CrowdStrike Malware Analysis Integration Guide

Overview

The CrowdStrike Malware Analysis integration allows your NINA workflows to connect with CrowdStrike Falcon platform for file analysis, malware research, and sandboxing capabilities. This integration enables automated security operations, threat detection, and incident response directly from your automation platform.

Capabilities

This integration provides access to 5 resources with 45 operations covering:

• Falconx Sandbox: Operations for Falconx Sandbox
• Malquery: Operations for Malquery
• Quick Scan: Operations for Quick Scan
• Quick Scan Pro: Operations for Quick Scan Pro
• Sample Uploads: Operations for Sample Uploads

Credential Configuration

Before using the CrowdStrike Malware Analysis integration in your workflows, you need to configure credentials for authentication.

Authentication Method

CrowdStrike Falcon uses OAuth2 Client Credentials authentication. This is a server-to-server authentication flow where you provide a Client ID and Client Secret, and the integration automatically handles token acquisition and refresh.

Field	Description	Required
Client ID	Your CrowdStrike API Client ID	Yes
Client Secret	Your CrowdStrike API Client Secret	Yes
Base URL	CrowdStrike API endpoint for your cloud region	Yes

How It Works

1. You provide the Client ID and Client Secret when creating a credential
2. The integration exchanges these for an OAuth2 access token automatically
3. Tokens are refreshed automatically when they expire
4. No redirect URLs or user interaction required

CrowdStrike Cloud Regions

Select the Base URL that matches your CrowdStrike Falcon cloud region:

Cloud Region	Base URL	Description
US-1	https://api.crowdstrike.com	United States (default)
US-2	https://api.us-2.crowdstrike.com	United States (secondary)
EU-1	https://api.eu-1.crowdstrike.com	European Union
US-GOV-1	https://api.laggar.gcw.crowdstrike.com	US Government Cloud

How to Obtain API Credentials

1. Log in to the CrowdStrike Falcon Console
2. Navigate to Support and resources > API Clients and Keys
3. Click Add new API client
4. Configure the API client:
   • Client Name: A descriptive name (e.g., "NINA Integration")
   • Description: Purpose of this API client
   • API Scopes: Select the permissions required for your use case (see Required Scopes below)
5. Click Add to create the client
6. Copy and securely store the Client ID and Client Secret immediately

Important: The Client Secret is only displayed once at creation time. If you lose it, you must create a new API client.

Required API Scopes

The API scopes required depend on which operations you plan to use. Common scopes include:

Scope	Permission	Use Case
Detections	Read/Write	View and manage detections
Hosts	Read/Write	Query and manage endpoints
Incidents	Read/Write	View and manage incidents
IOCs	Read/Write	Manage indicators of compromise
Prevention Policies	Read/Write	Manage prevention policies
Real Time Response	Read/Write	Execute RTR commands
Sensor Update Policies	Read/Write	Manage sensor updates

Refer to the CrowdStrike API documentation for a complete list of available scopes.

Creating a CrowdStrike Credential in NINA

1. Navigate to the Credentials section in NINA
2. Click Add New Credential
3. Fill in the credential details:
   • Integration Service: Select "CrowdStrike Malware Analysis"
   • Client ID: Paste your CrowdStrike API Client ID
   • Client Secret: Paste your CrowdStrike API Client Secret
   • Base URL: Select your CrowdStrike cloud region URL
4. Click Test Connection to verify the credentials work
5. Click Save to store the credential securely

Note: All CrowdStrike integrations (EDR, Intel, Platform, etc.) share the same credential. You only need to create one credential to use across all CrowdStrike modules.

Supported Resources

Resource	Description	Operations
Falconx Sandbox	Operations for Falconx Sandbox	15
Malquery	Operations for Malquery	9
Quick Scan	Operations for Quick Scan	4
Quick Scan Pro	Operations for Quick Scan Pro	6
Sample Uploads	Operations for Sample Uploads	11

Resource Details

Falconx Sandbox

Operations for Falconx Sandbox

Operations

Operation	Name	Description
delete_report	Delete Report	SDK: falconx_sandbox.DeleteReport
delete_sample_v2	Delete Sample V2	SDK: falconx_sandbox.DeleteSampleV2
get_artifacts	Get Artifacts	SDK: falconx_sandbox.GetArtifacts
get_memory_dump	Get Memory Dump	SDK: falconx_sandbox.GetMemoryDump
get_memory_dump_extracted_strings	Get Memory Dump Extracted Strings	SDK: falconx_sandbox.GetMemoryDumpExtractedStrings
get_memory_dump_hex_dump	Get Memory Dump Hex Dump	SDK: falconx_sandbox.GetMemoryDumpHexDump
get_reports	Get Reports	SDK: falconx_sandbox.GetReports
get_sample_v2	Get Sample V2	SDK: falconx_sandbox.GetSampleV2
get_submissions	Get Submissions	SDK: falconx_sandbox.GetSubmissions
get_summary_reports	Get Summary Reports	SDK: falconx_sandbox.GetSummaryReports
list_reports	List Reports	SDK: falconx_sandbox.QueryReports
list_sample_	List Sample	SDK: falconx_sandbox.QuerySampleV1
list_submissions	List Submissions	SDK: falconx_sandbox.QuerySubmissions
submit	Submit	SDK: falconx_sandbox.Submit
upload_sample_v2	Upload Sample V2	SDK: falconx_sandbox.UploadSampleV2

Delete Report

SDK: falconx_sandbox.DeleteReport

Parameters:

Name	Type	Required	Description
ids	string	No	ID of a report.

Example:

{
  "ids": "<ids>"
}

Delete Sample V2

SDK: falconx_sandbox.DeleteSampleV2

Parameters:

Name	Type	Required	Description
ids	string	No	The file SHA256.

Example:

{
  "ids": "<ids>"
}

Get Artifacts

SDK: falconx_sandbox.GetArtifacts

Parameters:

Name	Type	Required	Description
accept_encoding	string	No	Format used to compress your downloaded file. Currently, you must provide the value gzip, the o...
id	string	No	ID of an artifact, such as an IOC pack, PCAP file, memory dump, or actor image. Find an artifact ...
name	string	No	The name given to your downloaded file.

Example:

{
  "accept_encoding": "<accept_encoding>",
  "id": "<id>",
  "name": "<name>"
}

Get Memory Dump

SDK: falconx_sandbox.GetMemoryDump

Parameters:

Name	Type	Required	Description
accept_encoding	string	No	Format used to compress your downloaded file. Currently, you must provide the value gzip, the o...
id	string	No	Memory dump id
name	string	No	The name given to your downloaded file.

Example:

{
  "accept_encoding": "<accept_encoding>",
  "id": "<id>",
  "name": "<name>"
}

Get Memory Dump Extracted Strings

SDK: falconx_sandbox.GetMemoryDumpExtractedStrings

Parameters:

Name	Type	Required	Description
accept_encoding	string	No	Format used to compress your downloaded file. Currently, you must provide the value gzip, the o...
id	string	No	Extracted strings id
name	string	No	The name given to your downloaded file.

Example:

{
  "accept_encoding": "<accept_encoding>",
  "id": "<id>",
  "name": "<name>"
}

Get Memory Dump Hex Dump

SDK: falconx_sandbox.GetMemoryDumpHexDump

Parameters:

Name	Type	Required	Description
accept_encoding	string	No	Format used to compress your downloaded file. Currently, you must provide the value gzip, the o...
id	string	No	Hex dump id
name	string	No	The name given to your downloaded file.

Example:

{
  "accept_encoding": "<accept_encoding>",
  "id": "<id>",
  "name": "<name>"
}

Get Reports

SDK: falconx_sandbox.GetReports

Parameters:

Name	Type	Required	Description
ids	array	No	ID of a report. Find a report ID from the response when submitting a malware sample or search wit...

Example:

{
  "ids": ["<ids>"]
}

Get Sample V2

SDK: falconx_sandbox.GetSampleV2

Parameters:

Name	Type	Required	Description
ids	string	No	The file SHA256.
password_protected	boolean	No	Flag whether the sample should be zipped and password protected with pass='infected'

Example:

{
  "ids": "<ids>",
  "password_protected": true
}

Get Submissions

SDK: falconx_sandbox.GetSubmissions

Parameters:

Name	Type	Required	Description
ids	array	No	ID of a submitted malware sample. Find a submission ID from the response when submitting a malwar...

Example:

{
  "ids": ["<ids>"]
}

Get Summary Reports

SDK: falconx_sandbox.GetSummaryReports

Parameters:

Name	Type	Required	Description
ids	array	No	ID of a summary. Find a summary ID from the response when submitting a malware sample or search w...

Example:

{
  "ids": ["<ids>"]
}

List Reports

SDK: falconx_sandbox.QueryReports

Parameters:

Name	Type	Required	Description
filter	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
limit	number	No	Maximum number of report IDs to return. Max: 5000.
offset	string	No	The offset to start retrieving reports from.
sort	string	No	Sort order: asc or desc.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

List Sample

SDK: falconx_sandbox.QuerySampleV1

Parameters:

Name	Type	Required	Description
sha256s	array	Yes	sha256s. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "sha256s": ["<sha256s>"]
}

List Submissions

SDK: falconx_sandbox.QuerySubmissions

Parameters:

Name	Type	Required	Description
filter	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
limit	number	No	Maximum number of submission IDs to return. Max: 5000.
offset	string	No	The offset to start retrieving submissions from.
sort	string	No	Sort order: asc or desc.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Submit

SDK: falconx_sandbox.Submit

Parameters:

Name	Type	Required	Description
auto_detect_environment	boolean	No	auto detect environment
sandbox	object	Yes	sandbox. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
send_email_notification	boolean	No	send email notification
user_tags	array	Yes	user tags. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "auto_detect_environment": true,
  "sandbox": {},
  "send_email_notification": true,
  "user_tags": ["<user_tags>"]
}

Upload Sample V2

SDK: falconx_sandbox.UploadSampleV2

Parameters:

Name	Type	Required	Description
comment	string	No	A descriptive comment to identify the file for other users.
file_name	string	No	Name of the file.
is_confidential	boolean	No	Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. - `...

Example:

{
  "comment": "<comment>",
  "file_name": "<file_name>",
  "is_confidential": true
}

Malquery

Operations for Malquery

Operations

Operation	Name	Description
list_mal_download_	List Mal Download	SDK: malquery.GetMalQueryDownloadV1
list_mal_entities_samples_fetch_	List Mal Entities Samples Fetch	SDK: malquery.GetMalQueryEntitiesSamplesFetchV1
list_mal_metadata_	List Mal Metadata	SDK: malquery.GetMalQueryMetadataV1
list_mal_quotas_	List Mal Quotas	SDK: malquery.GetMalQueryQuotasV1
list_mal_request_	List Mal Request	SDK: malquery.GetMalQueryRequestV1
list_post_mal_entities_samples_multidownload_	List Post Mal Entities Samples Multidownload	SDK: malquery.PostMalQueryEntitiesSamplesMultidownloadV1
list_post_mal_exact_search_	List Post Mal Exact Search	SDK: malquery.PostMalQueryExactSearchV1
list_post_mal_fuzzy_search_	List Post Mal Fuzzy Search	SDK: malquery.PostMalQueryFuzzySearchV1
list_post_mal_hunt_	List Post Mal Hunt	SDK: malquery.PostMalQueryHuntV1

List Mal Download

SDK: malquery.GetMalQueryDownloadV1

Parameters:

Name	Type	Required	Description
ids	array	No	The file SHA256.

Example:

{
  "ids": ["<ids>"]
}

List Mal Entities Samples Fetch

SDK: malquery.GetMalQueryEntitiesSamplesFetchV1

Parameters:

Name	Type	Required	Description
ids	string	No	Multidownload job id

Example:

{
  "ids": "<ids>"
}

List Mal Metadata

SDK: malquery.GetMalQueryMetadataV1

Parameters:

Name	Type	Required	Description
ids	array	No	The file SHA256.

Example:

{
  "ids": ["<ids>"]
}

List Mal Quotas

SDK: malquery.GetMalQueryQuotasV1

This operation has no parameters.

Example:

{
}

List Mal Request

SDK: malquery.GetMalQueryRequestV1

Parameters:

Name	Type	Required	Description
ids	array	No	Identifier of a MalQuery request

Example:

{
  "ids": ["<ids>"]
}

List Post Mal Entities Samples Multidownload

SDK: malquery.PostMalQueryEntitiesSamplesMultidownloadV1

Parameters:

Name	Type	Required	Description
samples	array	Yes	List of sample sha256 ids

Example:

{
  "samples": ["<samples>"]
}

List Post Mal Exact Search

SDK: malquery.PostMalQueryExactSearchV1

Parameters:

Name	Type	Required	Description
options	object	No	Additional search options
patterns	object	Yes	Patterns to search for

Example:

{
  "options": {},
  "patterns": {}
}

List Post Mal Fuzzy Search

SDK: malquery.PostMalQueryFuzzySearchV1

Parameters:

Name	Type	Required	Description
options	object	No	options. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
patterns	object	Yes	patterns. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "options": {},
  "patterns": {}
}

List Post Mal Hunt

SDK: malquery.PostMalQueryHuntV1

Parameters:

Name	Type	Required	Description
options	object	No	Optional advanced searching parameters
yara_rule	string	Yes	A YARA rule that defines your search

Example:

{
  "options": {},
  "yara_rule": "<yara_rule>"
}

Quick Scan

Operations for Quick Scan

Operations

Operation	Name	Description
get_scans	Get Scans	SDK: quick_scan.GetScans
get_scans_aggregates	Get Scans Aggregates	SDK: quick_scan.GetScansAggregates
list_submissions_mixin0	List Submissions Mixin0	SDK: quick_scan.QuerySubmissionsMixin0
scan_samples	Scan Samples	SDK: quick_scan.ScanSamples

Get Scans

SDK: quick_scan.GetScans

Parameters:

Name	Type	Required	Description
ids	array	No	ID of a submitted scan

Example:

{
  "ids": ["<ids>"]
}

Get Scans Aggregates

SDK: quick_scan.GetScansAggregates

Parameters:

Name	Type	Required	Description
date_ranges	object	Yes	date ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
exclude	string	Yes	exclude. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
extended_bounds	object	No	extended bounds. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
field	string	Yes	field. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
filter	string	Yes	filter. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
from	number	Yes	from. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
include	string	Yes	include. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
interval	string	Yes	interval. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
max_doc_count	number	No	max doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
min_doc_count	number	No	min doc count. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
missing	string	Yes	missing. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
name	string	Yes	name. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
q	string	Yes
ranges	object	Yes	ranges. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
size	number	Yes	size. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
sort	string	Yes	sort. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
sub_aggregates	object	Yes	sub aggregates. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
time_zone	string	Yes	time zone. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
type	string	Yes	type. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "date_ranges": {},
  "exclude": "<exclude>",
  "extended_bounds": {},
  "field": "<field>",
  "filter": "<filter>",
  "from": 10,
  "include": "<include>",
  "interval": "<interval>",
  "max_doc_count": 10,
  "min_doc_count": 10,
  "missing": "<missing>",
  "name": "<name>",
  "q": "<q>",
  "ranges": {},
  "size": 10,
  "sort": "<sort>",
  "sub_aggregates": {},
  "time_zone": "<time_zone>",
  "type": "<type>"
}

List Submissions Mixin0

SDK: quick_scan.QuerySubmissionsMixin0

Parameters:

Name	Type	Required	Description
filter	string	No	Optional filter and sort criteria in the form of an FQL query. For more information about FQL que...
limit	number	No	Maximum number of volume IDs to return. Max: 5000.
offset	string	No	The offset to start retrieving submissions from.
sort	string	No	Sort order: asc or desc.

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": "<offset>",
  "sort": "<sort>"
}

Scan Samples

SDK: quick_scan.ScanSamples

Parameters:

Name	Type	Required	Description
samples	array	Yes	samples. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "samples": ["<samples>"]
}

Quick Scan Pro

Operations for Quick Scan Pro

Operations

Operation	Name	Description
delete_file	Delete File	SDK: quick_scan_pro.DeleteFile
delete_scan_result	Delete Scan Result	SDK: quick_scan_pro.DeleteScanResult
get_scan_result	Get Scan Result	SDK: quick_scan_pro.GetScanResult
launch_scan	Launch Scan	SDK: quick_scan_pro.LaunchScan
list_scan_results	List Scan Results	SDK: quick_scan_pro.QueryScanResults
upload_file_mixin0mixin93	Upload File Mixin0Mixin93	SDK: quick_scan_pro.UploadFileMixin0Mixin93

Delete File

SDK: quick_scan_pro.DeleteFile

Parameters:

Name	Type	Required	Description
ids	array	No	File's SHA256

Example:

{
  "ids": ["<ids>"]
}

Delete Scan Result

SDK: quick_scan_pro.DeleteScanResult

Parameters:

Name	Type	Required	Description
ids	array	No	Scan job IDs previously created by LaunchScan

Example:

{
  "ids": ["<ids>"]
}

Get Scan Result

SDK: quick_scan_pro.GetScanResult

Parameters:

Name	Type	Required	Description
ids	array	No	Scan job IDs previously created by LaunchScan

Example:

{
  "ids": ["<ids>"]
}

Launch Scan

SDK: quick_scan_pro.LaunchScan

Parameters:

Name	Type	Required	Description
resources	array	Yes	Batch operation - array of JSON strings. Each item should be: {"field1":"value1","field2":"value...

Example:

{
  "resources": ["<resources>"]
}

List Scan Results

SDK: quick_scan_pro.QueryScanResults

Parameters:

Name	Type	Required	Description
filter	string	No	Empty value means to not filter on anything Available filter fields that supports match (~): _all...
limit	number	No	Maximum number of IDs to return. Max: 5000. Default: 50
offset	number	No	The offset to start retrieving ids from.
sort	string	No	Sort order: asc or desc. Sort supported fields created_timestamp

Example:

{
  "filter": "<filter>",
  "limit": 10,
  "offset": 10,
  "sort": "<sort>"
}

Upload File Mixin0Mixin93

SDK: quick_scan_pro.UploadFileMixin0Mixin93

Parameters:

Name	Type	Required	Description
file_name	string	No	OCTET-STREAM ONLY - Name of the file (required for octet-stream uploads).
scan	boolean	No	If true, after upload, it starts scanning immediately. Default scan mode is 'false'

Example:

{
  "file_name": "<file_name>",
  "scan": true
}

Sample Uploads

Operations for Sample Uploads

Operations

Operation	Name	Description
archive_delete_	Archive Delete	SDK: sample_uploads.ArchiveDeleteV1
archive_get_	Archive Get	SDK: sample_uploads.ArchiveGetV1
archive_list_	Archive List	SDK: sample_uploads.ArchiveListV1
archive_upload_	Archive Upload	SDK: sample_uploads.ArchiveUploadV1
archive_upload_v2	Archive Upload V2	SDK: sample_uploads.ArchiveUploadV2
delete_sample_v3	Delete Sample V3	SDK: sample_uploads.DeleteSampleV3
extraction_create_	Extraction Create	SDK: sample_uploads.ExtractionCreateV1
extraction_get_	Extraction Get	SDK: sample_uploads.ExtractionGetV1
extraction_list_	Extraction List	SDK: sample_uploads.ExtractionListV1
get_sample_v3	Get Sample V3	SDK: sample_uploads.GetSampleV3
upload_sample_v3	Upload Sample V3	SDK: sample_uploads.UploadSampleV3

Archive Delete

SDK: sample_uploads.ArchiveDeleteV1

Parameters:

Name	Type	Required	Description
id	string	No	The archive SHA256.

Example:

{
  "id": "<id>"
}

Archive Get

SDK: sample_uploads.ArchiveGetV1

Parameters:

Name	Type	Required	Description
id	string	No	The archive SHA256.
include_files	boolean	No	If true includes processed archive files in response.

Example:

{
  "id": "<id>",
  "include_files": true
}

Archive List

SDK: sample_uploads.ArchiveListV1

Parameters:

Name	Type	Required	Description
id	string	No	The archive SHA256.
limit	number	No	Max number of files to retrieve. Default: 100
offset	string	No	Offset from where to get files.

Example:

{
  "id": "<id>",
  "limit": 10,
  "offset": "<offset>"
}

Archive Upload

SDK: sample_uploads.ArchiveUploadV1

Parameters:

Name	Type	Required	Description
body	array	No	Content of the uploaded archive in binary format. For example, use --data-binary @$FILE_PATH wh...
comment	string	No	A descriptive comment to identify the file for other users.
is_confidential	boolean	No	Defines visibility of this file, either via the API or the Falcon console. - true: File is only...
name	string	No	Name of the archive.
password	string	No	Archive password.

Example:

{
  "body": ["<body>"],
  "comment": "<comment>",
  "is_confidential": true,
  "name": "<name>",
  "password": "<password>"
}

Archive Upload V2

SDK: sample_uploads.ArchiveUploadV2

Parameters:

Name	Type	Required	Description
comment	string	No	A descriptive comment to identify the file for other users. For example, use --form comment= wh...
is_confidential	boolean	No	Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. For...
name	string	No	Name of the archive. For example, use --form name= when using cURL.
password	string	No	Archive password. For example, use --form password= when using cURL.

Example:

{
  "comment": "<comment>",
  "is_confidential": true,
  "name": "<name>",
  "password": "<password>"
}

Delete Sample V3

SDK: sample_uploads.DeleteSampleV3

Parameters:

Name	Type	Required	Description
ids	string	No	The file SHA256.

Example:

{
  "ids": "<ids>"
}

Extraction Create

SDK: sample_uploads.ExtractionCreateV1

Parameters:

Name	Type	Required	Description
extract_all	boolean	No	extract all. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
files	object	Yes	files. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/
sha256	string	No	sha256. See CrowdStrike API documentation: https://developer.crowdstrike.com/docs/openapi/

Example:

{
  "extract_all": true,
  "files": {},
  "sha256": "<sha256>"
}

Extraction Get

SDK: sample_uploads.ExtractionGetV1

Parameters:

Name	Type	Required	Description
id	string	No	The extraction operation ID.
include_files	boolean	No	If true includes processed archive files in response.

Example:

{
  "id": "<id>",
  "include_files": true
}

Extraction List

SDK: sample_uploads.ExtractionListV1

Parameters:

Name	Type	Required	Description
id	string	No	The extraction operation ID.
limit	number	No	Max number of file extractions to retrieve.
offset	string	No	Offset from where to get file extractions.

Example:

{
  "id": "<id>",
  "limit": 10,
  "offset": "<offset>"
}

Get Sample V3

SDK: sample_uploads.GetSampleV3

Parameters:

Name	Type	Required	Description
ids	string	No	The file SHA256.
password_protected	boolean	No	Flag whether the sample should be zipped and password protected with pass='infected'

Example:

{
  "ids": "<ids>",
  "password_protected": true
}

Upload Sample V3

SDK: sample_uploads.UploadSampleV3

Parameters:

Name	Type	Required	Description
comment	string	No	A descriptive comment to identify the file for other users.
file_name	string	No	Name of the file.
is_confidential	boolean	No	Defines visibility of this file in Falcon MalQuery, either via the API or the Falcon console. - `...

Example:

{
  "comment": "<comment>",
  "file_name": "<file_name>",
  "is_confidential": true
}

Best Practices

1. Use Appropriate Filters: Leverage FQL (Falcon Query Language) filters to narrow down results and improve performance.

2. Implement Pagination: For operations returning large datasets, use limit and offset parameters to paginate results.

3. Handle Rate Limits: CrowdStrike APIs have rate limits. Implement appropriate delays and retry logic in your workflows.

4. Secure Credentials: Never log or expose API credentials. Use NINA's credential management for secure storage.

5. Use Specific Scopes: When creating API clients, only request the minimum required API scopes.

6. Monitor API Usage: Track your API usage to avoid hitting rate limits during critical operations.

7. Validate IDs: Always validate resource IDs before using them in update or delete operations.

8. Error Handling: Implement comprehensive error handling for API failures and unexpected responses.

Troubleshooting

Issue	Possible Solution
401 Unauthorized	Verify Client ID and Client Secret are correct; check if credentials have expired
403 Forbidden	Ensure API client has required scopes for the operation
404 Not Found	Verify the resource ID exists and is accessible with your credentials
429 Too Many Requests	Rate limit exceeded; implement delays between requests
Invalid Filter	Check FQL syntax; refer to CrowdStrike FQL documentation
Connection Timeout	Verify network connectivity and correct Base URL for your region
Empty Results	Verify filter criteria; check if resources exist in your environment

Support

For issues with this integration, please contact support with:

• The operation you were attempting
• Any error messages received
• The parameters used (excluding sensitive data)
• Your CrowdStrike cloud region

For CrowdStrike API documentation, visit: CrowdStrike Developer Portal

Updated: 2026-02-05