
MalQuery

Joshua Hiller edited this page Apr 12, 2021 · 16 revisions


Using the Malquery service collection

Uber class support

Table of Contents

| API Function | Description |
| --- | --- |
| GetMalQueryQuotasV1 | Get information about search and download quotas in your environment |
| PostMalQueryFuzzySearchV1 | Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. |
| GetMalQueryDownloadV1 | Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time |
| GetMalQueryMetadataV1 | Retrieve indexed files metadata by their hash |
| GetMalQueryRequestV1 | Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time. |
| GetMalQueryEntitiesSamplesFetchV1 | Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing |
| PostMalQueryEntitiesSamplesMultidownloadV1 | Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready, after which you can call the /entities/samples-fetch to get the zip |
| PostMalQueryExactSearchV1 | Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint |
| PostMalQueryHuntV1 | Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint |

GetMalQueryQuotasV1

Get information about search and download quotas in your environment

Content-Type

  • Produces: application/json

Parameters

No parameters

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

response = falcon.command('GetMalQueryQuotasV1')
print(response)
falcon.deauthenticate()

PostMalQueryFuzzySearchV1

Search Falcon MalQuery quickly, but with more potential for false positives. Search for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity.

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | body | body | string | Fuzzy search parameters. See model for more details. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.command('PostMalQueryFuzzySearchV1', body=BODY)
print(response)
falcon.deauthenticate()

GetMalQueryDownloadV1

Download a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported at this time

Content-Type

  • Produces: application/octet-stream

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | ids | query | array (string) | The file SHA256. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

IDS = 'ID1'  # Only one file SHA256 is supported per call at this time

response = falcon.command('GetMalQueryDownloadV1', ids=IDS)
print(response)
falcon.deauthenticate()

GetMalQueryMetadataV1

Retrieve indexed files metadata by their hash

Content-Type

  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | ids | query | array (string) | The file SHA256. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

IDS = 'ID1,ID2,ID3'

response = falcon.command('GetMalQueryMetadataV1', ids=IDS)
print(response)
falcon.deauthenticate()

GetMalQueryRequestV1

Check the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request id at this time.

Content-Type

  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | ids | query | array (string) | Identifier of a MalQuery request |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

IDS = 'ID1'  # A single request id is supported per call at this time

response = falcon.command('GetMalQueryRequestV1', ids=IDS)
print(response)
falcon.deauthenticate()

GetMalQueryEntitiesSamplesFetchV1

Fetch a zip archive with password 'infected' containing the samples. Call this once the /entities/samples-multidownload request has finished processing

Content-Type

  • Produces: application/zip

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | ids | query | string | Multidownload job id |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

IDS = 'ID1'  # The multidownload job id returned by PostMalQueryEntitiesSamplesMultidownloadV1

response = falcon.command('GetMalQueryEntitiesSamplesFetchV1', ids=IDS)
print(response)
falcon.deauthenticate()

PostMalQueryEntitiesSamplesMultidownloadV1

Schedule samples for download. Use the result id with the /request endpoint to check if the download is ready, after which you can call the /entities/samples-fetch to get the zip

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | body | body | string | Download request. See model for more details. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.command('PostMalQueryEntitiesSamplesMultidownloadV1', body=BODY)
print(response)
falcon.deauthenticate()

PostMalQueryExactSearchV1

Search Falcon MalQuery for a combination of hex patterns and strings in order to identify samples based upon file content at byte level granularity. You can filter results on criteria such as file type, file size and first seen date. Returns a request id which can be used with the /request endpoint

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | body | body | string | Exact search parameters. See model for more details. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.command('PostMalQueryExactSearchV1', body=BODY)
print(response)
falcon.deauthenticate()

PostMalQueryHuntV1

Schedule a YARA-based search for execution. Returns a request id which can be used with the /request endpoint

Content-Type

  • Consumes: application/json
  • Produces: application/json

Parameters

| Required | Name | Type | Datatype | Description |
| --- | --- | --- | --- | --- |
| | body | body | string | Hunt parameters. See model for more details. |

Usage

Uber class example
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

BODY = {
    'Body Payload': 'See body description above'
}

response = falcon.command('PostMalQueryHuntV1', body=BODY)
print(response)
falcon.deauthenticate()
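The exact-search, /request, samples-multidownload and samples-fetch sections above describe one asynchronous workflow; the following is an added example (not code from the FalconPy wiki or the project) that chains them through the Uber class. It assumes, beyond what the page states, that request ids are returned in body["meta"]["reqid"], that GetMalQueryRequestV1 reports progress in body["meta"]["reqid_status"] as "inprogress" then "done", that the exact-search body is {"options", "patterns"}, that the multidownload body is {"samples": [...]}, and that the samples-fetch call returns the zip as raw bytes; FakeHarness is a constructed stand-in so the flow runs offline.

```python
import time

# Assumed, not from the wiki: ids in body["meta"]["reqid"], poll status in
# body["meta"]["reqid_status"] ("inprogress" then "done"), body shapes below.
def wait_for_request(falcon, request_id, sleep=time.sleep, max_polls=60):
    """Poll GetMalQueryRequestV1 (one id per call) until the request is done."""
    for _ in range(max_polls):
        resp = falcon.command("GetMalQueryRequestV1", ids=request_id)
        if resp["status_code"] != 200:
            raise RuntimeError(f"{request_id}: HTTP {resp['status_code']}")
        status = resp["body"].get("meta", {}).get("reqid_status")
        if status == "done":
            return resp["body"]
        if status != "inprogress":  # failed, cancelled or unknown: stop polling
            raise RuntimeError(f"{request_id}: status {status!r}")
        sleep(5)  # quotas are per environment, so back off between polls
    raise TimeoutError(f"{request_id}: not done after {max_polls} polls")


def exact_search_and_fetch(falcon, patterns, limit=10, sleep=time.sleep):
    """Exact search -> /request -> samples-multidownload -> /request -> samples-fetch.
    Returns (matching sha256 list, zip bytes); the zip password is 'infected'."""
    body = {"options": {"limit": limit}, "patterns": patterns}
    search = falcon.command("PostMalQueryExactSearchV1", body=body)
    hits = wait_for_request(falcon, search["body"]["meta"]["reqid"], sleep)
    hashes = [r["sha256"] for r in hits.get("resources", [])]
    if not hashes:
        return [], b""
    job = falcon.command("PostMalQueryEntitiesSamplesMultidownloadV1",
                         body={"samples": hashes})
    job_id = job["body"]["meta"]["reqid"]
    wait_for_request(falcon, job_id, sleep)
    return hashes, falcon.command("GetMalQueryEntitiesSamplesFetchV1", ids=job_id)


class FakeHarness:
    """Constructed stand-in for FalconSDK.APIHarness: runs the flow offline."""
    def __init__(self):
        self.polls, self.submitted = {}, 0

    def command(self, op, **kw):
        if op.startswith("Post"):  # both submit endpoints return a request id
            self.submitted += 1
            return {"status_code": 200, "body": {"meta": {"reqid": f"req{self.submitted}"}}}
        if op == "GetMalQueryRequestV1":  # first poll inprogress, then done
            n = self.polls[kw["ids"]] = self.polls.get(kw["ids"], 0) + 1
            return {"status_code": 200, "body": {
                "meta": {"reqid_status": "done" if n > 1 else "inprogress"},
                "resources": [{"sha256": "a" * 64}, {"sha256": "b" * 64}]}}
        return b"PK\x03\x04constructed-zip"  # samples-fetch: raw archive bytes
```

Against a real environment, pass the authenticated FalconSDK.APIHarness from the examples above in place of FakeHarness and keep the default sleep so polling respects your search and download quotas.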
