CrowdStrike Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of a powerful sandbox solution.
This document provides information about the CrowdStrike Falcon Sandbox connector, which facilitates automated interactions with a CrowdStrike Falcon Sandbox server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Sandbox connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files or URLs to the sandbox, searching for an analysis summary in the sandbox, or retrieving a summary of the analysis data of a submitted sample from the sandbox.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the CrowdStrike Falcon Sandbox connector in version 2.1.0:
From FortiSOAR™ version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-crowd-strike-falcon-sandbox
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon Sandbox connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Address | URL of the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations. |
API Key | API key that is configured for your account for the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. Leave it enabled: with verification disabled, the API key sent with every request can be read by anyone able to redirect the connection to their own endpoint. |
The following automated operations can be included in playbooks; from FortiSOAR™ version 4.10.0 onwards you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Submit File To Sandbox | Submits a file that is present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. | submit_file_to_sandbox Investigation |
Submit URL To Sandbox | Submit a website URL for analysis to CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. | submit_url_to_sandbox Investigation |
Submit URL For Hash | Submits a URL to CrowdStrike Falcon Sandbox to determine the SHA256 that the online file, or the submitted URL itself, has when it is processed by the system, based on the URL you have specified. Note: The SHA256 value is useful when you are performing a URL analysis lookup. | submit_url_hash_to_sandbox Investigation |
Quick Scan File | Submits a file for a quick scan to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. Note: You can check the results of the quick scan in the overview endpoint. | quick_scan_file Investigation |
Quick Scan URL | Submits a URL for a quick scan on CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. Note: You can check the results of the quick scan in the overview endpoint. | quick_scan_url Investigation |
Get Analysis Overview | Retrieves an overview of the analysis data from CrowdStrike Falcon Sandbox based on the SHA256 value you have specified. | get_analysis_overview Investigation |
Get Analysis Summary | Retrieves a summary of the analysis data from CrowdStrike Falcon Sandbox based on the SHA256 value you have specified. | get_analysis_summary Investigation |
Search Query | Search for analysis summary in CrowdStrike Falcon Sandbox using either hash values or search terms such as file name, file type, etc. | search_query Investigation |
Get Scanners | Retrieves a list of available scanners from CrowdStrike Falcon Sandbox. | get_scanners_list Investigation |
Download Report | Downloads report files from CrowdStrike Falcon Sandbox based on download type and corresponding ID you have specified. | download_report Investigation |
Get Report Summary | Retrieves a summary of a report (submission) from CrowdStrike Falcon Sandbox based on the report ID you have specified. | get_report_summary Investigation |
Get Submission State | Retrieves the state of a submission from CrowdStrike Falcon Sandbox based on the report ID you have specified. | get_submission_state Investigation |
Get Environments | Retrieves information about all available execution environments. | get_environments Investigation |
Parameter | Description |
---|---|
File IRI/Attachment ID | Select the method using which you want to submit the file present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI. If you choose the 'Attachment ID' option, then you must specify the following option: |
Environment | Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’. Note: This parameter makes an API call named "get_environments_list" to dynamically populate its dropdown selections. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When 'Share With Third Party' is set to 'true', this parameter can only be 'true'. |
No Hash Lookup | Select this option, i.e. set it to 'true', so that the operation does not perform a lookup for the hash value of the submitted file. |
Action Script | (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'. |
Hybrid Analysis | Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'. |
Script Logging | Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'. |
Input Sample Tampering | Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'. |
Offline Analysis | Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'. |
Email Address | (Optional) Enter the email addresses that you want to associate with the submission of the specified file. These email addresses can be used for notification purposes. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified file. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name for the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"job_id": "",
"environment_id": "",
"sha256": "",
"submission_id": ""
}
Parameter | Description |
---|---|
URL | URL or URL with a file that you want to submit for analysis to CrowdStrike Falcon Sandbox. |
Environment | Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’. Note: This parameter makes an API call named "get_environments_list" to dynamically populate its dropdown selections. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When 'Share With Third Party' is set to 'true', this parameter can only be 'true'. |
No Hash Lookup | Select this option, i.e. set it to 'true', so that the operation does not perform a lookup for the hash value of the submitted URL. |
Action Script | (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'. |
Hybrid Analysis | Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'. |
Script Logging | Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'. |
Input Sample Tampering | Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'. |
Offline Analysis | Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'. |
Email Address | (Optional) Enter the email addresses that you want to associate with the submission of the specified URL. These email addresses can be used for notification purposes. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified URL. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name for the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"job_id": "",
"environment_id": "",
"submission_type": "",
"sha256": "",
"submission_id": ""
}
Parameter | Description |
---|---|
URL | URL, or URL pointing to a file, whose SHA256 value (as computed when the system processes it) you want to retrieve from CrowdStrike Falcon Sandbox. |
The output contains the following populated JSON schema:
{
"sha256": ""
}
Parameter | Description |
---|---|
File IRI/Attachment ID | Select the method using which you want to submit the file present in FortiSOAR™ for a quick scan on CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI. If you choose the 'Attachment ID' option, then you must specify the following option: |
Scan Type | Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox. Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When 'Share With Third Party' is set to 'true', this parameter can only be 'true'. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified file. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name for the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"reports": [],
"finished": "",
"scanners": [
{
"anti_virus_results": [],
"total": "",
"progress": "",
"name": "",
"positives": "",
"status": "",
"percent": ""
}
],
"whitelist": [
{
"value": "",
"id": ""
}
],
"id": "",
"sha256": ""
}
Parameter | Description |
---|---|
URL | URL or URL with a file that you want to submit for a quick scan on CrowdStrike Falcon Sandbox. |
Scan Type | Type of quick scan that you want to run on the URL submitted to CrowdStrike Falcon Sandbox. Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When 'Share With Third Party' is set to 'true', this parameter can only be 'true'. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified URL. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name for the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"reports": [],
"finished": "",
"scanners": [
{
"anti_virus_results": [],
"total": "",
"progress": "",
"name": "",
"positives": "",
"status": "",
"percent": ""
}
],
"submission_type": "",
"whitelist": "",
"id": "",
"sha256": ""
}
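Both quick-scan operations return the scanners[] structure shown above, and while a scan is still running its numeric fields can arrive as strings or empty strings. The Python below is an added example, not code from the connector or from Fortinet's documentation: it reduces a quick-scan result to a decision a playbook can branch on, and escalates to a full sandbox submission only when the scan has completed and at least one scanner reported a positive. The sample response is constructed to match the output schema; the assumptions that `progress` is a 0-100 value and that a non-empty `whitelist` means the sample matched a whitelist entry are mine, not the page's.

```python
"""Interpret Quick Scan File / Quick Scan URL output (added example, constructed data)."""
from typing import Any


def _to_int(v: Any) -> int:
    """Schema values arrive as numbers, numeric strings or ""; treat blanks as 0."""
    try:
        return int(v)
    except (TypeError, ValueError):
        return 0


def summarize_quick_scan(result: dict) -> dict:
    """Reduce the scanners[] array to a playbook-friendly summary.
    The scan counts as complete only when the top-level 'finished' flag is set AND
    every scanner reports 100 percent progress (assumption: progress is 0-100)."""
    scanners = result.get("scanners") or []
    complete = bool(result.get("finished")) and all(
        _to_int(s.get("progress")) >= 100 for s in scanners
    )
    positives = sum(_to_int(s.get("positives")) for s in scanners)
    total = sum(_to_int(s.get("total")) for s in scanners)
    hits = sorted(s.get("name", "") for s in scanners if _to_int(s.get("positives")) > 0)
    # whitelist is a list of {value, id} for files and a string for URLs; both
    # are falsy when empty. Assumption: non-empty means a whitelist match.
    whitelisted = bool(result.get("whitelist"))
    return {
        "sha256": result.get("sha256", ""),
        "complete": complete,
        "positives": positives,
        "total": total,
        "detecting_scanners": hits,
        "whitelisted": whitelisted,
        "has_full_report": bool(result.get("reports")),
    }


def quick_scan_decision(summary: dict) -> str:
    """Branch for the playbook: retry later, close, or escalate to Submit File To Sandbox."""
    if not summary["complete"]:
        return "retry"  # poll Get Analysis Overview for the sha256 later
    if summary["whitelisted"]:
        return "close"
    if summary["positives"] > 0:
        return "submit_full_sandbox"
    return "close"


# Constructed sample shaped like the Quick Scan File output schema; not a real response.
SAMPLE_QUICK_SCAN = {
    "reports": [],
    "finished": True,
    "scanners": [
        {"anti_virus_results": [], "total": "1", "progress": "100", "name": "scanner_a",
         "positives": "1", "status": "malicious", "percent": "100"},
        {"anti_virus_results": [], "total": "60", "progress": "100", "name": "scanner_b",
         "positives": "0", "status": "clean", "percent": "0"},
    ],
    "whitelist": [],
    "id": "constructed-quick-scan-id",
    "sha256": "e3" * 32,
}

if __name__ == "__main__":
    s = summarize_quick_scan(SAMPLE_QUICK_SCAN)
    print(s, quick_scan_decision(s))
```

Because the scanners array is aggregated rather than read positionally, the same function works for whichever scan types Get Scanners returns in a given tenant.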
Parameter | Description |
---|---|
SHA256 | SHA256 value whose analysis data overview you want to look up and retrieve from CrowdStrike Falcon Sandbox. |
Refresh | Select this option to refresh the overview retrieved from CrowdStrike Falcon Sandbox and fetch fresh data from CrowdStrike Falcon Sandbox. |
The output contains the following populated JSON schema:
{
"related_reports": [],
"children_in_progress": "",
"scanners": [
{
"anti_virus_results": [],
"total": "",
"progress": "",
"name": "",
"positives": "",
"status": "",
"percent": ""
}
],
"size": "",
"tags": [],
"url_analysis": "",
"other_file_name": [],
"multiscan_result": "",
"related_parent_hashes": [],
"whitelisted": "",
"type_short": [],
"children_in_queue": "",
"related_children_hashes": [],
"architecture": "",
"type": "",
"threat_score": "",
"last_file_name": "",
"verdict": "",
"analysis_start_time": "",
"submit_context": [],
"reports": [],
"last_multi_scan": "",
"sha256": ""
}
Parameter | Description |
---|---|
SHA256 | SHA256 value whose analysis data summary you want to look up and retrieve from CrowdStrike Falcon Sandbox. |
The output contains the following populated JSON schema:
{
"verdict": "",
"multiscan_result": "",
"analysis_start_time": "",
"last_multi_scan": "",
"sha256": "",
"threat_score": ""
}
Parameter | Description |
---|---|
Search By | Select the option based on which you want to perform a search in CrowdStrike Falcon Sandbox. You can choose between 'Hash Values' or 'Search Terms'. If you choose 'Hash Values' then you must specify the following parameter: |
The output contains one of the following populated JSON schemas, depending on the 'Search By' option: the first for 'Hash Values', the second for 'Search Terms':
{
"total_network_connections": "",
"target_url": "",
"environment_id": "",
"extracted_files": [],
"file_metadata": "",
"threat_level": "",
"interesting": "",
"certificates": [],
"error_type": "",
"total_processes": "",
"compromised_hosts": [],
"error_origin": "",
"ssdeep": "",
"total_signatures": "",
"size": "",
"sha512": "",
"hosts": [],
"submit_name": "",
"state": "",
"url_analysis": "",
"domains": [],
"environment_description": "",
"classification_tags": [],
"submissions": [
{
"filename": "",
"created_at": "",
"submission_id": "",
"url": ""
}
],
"processes": [],
"type": "",
"verdict": "no verdict",
"sha1": "",
"threat_score": "",
"sha256": "",
"tags": [],
"job_id": "",
"md5": "",
"analysis_start_time": "",
"av_detect": "",
"vx_family": "",
"type_short": [],
"mitre_attcks": [],
"imphash": ""
}
{
"count": "",
"search_terms": [
{
"value": "",
"id": ""
}
],
"result": [
{
"environment_description": "",
"environment_id": "",
"type": "",
"av_detect": "",
"threat_score": "",
"job_id": "",
"verdict": "",
"analysis_start_time": "",
"size": "",
"vx_family": "",
"type_short": "",
"submit_name": "",
"sha256": ""
}
]
}
None.
The output contains the following populated JSON schema:
{
"name": "",
"description": "",
"available": "",
"supported_types": []
}
Parameter | Description |
---|---|
Download Type | Select the download type based on which you want to download the report from CrowdStrike Falcon Sandbox. The available options are: Download Certificate Files, Download Memory Dump Files, Download Memory Strings, Download Network PCAP File, Download Report Data, Download Sample File. If you choose 'Download Sample File', then you must specify the following parameter: |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
ID | ID of the report whose summary you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId". |
The output contains the following populated JSON schema:
{
"total_network_connections": "",
"target_url": "",
"environment_id": "",
"extracted_files": [
{
"threat_level": "",
"type_tags": [],
"description": "",
"name": "",
"file_available_to_download": "",
"av_matched": "",
"av_label": "",
"file_size": "",
"sha1": "",
"md5": "",
"threat_level_readable": "",
"file_path": "",
"av_total": "",
"sha256": "",
"runtime_process": ""
}
],
"file_metadata": {
"file_compositions": [],
"imported_objects": [],
"file_analysis": [],
"total_file_compositions_imports": ""
},
"threat_level": "",
"interesting": "",
"certificates": [],
"error_type": "",
"total_processes": "",
"compromised_hosts": [],
"error_origin": "",
"ssdeep": "",
"total_signatures": "",
"size": "",
"sha512": "",
"hosts": [],
"submit_name": "",
"state": "",
"url_analysis": "",
"domains": [],
"environment_description": "",
"classification_tags": [],
"submissions": [
{
"filename": "",
"created_at": "",
"submission_id": "",
"url": ""
}
],
"processes": [
{
"file_accesses": [],
"uid": "",
"mutants": [],
"command_line": "",
"streams": [],
"name": "",
"handles": [],
"created_files": [],
"av_label": "",
"pid": "",
"script_calls": [],
"av_matched": "",
"icon": "",
"normalized_path": "",
"registry": [],
"parentuid": "",
"av_total": "",
"process_flags": [],
"sha256": ""
}
],
"type": "",
"verdict": "",
"sha1": "",
"threat_score": "",
"sha256": "",
"tags": [],
"job_id": "",
"md5": "",
"analysis_start_time": "",
"av_detect": "",
"vx_family": "",
"type_short": [],
"mitre_attcks": [],
"imphash": ""
}
Parameter | Description |
---|---|
ID | ID of the report whose submission state you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId". |
The output contains the following populated JSON schema:
{
"error_origin": "",
"error_type": "",
"state": "",
"related_reports": [],
"error": ""
}
None.
The output contains the following populated JSON schema:
{
"id": "",
"environment_id": "",
"description": "",
"architecture": "",
"virtual_machines": [],
"total_virtual_machines": "",
"busy_virtual_machines": "",
"invalid_virtual_machines": "",
"group_icon": "",
"analysis_mode": ""
}
The Sample - CrowdStrike Falcon Sandbox - 2.1.0 playbook collection comes bundled with the CrowdStrike Falcon Sandbox connector. This collection contains playbooks with steps that you can use to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Sandbox connector.
* The Submit File And Get Report playbook uses a number of CrowdStrike Falcon Sandbox actions, such as Submit File To Sandbox and Get Submission State, to submit a file to CrowdStrike Falcon Sandbox for analysis and retrieve its analysis report.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.
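The Submit File And Get Report flow described above can be reproduced outside a playbook. The Python below is an added example, not the connector's code or Fortinet's sample playbook: it builds the "sha256:environmentId" report ID that Get Report Summary and Get Submission State accept, enforces the Share With Third Party / Allow Community Access and Offline Analysis rules from the parameter tables, polls the submission state until it is terminal or a deadline passes, and triages the summary. The connector actions are passed in as callables and replaced here by a constructed fake client so it runs offline. The state values IN_QUEUE/IN_PROGRESS/SUCCESS/ERROR, the verdict strings malicious/suspicious, the meaning of multiscan_result as a detection count, environment ID 120 and the threat-score threshold are assumptions; the page documents only the field names.

```python
"""Submit -> poll state -> summarize, mirroring the Submit File And Get Report playbook.
Added example; the HTTP layer is a constructed fake client so it runs offline."""
import time
from dataclasses import dataclass
from typing import Callable, Optional

# ASSUMPTION: the page documents the "state" field but not its values.
PENDING_STATES = {"IN_QUEUE", "IN_PROGRESS"}


def report_id(sha256: str, environment_id: int) -> str:
    """Build the 'sha256:environmentId' ID accepted by Get Report Summary and
    Get Submission State. Reject malformed hashes early instead of chasing a 404."""
    h = sha256.strip().lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("sha256 must be 64 hex characters")
    return f"{h}:{int(environment_id)}"


def normalize_submit_options(**opts) -> dict:
    """Apply the rules from the Submit File/URL parameter tables: Share With Third Party
    = true requires Allow Community Access = true; Offline Analysis overrides tor_enabled_analysis."""
    o = {"share_with_third_party": False, "allow_community_access": True,
         "no_hash_lookup": False, "offline_analysis": False, "tor_enabled_analysis": False}
    o.update(opts)
    if o["share_with_third_party"] and not o["allow_community_access"]:
        raise ValueError("allow_community_access must be true when sharing with third parties")
    if o["offline_analysis"]:
        o["tor_enabled_analysis"] = False
    return o


@dataclass
class PollResult:
    state: str
    summary: Optional[dict] = None
    error: Optional[str] = None
    polls: int = 0


def wait_for_report(get_state: Callable[[str], dict], get_summary: Callable[[str], dict],
                    rid: str, timeout_s: float = 600, interval_s: float = 5,
                    sleep=time.sleep, clock=time.monotonic) -> PollResult:
    """Poll Get Submission State until a terminal state, then call Get Report Summary.
    Errors carry error_origin/error_type/error from the state schema; a stuck
    submission ends in TIMEOUT instead of an unbounded loop."""
    deadline = clock() + timeout_s
    polls = 0
    while True:
        st = get_state(rid)
        polls += 1
        state = st.get("state") or "UNKNOWN"
        if state == "SUCCESS":
            return PollResult(state, summary=get_summary(rid), polls=polls)
        if state not in PENDING_STATES:  # ERROR or anything unexpected
            msg = f"{st.get('error_origin', '')}/{st.get('error_type', '')}: {st.get('error', '')}"
            return PollResult(state, error=msg, polls=polls)
        if clock() >= deadline:
            return PollResult("TIMEOUT", error=f"still {state} after {timeout_s}s", polls=polls)
        sleep(interval_s)


def triage(summary: dict, score_threshold: int = 50) -> str:
    """Map a Get Report Summary result to a playbook branch. Field names come from
    the schema on this page; verdict strings and the threshold are assumptions."""
    verdict = (summary.get("verdict") or "no verdict").lower()
    score = int(summary.get("threat_score") or 0)
    if verdict == "malicious" or score >= score_threshold:
        return "escalate"
    if verdict == "suspicious" or int(summary.get("multiscan_result") or 0) > 0:
        return "review"
    return "close"


def make_fake_client(states, summary):
    """Constructed stand-in for the connector actions: replays a scripted list of
    Get Submission State responses (repeating the last), then returns the summary."""
    seq = iter(states)
    last = {}

    def get_state(rid):
        nonlocal last
        last = next(seq, last)
        return last

    return get_state, (lambda rid: summary)


def demo():
    rid = report_id("a" * 64, 120)  # ASSUMPTION: 120 is the Windows 10 64 bit environment ID
    get_state, get_summary = make_fake_client(
        [{"state": "IN_QUEUE"}, {"state": "IN_PROGRESS"}, {"state": "SUCCESS", "related_reports": []}],
        {"verdict": "malicious", "threat_score": "87", "multiscan_result": "34", "sha256": "a" * 64},
    )
    res = wait_for_report(get_state, get_summary, rid, timeout_s=60, interval_s=0, sleep=lambda s: None)
    return res.state, res.polls, triage(res.summary)


if __name__ == "__main__":
    print(demo())  # ('SUCCESS', 3, 'escalate')
```

In a real playbook the two callables are the Get Submission State and Get Report Summary steps; the deadline matters because a submission that errors on the sandbox side returns an ERROR state with error_origin and error_type populated, while one stuck in the queue never becomes terminal on its own.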
CrowdStrike Falcon Sandbox is an automated malware analysis solution that empowers security teams by overlaying comprehensive threat intelligence with the results of a powerful sandbox solution.
This document provides information about the CrowdStrike Falcon Sandbox connector, which facilitates automated interactions, with a CrowdStrike Falcon Sandbox server using FortiSOAR™ playbooks. Add the CrowdStrike Falcon Sandbox connector as a step in FortiSOAR™ playbooks and perform automated operations, such as submitting files or URLs to the sandbox, search for analysis summary in the sandbox or retrieving a summary of the analysis data of a submitted sample from the sandbox.
Connector Version: 2.1.0
FortiSOAR™ Version Tested on: 6.4.1-2133
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the CrowdStrike Falcon connector in version 2.1.0:
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-crowd-strike-falcon-sandbox
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, click the CrowdStrike Falcon Sandbox connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server Address | URL of the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations. |
API Key | API key that is configured for your account for the CrowdStrike Falcon Sandbox server to which you will connect and perform the automated operations. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 and onwards:
Function | Description | Annotation and Category |
---|---|---|
Submit File To Sandbox | Submits a file that is present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. | submit_file_to_sandbox Investigation |
Submit URL To Sandbox | Submit a website URL for analysis to CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. | submit_url_to_sandbox Investigation |
Submit URL For Hash | Submits a URL to CrowdStrike Falcon Sandbox to determine the SHA256 of the online file or the submitted URL has when it is being processed by the system based on the URL you have specified. Note: The value of the SHA256 is useful when you are performing a URL analysis lookup. |
submit_url_hash_to_sandbox Investigation |
Quick Scan File | Submits a file for a quick scan to CrowdStrike Falcon Sandbox based on the IRI or the attachment ID of the file and other input parameters you have specified. Note: You can check the results of the quick scan in the overview endpoint. |
quick_scan_file Investigation |
Quick Scan URL | Submits a URL for a quick scan on CrowdStrike Falcon Sandbox based on the URL and other input parameters you have specified. Note: You can check the results of the quick scan in the overview endpoint. |
quick_scan_url Investigation |
Get Analysis Overview | Retrieves an overview of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. | get_analysis_overview Investigation |
Get Analysis Summary | Retrieves a summary of the analysis data from CrowdStrike Falcon Sandbox based on SHA246 value you have specified. | get_analysis_summary Investigation |
Search Query | Search for analysis summary in CrowdStrike Falcon Sandbox using either hash values or search terms such as file name, file type, etc. | search_query Investigation |
Get Scanners | Retrieves a list of available scanners from CrowdStrike Falcon Sandbox. | get_scanners_list Investigation |
Download Report | Downloads report files from CrowdStrike Falcon Sandbox based on download type and corresponding ID you have specified. | download_report Investigation |
Get Report Summary | Retrieves a summary of a report (submission) from CrowdStrike Falcon Sandbox based on the report ID you have specified. | get_report_summary Investigation |
Get Submission State | Retrieves the state of a submission from CrowdStrike Falcon Sandbox based on the report ID you have specified. | get_submission_state Investigation |
Get Environments | Retrieves information about all available execution environments. | get_environments Investigation |
Parameter | Description |
---|---|
File IRI/Attachment ID |
Select the method using which you want to submit the file present in FortiSOAR™ for analysis to CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI. If you choose the 'Attachment ID' option, then you must specify the following option:
|
Environment | Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’. Note: This parameter makes an API call named "get_environments_list" to dynamically populate its dropdown selections. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’) |
No Hash Lookup | Select this option, i.e. set it to 'true', this operation will not perform a lookup for any hash value. |
Action Script | (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'. |
Hybrid Analysis | Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'. |
Script Logging | Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'. |
Input Sample Tampering | Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'. |
Offline Analysis | Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'. |
Email Address | (Optional) Enter the email addresses that you want to associate with the submission of the specified file. These email addresses can be used for notification purposes. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified file. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"job_id": "",
"environment_id": "",
"sha256": "",
"submission_id": ""
}
Parameter | Description |
---|---|
URL | URL or URL with a file that you want to submit for analysis to CrowdStrike Falcon Sandbox. |
Environment | Select the Environment in which you want to run the sandbox. You can choose from the following environments: ‘Windows 7 32 bit’, 'Windows 7 64 bit’, 'Windows 10 64 bit’, 'Linux (Ubuntu 16.04, 64 bit)', or 'Android Static Analysis’. Note: This parameter makes an API call named "get_environments_list" to dynamically populate its dropdown selections. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When you set the ‘Share With Third Party’ parameter to 'true’, then it is not possible to set any other value than ‘true’) |
No Hash Lookup | Select this option, i.e. set it to 'true', this operation will not perform lookup for any hash value. |
Action Script | (Optional) Select a custom runtime action script that you want to run with this operation. You can choose from the following runtime scripts: 'Default', 'Default Max Anti Evasion', 'Default Random Files', 'Default Random Theme', or 'Default Openie'. |
Hybrid Analysis | Select this option, i.e. set it to 'true', to analyze memory and memory dumps. By default, this is set to 'true'. |
Script Logging | Select this option, i.e. set it to 'true', to enable in-depth script logging engine of the Kernelmode Monitor. By default, this is set to 'false'. |
Input Sample Tampering | Select this option, i.e. set it to 'true', to allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. By default, this is set to 'false'. |
Offline Analysis | Select this option, i.e. set it to 'true', to disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). By default, this is set to 'false'. |
Email Address | (Optional) Enter the email addresses that you want to associate with the submission of the specified URL. These email addresses can be used for notification purposes. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified URL. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name that you want to specify for the submission name. This name field is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
"job_id": "",
"environment_id": "",
"submission_type": "",
"sha256": "",
"submission_id": ""
}
Parameter | Description |
---|---|
URL | URL or URL with a file whose SHA256 value, when it is being processed by the system, you want to retrieve from CrowdStrike Falcon Sandbox. |
The output contains the following populated JSON schema:
{
"sha256": ""
}
Parameter | Description |
---|---|
File IRI/Attachment ID |
Select the method using which you want to submit the file present in FortiSOAR™ for a quick scan on CrowdStrike Falcon Sandbox. You can choose between Attachment ID and File IRI. If you choose the 'Attachment ID' option, then you must specify the following option:
|
Scan Type | Type of quick scan that you want to run on the file submitted to CrowdStrike Falcon Sandbox. Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When you set the 'Share With Third Party' parameter to 'true', this parameter cannot be set to any value other than 'true'. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified file. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name that you want to assign to the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
  "reports": [],
  "finished": "",
  "scanners": [
    {
      "anti_virus_results": [],
      "total": "",
      "progress": "",
      "name": "",
      "positives": "",
      "status": "",
      "percent": ""
    }
  ],
  "whitelist": [
    {
      "value": "",
      "id": ""
    }
  ],
  "id": "",
  "sha256": ""
}
Parameter | Description |
---|---|
URL | URL, or URL pointing to a file, that you want to submit for a quick scan on CrowdStrike Falcon Sandbox. |
Scan Type | Type of quick scan that you want to run on the URL submitted to CrowdStrike Falcon Sandbox. Note: Use the 'Get Scanners' action to retrieve a list of available scanners from CrowdStrike Falcon Sandbox. |
Share With Third Party | Select this option, i.e. set it to 'true', to share the sample with third parties. By default, this is set to 'false'. |
Allow Community Access | Select this option, i.e. set it to 'true', to make the sample available for the community. By default, this is set to 'true'. Note: When you set the 'Share With Third Party' parameter to 'true', this parameter cannot be set to any value other than 'true'. |
Comment | (Optional) Comment text that you want to associate with the submission of the specified URL. Note: Usage of '#tags' is supported. |
Submission Name | (Optional) Name that you want to assign to the submission. This name is used for file type detection and analysis. |
The output contains the following populated JSON schema:
{
  "reports": [],
  "finished": "",
  "scanners": [
    {
      "anti_virus_results": [],
      "total": "",
      "progress": "",
      "name": "",
      "positives": "",
      "status": "",
      "percent": ""
    }
  ],
  "submission_type": "",
  "whitelist": "",
  "id": "",
  "sha256": ""
}
Parameter | Description |
---|---|
SHA256 | SHA256 values whose analysis data overview you want to look up and retrieve from CrowdStrike Falcon Sandbox. |
Refresh | Select this option to fetch a fresh copy of the overview from CrowdStrike Falcon Sandbox instead of the previously retrieved data. |
The output contains the following populated JSON schema:
{
  "related_reports": [],
  "children_in_progress": "",
  "scanners": [
    {
      "anti_virus_results": [],
      "total": "",
      "progress": "",
      "name": "",
      "positives": "",
      "status": "",
      "percent": ""
    }
  ],
  "size": "",
  "tags": [],
  "url_analysis": "",
  "other_file_name": [],
  "multiscan_result": "",
  "related_parent_hashes": [],
  "whitelisted": "",
  "type_short": [],
  "children_in_queue": "",
  "related_children_hashes": [],
  "architecture": "",
  "type": "",
  "threat_score": "",
  "last_file_name": "",
  "verdict": "",
  "analysis_start_time": "",
  "submit_context": [],
  "reports": [],
  "last_multi_scan": "",
  "sha256": ""
}
Parameter | Description |
---|---|
SHA256 | SHA256 values whose analysis data summary you want to look up and retrieve from CrowdStrike Falcon Sandbox. |
The output contains the following populated JSON schema:
{
  "verdict": "",
  "multiscan_result": "",
  "analysis_start_time": "",
  "last_multi_scan": "",
  "sha256": "",
  "threat_score": ""
}
Parameter | Description |
---|---|
Search By | Select the option based on which you want to perform a search in CrowdStrike Falcon Sandbox. You can choose between 'Hash Values' or 'Search Terms'. If you choose 'Hash Values' then you must specify the following parameter: |
If you search by 'Hash Values', the output contains the following populated JSON schema:
{
  "total_network_connections": "",
  "target_url": "",
  "environment_id": "",
  "extracted_files": [],
  "file_metadata": "",
  "threat_level": "",
  "interesting": "",
  "certificates": [],
  "error_type": "",
  "total_processes": "",
  "compromised_hosts": [],
  "error_origin": "",
  "ssdeep": "",
  "total_signatures": "",
  "size": "",
  "sha512": "",
  "hosts": [],
  "submit_name": "",
  "state": "",
  "url_analysis": "",
  "domains": [],
  "environment_description": "",
  "classification_tags": [],
  "submissions": [
    {
      "filename": "",
      "created_at": "",
      "submission_id": "",
      "url": ""
    }
  ],
  "processes": [],
  "type": "",
  "verdict": "no verdict",
  "sha1": "",
  "threat_score": "",
  "sha256": "",
  "tags": [],
  "job_id": "",
  "md5": "",
  "analysis_start_time": "",
  "av_detect": "",
  "vx_family": "",
  "type_short": [],
  "mitre_attcks": [],
  "imphash": ""
}
If you search by 'Search Terms', the output contains the following populated JSON schema:
{
  "count": "",
  "search_terms": [
    {
      "value": "",
      "id": ""
    }
  ],
  "result": [
    {
      "environment_description": "",
      "environment_id": "",
      "type": "",
      "av_detect": "",
      "threat_score": "",
      "job_id": "",
      "verdict": "",
      "analysis_start_time": "",
      "size": "",
      "vx_family": "",
      "type_short": "",
      "submit_name": "",
      "sha256": ""
    }
  ]
}
None.
The output contains the following populated JSON schema:
{
  "name": "",
  "description": "",
  "available": "",
  "supported_types": []
}
Parameter | Description |
---|---|
Download Type | Select the download type based on which you want to download the report from CrowdStrike Falcon Sandbox. The available options are: Download Certificate Files, Download Memory Dump Files, Download Memory Strings, Download Network PCAP File, Download Report Data, and Download Sample File. If you choose 'Download Sample File', then you must specify the following parameter: |
The output contains a non-dictionary value.
Parameter | Description |
---|---|
ID | ID of the report whose summary you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId". |
The output contains the following populated JSON schema:
{
  "total_network_connections": "",
  "target_url": "",
  "environment_id": "",
  "extracted_files": [
    {
      "threat_level": "",
      "type_tags": [],
      "description": "",
      "name": "",
      "file_available_to_download": "",
      "av_matched": "",
      "av_label": "",
      "file_size": "",
      "sha1": "",
      "md5": "",
      "threat_level_readable": "",
      "file_path": "",
      "av_total": "",
      "sha256": "",
      "runtime_process": ""
    }
  ],
  "file_metadata": {
    "file_compositions": [],
    "imported_objects": [],
    "file_analysis": [],
    "total_file_compositions_imports": ""
  },
  "threat_level": "",
  "interesting": "",
  "certificates": [],
  "error_type": "",
  "total_processes": "",
  "compromised_hosts": [],
  "error_origin": "",
  "ssdeep": "",
  "total_signatures": "",
  "size": "",
  "sha512": "",
  "hosts": [],
  "submit_name": "",
  "state": "",
  "url_analysis": "",
  "domains": [],
  "environment_description": "",
  "classification_tags": [],
  "submissions": [
    {
      "filename": "",
      "created_at": "",
      "submission_id": "",
      "url": ""
    }
  ],
  "processes": [
    {
      "file_accesses": [],
      "uid": "",
      "mutants": [],
      "command_line": "",
      "streams": [],
      "name": "",
      "handles": [],
      "created_files": [],
      "av_label": "",
      "pid": "",
      "script_calls": [],
      "av_matched": "",
      "icon": "",
      "normalized_path": "",
      "registry": [],
      "parentuid": "",
      "av_total": "",
      "process_flags": [],
      "sha256": ""
    }
  ],
  "type": "",
  "verdict": "",
  "sha1": "",
  "threat_score": "",
  "sha256": "",
  "tags": [],
  "job_id": "",
  "md5": "",
  "analysis_start_time": "",
  "av_detect": "",
  "vx_family": "",
  "type_short": [],
  "mitre_attcks": [],
  "imphash": ""
}
Parameter | Description |
---|---|
ID | ID of the report whose submission state you want to retrieve from CrowdStrike Falcon Sandbox. The ID you specify must be in one of the following formats: "jobId" or "sha256:environmentId". |
The output contains the following populated JSON schema:
{
  "error_origin": "",
  "error_type": "",
  "state": "",
  "related_reports": [],
  "error": ""
}
None.
The output contains the following populated JSON schema:
{
  "id": "",
  "environment_id": "",
  "description": "",
  "architecture": "",
  "virtual_machines": [],
  "total_virtual_machines": "",
  "busy_virtual_machines": "",
  "invalid_virtual_machines": "",
  "group_icon": "",
  "analysis_mode": ""
}
The Sample - CrowdStrike Falcon Sandbox - 2.1.0 playbook collection comes bundled with the CrowdStrike Falcon Sandbox connector. This playbook collection contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the CrowdStrike Falcon Sandbox connector.
* The Submit File And Get Report playbook uses a number of CrowdStrike Falcon Sandbox actions, such as Submit File to Sandbox and Get Submission State, to submit a file to CrowdStrike Falcon Sandbox for analysis and retrieve its analysis report from CrowdStrike Falcon Sandbox.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.
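The Submit File And Get Report workflow described above chains several of the actions documented on this page: it needs a report ID in one of the two documented formats ("jobId" or "sha256:environmentId"), it polls Get Submission State until the report is finished, and it reads Get Report Summary fields such as verdict, threat_score, av_detect and vx_family. The Python helpers below are an added example of how a playbook step or custom script might consume that connector output; they are not part of the connector or of this document, and they never contact the sandbox themselves. The state values IN_QUEUE, IN_PROGRESS, SUCCESS and ERROR, the verdict strings other than "no verdict" (which appears in the schema above), the score thresholds, the assumption that environment IDs are decimal integers, and the fake state client and summary used by run_demo are all constructed for the example.

```python
"""Added example (not part of the connector): consuming CrowdStrike Falcon
Sandbox connector output in a playbook-style workflow."""
import re
from typing import Any, Callable, Dict, Iterable, Optional, Tuple

# The connector documents two report ID formats: "jobId" or "sha256:environmentId".
# Assumption for this example: environment IDs are decimal integers.
_SHA256_ENV_RE = re.compile(r"^(?P<sha256>[0-9a-fA-F]{64}):(?P<env>\d+)$")
_SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_report_id(report_id: str) -> Dict[str, str]:
    """Validate a report ID and split it into its documented components.

    Returns {"job_id": ...} or {"sha256": ..., "environment_id": ...}.
    A bare SHA256 (no environment), an empty string or any other value
    containing ':' raises ValueError, so a playbook fails before calling
    the sandbox with an ID the API cannot resolve.
    """
    value = (report_id or "").strip()
    if not value:
        raise ValueError("report ID must not be empty")
    match = _SHA256_ENV_RE.match(value)
    if match:
        return {"sha256": match.group("sha256").lower(),
                "environment_id": match.group("env")}
    if ":" in value or _SHA256_RE.match(value):
        raise ValueError(f"not a jobId or sha256:environmentId: {value!r}")
    return {"job_id": value}


def is_valid_report_id(report_id: str) -> bool:
    """Boolean wrapper around parse_report_id for use in playbook conditions."""
    try:
        parse_report_id(report_id)
    except ValueError:
        return False
    return True


# Assumed values of the "state" field in Get Submission State output
# (this page does not list them); anything else is treated as still running.
TERMINAL_STATES = frozenset({"SUCCESS", "ERROR"})

StateClient = Callable[[str], Dict[str, Any]]


def wait_for_submission(get_state: StateClient, report_id: str,
                        max_polls: int = 10) -> Dict[str, Any]:
    """Call the Get Submission State action until the report reaches a terminal state.

    get_state stands in for the connector action and must return a dict shaped
    like the Get Submission State schema (state, error_type, error_origin, ...).
    Polling is bounded so a stuck submission cannot hang the playbook forever.
    """
    parse_report_id(report_id)  # reject malformed IDs before the first call
    last: Dict[str, Any] = {}
    for _ in range(max_polls):
        last = get_state(report_id)
        if last.get("state") in TERMINAL_STATES:
            return last
    raise TimeoutError(
        f"submission {report_id} still in state {last.get('state')!r} after {max_polls} polls")


# Thresholds are this example's own choice; tune them to your environment.
HIGH_SCORE = 70
MEDIUM_SCORE = 40


def _as_int(value: Any) -> Optional[int]:
    """Schema fields arrive as strings and may be empty; treat those as unknown."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def triage(summary: Dict[str, Any]) -> Tuple[str, str]:
    """Map Get Report Summary fields to a decision: block, review, allow or unknown.

    Verdict strings other than "no verdict" are assumed for this example. An
    empty or missing verdict never counts as clean: the sample is routed to
    "unknown" rather than silently allowed.
    """
    verdict = str(summary.get("verdict") or "no verdict").strip().lower()
    score = _as_int(summary.get("threat_score"))
    av_detect = _as_int(summary.get("av_detect"))
    family = summary.get("vx_family") or "unknown family"
    detail = f"verdict={verdict} threat_score={score} av_detect={av_detect} family={family}"
    if verdict == "malicious" or (score is not None and score >= HIGH_SCORE):
        return "block", detail
    if (verdict == "suspicious" or (score is not None and score >= MEDIUM_SCORE)
            or (av_detect is not None and av_detect > 0)):
        return "review", detail
    if verdict in ("no specific threat", "whitelisted"):
        return "allow", detail
    return "unknown", detail


def _fake_state_client(states: Iterable[str]) -> StateClient:
    """Constructed stand-in for the connector action: returns one state per call."""
    it = iter(states)

    def get_state(report_id: str) -> Dict[str, Any]:
        return {"state": next(it), "error_origin": "", "error_type": "",
                "error": "", "related_reports": []}
    return get_state


def run_demo() -> Tuple[str, str]:
    """End-to-end run on constructed responses: poll, then triage the summary."""
    report_id = "a" * 64 + ":100"  # constructed sha256:environmentId
    final = wait_for_submission(
        _fake_state_client(["IN_QUEUE", "IN_PROGRESS", "SUCCESS"]), report_id)
    if final["state"] != "SUCCESS":
        return final["state"], "error"
    summary = {  # constructed Get Report Summary fields
        "verdict": "malicious", "threat_score": "100", "av_detect": "67",
        "vx_family": "Trojan.Generic", "sha256": "a" * 64, "job_id": "",
    }
    return final["state"], triage(summary)[0]


if __name__ == "__main__":
    print(run_demo())  # ('SUCCESS', 'block')
```

In a real playbook the connector actions replace `_fake_state_client` and the constructed summary; the point of the helpers is that the ID is validated before any call is made, polling is bounded, and empty or missing schema fields (which the connector returns as empty strings) degrade to "unknown" rather than to an allow decision.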