed to the submitted file at runtime. Max length: 2048 characters.
document_password | body | string | Auto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters.
enable_tor | body | boolean | Deprecated; use network_settings instead. If true, sandbox analysis routes network traffic via TOR.
environment_id | body | integer | Specifies the sandbox environment used for analysis. Accepted values:
  • 410 - macOS Sonoma, ARM 64-bit
  • 400 - macOS Catalina 10.15
  • 300 - Linux Ubuntu 16.04, 64-bit
  • 200 - Android (static analysis)
  • 160 - Windows 10, 64-bit
  • 140 - Windows 11, 64-bit
  • 110 - Windows 7, 64-bit
  • 100 - Windows 7, 32-bit
network_settings | body | string | Specifies the sandbox network settings used for analysis. Accepted values:
  • default - fully operating network
  • tor - route network traffic via TOR
  • simulated - simulate network traffic
  • offline - no network traffic
parameters | query | dictionary | Full query string parameters payload in JSON format.
send_email_notification | body | boolean | Boolean indicating whether an email notification should be sent.
sha256 | body | string | ID of the sample, which is a SHA256 hash value. Find a sample ID in the response when uploading a malware sample, or search with query_sample. The url keyword must be unset if this keyword is used.
submit_name | body | string | Name of the malware sample, used for file type detection and analysis.
system_date | body | string | Set a custom date in the format yyyy-MM-dd for the sandbox environment.
system_time | body | string | Set a custom time in the format HH:mm for the sandbox environment.
url | body | string | A web page or file URL. It can be HTTP(S) or FTP. The sha256 keyword must be unset if this keyword is used.
user_tags | body | list of strings | User tags.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# All keywords are shown for reference; a real call sets either sha256
# (an uploaded sample) or url, never both.
response = falcon.submit(action_script="string",
                         aid="string",
                         command_line="string",
                         document_password="string",
                         enable_tor=boolean,
                         environment_id=integer,
                         network_settings="string",
                         send_email_notification=boolean,
                         sha256="string",
                         submit_name="string",
                         system_date="string",
                         system_time="string",
                         url="string",
                         user_tags=["string"])
print(response)

Find sandbox reports by providing an FQL filter and paging details. Returns a set of report IDs that match your criteria.

GET /falconx/queries/reports/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: query_reports

Name | Type | Data type | Description
filter | query | string | Optional filter and sort criteria in the form of an FQL query.
limit | query | integer | The maximum number of records to return (max: 5000).
offset | query | integer | Starting index of the overall result set from which to return IDs.
parameters | query | dictionary | Full query string parameters payload in JSON format.
sort | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_reports(filter="string",
                                limit=integer,
                                offset=integer,
                                sort="string")
print(response)

Find submission IDs for uploaded files by providing an FQL filter and paging details. Returns a set of submission IDs that match your criteria.

GET /falconx/queries/submissions/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: query_submissions

Name | Type | Data type | Description
filter | query | string | Optional filter and sort criteria in the form of an FQL query.
limit | query | integer | The maximum number of records to return (max: 5000).
offset | query | integer | Starting index of the overall result set from which to return IDs.
parameters | query | dictionary | Full query string parameters payload in JSON format.
sort | query | string | The property to sort on, followed by a dot (.), followed by the sort direction, either asc or desc.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_submissions(filter="string",
                                    limit=integer,
                                    offset=integer,
                                    sort="string")
print(response)
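Both query operations above return only IDs, capped at 5000 per call, so a complete result set has to be walked with offset and limit and then resolved with the matching entity getter (get_reports or get_submissions). The following is an added example, not FalconPy's own code. It assumes the query callable takes filter=, limit=, offset= and sort= and the getter takes ids=, both returning the FalconPy result shape {"status_code": int, "body": {"meta": {"pagination": {"total": N}}, "resources": [...]}}; the FQL field names in SAMPLE_FILTER, the batch size for the getter, and the FakeQueryAPI stub are assumptions made so the block runs offline.

```python
"""Added example (not FalconPy's code): page through query_reports /
query_submissions with offset/limit, then resolve the IDs in batches.
Assumes the FalconPy result shape described in the lead-in; FakeQueryAPI
is a constructed offline stand-in for the real client."""
MAX_LIMIT = 5000  # documented ceiling for the limit parameter

# Assumed FQL field names; check your report schema before relying on them.
SAMPLE_FILTER = "verdict:'malicious'+created_timestamp:>'2024-01-01T00:00:00Z'"


def iter_ids(query, fql=None, sort=None, page_size=500):
    """Yield every ID the query matches, advancing offset until the set is exhausted."""
    page_size = min(page_size, MAX_LIMIT)
    offset = 0
    while True:
        resp = query(filter=fql, limit=page_size, offset=offset, sort=sort)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query failed: {resp['body'].get('errors')}")
        ids = resp["body"].get("resources") or []
        if not ids:
            return
        yield from ids
        offset += len(ids)
        total = resp["body"].get("meta", {}).get("pagination", {}).get("total")
        if total is not None and offset >= total:
            return  # pagination.total tells us the last page has been read


def batched(items, size):
    """Split an iterable into lists of at most `size` items."""
    batch = []
    for item in items:
        batch.append(item)
        if len(batch) == size:
            yield batch
            batch = []
    if batch:
        yield batch


def fetch_matching(query, getter, fql=None, sort=None, page_size=500, batch_size=100):
    """Resolve every matching ID to its entity, batch_size IDs per getter call (batch size assumed)."""
    entities = []
    for chunk in batched(iter_ids(query, fql, sort, page_size), batch_size):
        resp = getter(ids=chunk)
        if resp["status_code"] != 200:
            raise RuntimeError(f"fetch failed: {resp['body'].get('errors')}")
        entities.extend(resp["body"].get("resources") or [])
    return entities


class FakeQueryAPI:
    """Constructed offline stand-in for query_reports/get_reports (not the real client)."""

    def __init__(self, count):
        self.ids = [f"report-{i:04d}" for i in range(count)]
        self.query_calls = 0
        self.get_calls = 0

    def query_reports(self, filter=None, limit=100, offset=0, sort=None):
        self.query_calls += 1
        page = self.ids[offset:offset + min(limit, MAX_LIMIT)]
        return {"status_code": 200,
                "body": {"meta": {"pagination": {"offset": offset, "limit": limit,
                                                 "total": len(self.ids)}},
                         "resources": page}}

    def get_reports(self, ids):
        self.get_calls += 1
        return {"status_code": 200,
                "body": {"resources": [{"id": i, "verdict": "malicious"} for i in ids]}}


if __name__ == "__main__":
    api = FakeQueryAPI(1203)  # swap for a FalconXSandbox instance
    reports = fetch_matching(api.query_reports, api.get_reports,
                             fql=SAMPLE_FILTER, sort="created_timestamp.desc")
    print(len(reports), "reports in", api.query_calls, "query calls and", api.get_calls, "fetches")
```

With a real client, pass falcon.query_submissions and falcon.get_submissions (or the report pair) as the two callables; the stop condition uses the pagination total so a filter that matches nothing costs a single query call.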

Retrieves the file associated with the given ID (SHA256).

GET /samples/entities/samples/v2
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/octet-stream
PEP 8: get_sample

Name | Type | Data type | Description
ids | query | string | The file SHA256.
parameters | query | dictionary | Full query string parameters payload in JSON format.
password_protected | query | boolean | Whether the sample should be zipped and password protected, with the password infected.
stream | query | boolean | Enable streaming download of the returned file.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

# The sample is potentially malicious; password_protected=True keeps it zipped
# with the password "infected" so the raw file never lands on disk unwrapped.
with open("output_file", "wb") as save_file:
    response = falcon.get_sample(ids=id_list,
                                 password_protected=boolean,
                                 stream=boolean)
    save_file.write(response)
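Handling the download once it is on disk deserves care: the archive holds live malware, a zip's declared sizes can lie, and the file you receive should be the hash you asked for. The following is an added example, not FalconPy's or CrowdStrike's code. It relies only on the page's statement that a password_protected download is a zip with the password infected; the 256 MB ceiling reuses the documented upload limit as a sanity bound, and the archive built by make_test_archive is constructed for the offline run and is unencrypted (Python's zipfile cannot write encrypted zips), so the password is accepted but not exercised there.

```python
"""Added example (not FalconPy's code): verify a get_sample(password_protected=True)
download in memory without writing the decrypted sample to disk."""
import hashlib
import io
import zipfile

SAMPLE_PASSWORD = b"infected"          # password the page documents for protected downloads
MAX_UNCOMPRESSED = 256 * 1024 * 1024   # assumed bound, borrowed from the 256 MB upload limit


def sha256_hex(data):
    """SHA256 of a byte string as lowercase hex, the ID form get_sample expects."""
    return hashlib.sha256(data).hexdigest()


def verify_sample_archive(zip_bytes, expected_sha256, password=SAMPLE_PASSWORD,
                          max_size=MAX_UNCOMPRESSED):
    """Return (member_name, size) if the archive's single member hashes to expected_sha256."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        members = archive.infolist()
        if len(members) != 1:
            raise ValueError(f"expected one member, found {len(members)}")
        info = members[0]
        if info.file_size > max_size:  # refuse before inflating an oversized (or bomb) entry
            raise ValueError(f"declared size {info.file_size} exceeds limit {max_size}")
        digest = hashlib.sha256()
        total = 0
        with archive.open(info, pwd=password) as member:
            for chunk in iter(lambda: member.read(1 << 16), b""):
                total += len(chunk)
                if total > max_size:  # the header can lie; enforce the bound while streaming
                    raise ValueError("member inflated past the size limit")
                digest.update(chunk)
    if digest.hexdigest() != expected_sha256.lower():
        raise ValueError("SHA256 mismatch: archive does not contain the requested sample")
    return info.filename, total


def make_test_archive(name, data):
    """Constructed, unencrypted stand-in for a get_sample download (offline use only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    payload = b"MZ constructed placeholder, not real malware"  # constructed input
    sha = sha256_hex(payload)
    print(verify_sample_archive(make_test_archive(sha, payload), sha))
```

In production the zip_bytes argument is the content written by the get_sample call above, and expected_sha256 is the ID passed as ids; a mismatch means the wrong artifact was stored under that name and the file should not be handed on to analysts or tooling.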

Upload a file for sandbox analysis. After uploading, use /falconx/entities/submissions/v1 to start analyzing the file.

POST /samples/entities/samples/v2
Scope: Sandbox (Falcon Intelligence): WRITE. Consumes: multipart/form-data. Produces: application/json
PEP 8: upload_sample

Name | Type | Data type | Description
comment | formData | string | A descriptive comment to identify the file for other users.
data | formData | file | Content of the uploaded sample in binary format. Max file size: 256 MB. Accepted file formats:
  • Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc.
  • Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub
  • PDF
  • APK
  • Executable JAR
  • Windows script component: .sct
  • Windows shortcut: .lnk
  • Windows help: .chm
  • HTML application: .hta
  • Windows script file: .wsf
  • JavaScript: .js
  • Visual Basic: .vbs, .vbe
  • Shockwave Flash: .swf
  • Perl: .pl
  • PowerShell: .ps1, .psd1, .psm1
  • Scalable vector graphics: .svg
  • Python: .py
  • Linux ELF executables
  • Email files: MIME RFC 822 .eml, Outlook .msg
file_data (aliases: sample, upfile) | formData | string | Content of the uploaded sample in binary format, i.e. the raw bytes of the file. Same 256 MB limit and accepted formats as data above.
file_name | formData | string | Name to use for the file. Uses the current file name if not specified.
is_confidential | formData | boolean | Defines the visibility of this file in Falcon MalQuery, either via the API or the Falcon console. true - the file is only shown to users within your customer account. false - the file can be seen by other CrowdStrike customers. Defaults to true.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

# file_data carries the raw bytes of the sample, so read the file in binary mode.
with open("sample_file", "rb") as sample_file:
    file_data = sample_file.read()

response = falcon.upload_sample(comment="string",
                                file_data=file_data,
                                file_name="string",
                                is_confidential=boolean)
print(response)

Removes a sample, including its file, metadata and submissions, from the collection.

DELETE /samples/entities/samples/v2
Scope: Sandbox (Falcon Intelligence): WRITE. Produces: application/json
PEP 8: delete_sample

Name | Type | Data type | Description
ids | query | string | The file SHA256.
parameters | query | dictionary | Full query string parameters payload in JSON format.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

id_list = 'ID1,ID2,ID3'  # Can also pass a list here: ['ID1', 'ID2', 'ID3']

response = falcon.delete_sample(ids=id_list)
print(response)

Retrieves the SHA256s of the supplied hashes that exist and that the customer has rights to access. A maximum of 200 hashes is accepted per request.

POST /samples/queries/samples/GET/v1
Scope: Sandbox (Falcon Intelligence): READ. Produces: application/json
PEP 8: query_sample

Name | Type | Data type | Description
body | body | dictionary | Full body payload in JSON format.
sha256s | body | string or list of strings | Pass a list of SHA256s to check whether they exist. The list of existing hashes is returned.

from falconpy import FalconXSandbox

falcon = FalconXSandbox(client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET
                        )

response = falcon.query_sample(sha256s=["string"])
print(response)
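The sample and submission operations on this page form one procedure: check with query_sample whether the hash is already stored, upload_sample if it is not, submit the SHA256 with a validated environment and network setting, poll get_submissions until the analysis finishes (usually under 15 minutes), then pull the result with get_reports. The following is an added example that ties those steps together; it is not FalconPy's or CrowdStrike's code. It assumes the client exposes those Service Class methods with the keywords documented above and returns the FalconPy result shape {"status_code": int, "body": {"resources": [...], "errors": [...]}}; that upload_sample echoes the stored hash in resources[0]["sha256"]; that a submission's "state" moves through "created"/"running" to "success" or "error"; and that the report is fetched with the submission ID. FakeFalconX is a constructed stand-in so the block runs offline.

```python
"""Added example (not FalconPy's code): upload -> submit -> poll -> report.
Assumptions (see lead-in): FalconPy result shape, submission state names,
report fetched by submission ID. FakeFalconX is a constructed offline stub."""
import hashlib
import time

ACTION_SCRIPTS = {"default", "default_randomtheme", "default_maxantievasion",
                  "default_openie", "default_randomfiles"}
ENVIRONMENT_IDS = {410, 400, 300, 200, 160, 140, 110, 100}
NETWORK_SETTINGS = {"default", "tor", "simulated", "offline"}
TERMINAL_STATES = {"success", "error"}  # assumed state names


def build_submission(sha256=None, url=None, environment_id=160, action_script="default",
                     network_settings="offline", command_line=None, document_password=None):
    """Return submit() keywords after enforcing the limits this page documents."""
    if bool(sha256) == bool(url):
        raise ValueError("set exactly one of sha256 or url")
    for value, allowed, name in ((environment_id, ENVIRONMENT_IDS, "environment_id"),
                                 (action_script, ACTION_SCRIPTS, "action_script"),
                                 (network_settings, NETWORK_SETTINGS, "network_settings")):
        if value not in allowed:
            raise ValueError(f"{name} {value!r} is not an accepted value")
    if command_line is not None and len(command_line) > 2048:
        raise ValueError("command_line longer than 2048 characters")
    if document_password is not None and len(document_password) > 32:
        raise ValueError("document_password longer than 32 characters")
    kwargs = {"environment_id": environment_id, "action_script": action_script,
              "network_settings": network_settings, "sha256": sha256 or None, "url": url or None,
              "command_line": command_line, "document_password": document_password}
    return {k: v for k, v in kwargs.items() if v is not None}  # leave unused keywords unset


def _ok(resp):
    """Return the body of a 200 result; raise with the API's error list otherwise."""
    if resp["status_code"] != 200:
        raise RuntimeError(f"API error {resp['status_code']}: {resp['body'].get('errors')}")
    return resp["body"]


def ensure_uploaded(client, data, file_name):
    """Upload only when query_sample reports the hash as absent; verify the echoed hash."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in _ok(client.query_sample(sha256s=[digest])).get("resources", []):
        return digest
    body = _ok(client.upload_sample(file_data=data, file_name=file_name, is_confidential=True))
    if body["resources"][0]["sha256"] != digest:  # the service stored different bytes
        raise RuntimeError("uploaded SHA256 does not match the local hash")
    return digest


def wait_for_submission(client, submission_id, timeout=900, interval=30, sleep=time.sleep):
    """Poll get_submissions until a terminal state; the default timeout is the page's 15 minutes."""
    deadline = time.monotonic() + timeout
    while True:
        sub = _ok(client.get_submissions(ids=submission_id))["resources"][0]
        if sub.get("state") in TERMINAL_STATES:
            return sub
        if time.monotonic() >= deadline:
            raise TimeoutError(f"submission {submission_id} still {sub.get('state')!r}")
        sleep(interval)


def analyze(client, data, file_name, sleep=time.sleep, **submit_opts):
    """Run the whole lifecycle and return the full report resource."""
    digest = ensure_uploaded(client, data, file_name)
    submitted = _ok(client.submit(**build_submission(sha256=digest, **submit_opts)))
    sub = wait_for_submission(client, submitted["resources"][0]["id"], sleep=sleep)
    if sub["state"] != "success":
        raise RuntimeError(f"analysis of {digest} ended in state {sub['state']!r}")
    return _ok(client.get_reports(ids=sub["id"]))["resources"][0]


class FakeFalconX:
    """Constructed offline stand-in for FalconXSandbox (not the real client)."""

    def __init__(self, polls_until_done=2):
        self.samples, self.polls, self.polls_until_done = set(), 0, polls_until_done

    def query_sample(self, sha256s):
        return {"status_code": 200, "body": {"resources": [s for s in sha256s if s in self.samples]}}

    def upload_sample(self, file_data, file_name, is_confidential=True):
        digest = hashlib.sha256(file_data).hexdigest()
        self.samples.add(digest)
        return {"status_code": 200, "body": {"resources": [{"sha256": digest, "file_name": file_name}]}}

    def submit(self, **kwargs):
        return {"status_code": 200, "body": {"resources": [{"id": "sub-0001", "state": "created"}]}}

    def get_submissions(self, ids):
        self.polls += 1
        state = "success" if self.polls >= self.polls_until_done else "running"
        return {"status_code": 200, "body": {"resources": [{"id": ids, "state": state}]}}

    def get_reports(self, ids):
        return {"status_code": 200, "body": {"resources": [{"id": ids, "verdict": "malicious"}]}}


if __name__ == "__main__":
    client = FakeFalconX()  # swap for FalconXSandbox(client_id=..., client_secret=...)
    print(analyze(client, b"MZ constructed placeholder bytes", "sample.exe", sleep=lambda _: None))
```

The defaults are deliberately conservative: network_settings="offline" keeps a detonation from beaconing out unless you opt in, and build_submission refuses a call that sets both sha256 and url or exceeds the documented command_line and document_password lengths before anything reaches the API.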