Skip to main content
Search for malware samples using partial pattern matching for faster results but with potential for false positives. Note: In order to get more accurate results, use MalQuery Exact Search action.
External DocumentationTo learn more, visit the CrowdStrike documentation.

Basic Parameters

ParameterDescription
PatternsSpecify an array of hex patterns or strings to search for within file contents at the byte level.

Each pattern should be an object with “type” and “value” fields. For example:
[
  {
    “type”:“hex”,
    “value”:“8948208b480833ca33f989502489482889782c8bd7”
  },
  {
    “type”:“ascii”,
    “value”:“suspicious_string”
  }
]

Advanced Parameters

ParameterDescription
LimitThe maximum number of matching files to return in the response.
Metadata FieldsA comma-separated list of metadata fields to include in results.

For example:
* sha256
* md5
* type
* size
* first_seen
* label
* family

Example Output

{
	"errors": [
		{
			"code": 0,
			"id": "string",
			"message": "string",
			"type": "string"
		}
	],
	"meta": {
		"pagination": {
			"limit": 0,
			"offset": 0,
			"total": 0
		},
		"powered_by": "string",
		"query_time": 0,
		"reqid": "Request ID returned after creating a hunt or exact search",
		"stats": {
			"clean_count": 0,
			"malware_count": 0,
			"pua_count": 0,
			"total_count": 0,
			"unknown_count": 0
		},
		"status": "Request status. Possible values: inprogress, failed, done",
		"trace_id": "string",
		"writes": {
			"resources_affected": 0
		}
	},
	"resources": [
		{
			"family": "Sample family",
			"filesize": 0,
			"filetype": "Sample file type",
			"first_seen": "Date when it was first seen",
			"label": "Sample label",
			"md5": "Sample MD5",
			"sha1": "Sample SHA1",
			"sha256": "Sample SHA256"
		}
	]
}

Workflow Library Example

Malquery Fuzzy Search with Crowdstrike and Send Results Via Email
Workflow LibraryPreview this Workflow on desktop
I