CrowdStrikeMalquery
Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.
Authentication & Identity Management · CrowdStrike Malquery
Configuration parameters
base_url— Server URL (e.g. https://example.net) (required)client_id— Client IDclient_secret— Client Secretcredentials_client— Client IDinsecure— Trust any certificate (not secure)proxy— Use system proxy settingsintegrationReliability— Source ReliabilityfeedExpirationPolicy—feedExpirationInterval—
Commands (9)
-
cs-malquery-exact-searchSearches Falcon MalQuery for a combination of hex patterns and strings to identify malware samples based upon file content, which returns a request ID. Use the request ID in the cs-malquery-get-request command to retrieve results. You can filter results based on criteria such as file type, file size and first seen date.
-
cs-malquery-file-downloadDownload a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported.
-
cs-malquery-fuzzy-searchSearches Falcon MalQuery quickly. Uses partial matching, but with more potential for false positives. Search for a combination of hex patterns and strings to identify samples based upon file content.
-
cs-malquery-get-ratelimitReturns information about search and download quotas in your environment.
-
cs-malquery-get-requestChecks the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request ID.
-
cs-malquery-huntSchedules a YARA rule-based search for execution, which returns a request ID. Use the request ID in the cs-malquery-get-request command to retrieve results. You can filter based on criteria such as file type, file size and first seen date.
-
cs-malquery-sample-fetchFetches a zip archive file using the password, "infected" containing the samples. Use this after the cs-malquery-samples-multidownload request has finished processing.
-
cs-malquery-samples-multidownloadSchedule samples for download, which returns a request ID. Use the request ID in the cs-malquery-get-request, to check the status of the operation. When the request status is “done”, use the cs-malquery-sample-fetch to download the results as a password-protected archive. The password to extract results from the archive: infected'
-
fileRetrieves indexed files metadata by their hash.