Falcon Sandbox
Integration version: 15.0
Configure Falcon Sandbox to work with Google Security Operations SOAR
Credentials
Your API Key can be found by navigating to the API Key tab on your profile page and is generated by clicking on the Create API key button.
Network
Function | Default Port | Direction | Protocol |
---|---|---|---|
API | Multivalues | Outbound | apikey |
Configure Falcon Sandbox integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
API Root | String | https://www.hybrid-analysis.com/docs/api/v2 | Yes | Address of the CrowdStrike Falcon Sandbox instance. |
API Key | String | N/A | Yes | An API key generated in CrowdStrike Falcon Sandbox instance. |
Threshold | Integer | 50.0 | Yes | N/A |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Analyze File
Submit a file for analysis and fetch the report.
Parameters
Parameters | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File Path | String | N/A | Yes | The full path of the file to analyze. |
Environment | String | N/A | Yes | Environment ID. Available environment IDs: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit' |
Include Report | Checkbox | Unchecked | No | If enabled, action will fetch report related to the attachment. Note: this feature requires a premium key. |
Use cases
N/A
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
max_threat_score | N/A | N/A |
JSON Result
[
{
"target_url": null,
"threat_score": null,
"environment_id": 100,
"total_processes": 0,
"threat_level": null,
"size": 31261,
"job_id": "5c4435ef7ca3e109e640b709",
"vx_family": null,
"interesting": false,
"error_origin": null,
"state": "IN_QUEUE",
"mitre_attcks": [],
"certificates": [],
"hosts": [],
"sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
"type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
"compromised_hosts": [],
"extracted_files": [],
"analysis_start_time": "2019-01-20T02:50:01-06:00",
"tags": [],
"imphash": null,
"total_network_connections": 0,
"av_detect": null,
"total_signatures": 0,
"submit_name": "Proofpoint_R_Logo (1).png",
"ssdeep": null,
"classification_tags": [],
"md5": "48703c5d4ea8dc2099c37ea871b640ef",
"processes": [],
"sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
"url_analysis": false,
"sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
"file_metadata": null,
"environment_description": "Windows 7 32 bit",
"verdict": null,
"domains": [],
"error_type": null,
"type_short": ["img"]
}
]
Analyze File Url
Submit a file by URL for analysis and fetch report.
Parameters
Parameters | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File Url | String | N/A | Yes | The URL to the file to analyze. Example: http://example.com/example/Example-Document.zip |
Environment | String | N/A | Yes | Environment ID. Available environment IDs: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit' |
Use cases
N/A
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
max_threat_score | N/A | N/A |
JSON Result
[
{
"target_url": null,
"threat_score": null,
"environment_id": 100,
"total_processes": 0,
"threat_level": null,
"size": 31261,
"job_id": "5c4435ef7ca3e109e640b709",
"vx_family": null,
"interesting": false,
"error_origin": null,
"state": "IN_QUEUE",
"mitre_attcks": [],
"certificates": [],
"hosts": [],
"sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
"type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
"compromised_hosts": [],
"extracted_files": [],
"analysis_start_time": "2019-01-20T02:50:01-06:00",
"tags": [],
"imphash": null,
"total_network_connections": 0,
"av_detect": null,
"total_signatures": 0,
"submit_name": "Proofpoint_R_Logo (1).png",
"ssdeep": null,
"classification_tags": [],
"md5": "48703c5d4ea8dc2099c37ea871b640ef",
"processes": [],
"sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
"url_analysis": false,
"sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
"file_metadata": null,
"environment_description": "Windows 7 32 bit",
"verdict": null,
"domains": [],
"error_type": null,
"type_short": ["img"]
}
]
Get Hash Scan Report
Fetch Hybrid Analysis reports and enrich the file hash entities.
Parameters
N/A
Use cases
N/A
Run On
This action runs on the Filehash entity.
Action Results
Entity Enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
environment_id | Returns if it exists in JSON result |
total_processes | Returns if it exists in JSON result |
threat_level | Returns if it exists in JSON result |
size | Returns if it exists in JSON result |
job_id | Returns if it exists in JSON result |
target_url | Returns if it exists in JSON result |
interesting | Returns if it exists in JSON result |
error_type | Returns if it exists in JSON result |
state | Returns if it exists in JSON result |
environment_description | Returns if it exists in JSON result |
mitre_attacks | Returns if it exists in JSON result |
certificates | Returns if it exists in JSON result |
hosts | Returns if it exists in JSON result |
sha256 | Returns if it exists in JSON result |
sha512 | Returns if it exists in JSON result |
compromised_hosts | Returns if it exists in JSON result |
extracted_files | Returns if it exists in JSON result |
analysis_start_time | Returns if it exists in JSON result |
tags | Returns if it exists in JSON result |
imphash | Returns if it exists in JSON result |
total_network_connections | Returns if it exists in JSON result |
av_detect | Returns if it exists in JSON result |
total_signatures | Returns if it exists in JSON result |
submit_name | Returns if it exists in JSON result |
ssdeep | Returns if it exists in JSON result |
md5 | Returns if it exists in JSON result |
error_origin | Returns if it exists in JSON result |
processes | Returns if it exists in JSON result |
sha1 | Returns if it exists in JSON result |
url_analysis | Returns if it exists in JSON result |
type | Returns if it exists in JSON result |
file_metadata | Returns if it exists in JSON result |
vx_family | Returns if it exists in JSON result |
threat_score | Returns if it exists in JSON result |
verdict | Returns if it exists in JSON result |
domains | Returns if it exists in JSON result |
type_short | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
max_threat_score | N/A | N/A |
JSON Result
[
{
"EntityResult":
[{
"classification_tags": [],
"environment_id": 100,
"total_processes": 0,
"threat_level": null,
"size": 31261,
"job_id": "5c4435ef7ca3e109e640b709",
"target_url": null,
"interesting": false,
"error_type": null,
"state": "IN_QUEUE",
"environment_description": "Windows 7 32 bit",
"mitre_attcks": [],
"certificates": [],
"hosts": [],
"sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
"sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
"compromised_hosts": [],
"extracted_files": [],
"analysis_start_time": "2019-01-20T02:50:01-06:00",
"tags": [],
"imphash": null,
"total_network_connections": 0,
"av_detect": null,
"total_signatures": 0,
"submit_name": "Proofpoint_R_Logo (1).png",
"ssdeep": null,
"md5": "48703c5d4ea8dc2099c37ea871b640ef",
"error_origin": null,
"processes": [],
"sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
"url_analysis": false,
"type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
"file_metadata": null,
"vx_family": null,
"threat_score": null,
"verdict": null,
"domains": [],
"type_short": ["img"]
}],
"Entity": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac"
}
]
Ping
Test connectivity to CrowdStrike Falcon Sandbox.
Parameters
N/A
Use cases
N/A
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
JSON Result
N/A
Search
Search the Falcon databases for existing scan reports and information about files and file URLs.
Parameters
Parameter | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File Name | String | N/A | No | Example: example.exe. |
File Type | String | N/A | No | Example: docx. |
File Type Description | String | N/A | No | Example: PE32 executable. |
Verdict | String | N/A | No | Example: 1 (1=whitelisted, 2=no verdict, 3=no specific threat, 4=suspicious, 5=malicious). |
AV Multiscan Range | String | N/A | No | Example: 50-70 (min 0, max 100). |
AV Family Substring | String | N/A | No | Example: Agent.AD, nemucod. |
Hashtag | String | N/A | No | Example: ransomware |
Port | String | N/A | No | Example: 8080 |
Host | String | N/A | No | Example: 192.0.2.1 |
Domain | String | N/A | No | Example: checkip.dyndns.org |
HTTP Request Substring | String | N/A | No | Example: google |
Similar Samples | String | N/A | No | Example: <sha256> |
Sample Context | String | N/A | No | Example: <sha256> |
Use cases
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
results | N/A | N/A |
Submit File
Submit files for analysis.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
File Path | String | N/A | Yes | The full path of the file to analyze. For multiple, use comma-separated values. |
Environment | Drop-down | Linux | Yes | Available environments (ID: name): 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'. The default should be: Linux (Ubuntu 16.04, 64 bit) |
Use cases
N/A
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
Enrichment Field Name | Logic-When to apply |
---|---|
sha256 | Returns if it exists in JSON result |
job_id | Returns if it exists in JSON result |
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
"job_id": "5f21459cb80c2d0a182b7967"
},
"Entity": "/temp/test.txt"
}
]
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | | General |
Wait For Job and Fetch Report
Wait for a scan job to complete and fetch the scan report.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Job ID | String | N/A | Yes | Job IDs. For multiple, use comma-separated values (values should be passed as a placeholder from the previously executed Submit File action). Additionally, the job ID can be provided manually. |
Use cases
N/A
Run On
The action doesn't run on entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"5f21459cb80c2d0a182b7967": {
"environment_id": 300,
"threat_score": 0,
"target_url": null,
"total_processes": 0,
"threat_level": 3,
"size": 26505,
"submissions": [{
"url": null,
"submission_id": "5f267a34e3e6784e4f180936",
"created_at": "2020-08-02T08:32:52+00:00",
"filename": "Test.py"
}, {
"url": null,
"submission_id": "5f2146381a5f6253f266fed9",
"created_at": "2020-07-29T09:49:44+00:00",
"filename": "Test.py"
}, {
"url": null,
"submission_id": "5f21461360cae26e4719a6c9",
"created_at": "2020-07-29T09:49:07+00:00",
"filename": "Test.py"
}, {
"url": null,
"submission_id": "5f21459cb80c2d0a182b7968",
"created_at": "2020-07-29T09:47:08+00:00",
"filename": "Test.py"
}],
"job_id": "5f21459cb80c2d0a182b7967",
"vx_family": null,
"interesting": false,
"error_type": null,
"state": "SUCCESS",
"mitre_attcks": [],
"certificates": [],
"hosts": [],
"sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
"sha512": "62c6d5c16d647e1361a761553fb1adfa92df3741e53a234fab28d08d3d003bdb4b2a7d7c5a050dc2cdba7b1d915f42d3c56f9694053fa75adae82c1b20e03b02",
"compromised_hosts": [],
"extracted_files": [],
"analysis_start_time": "2020-07-29T09:47:17+00:00",
"tags": [],
"imphash": "Unknown",
"total_network_connections": 0,
"av_detect": null,
"classification_tags": [],
"submit_name": "Test.py",
"ssdeep": "384:lRGs3v2+nSZUpav/+GUYERs0vZfyh/fyChIRpyCCLqa09NdyDRax9XSmxTAf:lR3fKZUoGGX0xfm/Duyoa09x9+",
"md5": "bfec680af21539eb0a9f349038c68220",
"error_origin": null,
"total_signatures": 0,
"processes": [],
"sha1": "0a4e78bb8df401197e925b2643ceabf5b670df17",
"url_analysis": false,
"type": "Python script, ASCII text executable, with CRLF line terminators",
"file_metadata": null,
"environment_description": "Linux (Ubuntu 16.04, 64 bit)",
"verdict": "no verdict",
"domains": [],
"type_short": ["script", "python"]
}
}
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | | General |
Attachments | | |
Scan URL
Scan URL or domain for analysis.
Parameters
Parameter Display Name | Type | Is Mandatory | Description |
---|---|---|---|
Threshold | Integer | Yes | Mark the entity as suspicious if the number of AV detections is equal to or above the given threshold. |
Environment Name | DDL | Yes | Windows 7 32 bit, Windows 7 32 bit (HWP Support) |
Use cases
An analyst can submit a URL or domain for sandbox analysis.
Run On
This action runs on the following entities:
- URL
- Hostname
Action Results
Entity Enrichment
If scan_info_res.get('av_detect') is greater than the Threshold parameter value, the entity is marked as suspicious.
Insights
Add an insight with the following message: CrowdStrike Falcon Sandbox - Entity was marked as malicious by av detection score {av_detect}. Threshold set to - {threshold}.
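The report fields above are the ones an analyst's own post-processing usually has to reason about: the av_detect threshold check for Scan URL, the max_threat_score value that Analyze File and Get Hash Scan Report return, and the IN_QUEUE versus SUCCESS state that Wait For Job and Fetch Report polls on. The following is an added example written for this page; it is not code from Google Security Operations SOAR or from the Falcon Sandbox integration. It works on report dictionaries shaped like the JSON results shown on this page (the sample data is constructed, not a real submission) and shows the one edge case that matters most in practice: av_detect and threat_score are null for queued or non-executable submissions, and null must not be compared against a numeric threshold or silently treated as zero. The function names, the SUSPICIOUS_STATES set and the decision to leave unknown entities unmarked are this example's own assumptions.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample reports (assumption: same field names as the JSON
# results documented on this page; job IDs and scores are made up).
SAMPLE_REPORTS: List[Dict[str, Any]] = json.loads("""
[
  {"job_id": "job-queued", "state": "IN_QUEUE", "threat_score": null,
   "av_detect": null, "verdict": null, "environment_id": 100},
  {"job_id": "job-done", "state": "SUCCESS", "threat_score": 13,
   "av_detect": 0, "verdict": "no specific threat", "environment_id": 100}
]
""")

# Only SUCCESS is documented on this page as a finished job; anything else is
# treated as still pending (assumption).
COMPLETED_STATES = {"SUCCESS"}

# Message format taken from the Insights section of the Scan URL action.
INSIGHT_TEMPLATE = (
    "CrowdStrike Falcon Sandbox - Entity was marked as malicious by "
    "av detection score {av_detect}. Threshold set to - {threshold}."
)


def pending_job_ids(reports: Iterable[Dict[str, Any]]) -> List[str]:
    """Job IDs whose report state is not yet a completed state.

    This is the check a poller such as Wait For Job and Fetch Report
    repeats until the list is empty.
    """
    return [r["job_id"] for r in reports if r.get("state") not in COMPLETED_STATES]


def max_threat_score(reports: Iterable[Dict[str, Any]]) -> Optional[int]:
    """Highest non-null threat_score across reports, or None if none is set.

    A null threat_score (queued job, or a file type the sandbox does not
    score) is skipped rather than counted as 0, so an all-null batch yields
    None and callers can tell "not scored" from "scored 0".
    """
    scores = [r["threat_score"] for r in reports if r.get("threat_score") is not None]
    return max(scores) if scores else None


def is_suspicious(report: Dict[str, Any], threshold: float) -> bool:
    """Apply the Scan URL enrichment rule: av_detect > threshold.

    A null av_detect means the AV multiscan did not run, so the entity is
    left unmarked instead of being compared as if it were 0 (assumption:
    unknown is not the same as clean).
    """
    av_detect = report.get("av_detect")
    if av_detect is None:
        return False
    return av_detect > threshold


def insight_message(report: Dict[str, Any], threshold: float) -> str:
    """Render the insight text documented for the Scan URL action."""
    return INSIGHT_TEMPLATE.format(av_detect=report.get("av_detect"), threshold=threshold)


def enrich(report: Dict[str, Any], threshold: float) -> Dict[str, Any]:
    """Summarise one report the way an enrichment step would hand it on."""
    suspicious = is_suspicious(report, threshold)
    return {
        "job_id": report.get("job_id"),
        "completed": report.get("state") in COMPLETED_STATES,
        "av_detect": report.get("av_detect"),
        "threat_score": report.get("threat_score"),
        "verdict": report.get("verdict"),
        "suspicious": suspicious,
        "insight": insight_message(report, threshold) if suspicious else None,
    }


if __name__ == "__main__":
    # Threshold default on this page is 50.0.
    for rep in SAMPLE_REPORTS:
        print(json.dumps(enrich(rep, 50.0)))
    print("pending:", pending_job_ids(SAMPLE_REPORTS))
    print("max_threat_score:", max_threat_score(SAMPLE_REPORTS))
```

Running the script on the constructed sample reports the queued job as pending and unscored, the finished job as completed with threat_score 13 and not suspicious at the default threshold of 50.0, and a batch maximum of 13. Note that the Threshold parameter description says "equal to or above" while the enrichment logic says strictly greater; the example implements the enrichment logic as documented, and a playbook that relies on the boundary value should verify which the action actually applies.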
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"environment_id": 100,
"threat_score": 13,
"target_url": null,
"total_processes": 3,
"threat_level": 0,
"size": null,
"submissions": [{
"url": "http://example.com/",
"submission_id": "5f4925f00da24603010641be",
"created_at": "2020-08-28T15:42:40+00:00",
"filename": null
}, {
"url": "http://example.com/",
"submission_id": "5f48c011f86f36448901d054",
"created_at": "2020-08-28T08:28:01+00:00",
"filename": null
}],
"job_id": "5f1332c48161bb7d5b6c9663",
"vx_family": "Unrated site",
"interesting": false,
"error_type": null,
"state": "SUCCESS",
"mitre_attcks": [],
"certificates": [],
"hosts": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"],
"sha256": "6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a",
"sha512": "c2e12fee8e08b387f91529aaada5c78e86649fbb2fe64d067b630e0c5870284bf0ca22654211513d774357d37d4c9729ea7ddc44bf44144252959004363d7da9",
"compromised_hosts": [],
"extracted_files": [{
"av_label": null,
"sha1": "0da5de8165c50f6ace4660a6b38031f212917b17",
"threat_level": 0,
"name": "rs_ACT90oEMCn26rBYSdHdZAoXYig7gRwLYBA_1_.js",
"threat_level_readable": "no specific threat",
"type_tags": ["script", "javascript"],
"description": "ASCII text, with very long lines",
"file_available_to_download": false,
"av_matched": null,
"runtime_process": null,
"av_total": null,
"file_size": 566005,
"sha256": "d41f46920a017c79fe4e6f4fb0a621af77169168c8645aa4b5094a1e67e127a0",
"file_path": null,
"md5": "c8c8076fd2390d47c8bf4a40f4885eeb"
}],
"analysis_start_time": "2020-07-18T17:35:09+00:00",
"tags": ["tag", "the"],
"imphash": "Unknown",
"total_network_connections": 8,
"av_detect": 0,
"classification_tags": [],
"submit_name": "http://example.com/",
"ssdeep": "Unknown",
"md5": "e6f672151804707d11eb4b840c3ec635",
"error_origin": null,
"total_signatures": 14,
"processes": [{
"process_flags": [],
"av_label": null,
"mutants": [],
"uid": "00083159-00001692",
"icon": null,
"script_calls": [],
"pid": null,
"handles": [],
"command_line": "\\\"%WINDIR%\\\\System32\\\\ieframe.dll\\\",OpenURL C:\\\\6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a.url",
"file_accesses": [],
"parentuid": null,
"normalized_path": "%WINDIR%System32rundll32.exe",
"av_matched": null,
"streams": [],
"registry": [],
"av_total": null,
"sha256": "3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670",
"created_files": [],
"name": "example.exe"
}, {
"process_flags": [],
"av_label": null,
"mutants": [],
"uid": "00083319-00003012",
"icon": null,
"script_calls": [],
"pid": null,
"handles": [],
"command_line": "http://example.com/",
"file_accesses": [],
"parentuid": "00083159-00001692",
"normalized_path": "%PROGRAMFILES%Internet Exploreriexplore.exe",
"av_matched": null,
"streams": [],
"registry": [],
"av_total": null,
"sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
"created_files": [],
"name": "example.exe"
}, {
"process_flags": [],
"av_label": null,
"mutants": [],
"uid": "00083353-00002468",
"icon": null,
"script_calls": [],
"pid": null,
"handles": [],
"command_line": "SCODEF:3012 CREDAT:275457 /prefetch:2",
"file_accesses": [],
"parentuid": "00083319-00003012",
"normalized_path": "%PROGRAMFILES%Internet Example.exe",
"av_matched": null,
"streams": [],
"registry": [],
"av_total": null,
"sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
"created_files": [],
"name": "example.exe"
}],
"sha1": "0a0bec39293c168288c04f575a7a317e29f1878f",
"url_analysis": true,
"type": null,
"file_metadata": null,
"environment_description": "Windows 7 32 bit",
"verdict": "no specific threat",
"domains": ["fonts.example.com", "example.example.net", "example.org", "example.com", "www.example.com"],
"type_short": []
},
"Entity": "example.com"
}
]
Case Wall
Result type | Value / Description | Type |
---|---|---|
Output message* | | General |
Attachments | | |