MalQuery
The MalQuery service collection provides operations for searching and downloading malware samples from Falcon’s malware repository. Check quotas, perform fuzzy or exact searches by hex patterns and strings, download files, retrieve metadata, schedule multi-sample downloads, and run YARA-based hunts.
| Language | Last Update |
|---|---|
| Python | v1.5.0 |
| PowerShell | v2.2.9 |
| Go | v0.20.0 |
| TypeScript | v0.6.0 |
| Rust | v0.7.0 |
| Ruby | v1.2.0 |
This service collection has code examples posted to the repository.
Table of Contents
| Operation | Description |
|---|---|
| GetMalQueryQuotasV1 (get_quotas) | Get information about search and download quotas in your environment. |
| PostMalQueryFuzzySearchV1 (fuzzy_search) | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity. |
| GetMalQueryDownloadV1 (get_download) | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time. |
| GetMalQueryMetadataV1 (get_metadata) | Retrieve indexed files' metadata by their hash. |
| GetMalQueryRequestV1 (get_request) | Check the status and results of an asynchronous request, such as a hunt or exact search. Supports a single request ID at this time. |
| GetMalQueryEntitiesSamplesFetchV1 (get_samples) | Fetch a zip archive (password: 'infected') containing the samples. Call this once the /entities/samples-multidownload request has finished processing. |
| PostMalQueryEntitiesSamplesMultidownloadV1 (samples_multidownload) | Schedule samples for download. Use the result ID with the /request endpoint to check whether the download is ready, after which you can call /entities/samples-fetch to get the zip. |
| PostMalQueryExactSearchV1 (exact_search) | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity. You can filter results on criteria such as file type, file size and first-seen date. Returns a request ID which can be used with the /request endpoint. |
| PostMalQueryHuntV1 (hunt) | Schedule a YARA-based search for execution. Returns a request ID which can be used with the /request endpoint. |
GetMalQueryQuotasV1
Get information about search and download quotas in your environment.
get_quotas
Parameters
No keywords or arguments are accepted.
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.get_quotas()print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.GetMalQueryQuotasV1()print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.command("GetMalQueryQuotasV1")print(response)Get-FalconMalQueryQuotapackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.GetMalQueryQuotasV1( &malquery.GetMalQueryQuotasV1Params{ Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.getMalQueryQuotasV1();
console.log(response);use rusty_falcon::apis::malquery_api::get_mal_query_quotas_v1;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_mal_query_quotas_v1(&falcon.cfg).await.expect("API call failed"); // configuration
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
response = api.get_mal_query_quotas_v1
puts responsePostMalQueryFuzzySearchV1
Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity.
fuzzy_search
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| filter_meta | body | list of strings | FQL Syntax. |
| limit | body | integer | Maximum number of matches to return. |
| patterns | body | list of dictionaries | List of patterns to match in JSON format. Example: {"type": "string", "value": "string"} |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
patterns = [ { "type": "string", "value": "string" }]
response = falcon.fuzzy_search(filter_meta=["string"], limit=integer, patterns=patterns)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
patterns = [ { "type": "string", "value": "string" }]
response = falcon.PostMalQueryFuzzySearchV1(filter_meta=["string"], limit=integer, patterns=patterns)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = { "options": { "filter_meta": ["string"], "limit": integer }, "patterns": [ { "type": "string", "value": "string" } ]}
response = falcon.command("PostMalQueryFuzzySearchV1", body=body_payload)print(response)Invoke-FalconMalQuery -Type "string" ` -Value "string" ` -Limit integer ` -Fuzzy $booleanpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
type := "string" value := "string"
response, err := client.Malquery.PostMalQueryFuzzySearchV1( &malquery.PostMalQueryFuzzySearchV1Params{ Body: &models.MalqueryFuzzySearchParametersV1{ Options: &struct{}{}, Patterns: []interface{}{ { Type: &type, Value: &value, }, }, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.postMalQueryFuzzySearchV1( { options: { filterMeta: [], limit: integer }, patterns: [{ type: "string", value: "string" }]} // body);
console.log(response);use rusty_falcon::apis::malquery_api::post_mal_query_fuzzy_search_v1;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MalqueryFuzzySearchParametersV1;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MalqueryFuzzySearchParametersV1 { patterns: vec![SearchParameter { type: Some("string".to_string()), value: Some("string".to_string()), ..Default::default() }], ..Default::default() };
let response = post_mal_query_fuzzy_search_v1( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
body = Falcon::MalqueryFuzzySearchParametersV1.new( options: { filter_meta: [], limit: integer }, patterns: [{ type: 'string', value: 'string' }])
response = api.post_mal_query_fuzzy_search_v1(body)
puts responseGetMalQueryDownloadV1
Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time.
get_download
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File(s) SHA256 ID. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
with open("output_file", "wb") as save_file: response = falcon.get_download(ids=id_list, stream=boolean, stream=boolean) save_file.write(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
with open("output_file", "wb") as save_file: response = falcon.GetMalQueryDownloadV1(ids=id_list, stream=boolean, stream=boolean) save_file.write(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
with open("output_file", "wb") as save_file: response = falcon.command("GetMalQueryDownloadV1", ids=id_list) save_file.write(response)Receive-FalconMalQuerySample -Path "string" -Id "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.GetMalQueryDownloadV1( &malquery.GetMalQueryDownloadV1Params{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.getMalQueryDownloadV1(["ID1", "ID2", "ID3"]); // ids
console.log(response);use rusty_falcon::apis::malquery_api::get_mal_query_download_v1;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_mal_query_download_v1( &falcon.cfg, // configuration vec!["string".to_string()], // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
response = api.get_mal_query_download_v1(['ID1', 'ID2', 'ID3'])
puts responseGetMalQueryMetadataV1
Retrieve indexed files' metadata by their hash.
get_metadata
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | File(s) SHA256 ID. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_metadata(ids=id_list)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetMalQueryMetadataV1(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetMalQueryMetadataV1", ids=id_list)print(response)Get-FalconMalQuerySample -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.GetMalQueryMetadataV1( &malquery.GetMalQueryMetadataV1Params{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.getMalQueryMetadataV1(["ID1", "ID2", "ID3"]); // ids
console.log(response);use rusty_falcon::apis::malquery_api::get_mal_query_metadata_v1;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_mal_query_metadata_v1( &falcon.cfg, // configuration vec!["string".to_string()], // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
response = api.get_mal_query_metadata_v1(['ID1', 'ID2', 'ID3'])
puts responseGetMalQueryRequestV1
Check the status and results of an asynchronous request, such as a hunt or exact search. Supports a single request ID at this time.
get_request
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string | Identifier of the MalQuery request. |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_request(ids=id_list)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetMalQueryRequestV1(ids=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetMalQueryRequestV1", ids=id_list)print(response)Get-FalconMalQuery -Id "string"package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.GetMalQueryRequestV1( &malquery.GetMalQueryRequestV1Params{ Ids: []string{"ID1", "ID2", "ID3"}, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.getMalQueryRequestV1(["ID1", "ID2", "ID3"]); // ids
console.log(response);use rusty_falcon::apis::malquery_api::get_mal_query_request_v1;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_mal_query_request_v1( &falcon.cfg, // configuration vec!["string".to_string()], // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
response = api.get_mal_query_request_v1(['ID1', 'ID2', 'ID3'])
puts responseGetMalQueryEntitiesSamplesFetchV1
Fetch a zip archive (password: 'infected') containing the samples. Call this once the /entities/samples-multidownload request has finished processing.
get_samples
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| ids | query | string or list of strings | Multi-download job ID(s). |
| parameters | query | dictionary | Full query string parameters payload in JSON format. |
| stream | query | boolean | Enable streaming download of the returned file. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.get_samples(ids=id_list, stream=boolean)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.GetMalQueryEntitiesSamplesFetchV1(ids=id_list, stream=boolean)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.command("GetMalQueryEntitiesSamplesFetchV1", ids="string")print(response)Examples coming soon.
package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.GetMalQueryEntitiesSamplesFetchV1( &malquery.GetMalQueryEntitiesSamplesFetchV1Params{ Ids: "string", Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.getMalQueryEntitiesSamplesFetchV1("string"); // ids
console.log(response);use rusty_falcon::apis::malquery_api::get_mal_query_entities_samples_fetch_v1;use rusty_falcon::easy::client::FalconHandle;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let response = get_mal_query_entities_samples_fetch_v1( &falcon.cfg, // configuration "string", // ids ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
response = api.get_mal_query_entities_samples_fetch_v1('string')
puts responsePostMalQueryEntitiesSamplesMultidownloadV1
Schedule samples for download. Use the result ID with the /request endpoint to check whether the download is ready, after which you can call /entities/samples-fetch to get the zip.
samples_multidownload
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| samples | body | list of strings | List of MalQuery sample ID(s) to be downloaded. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.samples_multidownload(samples=id_list)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
response = falcon.PostMalQueryEntitiesSamplesMultidownloadV1(samples=id_list)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
id_list = 'ID1,ID2,ID3' # Can also pass a list here: ['ID1', 'ID2', 'ID3']
body_payload = { "samples": ["string"]}
response = falcon.command("PostMalQueryEntitiesSamplesMultidownloadV1", body=body_payload)print(response)Group-FalconMalQuerySample -Id @("ID1", "ID2")package main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
response, err := client.Malquery.PostMalQueryEntitiesSamplesMultidownloadV1( &malquery.PostMalQueryEntitiesSamplesMultidownloadV1Params{ Body: &models.MalqueryMultiDownloadRequestV1{ Samples: []string{"string"}, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.postMalQueryEntitiesSamplesMultidownloadV1( { samples: []} // body);
console.log(response);use rusty_falcon::apis::malquery_api::post_mal_query_entities_samples_multidownload_v1;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MalqueryMultiDownloadRequestV1;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MalqueryMultiDownloadRequestV1 { samples: vec!["string".to_string()], ..Default::default() };
let response = post_mal_query_entities_samples_multidownload_v1( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
body = Falcon::MalqueryMultiDownloadRequestV1.new( samples: [])
response = api.post_mal_query_entities_samples_multidownload_v1(body)
puts responsePostMalQueryExactSearchV1
Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte-level granularity. You can filter results on criteria such as file type, file size and first-seen date. Returns a request ID which can be used with the /request endpoint.
exact_search
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| filter_filetypes | body | list of strings | File types to filter on. |
| filter_meta | body | list of strings | File metadata to filter on. |
| limit | body | integer | Maximum number of matches to return. |
| min_date | body | string | UTC formatted date string representing the earliest date from which to return results. |
| max_date | body | string | UTC formatted date string representing the latest date from which to return results. |
| min_size | body | string | Minimum file size for returned results. |
| max_size | body | string | Maximum file size for returned results. |
| patterns | body | list of dictionaries | List of patterns to match in JSON format. Example: {"type": "string", "value": "string"} |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
patterns = [ { "type": "string", "value": "string" }]
response = falcon.exact_search(filter_filetypes=["string"], filter_meta=["string"], limit=integer, max_date="string", min_date="string", max_size="string", min_size="string", patterns=patterns)print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
patterns = [ { "type": "string", "value": "string" }]
response = falcon.PostMalQueryExactSearchV1(filter_filetypes=["string"], filter_meta=["string"], limit=integer, max_date="string", min_date="string", max_size="string", min_size="string", patterns=patterns)print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = { "options": { "app": "string", "filter_filetypes": ["string"], "filter_meta": ["string"], "limit": integer, "max_date": "string", "max_size": "string", "min_date": "string", "min_size": "string", "submitted_by_customer": boolean }, "patterns": [ { "type": "string", "value": "string" } ]}
response = falcon.command("PostMalQueryExactSearchV1", body=body_payload)print(response)Invoke-FalconMalQuery -Type "string" ` -Value "string" ` -Limit integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
type := "string" value := "string"
response, err := client.Malquery.PostMalQueryExactSearchV1( &malquery.PostMalQueryExactSearchV1Params{ Body: &models.MalqueryExternalExactSearchParametersV1{ Options: &struct{}{}, Patterns: []interface{}{ { Type: &type, Value: &value, }, }, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.postMalQueryExactSearchV1( { options: { app: "string", filterFiletypes: [], filterMeta: [], limit: integer, maxDate: "string", maxSize: "string", minDate: "string", minSize: "string", submittedByCustomer: boolean }, patterns: [{ type: "string", value: "string" }]} // body);
console.log(response);use rusty_falcon::apis::malquery_api::post_mal_query_exact_search_v1;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MalqueryExternalExactSearchParametersV1;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MalqueryExternalExactSearchParametersV1 { patterns: vec![SearchParameter { type: Some("string".to_string()), value: Some("string".to_string()), ..Default::default() }], ..Default::default() };
let response = post_mal_query_exact_search_v1( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
body = Falcon::MalqueryExternalExactSearchParametersV1.new( options: { app: 'string', filter_filetypes: [], filter_meta: [], limit: integer, max_date: 'string', max_size: 'string', min_date: 'string', min_size: 'string', submitted_by_customer: boolean }, patterns: [{ type: 'string', value: 'string' }])
response = api.post_mal_query_exact_search_v1(body)
puts responsePostMalQueryHuntV1
Schedule a YARA-based search for execution. Returns a request ID which can be used with the /request endpoint.
hunt
Parameters
| Name | Type | Data type | Description |
|---|---|---|---|
| body | body | dictionary | Full body payload in JSON format. |
| filter_filetypes | body | list of strings | File types to filter on. |
| filter_meta | body | list of strings | File metadata to filter on. |
| limit | body | integer | Maximum number of matches to return. |
| min_date | body | string | UTC formatted date string representing the earliest date from which to return results. |
| max_date | body | string | UTC formatted date string representing the latest date from which to return results. |
| min_size | body | string | Minimum file size for returned results. |
| max_size | body | string | Maximum file size for returned results. |
| yara_rule | body | string | YARA rule to use for matching. |
Code Examples
Section titled “Code Examples”from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.hunt(filter_filetypes=["string"], filter_meta=["string"], limit=integer, max_date="string", min_date="string", max_size="string", min_size="string", yara_rule="string")print(response)from falconpy import MalQuery
falcon = MalQuery(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
response = falcon.PostMalQueryHuntV1(filter_filetypes=["string"], filter_meta=["string"], limit=integer, max_date="string", min_date="string", max_size="string", min_size="string", yara_rule="string")print(response)from falconpy import APIHarnessV2
falcon = APIHarnessV2(client_id=CLIENT_ID, client_secret=CLIENT_SECRET )
body_payload = { "options": { "app": "string", "filter_filetypes": ["string"], "filter_meta": ["string"], "limit": integer, "max_date": "string", "max_size": "string", "min_date": "string", "min_size": "string", "submitted_by_customer": boolean }, "yara_rule": "string"}
response = falcon.command("PostMalQueryHuntV1", body=body_payload)print(response)Invoke-FalconMalQuery -YaraRule "string" -Limit integerpackage main
import ( "context" "fmt" "os"
"github.com/crowdstrike/gofalcon/falcon" "github.com/crowdstrike/gofalcon/falcon/client/malquery" "github.com/crowdstrike/gofalcon/falcon/models")
func main() { client, err := falcon.NewClient(&falcon.ApiConfig{ ClientId: os.Getenv("FALCON_CLIENT_ID"), ClientSecret: os.Getenv("FALCON_CLIENT_SECRET"), Context: context.Background(), }) if err != nil { panic(err) }
yara_rule := "string"
response, err := client.Malquery.PostMalQueryHuntV1( &malquery.PostMalQueryHuntV1Params{ Body: &models.MalqueryExternalHuntParametersV1{ Options: &struct{}{}, YaraRule: &yara_rule, }, Context: context.Background(), }, ) if err != nil { panic(falcon.ErrorExplain(err)) }
fmt.Printf("%+v\n", response.Payload)}import { FalconClient } from "crowdstrike-falcon";
const client = new FalconClient({ cloud: process.env.FALCON_CLOUD!, clientId: process.env.FALCON_CLIENT_ID!, clientSecret: process.env.FALCON_CLIENT_SECRET!,});
const response = await client.malquery.postMalQueryHuntV1( { options: { app: "string", filterFiletypes: [], filterMeta: [], limit: integer, maxDate: "string", maxSize: "string", minDate: "string", minSize: "string", submittedByCustomer: boolean }, yaraRule: "string"} // body);
console.log(response);use rusty_falcon::apis::malquery_api::post_mal_query_hunt_v1;use rusty_falcon::easy::client::FalconHandle;use rusty_falcon::models::MalqueryExternalHuntParametersV1;
#[tokio::main]async fn main() { let falcon = FalconHandle::from_env().await.expect("Could not authenticate");
let body = MalqueryExternalHuntParametersV1 { yara_rule: Some("string".to_string()), ..Default::default() };
let response = post_mal_query_hunt_v1( &falcon.cfg, // configuration body, // body ).await.expect("API call failed");
println!("{:?}", response);}require "crimson-falcon"
Falcon.configure do |config| config.client_id = ENV["FALCON_CLIENT_ID"] config.client_secret = ENV["FALCON_CLIENT_SECRET"] config.cloud = ENV["FALCON_CLOUD"]end
api = Falcon::Malquery.new
body = Falcon::MalqueryExternalHuntParametersV1.new( options: { app: 'string', filter_filetypes: [], filter_meta: [], limit: integer, max_date: 'string', max_size: 'string', min_date: 'string', min_size: 'string', submitted_by_customer: boolean }, yara_rule: 'string')
response = api.post_mal_query_hunt_v1(body)
puts response