Falcon X™ automates the threat analysis process and delivers actionable intelligence and custom IOCs specifically tailored for the threats encountered on your endpoints. With this level of automation, you can stop picking and choosing which threats to analyze and start analyzing all threats.
This document provides information about the CrowdStrike Falcon X connector, which facilitates automated interactions with a CrowdStrike Falcon X server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon X connector as a step in FortiSOAR™ playbooks and perform automated operations such as submitting a URL to the CrowdStrike Falcon X sandbox, retrieving reports from the CrowdStrike Falcon X sandbox, retrieving the status of a sandbox analysis from the CrowdStrike Falcon X sandbox, etc.
Connector Version: 1.1.0
Authored By: Fortinet
Certified: No
The following enhancements have been made to the CrowdStrike Falcon X Connector in version 1.1.0:

- Invalid number of sandbox parameters submitted
- Either sha256 or url attributes needs to be submitted, not both
- content-type and payload specified in the API request.
- payload in the api request.

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:

```sh
yum install cyops-connector-crowdstrike-falcon-x
```
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon X connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the CrowdStrike Falcon server to which you will connect and perform the automated operations. |
| Client ID | Specify the Client ID used to access the CrowdStrike Falcon APIs and perform automated operations. |
| Client Secret | Specify the Client Secret token used to access the CrowdStrike Falcon APIs and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Upload File | Uploads a file for analysis to the CrowdStrike Falcon X sandbox. The file is uploaded based on the attachment IRI and comments you have specified. | upload_file Investigation |
| Submit Uploaded File | Submits a SHA256 hash for analysis to the CrowdStrike Falcon X sandbox based on the file hash, environment ID, and other input parameters you have specified. | submit_uploaded_file Investigation |
| Get Full Report | Retrieves a full version of a sandbox report from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_full_report Investigation |
| Get Report Summary | Retrieves a short summary version of a sandbox report from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_report_summary Investigation |
| Get Analysis Status | Retrieves the status of a sandbox analysis from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_analysis_status Investigation |
| Search Reports | Retrieves the sandbox reports from the CrowdStrike Falcon X sandbox based on the FQL filter and other input parameters you have specified. | search_reports Investigation |
| Search Submission ID | Retrieves the submission IDs for uploaded files from the CrowdStrike Falcon X sandbox based on the FQL filter and other input parameters you have specified. | search_submission_id Investigation |
| Submit URL | Submits a URL for analysis to the CrowdStrike Falcon X sandbox based on the URL, environment ID, and other input parameters you have specified. | submit_url Investigation |
| Parameter | Description |
|---|---|
| Attachment IRI | Specify the IRI of the attachment that you want to submit for analysis to CrowdStrike Falcon X sandbox. Attachment IRIs are used to access the file directly from the FortiSOAR "Attachments" module. |
| Comment | Specify a descriptive comment that helps other users to identify the file. |
| Is Confidential | Defines the visibility of this file in the Falcon MalQuery using the API. Clear this option for this file to be seen by other CrowdStrike customers. By default, this option is selected and the file is shown only to users within your customer account. |
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "file_name": "",
      "sha256": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Interactivity | Specifies whether interactivity is enabled for the analysis. By default, this option is set as False. |
| FileHash | Specify the SHA256 value of the file you want to submit for analysis to the CrowdStrike Falcon X sandbox. The hash is returned in the response of the Upload File action. |
| Environment ID | Select the sandbox environment to be used for the analysis of the submitted file hash. You can choose from options such as 300: Linux Ubuntu 16.04, 160: Windows 10, 64-bit, etc. |
| Action Script | (Optional) Specify the runtime script to be used for the sandbox analysis. |
| Command Line | (Optional) Specify the command line script to be passed to the submitted file at runtime. |
| Document Password | (Optional) Specify the password of the file that is submitted for analysis to CrowdStrike Falcon X sandbox. Auto-filled for Adobe or Office files that prompt for a password. |
| Enable TOR | Determines whether the sandbox analysis routes network traffic using TOR. Select this option if you want the sandbox analysis to route network traffic using TOR. |
| Submit Name | (Optional) Specify the name of the malware sample that is to be used for file type detection and analysis. |
| System Date/Time | Specify a custom date and time for the sandbox environment. |
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "cid": "",
      "created_timestamp": "",
      "id": "",
      "origin": "",
      "sandbox": [
        {
          "action_script": "",
          "command_line": "",
          "document_password": "",
          "enable_tor": true,
          "environment_id": "",
          "sha256": "",
          "submit_name": "",
          "system_date": "",
          "system_time": "",
          "url": ""
        }
      ],
      "state": "",
      "user_id": "",
      "user_name": "",
      "user_tags": [],
      "user_uuid": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "MsaMetaInfo": {
      "pagination": {
        "limit": "",
        "offset": "",
        "total": ""
      },
      "powered_by": "",
      "query_time": "",
      "trace_id": "",
      "writes": {
        "resources_affected": ""
      }
    },
    "quota": {
      "in_progress": "",
      "total": "",
      "used": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report that you want to retrieve from the CrowdStrike Falcon X sandbox. The report ID is returned by the Submit Uploaded File action. |
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "cid": "",
      "created_timestamp": "",
      "id": "",
      "intel": [
        {
          "actors": [
            {
              "created_timestamp": "",
              "description": "",
              "first_activity_timestamp": "",
              "id": "",
              "image_artifact_id": "",
              "known_as": "",
              "last_activity_timestamp": "",
              "name": "",
              "origins": [
                {
                  "id": "",
                  "name": "",
                  "slug": "",
                  "value": ""
                }
              ],
              "short_description": "",
              "slug": "",
              "target_countries": [
                {
                  "id": "",
                  "name": "",
                  "slug": "",
                  "value": ""
                }
              ],
              "target_industries": [
                {
                  "id": "",
                  "name": "",
                  "slug": "",
                  "value": ""
                }
              ],
              "thumbnail_artifact_id": ""
            }
          ],
          "malware_families": [],
          "related_indicators": [
            {
              "created_timestamp": "",
              "id": "",
              "type": "",
              "updated_timestamp": "",
              "value": ""
            }
          ]
        }
      ],
      "ioc_report_broad_csv_artifact_id": "",
      "ioc_report_broad_json_artifact_id": "",
      "ioc_report_broad_maec_artifact_id": "",
      "ioc_report_broad_stix_artifact_id": "",
      "ioc_report_strict_csv_artifact_id": "",
      "ioc_report_strict_json_artifact_id": "",
      "ioc_report_strict_maec_artifact_id": "",
      "ioc_report_strict_stix_artifact_id": "",
      "malquery": [
        {
          "errors": [
            {
              "code": "",
              "message": ""
            }
          ],
          "input": "",
          "resources": [
            {
              "family": "",
              "file_size": "",
              "file_type": "",
              "first_seen_timestamp": "",
              "label": "",
              "md5": "",
              "sha1": "",
              "sha256": ""
            }
          ],
          "type": "",
          "verdict": ""
        }
      ],
      "origin": "",
      "sandbox": [
        {
          "architecture": "",
          "classification": [],
          "classification_tags": [],
          "contacted_hosts": [
            {
              "address": "",
              "associated_runtime": [
                {
                  "name": "",
                  "pid": ""
                }
              ],
              "compromised": true,
              "country": "",
              "port": "",
              "protocol": ""
            }
          ],
          "dns_requests": [
            {
              "address": "",
              "compromised": true,
              "country": "",
              "domain": "",
              "registrar_creation_timestamp": "",
              "registrar_name": "",
              "registrar_name_servers": "",
              "registrar_organization": ""
            }
          ],
          "environment_description": "",
          "environment_id": "",
          "error_message": "",
          "error_origin": "",
          "error_type": "",
          "extracted_files": [
            {
              "description": "",
              "file_available_to_download": true,
              "file_path": "",
              "file_size": "",
              "md5": "",
              "name": "",
              "runtime_process": "",
              "sha1": "",
              "sha256": "",
              "threat_level": "",
              "threat_level_readable": "",
              "type_tags": []
            }
          ],
          "extracted_interesting_strings": [
            {
              "filename": "",
              "process": "",
              "source": "",
              "type": "",
              "value": ""
            }
          ],
          "file_imports": [
            {
              "functions": [],
              "module": ""
            }
          ],
          "file_metadata": {
            "file_analysis": [],
            "file_compositions": [],
            "imported_objects": []
          },
          "file_size": "",
          "file_type": "",
          "file_type_short": [],
          "http_requests": [
            {
              "header": "",
              "host": "",
              "host_ip": "",
              "host_port": "",
              "method": "",
              "response_code": "",
              "response_phrase": "",
              "url": ""
            }
          ],
          "incidents": [
            {
              "details": [],
              "name": ""
            }
          ],
          "ioc_report_broad_artifact_id": "",
          "ioc_report_strict_artifact_id": "",
          "memory_forensics": [
            {
              "stream_uid": "",
              "value": ""
            }
          ],
          "mitre_attacks": [
            {
              "attack_id": "",
              "informative_identifiers": [],
              "malicious_identifiers": [],
              "suspicious_identifiers": [],
              "tactic": "",
              "technique": ""
            }
          ],
          "packer": "",
          "pcap_report_artifact_id": "",
          "processes": [
            {
              "command_line": "",
              "file_accesses": [
                {
                  "mask": "",
                  "path": "",
                  "type": ""
                }
              ],
              "handles": [
                {
                  "id": "",
                  "path": "",
                  "type": ""
                }
              ],
              "icon_artifact_id": "",
              "mutants": [],
              "name": "",
              "normalized_path": "",
              "parent_uid": "",
              "pid": "",
              "process_flags": [
                {
                  "data": "",
                  "name": ""
                }
              ],
              "registry": [
                {
                  "key": "",
                  "operation": "",
                  "path": "",
                  "status": "",
                  "status_human_readable": "",
                  "value": ""
                }
              ],
              "script_calls": [
                {
                  "cls_id": "",
                  "dispatch_id": "",
                  "matched_malicious_signatures": [],
                  "parameters": [
                    {
                      "argument_number": "",
                      "comment": "",
                      "meaning": "",
                      "name": "",
                      "value": ""
                    }
                  ],
                  "result": "",
                  "status": ""
                }
              ],
              "sha256": "",
              "streams": [
                {
                  "executed": true,
                  "file_name": "",
                  "human_keywords": "",
                  "instructions_artifact_id": "",
                  "matched_signatures": [
                    {
                      "id": "",
                      "value": ""
                    }
                  ],
                  "uid": ""
                }
              ],
              "uid": ""
            }
          ],
          "sample_flags": [],
          "screenshots_artifact_ids": [],
          "sha256": "",
          "signatures": [
            {
              "attack_id": "",
              "category": "",
              "description": "",
              "identifier": "",
              "name": "",
              "origin": "",
              "relevance": "",
              "threat_level": "",
              "threat_level_human": "",
              "type": ""
            }
          ],
          "submission_type": "",
          "submit_name": "",
          "submit_url": "",
          "suricata_alerts": [
            {
              "category": "",
              "description": "",
              "destination_ip": "",
              "destination_port": "",
              "protocol": "",
              "sid": ""
            }
          ],
          "target_url": "",
          "threat_score": "",
          "verdict": "",
          "version_info": [
            {
              "id": "",
              "value": ""
            }
          ],
          "windows_version_bitness": "",
          "windows_version_edition": "",
          "windows_version_name": "",
          "windows_version_service_pack": "",
          "windows_version_version": ""
        }
      ],
      "tags": [],
      "user_id": "",
      "user_name": "",
      "user_tags": [],
      "user_uuid": "",
      "verdict": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
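The full report is the part of this output a playbook usually acts on. The following added example (written for this page, not code from the connector or from CrowdStrike) walks a report shaped like the schema above and pulls out what a responder needs: network indicators the sandbox marked as compromised, the MITRE ATT&CK techniques observed, and a single triage verdict across all sandbox runs. The sample report is constructed with placeholder values; the verdict labels `malicious`/`suspicious` and the score threshold of 70 are assumptions about the Falcon X verdict vocabulary, so check them against your own reports before wiring the result into a decision step.

```python
"""Triage helpers for a Falcon X 'Get Full Report' response (added example)."""
import json
from collections import Counter

# Constructed sample shaped like the Get Full Report output schema. Every
# value below is a placeholder, including the sha256 and the addresses.
SAMPLE_REPORT = json.loads("""
{
  "resources": [
    {
      "id": "REPORT-ID-PLACEHOLDER",
      "verdict": "malicious",
      "sandbox": [
        {
          "environment_id": 160,
          "environment_description": "Windows 10 64 bit",
          "sha256": "0000000000000000000000000000000000000000000000000000000000000000",
          "threat_score": 87,
          "verdict": "malicious",
          "error_message": "",
          "contacted_hosts": [
            {"address": "203.0.113.10", "port": 443, "protocol": "TCP", "compromised": true},
            {"address": "198.51.100.5", "port": 80, "protocol": "TCP", "compromised": false}
          ],
          "dns_requests": [
            {"domain": "c2.example.invalid", "address": "203.0.113.10", "compromised": true},
            {"domain": "update.example.invalid", "address": "198.51.100.5", "compromised": false}
          ],
          "suricata_alerts": [
            {"sid": 2000001, "category": "Constructed C2 category", "description": "Constructed alert",
             "destination_ip": "203.0.113.10", "destination_port": 443, "protocol": "TCP"}
          ],
          "mitre_attacks": [
            {"attack_id": "T1071", "tactic": "Command and Control",
             "technique": "Application Layer Protocol",
             "malicious_identifiers": ["network_c2"], "suspicious_identifiers": [],
             "informative_identifiers": []}
          ]
        }
      ]
    }
  ],
  "errors": []
}
""")


def _runs(report):
    """Yield every sandbox run dict in every resource of the report."""
    for resource in report.get("resources") or []:
        for run in resource.get("sandbox") or []:
            yield run


def extract_indicators(report):
    """Return sorted, de-duplicated indicators as {"type", "value", "context"}.

    Only hosts and domains the sandbox flagged as compromised are kept, so the
    list can feed a block list without pulling in benign update servers. The
    first context seen for a value wins; later duplicates are dropped.
    """
    found = {}
    for run in _runs(report):
        for host in run.get("contacted_hosts") or []:
            if host.get("compromised") and host.get("address"):
                ctx = f"{host.get('protocol')}/{host.get('port')}"
                found.setdefault(("ipv4", host["address"]), ctx)
        for req in run.get("dns_requests") or []:
            if req.get("compromised") and req.get("domain"):
                ctx = f"resolved to {req.get('address')}"
                found.setdefault(("domain", req["domain"]), ctx)
        for alert in run.get("suricata_alerts") or []:
            if alert.get("destination_ip"):
                ctx = f"suricata sid {alert.get('sid')}: {alert.get('category')}"
                found.setdefault(("ipv4", alert["destination_ip"]), ctx)
    return [{"type": t, "value": v, "context": c} for (t, v), c in sorted(found.items())]


def mitre_techniques(report):
    """Return sorted unique (attack_id, tactic, technique) triples."""
    seen = set()
    for run in _runs(report):
        for hit in run.get("mitre_attacks") or []:
            seen.add((hit.get("attack_id", ""), hit.get("tactic", ""), hit.get("technique", "")))
    return sorted(seen)


def summarize_verdict(report, score_threshold=70):
    """Collapse all sandbox runs into one of: malicious, suspicious, clean,
    error, no_results. A run with error_message set counts as an error rather
    than as clean; a top-level "errors" entry makes the whole report an error.
    """
    if report.get("errors"):
        return "error"
    counts = Counter()
    max_score = 0
    for run in _runs(report):
        if run.get("error_message"):
            counts["error"] += 1
            continue
        counts[str(run.get("verdict", "")).lower()] += 1
        max_score = max(max_score, int(run.get("threat_score") or 0))
    if not counts:
        return "no_results"
    if counts["malicious"] or max_score >= score_threshold:
        return "malicious"
    if counts["suspicious"]:
        return "suspicious"
    if counts["error"] == sum(counts.values()):
        return "error"
    return "clean"


if __name__ == "__main__":
    print(summarize_verdict(SAMPLE_REPORT))
    for ioc in extract_indicators(SAMPLE_REPORT):
        print(ioc)
    print(mitre_techniques(SAMPLE_REPORT))
```

The benign `update.example.invalid` lookup and the uncompromised `198.51.100.5` host are deliberately left out of the indicator list; a report lists every contact the sample made, and pushing all of them to a block list is how update servers end up blocked.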
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report whose summary you want to retrieve from the CrowdStrike Falcon X sandbox. The report ID is returned by the Submit Uploaded File action. |
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "cid": "",
      "created_timestamp": "",
      "id": "",
      "intel": [
        {
          "actors": [
            {
              "id": "",
              "name": "",
              "slug": ""
            }
          ]
        }
      ],
      "ioc_report_broad_csv_artifact_id": "",
      "ioc_report_broad_json_artifact_id": "",
      "ioc_report_broad_maec_artifact_id": "",
      "ioc_report_broad_stix_artifact_id": "",
      "ioc_report_strict_csv_artifact_id": "",
      "ioc_report_strict_json_artifact_id": "",
      "ioc_report_strict_maec_artifact_id": "",
      "ioc_report_strict_stix_artifact_id": "",
      "origin": "",
      "sandbox": [
        {
          "classification_tags": [],
          "environment_description": "",
          "environment_id": "",
          "error_message": "",
          "error_origin": "",
          "error_type": "",
          "file_type": "",
          "incidents": [
            {
              "details": [],
              "name": ""
            }
          ],
          "sample_flags": [],
          "sha256": "",
          "submission_type": "",
          "submit_name": "",
          "submit_url": "",
          "threat_score": "",
          "verdict": ""
        }
      ],
      "tags": [],
      "user_id": "",
      "user_name": "",
      "user_tags": [],
      "verdict": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report whose analysis status you want to retrieve from the CrowdStrike Falcon X sandbox. The report ID is returned by the Submit Uploaded File action. |
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "cid": "",
      "created_timestamp": "",
      "id": "",
      "origin": "",
      "sandbox": [
        {
          "action_script": "",
          "command_line": "",
          "document_password": "",
          "enable_tor": "",
          "environment_id": "",
          "sha256": "",
          "submit_name": "",
          "system_date": "",
          "system_time": "",
          "url": ""
        }
      ],
      "state": "",
      "user_id": "",
      "user_name": "",
      "user_tags": [],
      "user_uuid": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
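A sandbox submission is not finished when the submit call returns, so a playbook normally polls Get Analysis Status before asking for the report. The added example below (written for this page, not connector code) shows a bounded poll loop over a response shaped like the schema above. It takes the status call as an injected callable so it runs offline, treats the `state` values `success` and `error` as terminal (an assumption about the Falcon X API, not something this page states), and gives up after a fixed number of attempts so a stuck submission cannot block a playbook forever.

```python
"""Bounded polling of Falcon X 'Get Analysis Status' (added example)."""
import time

# Assumption: these are the terminal values of the "state" field in the
# Get Analysis Status output. Any other value is treated as still pending.
TERMINAL_STATES = frozenset({"success", "error"})


class AnalysisError(RuntimeError):
    """Raised when the API returns entries in its "errors" array."""


def wait_for_analysis(get_status, submission_id, max_attempts=30,
                      delay_s=10.0, sleep=time.sleep,
                      terminal_states=TERMINAL_STATES):
    """Poll ``get_status(submission_id)`` until the analysis is finished.

    ``get_status`` must return a dict shaped like the Get Analysis Status
    output (keys "resources", "errors"). Returns ``(state, attempts)``.
    Raises AnalysisError if the API reports errors or returns no resource,
    and TimeoutError after ``max_attempts`` polls without a terminal state.
    ``sleep`` is injectable so tests do not have to wait.
    """
    last_state = None
    for attempt in range(1, max_attempts + 1):
        response = get_status(submission_id)
        errors = response.get("errors") or []
        if errors:
            first = errors[0]
            raise AnalysisError(f"{first.get('code')}: {first.get('message')}")
        resources = response.get("resources") or []
        if not resources:
            raise AnalysisError(f"no resource returned for {submission_id}")
        last_state = str(resources[0].get("state", "")).lower()
        if last_state in terminal_states:
            return last_state, attempt
        if attempt < max_attempts:
            sleep(delay_s)
    raise TimeoutError(
        f"{submission_id} still '{last_state}' after {max_attempts} polls")


def make_fake_status(states):
    """Constructed stand-in for the API call: serve ``states`` one per call,
    repeating the last entry once the list is exhausted."""
    calls = {"n": 0}

    def get_status(submission_id):
        idx = min(calls["n"], len(states) - 1)
        calls["n"] += 1
        return {"resources": [{"id": submission_id, "state": states[idx]}],
                "errors": []}
    return get_status


if __name__ == "__main__":
    fake = make_fake_status(["created", "running", "running", "success"])
    print(wait_for_analysis(fake, "SUBMISSION-ID-PLACEHOLDER",
                            sleep=lambda seconds: None))
```

With the defaults (30 attempts, 10 seconds apart) the loop waits at most about five minutes; tune `max_attempts` and `delay_s` to the environment's typical analysis time rather than removing the bound.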
| Parameter | Description |
|---|---|
| FQL Filter | Specify the FQL query with which you want to filter, sort, and search for reports in the CrowdStrike Falcon X sandbox. The FQL filter expression is a string in this format: `<property>: <operator><value>`. For more information, see the Falcon Query Language documentation provided by CrowdStrike. |
| Offset | (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the Limit parameter, which determines how many records to retrieve starting from the offset. |
| Limit | (Optional) Maximum number of report IDs that this operation should return. The maximum value that can be specified in this field is 5000. |
The output contains the following populated JSON schema:
```json
{
  "resources": [],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
| Parameter | Description |
|---|---|
| FQL Filter | Specify the FQL query with which you want to filter, sort, and search for submission IDs in the CrowdStrike Falcon X sandbox. The FQL filter expression is a string in this format: `<property>: <operator><value>`. For more information, see the Falcon Query Language documentation provided by CrowdStrike. |
| Offset | (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the Limit parameter, which determines how many records to retrieve starting from the offset. |
| Limit | (Optional) Maximum number of submission IDs that this operation should return. The maximum value that can be specified in this field is 5000. |
The output contains the following populated JSON schema:
```json
{
  "resources": [],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "pagination": {
      "limit": "",
      "offset": "",
      "total": ""
    },
    "powered_by": "",
    "query_time": "",
    "trace_id": "",
    "writes": {
      "resources_affected": ""
    }
  }
}
```
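Both Search Reports and Search Submission ID return only one page of IDs per call, controlled by Offset and Limit (Limit capped at 5000), with `meta.pagination.total` telling the caller how many matches exist in all. The added example below (written for this page, not connector code) walks every page for a given FQL filter, clamps the page size to the documented maximum, stops on the first API error, and refuses to loop forever if a server keeps returning the same page. The page fetch is an injected callable whose signature `fetch_page(fql_filter, offset, limit)` is an assumption of this example; the constructed `make_fake_fetcher` stands in for the real API so the block runs offline.

```python
"""Offset/limit pagination over Falcon X search results (added example)."""

MAX_LIMIT = 5000  # upper bound for the Limit parameter stated on this page


def iter_search_ids(fetch_page, fql_filter, page_size=100):
    """Yield every ID matched by ``fql_filter`` across all result pages.

    ``fetch_page(fql_filter, offset, limit)`` must return a dict shaped like
    the search output above ("resources", "errors", "meta.pagination").
    The loop ends when a page is empty or when the offset reaches
    ``meta.pagination.total``; an entry in "errors" raises RuntimeError.
    IDs already yielded are skipped so a repeated page cannot spin the loop.
    """
    limit = max(1, min(int(page_size), MAX_LIMIT))
    offset = 0
    seen = set()
    while True:
        page = fetch_page(fql_filter, offset, limit)
        errors = page.get("errors") or []
        if errors:
            first = errors[0]
            raise RuntimeError(f"search failed: {first.get('code')} {first.get('message')}")
        ids = page.get("resources") or []
        if not ids:
            return
        new = [i for i in ids if i not in seen]
        if not new:
            return  # server handed back a page we already processed
        for item in new:
            seen.add(item)
            yield item
        offset += len(ids)
        total = (page.get("meta") or {}).get("pagination", {}).get("total")
        if total is not None and offset >= int(total):
            return


def collect_search_ids(fetch_page, fql_filter, page_size=100):
    """Convenience wrapper returning the IDs as a list."""
    return list(iter_search_ids(fetch_page, fql_filter, page_size))


def make_fake_fetcher(all_ids, log=None):
    """Constructed stand-in for the API: serve ``all_ids`` in offset/limit
    slices. If ``log`` is a list, each (offset, limit) request is appended."""
    def fetch_page(fql_filter, offset, limit):
        if log is not None:
            log.append((offset, limit))
        chunk = all_ids[offset:offset + limit]
        return {"resources": chunk, "errors": [],
                "meta": {"pagination": {"offset": offset, "limit": limit,
                                        "total": len(all_ids)}}}
    return fetch_page


if __name__ == "__main__":
    sample = [f"report-{n:04d}" for n in range(250)]  # constructed IDs
    print(len(collect_search_ids(make_fake_fetcher(sample), "verdict:'malicious'", 100)))
```

The same loop serves both search actions because their responses have the same shape; only the meaning of the IDs differs (report IDs feed Get Full Report or Get Report Summary, submission IDs feed Get Analysis Status).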
| Parameter | Description |
|---|---|
| Interactivity | Specifies whether interactivity is enabled for the analysis. By default, this option is set as False. |
| URL | Specify the web page or file URL you want to submit for analysis to the CrowdStrike Falcon X sandbox. |
| Environment ID | Select the sandbox environment to be used for the analysis of the submitted URL. You can choose from options such as 300: Linux Ubuntu 16.04, 160: Windows 10, 64-bit, etc. |
| Action Script | (Optional) Specify the runtime script to be used for the sandbox analysis. |
| Command Line | (Optional) Specify the command line script to be passed to the submitted file at runtime. |
| Document Password | (Optional) Specify the password of the URL that is submitted for analysis to CrowdStrike Falcon X sandbox. Auto-filled for Adobe or Office files that prompt for a password. |
| Enable TOR | Determines whether the sandbox analysis routes network traffic using TOR. Select this option if you want the sandbox analysis to route network traffic using TOR. |
| Submit Name | (Optional) Specify the name of the malware sample that is to be used for file type detection and analysis. |
| System Date/Time | Specify a custom date and time for the sandbox environment. |
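Submit Uploaded File and Submit URL take the same parameters except for what identifies the sample: a SHA256 hash in one case, a URL in the other. The version 1.1.0 notes on this page quote the API error "Either sha256 or url attributes needs to be submitted, not both", and the added example below (written for this page, not connector code) is a request-body builder that enforces that rule before anything is sent, validates the hash format, and omits optional fields that are unset instead of sending empty strings. The body shape `{"sandbox": [{...}]}` mirrors the `sandbox` array in the submission output schemas on this page and is an assumption about the request format; the Interactivity parameter is not modelled because its API field name is not given here.

```python
"""Build a Falcon X sandbox submission body for either a SHA256 or a URL
(added example; not the connector's own code)."""


class SubmissionError(ValueError):
    """Raised when the requested submission would be rejected by the API."""


def build_sandbox_submission(environment_id, sha256=None, url=None,
                             action_script=None, command_line=None,
                             document_password=None, enable_tor=False,
                             submit_name=None, system_date=None,
                             system_time=None):
    """Return the JSON-serialisable body for one sandbox submission.

    Exactly one of ``sha256`` or ``url`` must be given, matching the API
    error 'Either sha256 or url attributes needs to be submitted, not both'.
    Optional fields are included only when set, so the request never carries
    empty strings the sandbox might interpret as real values.
    """
    if (sha256 is None) == (url is None):
        raise SubmissionError(
            "Either sha256 or url attributes needs to be submitted, not both")
    if not isinstance(environment_id, int) or isinstance(environment_id, bool):
        raise SubmissionError("environment_id must be an integer (e.g. 160 or 300)")

    if sha256 is not None:
        sha256 = sha256.strip().lower()
        if len(sha256) != 64 or any(c not in "0123456789abcdef" for c in sha256):
            raise SubmissionError("sha256 must be 64 hexadecimal characters")
    if url is not None:
        url = url.strip()
        if not url.lower().startswith(("http://", "https://")):
            raise SubmissionError("url must be an http(s) URL")

    # Body shape assumed from the "sandbox" array in the output schemas above.
    sandbox = {"environment_id": environment_id}
    if sha256 is not None:
        sandbox["sha256"] = sha256
    else:
        sandbox["url"] = url

    optional = {
        "action_script": action_script,
        "command_line": command_line,
        "document_password": document_password,
        "submit_name": submit_name,
        "system_date": system_date,
        "system_time": system_time,
    }
    for key, value in optional.items():
        if value:
            sandbox[key] = value
    if enable_tor:
        sandbox["enable_tor"] = True
    return {"sandbox": [sandbox]}


if __name__ == "__main__":
    # Constructed placeholder hash: 64 hex characters, not a real sample.
    print(build_sandbox_submission(160, sha256="ab" * 32, submit_name="sample.bin"))
    print(build_sandbox_submission(300, url="https://example.com/file", enable_tor=True))
```

Rejecting an ambiguous call locally turns a round trip that would end in an API error into an immediate, descriptive failure in the playbook step, and the hash check catches the common mistake of passing an MD5 or SHA1 where the API wants SHA256.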
The output contains the following populated JSON schema:
```json
{
  "resources": [
    {
      "cid": "",
      "created_timestamp": "",
      "id": "",
      "origin": "",
      "sandbox": [
        {
          "action_script": "",
          "command_line": "",
          "document_password": "",
          "enable_tor": true,
          "environment_id": "",
          "sha256": "",
          "submit_name": "",
          "system_date": "",
          "system_time": "",
          "url": ""
        }
      ],
      "state": "",
      "user_id": "",
      "user_name": "",
      "user_tags": [],
      "user_uuid": ""
    }
  ],
  "errors": [
    {
      "code": "",
      "id": "",
      "message": ""
    }
  ],
  "meta": {
    "MsaMetaInfo": {
      "pagination": {
        "limit": "",
        "offset": "",
        "total": ""
      },
      "powered_by": "",
      "query_time": "",
      "trace_id": "",
      "writes": {
        "resources_affected": ""
      }
    },
    "quota": {
      "in_progress": "",
      "total": "",
      "used": ""
    }
  }
}
```
The Sample - CrowdStrike Falcon X - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon X connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon X connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
Falcon X™ automates the threat analysis process and delivers actionable intelligence and custom IOCs specifically tailored for the threats encountered on your endpoints. With this level of automation, you can stop picking and choosing which threats to analyze and start analyzing all threats.
This document provides information about the CrowdStrike Falcon X connector, which facilitates automated interactions, with a CrowdStrike Falcon X server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon X connector as a step in FortiSOAR™ playbooks and perform automated operations such as submitting a URL to the CrowdStrike Falcon X sandbox, retrieving reports from the CrowdStrike Falcon X sandbox, retrieving the status of a sandbox analysis from the CrowdStrike Falcon X sandbox, etc.
Connector Version: 1.1.0
Authored By: Fortinet
Certified: No
Following enhancements have been made to the CrowdStrike Falcon X Connector in version 1.1.0:
Invalid number of sandbox parameters submittedEither sha256 or url attributes needs to be submitted, not bothcontent-type and payload specified in the API request.payload in the api request.Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command as a root user to install the connector:
yum install cyops-connector-crowdstrike-falcon-x
For the procedure to configure a connector, click here
In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon X connector row (if you are in the Grid view on the Connectors page), and in the Configurations tab enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | Specify the URL of the CrowdStrike Falcon server to which you will connect and perform the automated operations. |
| Client ID | Specify the Client ID used to access the CrowdStrike Falcon APIs and perform automated operations. |
| Client Secret | Specify the Client Secret token used to access the CrowdStrike Falcon APIs and perform the automated operations. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Upload File | Uploads a file for analysis to the CrowdStrike Falcon X sandbox. The file is uploaded based on the attachment IRI and comments you have specified. | upload_file Investigation |
| Submit Uploaded File | Submits a SHA256 hash for analysis to the CrowdStrike Falcon X sandbox based on the file hash, environment ID, and other input parameters you have specified. | submit_uploaded_file Investigation |
| Get Full Report | Retrieves a full version of a sandbox report from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_full_report Investigation |
| Get Report Summary | Retrieves a short summary version of a sandbox report from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_report_summary Investigation |
| Get Analysis Status | Retrieves the status of a sandbox analysis from the CrowdStrike Falcon X sandbox based on the report ID you have specified. | get_analysis_status Investigation |
| Search Reports | Retrieves the sandbox reports from the CrowdStrike Falcon X sandbox based on the FQL filter and other input parameters you have specified. | search_reports Investigation |
| Search Submission ID | Retrieve the submission IDs for uploaded files from the CrowdStrike Falcon X sandbox based on the FQL filter and other input parameters you have specified. | search_submission_id Investigation |
| Submit URL | Submits a URL for analysis to the CrowdStrike Falcon X sandbox based on the URL, environment ID, and other input parameters you have specified. | submit_url Investigation |
| Parameter | Description |
|---|---|
| Attachment IRI | Specify the IRI of the attachment that you want to submit for analysis to CrowdStrike Falcon X sandbox. Attachment IRIs are used to access the file directly from the FortiSOAR "Attachments" module. |
| Comment | Specify a descriptive comment that helps other users to identify the file. |
| Is Confidential | Defines the visibility of this file in the Falcon MalQuery using the API. Clear this option for this file to be seen by other CrowdStrike customers. By default, this option is selected and the file is shown only to users within your customer account. |
The output contains the following populated JSON schema:
{
"resources": [
{
"file_name": "",
"sha256": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
| Parameter | Description |
|---|---|
| Interactivity | Specifies whether the interactivity is to be true. By default, this option is set as False. |
| FileHash | Specify the SHA256 value of the file you want to submit for analysis to CrowdStrike Falcon X sandbox. You can know the hash of the file using the response of the Upload File action. |
| Environment ID | Select the sandbox environment to be used for the analysis of the submitted file hash. You can choose from options such as 300: Linux Ubuntu 16.04, 160 Windows 10, 64-bit, etc |
| Action Script | (Optional) Specify the runtime script to be used for the sandbox analysis. |
| Command Line | (Optional) Specify the command line script to be passed to the submitted file at runtime. |
| Document Password | (Optional) Specify the password of the file that is submitted for analysis to CrowdStrike Falcon X sandbox. Auto-filled for Adobe or Office files that prompt for a password. |
| Enable TOR | Determines whether the sandbox analysis routes network traffic using TOR. Select this option, if you want sandbox analysis to route network traffic using TOR. |
| Submit Name | (Optional) Specify the name of the malware sample that is to be used for file type detection and analysis. |
| System Date/Time | Specify a custom date and time for the sandbox environment. |
The output contains the following populated JSON schema:
{
"resources": [
{
"cid": "",
"created_timestamp": "",
"id": "",
"origin": "",
"sandbox": [
{
"action_script": "",
"command_line": "",
"document_password": "",
"enable_tor": true,
"environment_id": "",
"sha256": "",
"submit_name": "",
"system_date": "",
"system_time": "",
"url": ""
}
],
"state": "",
"user_id": "",
"user_name": "",
"user_tags": [],
"user_uuid": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"MsaMetaInfo": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
},
"quota": {
"in_progress": "",
"total": "",
"used": ""
}
}
}
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report that you want to retrieve from the CrowdStrike Falcon X sandbox. You can know the report ID by using the Submit Uploaded File action. |
The output contains the following populated JSON schema:
{
"resources": [
{
"cid": "",
"created_timestamp": "",
"id": "",
"intel": [
{
"actors": [
{
"created_timestamp": "",
"description": "",
"first_activity_timestamp": "",
"id": "",
"image_artifact_id": "",
"known_as": "",
"last_activity_timestamp": "",
"name": "",
"origins": [
{
"id": "",
"name": "",
"slug": "",
"value": ""
}
],
"short_description": "",
"slug": "",
"target_countries": [
{
"id": "",
"name": "",
"slug": "",
"value": ""
}
],
"target_industries": [
{
"id": "",
"name": "",
"slug": "",
"value": ""
}
],
"thumbnail_artifact_id": ""
}
],
"malware_families": [],
"related_indicators": [
{
"created_timestamp": "",
"id": "",
"type": "",
"updated_timestamp": "",
"value": ""
}
]
}
],
"ioc_report_broad_csv_artifact_id": "",
"ioc_report_broad_json_artifact_id": "",
"ioc_report_broad_maec_artifact_id": "",
"ioc_report_broad_stix_artifact_id": "",
"ioc_report_strict_csv_artifact_id": "",
"ioc_report_strict_json_artifact_id": "",
"ioc_report_strict_maec_artifact_id": "",
"ioc_report_strict_stix_artifact_id": "",
"malquery": [
{
"errors": [
{
"code": "",
"message": ""
}
],
"input": "",
"resources": [
{
"family": "",
"file_size": "",
"file_type": "",
"first_seen_timestamp": "",
"label": "",
"md5": "",
"sha1": "",
"sha256": ""
}
],
"type": "",
"verdict": ""
}
],
"origin": "",
"sandbox": [
{
"architecture": "",
"classification": [],
"classification_tags": [],
"contacted_hosts": [
{
"address": "",
"associated_runtime": [
{
"name": "",
"pid": ""
}
],
"compromised": true,
"country": "",
"port": "",
"protocol": ""
}
],
"dns_requests": [
{
"address": "",
"compromised": true,
"country": "",
"domain": "",
"registrar_creation_timestamp": "",
"registrar_name": "",
"registrar_name_servers": "",
"registrar_organization": ""
}
],
"environment_description": "",
"environment_id": "",
"error_message": "",
"error_origin": "",
"error_type": "",
"extracted_files": [
{
"description": "",
"file_available_to_download": true,
"file_path": "",
"file_size": "",
"md5": "",
"name": "",
"runtime_process": "",
"sha1": "",
"sha256": "",
"threat_level": "",
"threat_level_readable": "",
"type_tags": []
}
],
"extracted_interesting_strings": [
{
"filename": "",
"process": "",
"source": "",
"type": "",
"value": ""
}
],
"file_imports": [
{
"functions": [],
"module": ""
}
],
"file_metadata": {
"file_analysis": [],
"file_compositions": [],
"imported_objects": []
},
"file_size": "",
"file_type": "",
"file_type_short": [],
"http_requests": [
{
"header": "",
"host": "",
"host_ip": "",
"host_port": "",
"method": "",
"response_code": "",
"response_phrase": "",
"url": ""
}
],
"incidents": [
{
"details": [],
"name": ""
}
],
"ioc_report_broad_artifact_id": "",
"ioc_report_strict_artifact_id": "",
"memory_forensics": [
{
"stream_uid": "",
"value": ""
}
],
"mitre_attacks": [
{
"attack_id": "",
"informative_identifiers": [],
"malicious_identifiers": [],
"suspicious_identifiers": [],
"tactic": "",
"technique": ""
}
],
"packer": "",
"pcap_report_artifact_id": "",
"processes": [
{
"command_line": "",
"file_accesses": [
{
"mask": "",
"path": "",
"type": ""
}
],
"handles": [
{
"id": "",
"path": "",
"type": ""
}
],
"icon_artifact_id": "",
"mutants": [],
"name": "",
"normalized_path": "",
"parent_uid": "",
"pid": "",
"process_flags": [
{
"data": "",
"name": ""
}
],
"registry": [
{
"key": "",
"operation": "",
"path": "",
"status": "",
"status_human_readable": "",
"value": ""
}
],
"script_calls": [
{
"cls_id": "",
"dispatch_id": "",
"matched_malicious_signatures": [],
"parameters": [
{
"argument_number": "",
"comment": "",
"meaning": "",
"name": "",
"value": ""
}
],
"result": "",
"status": ""
}
],
"sha256": "",
"streams": [
{
"executed": true,
"file_name": "",
"human_keywords": "",
"instructions_artifact_id": "",
"matched_signatures": [
{
"id": "",
"value": ""
}
],
"uid": ""
}
],
"uid": ""
}
],
"sample_flags": [],
"screenshots_artifact_ids": [],
"sha256": "",
"signatures": [
{
"attack_id": "",
"category": "",
"description": "",
"identifier": "",
"name": "",
"origin": "",
"relevance": "",
"threat_level": "",
"threat_level_human": "",
"type": ""
}
],
"submission_type": "",
"submit_name": "",
"submit_url": "",
"suricata_alerts": [
{
"category": "",
"description": "",
"destination_ip": "",
"destination_port": "",
"protocol": "",
"sid": ""
}
],
"target_url": "",
"threat_score": "",
"verdict": "",
"version_info": [
{
"id": "",
"value": ""
}
],
"windows_version_bitness": "",
"windows_version_edition": "",
"windows_version_name": "",
"windows_version_service_pack": "",
"windows_version_version": ""
}
],
"tags": [],
"user_id": "",
"user_name": "",
"user_tags": [],
"user_uuid": "",
"verdict": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report whose summary you want to retrieve from the CrowdStrike Falcon X sandbox. You can know the report ID by using the Submit Uploaded File action. |
The output contains the following populated JSON schema:
{
"resources": [
{
"cid": "",
"created_timestamp": "",
"id": "",
"intel": [
{
"actors": [
{
"id": "",
"name": "",
"slug": ""
}
]
}
],
"ioc_report_broad_csv_artifact_id": "",
"ioc_report_broad_json_artifact_id": "",
"ioc_report_broad_maec_artifact_id": "",
"ioc_report_broad_stix_artifact_id": "",
"ioc_report_strict_csv_artifact_id": "",
"ioc_report_strict_json_artifact_id": "",
"ioc_report_strict_maec_artifact_id": "",
"ioc_report_strict_stix_artifact_id": "",
"origin": "",
"sandbox": [
{
"classification_tags": [],
"environment_description": "",
"environment_id": "",
"error_message": "",
"error_origin": "",
"error_type": "",
"file_type": "",
"incidents": [
{
"details": [],
"name": ""
}
],
"sample_flags": [],
"sha256": "",
"submission_type": "",
"submit_name": "",
"submit_url": "",
"threat_score": "",
"verdict": ""
}
],
"tags": [],
"user_id": "",
"user_name": "",
"user_tags": [],
"verdict": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
| Parameter | Description |
|---|---|
| Report IDs | Specify the ID of the report whose analysis status you want to retrieve from the CrowdStrike Falcon X sandbox. You can obtain the report ID from the output of the Submit Uploaded File action. |
The output contains the following populated JSON schema:
{
"resources": [
{
"cid": "",
"created_timestamp": "",
"id": "",
"origin": "",
"sandbox": [
{
"action_script": "",
"command_line": "",
"document_password": "",
"enable_tor": "",
"environment_id": "",
"sha256": "",
"submit_name": "",
"system_date": "",
"system_time": "",
"url": ""
}
],
"state": "",
"user_id": "",
"user_name": "",
"user_tags": [],
"user_uuid": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
| Parameter | Description |
|---|---|
| FQL Filter | Specify the FQL query used to filter, sort, and search for reports in the CrowdStrike Falcon X sandbox. The FQL filter expression is a string in this format: `<property>: <operator><value>`. For more information, see the Falcon Query Language documentation provided by CrowdStrike. |
| Offset | (Optional) Index of the first record to retrieve; the operation returns records starting from this offset. The offset works together with the Limit parameter, which determines how many records to retrieve starting from the offset. |
| Limit | (Optional) Maximum number of report IDs that this operation should return. The maximum value that can be specified in this field is 5000. |
The output contains the following populated JSON schema:
{
"resources": [],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
| Parameter | Description |
|---|---|
| FQL Filter | Specify the FQL query used to filter, sort, and search for submission IDs in the CrowdStrike Falcon X sandbox. The FQL filter expression is a string in this format: `<property>: <operator><value>`. For more information, see the Falcon Query Language documentation provided by CrowdStrike. |
| Offset | (Optional) Index of the first record to retrieve; the operation returns records starting from this offset. The offset works together with the Limit parameter, which determines how many records to retrieve starting from the offset. |
| Limit | (Optional) Maximum number of submission IDs that this operation should return. The maximum value that can be specified in this field is 5000. |
The output contains the following populated JSON schema:
{
"resources": [],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
}
}
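Both the report-ID and the submission-ID queries above take the same three inputs (an FQL filter in the `<property>: <operator><value>` form, an offset and a limit capped at 5000) and return the same shape: a flat `resources` list of IDs plus a `meta.pagination` block with `limit`, `offset` and `total`. The Python below is an added example, not code from the FortiSOAR connector or from CrowdStrike; it renders FQL terms in that form, joins them with `+` (the FQL AND operator), and walks a query endpoint page by page until `offset` reaches `total`. The endpoint is a constructed stand-in that answers like the schema; in a playbook the same loop would wrap the Get Report IDs or Get Submission IDs action. Refusing quote characters inside string values is a conservative choice of this example, not a rule taken from the page.

```python
# Added example, not part of the FortiSOAR connector or of CrowdStrike's code:
# build an FQL filter in the <property>: <operator><value> form quoted above and
# walk a query endpoint page by page using its meta.pagination block. The
# endpoint here is a constructed stand-in for the connector's query actions.
from typing import Any, Callable, Iterator

MAX_LIMIT = 5000  # ceiling for the Limit parameter, as stated in the table above


def fql(property_name: str, operator: str, value: Any) -> str:
    """Render one FQL term. Strings are single-quoted, numbers/booleans emitted bare.

    Quote handling inside values is not attempted (assumption: reject rather than
    guess an escaping rule), so a stray quote cannot change the query's meaning.
    """
    if isinstance(value, bool):
        rendered = "true" if value else "false"
    elif isinstance(value, (int, float)):
        rendered = str(value)
    else:
        text = str(value)
        if "'" in text or '"' in text:
            raise ValueError("quotes are not allowed inside FQL string values")
        rendered = f"'{text}'"
    return f"{property_name}: {operator}{rendered}"


def fql_and(*terms: str) -> str:
    """Join terms with '+', the FQL AND operator."""
    return "+".join(terms)


QueryFn = Callable[[str, int, int], dict[str, Any]]


def iter_ids(query: QueryFn, filter_expr: str, limit: int = 1000) -> Iterator[str]:
    """Yield every ID matching filter_expr, advancing offset by the page size.

    Stops when offset reaches meta.pagination.total or a page comes back empty,
    and clamps limit to the documented maximum.
    """
    limit = max(1, min(int(limit), MAX_LIMIT))
    offset = 0
    while True:
        resp = query(filter_expr, offset, limit)
        if resp.get("errors"):
            codes = [e.get("code") for e in resp["errors"]]
            raise RuntimeError(f"query failed with errors {codes}")
        page = resp.get("resources") or []
        yield from page
        total = int(resp["meta"]["pagination"]["total"])
        offset += len(page)
        if not page or offset >= total:
            return


class FakeQueryEndpoint:
    """Constructed stand-in that answers like the query schema above."""

    def __init__(self, ids: list[str]) -> None:
        self.ids = ids
        self.calls = 0
        self.last_limit = 0

    def __call__(self, filter_expr: str, offset: int, limit: int) -> dict[str, Any]:
        self.calls += 1
        self.last_limit = limit
        page = self.ids[offset:offset + limit]
        return {
            "resources": page,
            "errors": [],
            "meta": {
                "pagination": {"limit": limit, "offset": offset, "total": len(self.ids)},
                "powered_by": "constructed", "query_time": 0.01,
                "trace_id": "trace-placeholder", "writes": {"resources_affected": 0},
            },
        }


if __name__ == "__main__":
    endpoint = FakeQueryEndpoint([f"report-{i}" for i in range(7)])
    expr = fql_and(fql("verdict", "", "malicious"), fql("threat_score", ">", 50))
    print(expr)
    print(list(iter_ids(endpoint, expr, limit=3)), "calls:", endpoint.calls)
```

The loop advances `offset` by the number of IDs actually returned rather than by `limit`, so a short final page or a server-side cap lower than the requested limit cannot cause records to be skipped.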
| Parameter | Description |
|---|---|
| Interactivity | Specifies whether interactive analysis is enabled for the submission. By default, this option is set to False. |
| URL | Specify the web page or file URL you want to submit for analysis to the CrowdStrike Falcon X sandbox. |
| Environment ID | Select the sandbox environment to be used for the analysis of the submitted URL. You can choose from options such as 300: Linux Ubuntu 16.04, 160: Windows 10, 64-bit, etc. |
| Action Script | (Optional) Specify the runtime script to be used for the sandbox analysis. |
| Command Line | (Optional) Specify the command line to be passed to the submitted file at runtime. |
| Document Password | (Optional) Specify the password of the document at the URL that is submitted for analysis to the CrowdStrike Falcon X sandbox. Auto-filled for Adobe or Office files that prompt for a password. |
| Enable TOR | Determines whether the sandbox analysis routes network traffic through TOR. Select this option if you want the sandbox analysis to route network traffic through TOR. |
| Submit Name | (Optional) Specify the name of the malware sample that is to be used for file type detection and analysis. |
| System Date/Time | Specify a custom date and time for the sandbox environment. |
The output contains the following populated JSON schema:
{
"resources": [
{
"cid": "",
"created_timestamp": "",
"id": "",
"origin": "",
"sandbox": [
{
"action_script": "",
"command_line": "",
"document_password": "",
"enable_tor": true,
"environment_id": "",
"sha256": "",
"submit_name": "",
"system_date": "",
"system_time": "",
"url": ""
}
],
"state": "",
"user_id": "",
"user_name": "",
"user_tags": [],
"user_uuid": ""
}
],
"errors": [
{
"code": "",
"id": "",
"message": ""
}
],
"meta": {
"MsaMetaInfo": {
"pagination": {
"limit": "",
"offset": "",
"total": ""
},
"powered_by": "",
"query_time": "",
"trace_id": "",
"writes": {
"resources_affected": ""
}
},
"quota": {
"in_progress": "",
"total": "",
"used": ""
}
}
}
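The table above lists the inputs of a URL submission, the status schema before it shows the `sandbox` entry and `state` that come back, and the `meta.quota` block in the submission output reports how much of the sandbox quota is in use. The Python below is an added example, not code from the FortiSOAR connector or from CrowdStrike: it assembles a request body for a URL submission, checks the remaining quota before a playbook sends it, and reads the submission state afterwards. Assumptions of the example: the body mirrors the `sandbox` object from the status schema (a URL submission carries `url` and never `sha256`, since the two are mutually exclusive); the environment allowlist holds only the two IDs the table names; and the state names `created`, `running`, `success` and `error` are assumed, not taken from this page.

```python
# Added example, not part of the FortiSOAR connector or of CrowdStrike's code:
# assemble a URL submission from the parameters in the table above, check the
# quota returned in meta.quota before sending, and interpret the "state" field
# of the status response. The body shape mirrors the "sandbox" object in the
# status schema; the state names are an assumption, not taken from this page.
from typing import Any, Optional
from urllib.parse import urlsplit

# Environment IDs named in the table above; extend from the connector's own list.
KNOWN_ENVIRONMENTS = {300: "Linux Ubuntu 16.04", 160: "Windows 10, 64-bit"}
# Assumed submission states (assumption, not from this page).
TERMINAL_STATES = {"success", "error"}
PENDING_STATES = {"created", "running"}


def build_url_submission(url: str, environment_id: int, *,
                         action_script: Optional[str] = None,
                         command_line: Optional[str] = None,
                         document_password: Optional[str] = None,
                         enable_tor: bool = False,
                         submit_name: Optional[str] = None,
                         system_date: Optional[str] = None,
                         system_time: Optional[str] = None,
                         user_tags: Optional[list[str]] = None) -> dict[str, Any]:
    """Return a request body for a URL submission.

    A sandbox entry carries either url or sha256, never both, so this builder
    never emits sha256. Optional fields are omitted rather than sent as "".
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an http(s) URL: {url!r}")
    if environment_id not in KNOWN_ENVIRONMENTS:
        raise ValueError(
            f"unknown environment_id {environment_id}; known: {sorted(KNOWN_ENVIRONMENTS)}")
    entry: dict[str, Any] = {
        "url": url, "environment_id": environment_id, "enable_tor": bool(enable_tor)}
    optional = {
        "action_script": action_script, "command_line": command_line,
        "document_password": document_password, "submit_name": submit_name,
        "system_date": system_date, "system_time": system_time,
    }
    entry.update({k: v for k, v in optional.items() if v})
    body: dict[str, Any] = {"sandbox": [entry]}
    if user_tags:
        body["user_tags"] = list(user_tags)
    return body


def quota_remaining(meta: dict[str, Any]) -> int:
    """Submissions still available according to meta.quota (total minus used)."""
    quota = meta.get("quota") or {}
    try:
        return int(quota["total"]) - int(quota["used"])
    except (KeyError, TypeError, ValueError):
        return 0  # unknown quota: report none left so a playbook fails closed


def submission_state(status_resp: dict[str, Any]) -> tuple[str, bool]:
    """Return (state, finished) for the first resource of a status response."""
    if status_resp.get("errors"):
        codes = [e.get("code") for e in status_resp["errors"]]
        raise RuntimeError(f"status lookup failed with errors {codes}")
    resources = status_resp.get("resources") or []
    if not resources:
        raise ValueError("no submission in status response")
    state = resources[0].get("state") or ""
    return state, state in TERMINAL_STATES


# Constructed sample of the submission output's meta block (values invented).
SAMPLE_SUBMIT_META = {
    "MsaMetaInfo": {"pagination": {"limit": 1, "offset": 0, "total": 1},
                    "powered_by": "constructed", "query_time": 0.02,
                    "trace_id": "trace-placeholder", "writes": {"resources_affected": 1}},
    "quota": {"in_progress": 1, "total": 100, "used": 42},
}

if __name__ == "__main__":
    body = build_url_submission("https://example.com/sample.docx", 160,
                                enable_tor=True, document_password="constructed")
    print(body)
    print("quota remaining:", quota_remaining(SAMPLE_SUBMIT_META))
    print(submission_state({"resources": [{"state": "running"}], "errors": []}))
```

Treating a missing or unparsable `quota` block as zero remaining is the fail-closed choice: a playbook that loops over many URLs should stop on an unreadable quota rather than burn the remaining budget blindly.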
The Sample - CrowdStrike Falcon X - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon X connector. These playbooks contain steps that perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon X connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.