
Overview

The Sample Files API allows you to upload suspicious files to CrowdStrike for analysis, download previously submitted samples, and manage sample file metadata. Samples can be submitted for analysis using Falcon Sandbox or Falcon QuickScan.
All sample operations require Sample uploads: Read or Sample uploads: Write permissions.

Get-FalconSample

Retrieve detailed information about accessible sample files using SHA256 hash values.

Syntax

Get-FalconSample [-Id] <string[]>

Parameters

Id
string[]
required
SHA256 hash value(s) of the sample file(s). Must be 64-character hexadecimal strings.
Aliases: sha256s, sha256, ids

Examples

Get-FalconSample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

Returns

Detailed information about the sample file including SHA256 hash, file size, file type, and analysis status.
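The following is an added example, not part of the PSFalcon documentation: it validates a set of SHA256 values against the 64-character hexadecimal requirement before calling Get-FalconSample, then reports which of the requested hashes the sample store actually returned. It assumes Get-FalconSample returns objects with a sha256 property (the same property name the page's own workflow reads from Send-FalconSample) and that unknown hashes are simply absent from the result.

```powershell
# Added example (not PSFalcon code). Assumes Get-FalconSample returns objects
# carrying a 'sha256' property and omits hashes it does not know.
function Find-SampleByHash {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Sha256
    )
    begin { $valid = [System.Collections.Generic.List[string]]::new() }
    process {
        foreach ($hash in $Sha256) {
            # The API requires 64-character hexadecimal strings; reject anything
            # else up front so one bad value does not fail the whole batch.
            if ($hash -match '^[0-9a-fA-F]{64}$') {
                $valid.Add($hash.ToLower())
            } else {
                Write-Warning "Skipping '$hash': not a 64-character hexadecimal SHA256"
            }
        }
    }
    end {
        if ($valid.Count -eq 0) { return }
        try {
            $found = @(Get-FalconSample -Id $valid -ErrorAction Stop)
        } catch {
            Write-Error "Get-FalconSample failed: $($_.Exception.Message)"
            return
        }
        # Normalise the returned hashes so the comparison is case-insensitive.
        $known = @($found | ForEach-Object { "$($_.sha256)".ToLower() })
        foreach ($hash in $valid) {
            [PSCustomObject]@{
                SHA256 = $hash
                Known  = ($known -contains $hash)
                Detail = ($found | Where-Object { "$($_.sha256)".ToLower() -eq $hash } | Select-Object -First 1)
            }
        }
    }
}

# Constructed input: one well-formed hash and one malformed value.
@(
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'not-a-hash'
) | Find-SampleByHash | Format-Table SHA256, Known
```

The malformed value is reported as a warning and never sent to the API; the well-formed hash comes back with Known set to whether the sample store returned it.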

Send-FalconSample

Upload a sample file to CrowdStrike for analysis. Maximum file size is 256MB.

Syntax

Send-FalconSample [-Path] <string> [[-IsConfidential] <boolean>] [[-Comment] <string>] [[-Name] <string>]

Parameters

Path
string
required
Path to the local file to upload. The file must exist and cannot be a directory.
Aliases: body, FullName
IsConfidential
boolean
default: true
Prohibit the sample from being displayed in MalQuery. Default is True to keep samples confidential.
Aliases: is_confidential
Comment
string
Audit log comment describing the reason for the upload or additional context.
Name
string
File name to use for the sample. If not specified, the local file name is used.
Aliases: file_name, FileName

Examples

Send-FalconSample -Path 'C:\Samples\suspicious.exe'
ZIP and 7z archives are automatically redirected to Send-FalconSampleArchive for special handling.

Returns

Upload confirmation with SHA256 hash that can be used for Falcon Sandbox or QuickScan submissions.
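The following is an added example, not part of the PSFalcon documentation: it checks the documented upload constraints locally (the file exists, is not a directory, and is at most 256MB), uploads with Send-FalconSample, and then confirms that the SHA256 the API reports matches a hash computed locally, so a later Falcon Sandbox or QuickScan submission refers to the file you intended. It assumes Send-FalconSample returns an object with a sha256 property, as the page's own workflow example reads; ZIP and 7z archives are redirected to Send-FalconSampleArchive, so the function warns rather than asserting anything about that return shape.

```powershell
# Added example (not PSFalcon code). Assumes Send-FalconSample returns an
# object with a 'sha256' property for non-archive files.
function Send-SampleChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Comment = 'Uploaded by Send-SampleChecked',
        [bool]   $IsConfidential = $true
    )
    $MaxBytes = 256MB   # documented maximum file size

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($item.PSIsContainer) {
        throw "Path '$Path' is a directory; Send-FalconSample requires a file."
    }
    if ($item.Length -gt $MaxBytes) {
        throw "File '$Path' is $($item.Length) bytes, over the 256MB limit."
    }
    if ($item.Extension -in '.zip', '.7z') {
        Write-Warning "'$($item.Name)' is an archive and will be handled by Send-FalconSampleArchive; the hash check below may not apply."
    }

    # Hash locally before upload so the API's answer can be verified afterwards.
    $localHash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash.ToLower()

    $result = Send-FalconSample -Path $item.FullName -Comment $Comment -IsConfidential $IsConfidential -ErrorAction Stop
    $remoteHash = "$($result.sha256)".ToLower()

    if ($remoteHash -ne $localHash) {
        throw "SHA256 mismatch for '$($item.Name)': local $localHash, reported $remoteHash"
    }

    [PSCustomObject]@{
        FileName     = $item.Name
        SizeBytes    = $item.Length
        SHA256       = $remoteHash
        Confidential = $IsConfidential
        UploadTime   = (Get-Date).ToString('o')
    }
}

# Usage (the sample path is a placeholder):
# Send-SampleChecked -Path 'C:\Samples\suspicious.exe' -Comment 'Potential malware from endpoint'
```

The returned object carries the verified hash, which is what the Falcon Sandbox and QuickScan submissions in the workflows below expect.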

Receive-FalconSample

Download a previously submitted sample file from CrowdStrike.

Syntax

Receive-FalconSample [-Path] <string> [-Id] <string> [[-PasswordProtected] <boolean>] [-Force]

Parameters

Path
string
required
Destination path where the sample file will be saved.
Id
string
required
SHA256 hash value of the sample to download. Must be 64-character hexadecimal string.
Aliases: ids
PasswordProtected
boolean
Archive and password protect the sample with the password 'infected'.
Aliases: password_protected
Force
switch
Overwrite an existing file when present at the destination path.

Examples

Receive-FalconSample -Path 'C:\Downloads\sample.bin' -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
Use password protection when downloading samples. The password 'infected' is a standard password for malware archives. Always handle downloaded samples in a secure, isolated environment.

Remove-FalconSample

Remove a sample from your CrowdStrike environment.

Syntax

Remove-FalconSample [-Id] <string>

Parameters

Id
string
required
SHA256 hash value of the sample to remove. Must be 64-character hexadecimal string.
Aliases: ids, sha256

Examples

Remove-FalconSample -Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'
This operation cannot be undone. Ensure you have proper authorization before removing samples.
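The following is an added example, not part of the PSFalcon documentation: because removal cannot be undone, it wraps Remove-FalconSample in a function that supports -WhatIf and -Confirm, checks with Get-FalconSample that the hash actually exists before deleting, and appends a record of who removed what and why to a local audit log. It assumes Get-FalconSample returns objects with a sha256 property and returns nothing for an unknown hash; the log path is a placeholder.

```powershell
# Added example (not PSFalcon code). Assumes Get-FalconSample returns nothing
# for an unknown hash; the default log path is a placeholder.
function Remove-SampleAudited {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9a-fA-F]{64}$')]   # documented input format
        [string] $Sha256,
        [Parameter(Mandatory)] [string] $Reason,
        [string] $LogPath = 'C:\Logs\sample_removals.log'
    )
    $Sha256 = $Sha256.ToLower()

    # Confirm the sample exists before attempting an irreversible deletion.
    $existing = Get-FalconSample -Id $Sha256 -ErrorAction SilentlyContinue
    if (-not $existing) {
        Write-Warning "Sample $Sha256 not found; nothing to remove."
        return
    }

    # ConfirmImpact = 'High' means this prompts by default; -WhatIf only reports.
    if ($PSCmdlet.ShouldProcess($Sha256, "Remove sample ($Reason)")) {
        Remove-FalconSample -Id $Sha256 -ErrorAction Stop
        $entry = "{0}`t{1}`t{2}`t{3}" -f (Get-Date).ToString('o'), $env:USERNAME, $Sha256, $Reason
        Add-Content -LiteralPath $LogPath -Value $entry
        Write-Verbose "Removed $Sha256 and logged to $LogPath"
    }
}

# Dry run first; drop -WhatIf to perform the deletion (a confirmation prompt still appears).
Remove-SampleAudited -Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' -Reason 'Duplicate of tracked sample' -WhatIf
```

The -WhatIf run exercises the existence check and the ShouldProcess message without touching the sample store, which is the safe way to verify a removal script before granting it the Sample uploads: Write scope it needs.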

Common Workflows

Upload and Analyze Sample

# Upload sample file
$result = Send-FalconSample -Path 'C:\Samples\suspicious.exe' -Comment 'Potential malware from endpoint'

# Capture SHA256 for analysis
$sha256 = $result.sha256

# Submit to Falcon Sandbox for analysis
Submit-FalconSandbox -Sha256 $sha256

Download Multiple Samples

# List of SHA256 hashes
$hashes = @(
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2'
)

# Download each sample with password protection
foreach ($hash in $hashes) {
  $filename = "sample_$hash.zip"
  Receive-FalconSample -Path "C:\Downloads\$filename" -Id $hash -PasswordProtected $true
}
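The following is an added example, not part of the PSFalcon documentation, that extends both the Receive-FalconSample description and the Download Multiple Samples workflow above: it validates each hash first, downloads as a password-protected archive into a dedicated folder, skips files already present unless -Force is given (mirroring Receive-FalconSample's own -Force), and records the outcome per hash rather than stopping at the first failure. The destination folder is a placeholder.

```powershell
# Added example (not PSFalcon code). The destination folder is a placeholder.
function Receive-SampleBatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Sha256,
        [Parameter(Mandatory)] [string]   $Destination,
        [switch] $Force
    )
    if (-not (Test-Path -LiteralPath $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    foreach ($hash in $Sha256) {
        $hash   = $hash.ToLower()
        $target = Join-Path $Destination "sample_$hash.zip"
        $status = 'Downloaded'
        try {
            # Documented input format: 64 hexadecimal characters.
            if ($hash -notmatch '^[0-9a-f]{64}$') {
                throw 'not a 64-character hexadecimal SHA256'
            }
            if ((Test-Path -LiteralPath $target) -and -not $Force) {
                $status = 'SkippedExisting'
            } else {
                # Password-protected archives (password 'infected') keep the raw
                # sample from being written to disk in executable form.
                $params = @{ Path = $target; Id = $hash; PasswordProtected = $true; ErrorAction = 'Stop' }
                if ($Force) { $params.Force = $true }
                Receive-FalconSample @params
            }
        } catch {
            # One failed hash should not abort the rest of the batch.
            $status = "Failed: $($_.Exception.Message)"
        }
        [PSCustomObject]@{ SHA256 = $hash; Path = $target; Status = $status }
    }
}

# Constructed input: the same two hashes used in the workflow above.
$hashes = @(
  'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2'
)
Receive-SampleBatch -Sha256 $hashes -Destination 'C:\Downloads\Samples' | Format-Table
```

Running it twice without -Force shows the second pass reporting SkippedExisting for every file that was downloaded the first time, so a retried job only fetches what is still missing.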

Batch Upload Samples

# Upload all executables from a directory
Get-ChildItem 'C:\Quarantine\*.exe' | ForEach-Object {
  $result = Send-FalconSample -Path $_.FullName -Comment "Quarantine upload - $($_.Name)"
  [PSCustomObject]@{
    FileName = $_.Name
    SHA256 = $result.sha256
    UploadTime = Get-Date
  }
} | Export-Csv 'C:\Logs\uploaded_samples.csv' -NoTypeInformation

Permissions Required

Operation             Permission
Get-FalconSample      Sample uploads: Read
Send-FalconSample     Sample uploads: Write
Receive-FalconSample  Sample uploads: Read
Remove-FalconSample   Sample uploads: Write

Related Commands

  • Submit-FalconSandbox - Submit samples for sandbox analysis
  • Get-FalconQuickScan - Submit samples for quick scanning
  • Get-FalconMalQuery - Search for similar samples in MalQuery
