Falcon Malware Sandbox APIv2 Connector
Falcon Sandbox has a powerful and simple API that can be used to submit files/URLs for analysis, pull report data, but also perform advanced search queries. The API is open and free to the entire IT-security community.
$ gem install falconz
To create a client, we can specify our API key or set the HYBRID_ANALYSIS_API_KEY
environment variable to communicate with the API.
require "falconz"
client = Falconz.client.new(key: "your_api_key")
Get the current file hashes that are being processed along with their environment IDs.
client.in_progress
# => [{:hash=>"b8560ce1bacb5515fdaef7cb3615a8172663da749b038687ab4a439cbf64f23b", :environment=>"100"},
# {:hash=>"4f456ae8d592a73be8e898384a6b78cf1406965bcb2cea38ffa976c1084acb74", :environment=>"120"},
# {:hash=>"6e206c74d4b9796264e5e2cb351e563806320e8d6d794fba38d3be93aa4b1bb5", :environment=>"100"},
# {:hash=>"8d5bd56a19d06d46c8e92552f0bf81fa38cbf3365ab022e97075810be18000d9", :environment=>"120"},
# {:hash=>"497f631d332b6b242528409778ecb7a778b1b50d6964139b549fdd71410381bc", :environment=>"120"}]
Upload a local file to the sandbox.
client.submit_file(file: "malware.exe", environment_id: 100)
# => {"job_id"=>"5acc00b27ca3e138c14ab0e4",
# "environment_id"=>"100",
# "sha256"=>"015e5c626b993855fa88ce4c9758bc780fac3774c3d8bfcfae62833affc31e00"}
Search for results related to a given hash (MD5/SHA1/SHA256).
client.search_hash("cc311a06612f1b420cf788bd8883fa9dbd34d33ba8fa2443b86b7f88c7a75c2c")
# => [{"job_id"=>"5ae641ad7ca3e175d57a6013",
# "environment_id"=>"100",
# "environment_description"=>"Windows 7 32 bit",
# "size"=>3127633,
# "type"=>"PE32 executable (GUI) Intel 80386, for MS Windows",
# "type_short"=>["peexe"],
# "target_url"=>nil,
# "state"=>"SUCCESS",
# "submit_name"=>"sospecha.exe",
# "md5"=>"7421fed9ae4b6643913b080718b919cc",
# "sha1"=>"4f86bc7a578b6ac9d1e5f1fc325917e436f60520",
# "sha256"=>"cc311a06612f1b420cf788bd8883fa9dbd34d33ba8fa2443b86b7f88c7a75c2c",
# "sha512"=>"684558a218f6039ba718bfeac763f529222474498a41fdfa6994c8a3955b2686c07fd053d1afab73b2403b9f98fd3cf7112faec220c1b12b574c6a7fea828a8b",
# "ssdeep"=>"49152:32uJI9LH1MuvxlFl7Z0pnZASuwSpW/vnjC91R8rsiX8L1ViGiJJLQRRtaU:muwLH6oF0pZAS6W/vWzRo8iGi2RtaU",
# "imphash"=>"884310b1928934402ea6fec1dbd3cf5e",
# "av_detect"=>1,
# "vx_family"=>"TSGeneric",
# "url_analysis"=>false,
# "analysis_start_time"=>"2018-04-30T00:06:01-05:00",
# "threat_score"=>85,
# "interesting"=>false,
# "threat_level"=>2,
# "verdict"=>"malicious",
# "certificates"=>[],
# "domains"=>[],
# "classification_tags"=>[],
# "compromised_hosts"=>[],
# "hosts"=>[],
# "total_network_connections"=>0,
# "total_processes"=>5,
# "total_signatures"=>56,
# "extracted_files"=>[],
# "processes"=>[],
# "file_metadata"=>nil}]
Check the number of environments available to use.
client.number_of_environments
# => 5
Get the available environments ID numbers.
client.environment_ids
# => [100, 110, 120, 300, 200]
Get information about current API key being used.
client.current_key
# => {"api_key"=>"130cce541890e1d9c4b34b83cb8b4cee9854bd90b6180b9",
# "auth_level"=>100,
# "auth_level_name"=>"default",
# "user"=>
# {"id"=>"4cee9b605d901c825c",
# "email"=>"[email protected]",
# "name"=>"picat"}}
The gem is available as open source under the terms of the MIT License.