Fortinet Document Library

Version:


Table of Contents

CrowdStrike Falcon Sandbox

2.0.0
Copy Link

About the connector

CrowdStrike Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of a powerful sandbox solution.

This document provides information about the CrowdStrike Falcon Sandbox connector, which facilitates automated interactions, with a CrowdStrike Falcon Sandbox server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Sandbox connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files or URLs to the sandbox, search for analysis summary in the sandbox or retrieving a summary of the analysis data of a submitted sample from the sandbox. 

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the CrowdStrike Falcon connector in version 2.0.0:

  • Certified the CrowdStrike Falcon connector.
  • Removed the "Submit Dropped File" operation and playbook.

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-crowd-strike-falcon-sandbox

Prerequisites to configuring the connector

  • You must have the URL of the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations and the API key configured for your account to access that CrowdStrike Falcon Sandbox server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon Sandbox connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server Address URL of the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations.
API Key API key that is configured for your account for the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
Submit File To Sandbox Submits a file that is present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. submit_file_to_sandbox
Investigation
Submit URL To Sandbox Submit a website URL for analysis to CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. submit_url_to_sandbox
Investigation
Submit URL For Hash Submits a URL to CrowdStrike Falcon Sandbox to determine the SHA256 of the online file or the submitted URL has when it is being processed by the system based on the URL you have specified.
Note: The value of the SHA256 is useful when you are performing a URL analysis lookup.
submit_url_hash_to_sandbox
Investigation
Quick Scan File Submits a file for a quick scan to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified.
Note: You can check the results of the quick scan in the overview endpoint.
quick_scan_file
Investigation
Quick Scan URL Submits a URL for a quick scan on CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified.
Note: You can check the results of the quick scan in the overview endpoint.
quick_scan_url
Investigation
Get Analysis Overview Retrieves an overview of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. get_analysis_overview
Investigation
Get Analysis Summary Retrieves a summary of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. get_analysis_summary
Investigation
Search Query Search for analysis summary in CrowdStrike Falcon Sandbox using either hash values or search terms such as file name, file type, etc. search_query
Investigation
Get Scanners Retrieves a list of available scanners from CrowdStrike Falcon Sandbox. get_scanners_list
Investigation
Download Report Downloads report files from CrowdStrike Falcon Sandbox based on download type and corresponding ID you have specified. download_report
Investigation
Get Report Summary Retrieves a summary of a report (submission) from CrowdStrike Falcon Sandbox based on the report ID you have specified. get_report_summary
Investigation
Get Submission State Retrieves the state of a submission from CrowdStrike Falcon Sandbox based on the report ID you have specified. get_submission_state
Investigation

operation: Submit File To Sandbox

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to submit the file present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI.

If you choose the 'Attachment ID' option, then you must specify the following option:
  • Attachment ID: Attachment ID of the FortiSOAR file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
If you choose the 'File IRI' option, then you must specify the following option:
  • FIle IRI: File IRI of the FortiSOAR file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
Environment Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
No Hash Lookup Select this option, i.e. set it to 'true', this operation will not perform a lookup for any hash value.
Action Script (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'.
Hybrid Analysis Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'.
Script Logging Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'.
Input Sample Tampering Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'.
Offline Analysis Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'.
Email Address (Optional) Enter the email addresses that you want to associate with the submission of the specified file. These email addresses can be used for notification purposes.
Comment (Optional) Comment text that you want to associate with the submission of the specified file.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "environment_id": "",
     "sha256": "",
     "submission_id": ""
}

operation: Submit URL To Sandbox

Input parameters

Parameter Description
URL URL or URL with a file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
Environment Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
No Hash Lookup Select this option, i.e. set it to 'true', this operation will not perform lookup for any hash value.
Action Script (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'.
Hybrid Analysis Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'.
Script Logging Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'.
Input Sample Tampering Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'.
Offline Analysis Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'.
Email Address (Optional) Enter the email addresses that you want to associate with the submission of the specified URL. These email addresses can be used for notification purposes.
Comment (Optional) Comment text that you want to associate with the submission of the specified URL.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "environment_id": "",
     "submission_type": "",
     "sha256": "",
     "submission_id": ""
}

operation: Submit URL For Hash

Input parameters

Parameter Description
URL URL or URL with a file whose SHA256 value, when it is being processed by the system, you want to retrieve from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "sha256": ""
}

operation: Quick Scan File

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to submit the file present in FortiSOAR™ for a quick scan on CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI.

If you choose the 'Attachment ID' option, then you must specify the following option:
  • Attachment ID: Attachment ID of the FortiSOAR file that you want to submit for a quick scan on CrowdStrike Falcon Sandbox.
If you choose the 'File IRI' option, then you must specify the following option:
  • FIle IRI: File IRI of the FortiSOAR file that you want to submit for a quick scan on to CrowdStrike Falcon Sandbox.
Scan Type Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox,
Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
Comment (Optional) Comment text that you want to associate with the submission of the specified file.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "reports": [],
     "finished": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "whitelist": [
         {
             "value": "",
             "id": ""
         }
     ],
     "id": "",
     "sha256": ""
}

operation: Quick Scan URL

Input parameters

Parameter Description
URL URL or URL with a file that you want to submit for a quick scan on CrowdStrike Falcon Sandbox.
Scan Type Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox,
Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
Comment (Optional) Comment text that you want to associate with the submission of the specified URL.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "reports": [],
     "finished": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "submission_type": "",
     "whitelist": "",
     "id": "",
     "sha256": ""
}

operation: Get Analysis Overview

Input parameters

Parameter Description
SHA256 SHA256 values whose analysis data overview you want to lookup and retrieve from CrowdStrike Falcon Sandbox.
Refresh Select this option to refresh the overview retrieved from CrowdStrike Falcon Sandbox and fetch fresh data from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "related_reports": [],
     "children_in_progress": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "size": "",
     "tags": [],
     "url_analysis": "",
     "other_file_name": [],
     "multiscan_result": "",
     "related_parent_hashes": [],
     "whitelisted": "",
     "type_short": [],
     "children_in_queue": "",
     "related_children_hashes": [],
     "architecture": "",
     "type": "",
     "threat_score": "",
     "last_file_name": "",
     "verdict": "",
     "analysis_start_time": "",
     "submit_context": [],
     "reports": [],
     "last_multi_scan": "",
     "sha256": ""
}

operation: Get Analysis Summary

Input parameters

Parameter Description
SHA256 SHA256 values whose analysis data summary you want to lookup and retrieve from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "verdict": "",
     "multiscan_result": "",
     "analysis_start_time": "",
     "last_multi_scan": "",
     "sha256": "",
     "threat_score": ""
}

operation: Search Query

Input parameters

Parameter Description
Search By Select the option based on which you want to perform a search in CrowdStrike Falcon Sandbox. You can choose between 'Hash Values' or 'Search Terms'.
If you choose 'Hash Values' then you must specify the following parameter:
  • Hash Values: List of hashes based on which you want to perform a search in CrowdStrike Falcon Sandbox. The following are the allowed hash types: 'MD5', 'SHA1', or 'SHA256'.
If you choose 'Search Terms' then you must specify one or more of the following parameters:
  • File Name: Name of the file that you want to search in the CrowdStrike Falcon Sandbox. database. For example, invoice.exe
  • File Type: Type of file that you want to search in the CrowdStrike Falcon Sandbox database.
  • File Type Description: Description of the filetype that you want to search in the CrowdStrike Falcon Sandbox database. For example, PE32 executable.
  • Environment ID: ID of the environment that you want to search in the CrowdStrike Falcon Sandbox. The available environment IDs are: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis’, 160: 'Windows 10 64 bit’, 110: 'Windows 7 64 bit’, or 100: ‘Windows 7 32 bit’.
  • Country: 3-digit ISO of the country that you want to search in the CrowdStrike Falcon Sandbox. For example, swe
  • Verdict: Verdict that you want to search in the CrowdStrike Falcon Sandbox. The available options are: 1 'whitelisted’, 2 'no verdict’, 3 'no specific threat’, 4 'suspicious’, or 5 ‘malicious’.
  • AV Multiscan Range: Range of AV Multiscan that you want to search in the CrowdStrike Falcon Sandbox. For example, 50-70 (min 0, max 100).
  • AV Family Substring: AV Family Substring that you want to search in the CrowdStrike Falcon Sandbox. For example, nemucod
  • Hashtag: Hashtag that you want to search in the CrowdStrike Falcon Sandbox database.
  • Start Date: Date from when you want to start searching in the CrowdStrike Falcon Sandbox database.
  • End Date: Date till when you want to start searching in the CrowdStrike Falcon Sandbox database.
  • Port: Port number that you want to search in the CrowdStrike Falcon Sandbox database. For example, 8080
  • Host: Host IP address that you want to search in the CrowdStrike Falcon Sandbox database. For example, 192.xxx.0.0
  • Domain: Name of the domain that you want to search in the CrowdStrike Falcon Sandbox database. For example, checkip.dyndns.org
  • URL: HTTP Request Substring that you want to search in the CrowdStrike Falcon Sandbox database. For example, google
  • Similar TO: Similar samples based on which you want to search in the CrowdStrike Falcon Sandbox database.
  • Context: Context of the sample based on which you want to search in the CrowdStrike Falcon Sandbox database.
  • Uses Tactic: User tactics that you want to search in the CrowdStrike Falcon Sandbox database. The available options are: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Impact, Exfiltration, or Command And Control.
  • Uses Technique: Select the technique that should be used to search in the CrowdStrike Falcon Sandbox database such as, 'Credential Dumping', 'Remote System Discovery', 'System Firmware', etc. By default, this is set to 'Data Compressed'.

Output

The output contains the following populated JSON schema:
{
     "total_network_connections": "",
     "target_url": "",
     "environment_id": "",
     "extracted_files": [],
     "file_metadata": "",
     "threat_level": "",
     "interesting": "",
     "certificates": [],
     "error_type": "",
     "total_processes": "",
     "compromised_hosts": [],
     "error_origin": "",
     "ssdeep": "",
     "total_signatures": "",
     "size": "",
     "sha512": "",
     "hosts": [],
     "submit_name": "",
     "state": "",
     "url_analysis": "",
     "domains": [],
     "environment_description": "",
     "classification_tags": [],
     "submissions": [
         {
             "filename": "",
             "created_at": "",
             "submission_id": "",
             "url": ""
         }
     ],
     "processes": [],
     "type": "",
     "verdict": "no verdict",
     "sha1": "",
     "threat_score": "",
     "sha256": "",
     "tags": [],
     "job_id": "",
     "md5": "",
     "analysis_start_time": "",
     "av_detect": "",
     "vx_family": "",
     "type_short": [],
     "mitre_attcks": [],
     "imphash": ""
}
{
     "count": "",
     "search_terms": [
         {
             "value": "",
             "id": ""
         }
     ],
     "result": [
         {
             "environment_description": "",
             "environment_id": "",
             "type": "",
             "av_detect": "",
             "threat_score": "",
             "job_id": "",
             "verdict": "",
             "analysis_start_time": "",
             "size": "",
             "vx_family": "",
             "type_short": "",
             "submit_name": "",
             "sha256": ""
         }
     ]
}

operation: Get Scanners

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "description": "",
     "available": "",
     "supported_types": []
}

operation: Download Report

Input parameters

Parameter Description
Download Type Select the download type based on which you want to download the report from CrowdStrike Falcon Sandbox. The available options are: Download Certificate Files, Download Memory Dump Files, Download Memory Strings, Download Network PCAP File, Download Report Data, Download Sample File
If you choose 'Download Sample File', then you must specify the following parameter:
  • ID: ID of the report file that you want to download from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
If you choose 'Download Network PCAP File', then you must specify the following parameters:
  • ID: ID of the report based on which you want to download network PCAP files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Memory Dump Files', then you must specify the following parameter:
  • ID: ID of the report based on which you want to download memory dump files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
If you choose 'Download Report Data', then you must specify the following parameters:
  • ID: ID of the report whose report data you want to download from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Type: Type of requested report whose report data you want to download from CrowdStrike Falcon Sandbox. The following are the available types:
    • xml - The XML report as application/xml content and *.gz compressed.
    • json - The JSON report as application/json content
    • html - The HTML report as text/html content and *.gz compressed
    • pdf - The PDF report as application/pdf content
    • maec - The MAEC (4.1) report as application/xml content
    • stix - The STIX report as application/xml content
    • misp - The MISP XML report as application/xml content
    • misp-json - The MISP JSON report as application/json content
    • openioc - The OpenIOC (1.1) report as application/xml content
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Memory Strings', then you must specify the following parameters:
  • ID: ID of the report based on which you want to download memory strings from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Certificate Files', then you must specify the following parameter:
  • ID: ID of the report based on which you want to download certificate files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains a non-dictionary value.

operation: Get Report Summary

Input parameters

Parameter Description
ID ID of the report whose summary you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains the following populated JSON schema:
{
  &nbnbsp;  "total_network_connections": "",
     "target_url": "",
     "environment_id": "",
     "extracted_files": [
         {
             "threat_level": "",
             "type_tags": [],
             "description": "",
             "name": "",
             "file_available_to_download": "",
             "av_matched": "",
             "av_label": "",
             "file_size": "",
             "sha1": "",
             "md5": "",
             "threat_level_readable": "",
             "file_path": "",
             "av_total": "",
             "sha256": "",
             "runtime_process": ""
         }
     ],
     "file_metadata": {
         "file_compositions": [],
         "imported_objects": [],
         "file_analysis": [],
         "total_file_compositions_imports": ""
     },
     "threat_level": "",
     "interesting": "",
     "certificates": [],
     "error_type": "",
     "total_processes": "",
     "compromised_hosts": [],
     "error_origin": "",
     "ssdeep": "",
     "total_signatures": "",
     "size": "",
     "sha512": "",
     "hosts": [],
     "submit_name": "",
     "state": "",
     "url_analysis": "",
     "domains": [],
     "environment_description": "",
     "classification_tags": [],
     "submissions": [
         {
             "filename": "",
             "created_at": "",
             "submission_id": "",
             "url": ""
         }
     ],
     "processes": [
         {
             "file_accesses": [],
             "uid": "",
             "mutants": [],
             "command_line": "",
             "streams": [],
             "name": "",
             "handles": [],
             "created_files": [],
             "av_label": "",
             "pid": "",
             "script_calls": [],
             "av_matched": "",
             "icon": "",
             "normalized_path": "",
             "registry": [],
             "parentuid": "",
             "av_total": "",
             "process_flags": [],
             "sha256": ""
         }
     ],
     "type": "",
     "verdict": "",
     "sha1": "",
     "threat_score": "",
     "sha256": "",
     "tags": [],
     "job_id": "",
     "md5": "",
     "analysis_start_time": "",
     "av_detect": "",
     "vx_family": "",
     "type_short": [],
     "mitre_attcks": [],
     "imphash": ""
}

operation: Get Submission State

Input parameters

Parameter Description
ID ID of the report whose submission state you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains the following populated JSON schema:
{
     "error_origin": "",
     "error_type": "",
     "state": "",
     "related_reports": [],
     "error": ""
}

Included playbooks

The Sample - CrowdStrike Falcon Sandbox - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon Sandbox connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Sandbox connector.

  • Download Report
  • Get Analysis Overview
  • Get Analysis Summary
  • Get Report Summary
  • Get Scanners
  • Get Submission State
  • Quick Scan File
  • Quick Scan URL
  • Search Query
  • Submit File And Get Report*
  • Submit File To Sandbox
  • Submit URL For Hash
  • Submit URL To Sandbox
     

*The Submit File And Get Report playbook utilized a number of CrowdStrike Falcon Sandbox actions such as Submit File to Sandbox, Get Submission State, etc and submits a file to the CrowdStrike Falcon Sandbox for analysis and retrieve its analysis report from CrowdStrike Falcon Sandbox.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

CrowdStrike Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of a powerful sandbox solution.

This document provides information about the CrowdStrike Falcon Sandbox connector, which facilitates automated interactions, with a CrowdStrike Falcon Sandbox server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Sandbox connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files or URLs to the sandbox, search for analysis summary in the sandbox or retrieving a summary of the analysis data of a submitted sample from the sandbox. 

Version information

Connector Version: 2.0.0

FortiSOAR™ Version Tested on: 6.0.0-790

Authored By: Fortinet

Certified: Yes

Release Notes for version 2.0.0

Following enhancements have been made to the CrowdStrike Falcon connector in version 2.0.0:

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-crowd-strike-falcon-sandbox

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon Sandbox connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:

Parameter Description
Server Address URL of the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations.
API Key API key that is configured for your account for the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:

Function Description Annotation and Category
Submit File To Sandbox Submits a file that is present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. submit_file_to_sandbox
Investigation
Submit URL To Sandbox Submit a website URL for analysis to CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. submit_url_to_sandbox
Investigation
Submit URL For Hash Submits a URL to CrowdStrike Falcon Sandbox to determine the SHA256 of the online file or the submitted URL has when it is being processed by the system based on the URL you have specified.
Note: The value of the SHA256 is useful when you are performing a URL analysis lookup.
submit_url_hash_to_sandbox
Investigation
Quick Scan File Submits a file for a quick scan to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified.
Note: You can check the results of the quick scan in the overview endpoint.
quick_scan_file
Investigation
Quick Scan URL Submits a URL for a quick scan on CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified.
Note: You can check the results of the quick scan in the overview endpoint.
quick_scan_url
Investigation
Get Analysis Overview Retrieves an overview of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. get_analysis_overview
Investigation
Get Analysis Summary Retrieves a summary of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. get_analysis_summary
Investigation
Search Query Search for analysis summary in CrowdStrike Falcon Sandbox using either hash values or search terms such as file name, file type, etc. search_query
Investigation
Get Scanners Retrieves a list of available scanners from CrowdStrike Falcon Sandbox. get_scanners_list
Investigation
Download Report Downloads report files from CrowdStrike Falcon Sandbox based on download type and corresponding ID you have specified. download_report
Investigation
Get Report Summary Retrieves a summary of a report (submission) from CrowdStrike Falcon Sandbox based on the report ID you have specified. get_report_summary
Investigation
Get Submission State Retrieves the state of a submission from CrowdStrike Falcon Sandbox based on the report ID you have specified. get_submission_state
Investigation

operation: Submit File To Sandbox

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to submit the file present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI.

If you choose the 'Attachment ID' option, then you must specify the following option:
  • Attachment ID: Attachment ID of the FortiSOAR file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
If you choose the 'File IRI' option, then you must specify the following option:
  • FIle IRI: File IRI of the FortiSOAR file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
Environment Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
No Hash Lookup Select this option, i.e. set it to 'true', this operation will not perform a lookup for any hash value.
Action Script (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'.
Hybrid Analysis Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'.
Script Logging Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'.
Input Sample Tampering Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'.
Offline Analysis Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'.
Email Address (Optional) Enter the email addresses that you want to associate with the submission of the specified file. These email addresses can be used for notification purposes.
Comment (Optional) Comment text that you want to associate with the submission of the specified file.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "environment_id": "",
     "sha256": "",
     "submission_id": ""
}

operation: Submit URL To Sandbox

Input parameters

Parameter Description
URL URL or URL with a file that you want to submit for analysis to CrowdStrike Falcon Sandbox.
Environment Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
No Hash Lookup Select this option, i.e. set it to 'true', this operation will not perform lookup for any hash value.
Action Script (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'.
Hybrid Analysis Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'.
Script Logging Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'.
Input Sample Tampering Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'.
Offline Analysis Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'.
Email Address (Optional) Enter the email addresses that you want to associate with the submission of the specified URL. These email addresses can be used for notification purposes.
Comment (Optional) Comment text that you want to associate with the submission of the specified URL.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "job_id": "",
     "environment_id": "",
     "submission_type": "",
     "sha256": "",
     "submission_id": ""
}

operation: Submit URL For Hash

Input parameters

Parameter Description
URL URL or URL with a file whose SHA256 value, when it is being processed by the system, you want to retrieve from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "sha256": ""
}

operation: Quick Scan File

Input parameters

Parameter Description
File IRI/Attachment ID

Select the method using which you want to submit the file present in FortiSOAR™ for a quick scan on CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI.

If you choose the 'Attachment ID' option, then you must specify the following option:
  • Attachment ID: Attachment ID of the FortiSOAR file that you want to submit for a quick scan on CrowdStrike Falcon Sandbox.
If you choose the 'File IRI' option, then you must specify the following option:
  • FIle IRI: File IRI of the FortiSOAR file that you want to submit for a quick scan on to CrowdStrike Falcon Sandbox.
Scan Type Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox,
Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
Comment (Optional) Comment text that you want to associate with the submission of the specified file.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "reports": [],
     "finished": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "whitelist": [
         {
             "value": "",
             "id": ""
         }
     ],
     "id": "",
     "sha256": ""
}

operation: Quick Scan URL

Input parameters

Parameter Description
URL URL or URL with a file that you want to submit for a quick scan on CrowdStrike Falcon Sandbox.
Scan Type Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox,
Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox.
Share With Third Party Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'.
Allow Community Access Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'.
Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’)
Comment (Optional) Comment text that you want to associate with the submission of the specified URL.
Note: Usage of '#tags' is supported.
Submission Name (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis.

Output

The output contains the following populated JSON schema:
{
     "reports": [],
     "finished": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "submission_type": "",
     "whitelist": "",
     "id": "",
     "sha256": ""
}

operation: Get Analysis Overview

Input parameters

Parameter Description
SHA256 SHA256 values whose analysis data overview you want to lookup and retrieve from CrowdStrike Falcon Sandbox.
Refresh Select this option to refresh the overview retrieved from CrowdStrike Falcon Sandbox and fetch fresh data from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "related_reports": [],
     "children_in_progress": "",
     "scanners": [
         {
             "anti_virus_results": [],
             "total": "",
             "progress": "",
             "name": "",
             "positives": "",
             "status": "",
             "percent": ""
         }
     ],
     "size": "",
     "tags": [],
     "url_analysis": "",
     "other_file_name": [],
     "multiscan_result": "",
     "related_parent_hashes": [],
     "whitelisted": "",
     "type_short": [],
     "children_in_queue": "",
     "related_children_hashes": [],
     "architecture": "",
     "type": "",
     "threat_score": "",
     "last_file_name": "",
     "verdict": "",
     "analysis_start_time": "",
     "submit_context": [],
     "reports": [],
     "last_multi_scan": "",
     "sha256": ""
}

operation: Get Analysis Summary

Input parameters

Parameter Description
SHA256 SHA256 values whose analysis data summary you want to lookup and retrieve from CrowdStrike Falcon Sandbox.

Output

The output contains the following populated JSON schema:
{
     "verdict": "",
     "multiscan_result": "",
     "analysis_start_time": "",
     "last_multi_scan": "",
     "sha256": "",
     "threat_score": ""
}

operation: Search Query

Input parameters

Parameter Description
Search By Select the option based on which you want to perform a search in CrowdStrike Falcon Sandbox. You can choose between 'Hash Values' or 'Search Terms'.
If you choose 'Hash Values' then you must specify the following parameter:
  • Hash Values: List of hashes based on which you want to perform a search in CrowdStrike Falcon Sandbox. The following are the allowed hash types: 'MD5', 'SHA1', or 'SHA256'.
If you choose 'Search Terms' then you must specify one or more of the following parameters:
  • File Name: Name of the file that you want to search in the CrowdStrike Falcon Sandbox. database. For example, invoice.exe
  • File Type: Type of file that you want to search in the CrowdStrike Falcon Sandbox database.
  • File Type Description: Description of the filetype that you want to search in the CrowdStrike Falcon Sandbox database. For example, PE32 executable.
  • Environment ID: ID of the environment that you want to search in the CrowdStrike Falcon Sandbox. The available environment IDs are: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis’, 160: 'Windows 10 64 bit’, 110: 'Windows 7 64 bit’, or 100: ‘Windows 7 32 bit’.
  • Country: 3-digit ISO of the country that you want to search in the CrowdStrike Falcon Sandbox. For example, swe
  • Verdict: Verdict that you want to search in the CrowdStrike Falcon Sandbox. The available options are: 1 'whitelisted’, 2 'no verdict’, 3 'no specific threat’, 4 'suspicious’, or 5 ‘malicious’.
  • AV Multiscan Range: Range of AV Multiscan that you want to search in the CrowdStrike Falcon Sandbox. For example, 50-70 (min 0, max 100).
  • AV Family Substring: AV Family Substring that you want to search in the CrowdStrike Falcon Sandbox. For example, nemucod
  • Hashtag: Hashtag that you want to search in the CrowdStrike Falcon Sandbox database.
  • Start Date: Date from when you want to start searching in the CrowdStrike Falcon Sandbox database.
  • End Date: Date till when you want to start searching in the CrowdStrike Falcon Sandbox database.
  • Port: Port number that you want to search in the CrowdStrike Falcon Sandbox database. For example, 8080
  • Host: Host IP address that you want to search in the CrowdStrike Falcon Sandbox database. For example, 192.xxx.0.0
  • Domain: Name of the domain that you want to search in the CrowdStrike Falcon Sandbox database. For example, checkip.dyndns.org
  • URL: HTTP Request Substring that you want to search in the CrowdStrike Falcon Sandbox database. For example, google
  • Similar TO: Similar samples based on which you want to search in the CrowdStrike Falcon Sandbox database.
  • Context: Context of the sample based on which you want to search in the CrowdStrike Falcon Sandbox database.
  • Uses Tactic: User tactics that you want to search in the CrowdStrike Falcon Sandbox database. The available options are: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Impact, Exfiltration, or Command And Control.
  • Uses Technique: Select the technique that should be used to search in the CrowdStrike Falcon Sandbox database such as, 'Credential Dumping', 'Remote System Discovery', 'System Firmware', etc. By default, this is set to 'Data Compressed'.

Output

The output contains the following populated JSON schema:
{
     "total_network_connections": "",
     "target_url": "",
     "environment_id": "",
     "extracted_files": [],
     "file_metadata": "",
     "threat_level": "",
     "interesting": "",
     "certificates": [],
     "error_type": "",
     "total_processes": "",
     "compromised_hosts": [],
     "error_origin": "",
     "ssdeep": "",
     "total_signatures": "",
     "size": "",
     "sha512": "",
     "hosts": [],
     "submit_name": "",
     "state": "",
     "url_analysis": "",
     "domains": [],
     "environment_description": "",
     "classification_tags": [],
     "submissions": [
         {
             "filename": "",
             "created_at": "",
             "submission_id": "",
             "url": ""
         }
     ],
     "processes": [],
     "type": "",
     "verdict": "no verdict",
     "sha1": "",
     "threat_score": "",
     "sha256": "",
     "tags": [],
     "job_id": "",
     "md5": "",
     "analysis_start_time": "",
     "av_detect": "",
     "vx_family": "",
     "type_short": [],
     "mitre_attcks": [],
     "imphash": ""
}
{
     "count": "",
     "search_terms": [
         {
             "value": "",
             "id": ""
         }
     ],
     "result": [
         {
             "environment_description": "",
             "environment_id": "",
             "type": "",
             "av_detect": "",
             "threat_score": "",
             "job_id": "",
             "verdict": "",
             "analysis_start_time": "",
             "size": "",
             "vx_family": "",
             "type_short": "",
             "submit_name": "",
             "sha256": ""
         }
     ]
}

operation: Get Scanners

Input parameters

None.

Output

The output contains the following populated JSON schema:
{
     "name": "",
     "description": "",
     "available": "",
     "supported_types": []
}

operation: Download Report

Input parameters

Parameter Description
Download Type Select the download type based on which you want to download the report from CrowdStrike Falcon Sandbox. The available options are: Download Certificate Files, Download Memory Dump Files, Download Memory Strings, Download Network PCAP File, Download Report Data, Download Sample File
If you choose 'Download Sample File', then you must specify the following parameter:
  • ID: ID of the report file that you want to download from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
If you choose 'Download Network PCAP File', then you must specify the following parameters:
  • ID: ID of the report based on which you want to download network PCAP files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Memory Dump Files', then you must specify the following parameter:
  • ID: ID of the report based on which you want to download memory dump files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
If you choose 'Download Report Data', then you must specify the following parameters:
  • ID: ID of the report whose report data you want to download from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Type: Type of requested report whose report data you want to download from CrowdStrike Falcon Sandbox. The following are the available types:
    • xml - The XML report as application/xml content and *.gz compressed.
    • json - The JSON report as application/json content
    • html - The HTML report as text/html content and *.gz compressed
    • pdf - The PDF report as application/pdf content
    • maec - The MAEC (4.1) report as application/xml content
    • stix - The STIX report as application/xml content
    • misp - The MISP XML report as application/xml content
    • misp-json - The MISP JSON report as application/json content
    • openioc - The OpenIOC (1.1) report as application/xml content
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Memory Strings', then you must specify the following parameters:
  • ID: ID of the report based on which you want to download memory strings from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".
  • Accept Encoding: By default, a .gz file of the network PCAP gile is downloaded from CrowdStrike Falcon Sandbox. If your client supports it, then you can download the file using .gzip encoding, which is recommended.
If you choose 'Download Certificate Files', then you must specify the following parameter:
  • ID: ID of the report based on which you want to download certificate files from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains a non-dictionary value.

operation: Get Report Summary

Input parameters

Parameter Description
ID ID of the report whose summary you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains the following populated JSON schema:
{
  &nbnbsp;  "total_network_connections": "",
     "target_url": "",
     "environment_id": "",
     "extracted_files": [
         {
             "threat_level": "",
             "type_tags": [],
             "description": "",
             "name": "",
             "file_available_to_download": "",
             "av_matched": "",
             "av_label": "",
             "file_size": "",
             "sha1": "",
             "md5": "",
             "threat_level_readable": "",
             "file_path": "",
             "av_total": "",
             "sha256": "",
             "runtime_process": ""
         }
     ],
     "file_metadata": {
         "file_compositions": [],
         "imported_objects": [],
         "file_analysis": [],
         "total_file_compositions_imports": ""
     },
     "threat_level": "",
     "interesting": "",
     "certificates": [],
     "error_type": "",
     "total_processes": "",
     "compromised_hosts": [],
     "error_origin": "",
     "ssdeep": "",
     "total_signatures": "",
     "size": "",
     "sha512": "",
     "hosts": [],
     "submit_name": "",
     "state": "",
     "url_analysis": "",
     "domains": [],
     "environment_description": "",
     "classification_tags": [],
     "submissions": [
         {
             "filename": "",
             "created_at": "",
             "submission_id": "",
             "url": ""
         }
     ],
     "processes": [
         {
             "file_accesses": [],
             "uid": "",
             "mutants": [],
             "command_line": "",
             "streams": [],
             "name": "",
             "handles": [],
             "created_files": [],
             "av_label": "",
             "pid": "",
             "script_calls": [],
             "av_matched": "",
             "icon": "",
             "normalized_path": "",
             "registry": [],
             "parentuid": "",
             "av_total": "",
             "process_flags": [],
             "sha256": ""
         }
     ],
     "type": "",
     "verdict": "",
     "sha1": "",
     "threat_score": "",
     "sha256": "",
     "tags": [],
     "job_id": "",
     "md5": "",
     "analysis_start_time": "",
     "av_detect": "",
     "vx_family": "",
     "type_short": [],
     "mitre_attcks": [],
     "imphash": ""
}

operation: Get Submission State

Input parameters

Parameter Description
ID ID of the report whose submission state you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId".

Output

The output contains the following populated JSON schema:
{
     "error_origin": "",
     "error_type": "",
     "state": "",
     "related_reports": [],
     "error": ""
}

Included playbooks

The Sample - CrowdStrike Falcon Sandbox - 1.0.0 playbook collection comes bundled with the CrowdStrike Falcon Sandbox connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Sandbox connector.

*The Submit File And Get Report playbook utilized a number of CrowdStrike Falcon Sandbox actions such as Submit File to Sandbox, Get Submission State, etc and submits a file to the CrowdStrike Falcon Sandbox for analysis and retrieve its analysis report from CrowdStrike Falcon Sandbox.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.