CrowdStrike Malquery
CrowdStrike Malquery Pack.#
This Integration is part of theUse the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine. This integration was integrated and tested with version 1.0 of CrowdStrikeMalquery
#
Configure CrowdStrikeMalquery in CortexParameter | Description | Required |
---|---|---|
base_url | Server URL (e.g. https://example.net\) | True |
client_id | Client ID | True |
client_secret | Client Secret | True |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
cs-malquery-exact-searchSearches Falcon MalQuery for a combination of hex patterns and strings to identify malware samples based upon file content, which returns a request ID. Use the request ID in the cs-malquery-get-request command to retrieve results. You can filter results based on criteria such as file type, file size and first seen date.
#
Base Commandcs-malquery-exact-search
#
InputArgument Name | Description | Required |
---|---|---|
hex | The hex pattern to search. For example, deadbeef0102 (for bytes de, ad, be, ef, 01, 02). | Optional |
ascii | The ASCII pattern to search. For example, CrowdStrike. | Optional |
wide | The wide string pattern to search. For example, CrowdStrike. | Optional |
limit | The maximum number of results to be returned. Default is 100. | Optional |
max_size | The maximum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
min_size | The minimum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
max_date | Limits results to files first seen before this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
min_date | Limits results to files first seen after this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
filter_filetypes | Limits results to certain file types such as EMAIL, PCAP, PDF, PE32. Comma separated values. For a full list of file types, see the MalQuery API documentation. | Optional |
filter_meta | Specifies a subset of metadata fields to return in the results. Possible values - sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.Request_ID | String | The request ID. |
#
Command Example!cs-malquery-exact-search hex=8948208b480833ca33f989502489482889782c8bd7 filter_meta=sha256,type,size limit=5
#
Context Example#
Human Readable Output#
Search Result
Request_ID 08942ddd-373e-493d-54f9-f6e495174913
#
cs-malquery-huntSchedules a YARA rule-based search for execution, which returns a request ID. Use the request ID in the cs-malquery-get-request command to retrieve results. You can filter based on criteria such as file type, file size and first seen date.
#
Base Commandcs-malquery-hunt
#
InputArgument Name | Description | Required |
---|---|---|
yara_rule | The YARA rule to search. | Optional |
yar_file_entry_id | A YAR file entry ID that contains the YARA rule to search. Only one Yara rule per request. | Optional |
limit | The maximum number of results to be returned. | Optional |
max_size | The maximum file size. The value can be specified either in bytes or in multiples of KB/MB/GB. For example, 128000, 1.3 KB, 8mb. | Optional |
min_size | The minimum file size. For example, 128000, 1.3 KB, 8mb. | Optional |
max_date | Limits results to files first seen before this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
min_date | Limits results to files first seen after this date. The format is YYYY/MM/DD. For example, 2018/01/31. | Optional |
filter_filetypes | Limits results to files of certain types such as EMAIL, PCAP, PDF, PE32. Comma separated values. For a full list of types, see the MalQuery API documentation. | Optional |
filter_meta | Specifies a subset of metadata fields to return in the results. Possible values - sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.Request_ID | String | The request ID. |
#
Command Example!cs-malquery-hunt file_type=PE32 filter_meta=sha256,type,size limit=5 yara_rule="rule CrowdStrike_16142_01 : wiper { strings: $ = { 41 61 43 63 64 44 65 46 66 47 68 69 4B 4C 6C 4D 6D 6E 4E 6F 4F 70 50 72 52 73 53 54 74 55 75 56 76 77 57 78 79 5A 7A 33 32 2E 5C 45 62 67 6A 48 49 20 5F 59 51 42 3A 22 2F 40 } condition: all of them and filesize < 800KB }"
#
Context Example#
Human Readable Output#
Search Result
Request_ID 503efffd-2d44-4566-7794-8de45568cbbf
#
cs-malquery-fuzzy-searchSearches Falcon MalQuery quickly. Uses partial matching, but with more potential for false positives. Search for a combination of hex patterns and strings to identify samples based upon file content.
#
Base Commandcs-malquery-fuzzy-search
#
InputArgument Name | Description | Required |
---|---|---|
hex | The hex pattern to search. For example, deadbeef0102 (for bytes de, ad, be, ef, 01, 02). | Optional |
ascii | The ASCII pattern to search. For example, CrowdStrike. | Optional |
wide | The wide string pattern to search. For example, CrowdStrike. | Optional |
limit | The maximum number of results to be returned. Default is 100. | Optional |
filter_meta | Specifies a subset of metadata fields to return in the results. Possible values - sha256, md5, type, size, first_seen, label, family. Comma separated values. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
Malquery.File.filesize | String | The size of the file. |
Malquery.File.filetype | String | The type of the file. |
Malquery.File.first_seen | String | The date when the file was first seen. |
Malquery.File.label | String | The label of the file. For example, Malware. |
Malquery.File.md5 | String | The MD5 of the file. |
Malquery.File.sha1 | String | The SHA1 of the file. |
Malquery.File.sha256 | String | The SHA256 of the file. |
#
Command Example!cs-malquery-fuzzy-search hex=8948208b480833ca33f989502489482889782c8bd7 filter_meta=sha256,type,size limit=5
#
Context Example#
Human Readable Output#
Fuzzy Search Result
filesize filetype sha256 310552 PE32 e51f0a8884eb08fc43da0501ebd3776831e2fd4b0a8dd12e69866a8febe41495 1672180 PE32 bc74f8fc37b902536b52c1157b74724edc96a586b0e3e38717dd845981443a5b 1672188 PE32 72b021085f62e5dc1335f878a2751bce68d95918c84215ec8dfebf491009ea09 279624 PE32 5e2e1735e10684b36d30b3a3362e66cd30fb493afac8e711d92bde8372b9b6d0 19055104 PE32 d5023cd464d7578506770338e0fc43bd64887dbf234785b4d8f8547e57efa33d
#
cs-malquery-get-requestChecks the status and results of an asynchronous request, such as hunt or exact-search. Supports a single request ID.
#
Base Commandcs-malquery-get-request
#
InputArgument Name | Description | Required |
---|---|---|
request_id | The identifier of a MalQuery request. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.Request_ID | String | The request ID. |
Malquery.Status | String | The status of the request. |
Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
Malquery.File.filesize | String | The size of the file. |
Malquery.File.filetype | String | The type of the file. For example, PE32. |
Malquery.File.first_seen | String | The date when the file was first seen. |
Malquery.File.label | String | The label of the file. For example, malware. |
Malquery.File.md5 | String | The file MD5. |
Malquery.File.sha1 | String | The file SHA1. |
Malquery.File.sha256 | String | The file SHA256. |
#
Command Example!cs-malquery-get-request request_id=096f6aa5-f245-4b09-790f-133bc89d4d26
#
Context Example#
Human Readable Output#
Search Result for request: 096f6aa5-f245-4b09-790f-133bc89d4d26
filesize filetype first_seen label md5 sha1 sha256 151552 PE32 2020/06/09 unknown 0b189ab69d40e782fe827c63e1cc6f06 85be23059c9abb3370586dc49dbd8f1ced05df8e d207ccf1eabcc9453288896d963f1a1c558c427abfe9305d7328e3a6fb06f6ee 245760 PE32 2019/03/12 malware 688bdedf1f9dd44d6db51a7f8499939c 2ca2622317bc840bf890d1e337d2c547be2cfebf 41a1d7b98d0ce3259270c9a8f26fe8899cca402cba69ef8e5c70449faea8b714 317440 PE32 2018/01/24 malware 345ade2a73ee83e4f75447a26c4e78c9 6ae00484a878201e6150108ca1b234dd1f68930d 0f191518ab7f24643218bd3384ae4bd1f52ec80419730d87196605a2a69938d7 128512 PE32 2017/07/20 malware 2b82ce15a632e3ce1485bfc87e586ee5 df07d50296914de0ca3116d4ca6d3845d55c7540 3fb85b787fa005e591cd2cd7e1e83c79d103b1c26f5da31fdf788764ae0b8bb0 130560 PE32 2016/12/09 malware 697c515a46484be4f9597cb4f39b2959 b9fc1ac4a7ccee467402f190391974a181391da3 bf79622491dc5d572b4cfb7feced055120138df94ffd2b48ca629bb0a77514cc
#
cs-malquery-get-ratelimitReturns information about search and download quotas in your environment.
#
Base Commandcs-malquery-get-ratelimit
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.Quota.hunt_count | number | How many hunts were executed in the last month. |
Malquery.Quota.download_count | number | How many downloads were executed in the last month. |
Malquery.Quota.monitor_count | number | How many monitors were created in the last month. |
Malquery.Quota.hunt_limit | number | Total hunt limit per month. |
Malquery.Quota.download_limit | number | The total download limit per month. |
Malquery.Quota.monitor_limit | number | The total monitor limit per month. |
Malquery.Quota.refresh_time | string | The time when the limits are refreshed. ISO 8601 format. |
Malquery.Quota.days_left | number | The days left until the limits are refreshed. |
Malquery.Quota.hunt_counts.userid | String | The download counts per user. |
Malquery.Quota.hunt_counts.counter | number | The download counts per user. |
#
Command Example!cs-malquery-get-ratelimit
#
Context Example#
Human Readable Output#
Quota Data
hunt_count download_count monitor_count hunt_limit download_limit monitor_limit refresh_time days_left 83 28 0 100 50 10 2020-08-01T00:00:00Z 3
#
cs-malquery-samples-multidownloadSchedule samples for download, which returns a request ID. Use the request ID in the cs-malquery-get-request, to check the status of the operation. When the request status is “done”, use the cs-malquery-sample-fetch to download the results as a password-protected archive. The password to extract results from the archive: infected'
#
Base Commandcs-malquery-samples-multidownload
#
InputArgument Name | Description | Required |
---|---|---|
samples | Sample sha256 IDs. Comma separated values. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Malquery.Request_ID | String | The request ID. |
Malquery.Status | String | The request status. |
#
Command Example!cs-malquery-samples-multidownload samples=742db9f3ae1b7322dfe8ab81476cd3146f9c0ce086fc4cd38a1072fb6cae8662,accc6794951290467e01b7676e8b4ba177076d54f836589ea7d3298cdf6fc995
#
Context Example#
Human Readable Output#
Samples Multidownload Request
Request_ID e2e1aecb-6e34-44f7-5d42-932880276c5e
#
cs-malquery-file-downloadDownload a file indexed by MalQuery. Specify the file using its SHA256. Only one file is supported.
#
Base Commandcs-malquery-file-download
#
InputArgument Name | Description | Required |
---|---|---|
file_id | The SHA256 file. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The Entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | MD5 hash of the file. |
#
Command Example!cs-malquery-file-download file_id=d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766
#
Context Example#
cs-malquery-sample-fetchFetches a zip archive file using the password, "infected" containing the samples. Use this after the cs-malquery-samples-multidownload request has finished processing.
#
Base Commandcs-malquery-sample-fetch
#
InputArgument Name | Description | Required |
---|---|---|
request_id | Identifier of a MalQuery request. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.SHA256 | String | THe SHA256 hash of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.EntryID | String | The entry ID. |
File.Info | String | Information about the file. |
File.Type | String | The type of the file. |
File.MD5 | String | The MD5 hash of the file. |
#
Command Example!cs-malquery-sample-fetch request_id=93b55373-3b69-43cb-6ea1-2870a44e1c1e
#
Context Example#
Human Readable Output#
fileRetrieves indexed files metadata by their hash.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | The SHA256 of the files. Comma separated values. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | The indicator type. |
DBotScore.Indicator | String | The indicator that was tested. |
File.Vendor | String | The vendor used to calculate the score. |
Malquery.File.family | String | The malware family of the file. For example, StoneDrill. |
Malquery.File.filesize | String | The size of the file. |
Malquery.File.filetype | String | The type of the file. |
Malquery.File.first_seen | String | The date when the file was first seen. |
Malquery.File.label | String | The label of the file. |
Malquery.File.md5 | String | The MD5 hash of the file. |
Malquery.File.sha1 | String | The SHA1 hash of the file. |
Malquery.File.sha256 | String | The SHA256 hash of the file. |
#
Command Example!file file=d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766
#
Context Example#
Human Readable Output#
CrowdStrike Malquery File reputation
filesize filetype first_seen label md5 sha1 sha256 1076152 PE32 2014/01/27 unknown c6a6a731f341ced1d93b61bc7628721d 8953cdddbe825e8378c590084dca1e3d76ced233 d77cf874521ee7d4bb7f54bd8cef3d60ec24d267cf2d502f819880f0819f5766