CrowdStrike Malquery

Name	Description
CrowdStrike Malquery	Use the MalQuery Integration to query the contents of clean and malicious binary files, which forms part of Falcon's search engine.

Name	Description
CrowdStrikeMalquery - Search	Use this playbook as a sub-playbook to query the contents of binary files. This playbook implements polling by continuously running the `get-request` command until the operation completes. The remote action should have the following structure: Initiate the operation - insert the type of search command (hunt or exact-search) and it's additional arguments if necessary. Poll to check if the operation completed. Get the results of the operation.
CrowdStrikeMalquery - Multidownload and Fetch	Schedule samples for download. Using samples-multidownload is a three-step process: 1. Schedule the download with samples-multidownload, which returns a request ID. 2. Provide that request ID to the cs-malquery-get-request, in order to check the status of the operation. 3. When the request status is “done”, use cs-malquery-sample-fetch to download the results as a password-protected archive Use this playbook as a sub-playbook to schedule samples for download. This playbook implements polling by continuously running the `get-request` command until the operation completes. Once the request status is done the sub-playbook runs cs-malquery-sample-fetch. `The remote action should have the following structure: 1. Initiate the operation - insert the sample SHA256 ids. 2. Poll to check if the operation completed. 3. Get the results of the operation.`

Schedule samples for download. Using samples-multidownload is a
three-step process: 1. Schedule the download with samples-multidownload, which
returns a request ID. 2. Provide that request ID to the cs-malquery-get-request,
in order to check the status of the operation. 3. When the request status is
“done”, use cs-malquery-sample-fetch to download the results as a password-protected
archive
Use this playbook as a sub-playbook to schedule samples for download.
This playbook implements polling by continuously running the get-request command until the operation completes.
Once the request status is done the sub-playbook runs cs-malquery-sample-fetch.

The remote action should have the following structure:
1. Initiate the operation - insert the sample SHA256 ids.
2. Poll to check if the operation completed.
3. Get the results of the operation.

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR

Certification	Certified	Read more
Supported By	Cortex
Created	November 9, 2020
Last Release	July 8, 2025

Integrations

CrowdStrike Malquery

Integrations

CrowdStrike Malquery

Integrations

CrowdStrike Malquery

Integrations

CrowdStrike Malquery

Integrations

CrowdStrike Malquery

PUBLISHER

PLATFORMS

INFO

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER