Letting users upload files to Sandbox via Falconpy/GUI

[jaycrast]

Hello, was hoping to maybe get some guidance on if this use case is possible, and if so, what would be your opinions on how to best develop this.

Goal: We want to be able to provide a simple Web GUI for the falconpy sandbox where users would be able to upload a questionable file, and are then provided with the results of that uploaded file. We're wanting to host the application/site in an S3 bucket

Few issues I'm trying to solve with limited experience. The provided sample code for single file upload uses the command line arguments to pass in the file. Are there any examples that could be provided that could help us build out something similar to how we would manually upload files to the Sandbox from the CrowdStrike GUI? The idea is to build out a frontend with Flask or anything similar, pull the API credentials from Secrets Manager for authentication, and be able to then upload a single file to the sandbox with a just an upload file button.

[jshcodes]

Have you seen the S3 bucket protection integration example? It doesn't speak to every one of your requirements, but it does demonstrate the following:

• Pulling secrets from Systems Manager.
• Triggering the lambda when the file is uploaded to the bucket, which then sends the file to the sandbox for submission to Quick Scan.

With some minor changes, it could definitely be leveraged to perform the more in-depth scan. You will still need to solve for retrieving and displaying the result if you go this route.

[jaycrast]

Hey @jshcodes, thanks for the help!

I've got the infrastructure deployed for the S3 bucket protection, but running in to a few issues actually getting these objects over to the sandbox. I tried finding anything in the quick scan documentation referencing supported sample types but I haven't seen anything yet. The lambda function is getting invoked every time I upload an object, but I'm getting these errors in CloudWatch for most file types I've tested so far (xlsx, txt, jpeg, csv etc.)

[WARNING] 2023-05-16T06:39:21.239Z 5f27ae2b-c997-4455-9560-60252e712d63 Scan error for d382403de92a44a4999e90726b81a8c3.eml: sample type not supported

[WARNING] 2023-05-16T06:49:34.764Z d7ae09e0-e370-4c45-b975-157e726a06b7 Scan error for b0a599b2a58e4f33a5da634f839ad1b1.txt: sample type not supported

I've had one successful upload so far:

[INFO] 2023-05-16T07:07:08.683Z 8f91a976-dc07-47da-813b-c73c2ae480c3 No threat found in 36b8f5d4c47e46298c05c900c451201f.pdf

Any ideas what I'm missing?

Thanks again.

[jaycrast]

Follow up question, if we're wanting to utilize the full sandbox scans rather than the quick scans. Do I just need to import the FalconXSandbox module rather than the quick scans, and then edit the lambda function to use the sandbox.submit and sandbox.get_reports methods to replace all of the scanner methods in the example code?

[jshcodes]

Hi @jaycrast -

Regarding your first question, QuickScan doesn't scan text files, so this integration has been updated to report that in the log.

For your second question, you are correct. Once uploaded to the sandbox, you may submit a file to QuickScan or the full ML scan depending on which API operation (or Service Class method) you decide to leverage.