Falcon Sandbox

Integration version: 15.0

Configure Falcon Sandbox to work with Google Security Operations SOAR

Credentials

Your API Key can be found by navigating to the API Key tab on your profile page and is generated by clicking on the Create API key button.

Network

Function Default Port Direction Protocol
API Multivalues Outbound apikey

Configure Falcon Sandbox integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
API Root String https://www.hybrid-analysis.com/docs/api/v2 Yes Address of the CrowdStrike Falcon Sandbox instance.
API Key String N/A Yes An API key generated in CrowdStrike Falcon Sandbox instance.
Threshold Integer 50.0 Yes N/A
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Analyze File

Submit a file for an analysis and fetch the report.

Parameters

Parameters Type Default Value Is Mandatory Description
File Path String N/A Yes The full path of the file to analyze.
Environment String N/A Yes Environment ID. Available environments ID: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'
Include Report Checkbox Unchecked No If enabled, action will fetch report related to the attachment. Note: this feature requires a premium key.

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
max_threat_score N/A N/A
JSON Result
[
    {
        "target_url": null,
        "threat_score": null,
        "environment_id": 100,
        "total_processes": 0,
        "threat_level": null,
        "size": 31261,
        "job_id": "5c4435ef7ca3e109e640b709",
        "vx_family": null,
        "interesting": false,
        "error_origin": null,
        "state": "IN_QUEUE","mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
        "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2019-01-20T02:50:01-06:00",
        "tags": [],
        "imphash": null,
        "total_network_connections": 0,
        "av_detect": null,
        "total_signatures": 0,
        "submit_name": "Proofpoint_R_Logo (1).png",
        "ssdeep": null,
        "classification_tags": [],
        "md5": "48703c5d4ea8dc2099c37ea871b640ef",
        "processes": [],
        "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
        "url_analysis": false,
        "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
        "file_metadata": null,
        "environment_description": "Windows 7 32 bit",
        "verdict": null, "domains": [],
        "error_type": null,
        "type_short": ["img"]
    }
]

Analyze File Url

Submit a file by URL for analysis and fetch report.

Parameters

Parameters Type Default Value Is Mandatory Description
File Url String N/A Yes The URL to the file to analyze. Example: http://example.com/example/Example-Document.zip
Environment String N/A Yes Environment ID. Available environments ID: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
max_threat_score N/A N/A
JSON Result
[
    {
        "target_url": null,
        "threat_score": null,
        "environment_id": 100,
        "total_processes": 0,
        "threat_level": null,
        "size": 31261,
        "job_id": "5c4435ef7ca3e109e640b709",
        "vx_family": null,
        "interesting": false,
        "error_origin": null,
        "state": "IN_QUEUE",
        "mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
        "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2019-01-20T02:50:01-06:00",
        "tags": [],
        "imphash": null,
        "total_network_connections": 0,
        "av_detect": null,
        "total_signatures": 0,
        "submit_name": "Proofpoint_R_Logo (1).png",
        "ssdeep": null, "classification_tags": [],
        "md5": "48703c5d4ea8dc2099c37ea871b640ef",
        "processes": [],
        "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
        "url_analysis": false,
        "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
        "file_metadata": null,
        "environment_description": "Windows 7 32 bit",
        "verdict": null,
        "domains": [],
        "error_type": null,
        "type_short": ["img"]
    }
]

Get Hash Scan Report

Fetch hybrid analysis reports and enrich the file hash entities.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment
Enrichment Field Name Logic-When to apply
environment_id Returns if it exists in JSON result
total_processes Returns if it exists in JSON result
threat_level Returns if it exists in JSON result
size Returns if it exists in JSON result
job_id Returns if it exists in JSON result
target_url Returns if it exists in JSON result
interesting Returns if it exists in JSON result
error_type Returns if it exists in JSON result
state Returns if it exists in JSON result
environment_description Returns if it exists in JSON result
mitre_attacks Returns if it exists in JSON result
certificates Returns if it exists in JSON result
hosts Returns if it exists in JSON result
sha256 Returns if it exists in JSON result
sha512 Returns if it exists in JSON result
compromised_hosts Returns if it exists in JSON result
extracted_files Returns if it exists in JSON result
analysis_start_time Returns if it exists in JSON result
tags Returns if it exists in JSON result
imphash Returns if it exists in JSON result
total_network_connections Returns if it exists in JSON result
av_detect Returns if it exists in JSON result
total_signatures Returns if it exists in JSON result
submit_name Returns if it exists in JSON result
ssdeep Returns if it exists in JSON result
md5 Returns if it exists in JSON result
error_origin Returns if it exists in JSON result
processes Returns if it exists in JSON result
shal Returns if it exists in JSON result
url_analysis Returns if it exists in JSON result
type Returns if it exists in JSON result
file_metadata Returns if it exists in JSON result
vx_family Returns if it exists in JSON result
threat_score Returns if it exists in JSON result
verdict Returns if it exists in JSON result
domains Returns if it exists in JSON result
type_short Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value Options Example
max_threat_score N/A N/A
JSON Result
[
    {
        "EntityResult":
        [{
            "classification_tags": [],
            "environment_id": 100,
            "total_processes": 0,
            "threat_level": null,
            "size": 31261,
            "job_id": "5c4435ef7ca3e109e640b709",
            "target_url": null,
            "interesting": false,
            "error_type": null,
            "state": "IN_QUEUE",
            "environment_description": "Windows 7 32 bit",
            "mitre_attcks": [],
            "certificates": [],
            "hosts": [],
            "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
            "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
            "compromised_hosts": [],
            "extracted_files": [],
            "analysis_start_time": "2019-01-20T02:50:01-06:00",
            "tags": [],
            "imphash": null,
            "total_network_connections": 0,
            "av_detect": null,
            "total_signatures": 0,
            "submit_name": "Proofpoint_R_Logo (1).png",
            "ssdeep": null,
            "md5": "48703c5d4ea8dc2099c37ea871b640ef",
            "error_origin": null,
            "processes": [],
            "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
            "url_analysis": false,
            "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
            "file_metadata": null,
            "vx_family": null,
            "threat_score": null,
            "verdict": null,
            "domains": [],
            "type_short": ["img"]
        }],
        "Entity": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac"
    }
]

Ping

Test connectivity to CrowdStrike Falcon Sandbox.

Parameters

N/A

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
success True/False success:False
JSON Result

N/A

Search the Falcon databases for existing scan reports and information about files and file URLs.

Parameters

Parameter Type Default Value Is Mandatory Description
File Name String N/A No Example: example.exe.
File Type String N/A No Example: docx.
File Type Description String N/A No Example: PE32 executable.
Verdict String N/A No Example: 1 (1=whitelisted, 2=no verdict, 3=no specific threat, 4=suspicious, 5=malicious).
AV Multiscan Range String N/A No Example: 50-70 (min 0, max 100).
AV Family Substring String N/A No Example: Agent.AD, nemucod.
Hashtag String N/A No Example: ransomware
Port String N/A No Example: 8080
Host String N/A No Example: 192.0.2.1
Domain String N/A No Example: checkip.dyndns.org
HTTP Request Substring String N/A No Example: google
Similar Samples String N/A No Example: \<sha256>
Sample Context String N/A No Example: \<sha256>

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
results N/A N/A

Submit File

Submit files for analysis.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
File Path String N/A Yes The full path of the file to analyze. For multiple, use comma-separated values.
Environment Drop-down Linux Yes

Available environments Names: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'.

The default should be: Linux (Ubuntu 16.04, 64 bit)

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment
Enrichment Field Name Logic-When to apply
sha256 Returns if it exists in JSON result
job_id Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult": {
            "sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
            "job_id": "5f21459cb80c2d0a182b7967"
        },
        "Entity": "/temp/test.txt"
    }
]
Case Wall
Result type Value / Description Type
Output message*
  1. successful files: Successfully submit the following files <files path list>
  2. No good submissions at all: No files were submitted for analysis
  3. Failed files: An error occurred on the following files: <files path list>. Check logs for more information.
General

Wait For Job and Fetch Report

Wait for a scan job to complete and fetch the scan report.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Job ID String N/A True

Job IDs. For multiple, use comma-separated values (values should be passed as a placeholder from previously executed action- Submit file).

Additionally, the job ID can be provided manually.

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
    "5f21459cb80c2d0a182b7967": {
        "environment_id": 300,
        "threat_score": 0,
        "target_url": null,
        "total_processes": 0,
        "threat_level": 3,
        "size": 26505,
        "submissions": [{
            "url": null,
            "submission_id": "5f267a34e3e6784e4f180936",
            "created_at": "2020-08-02T08:32:52+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f2146381a5f6253f266fed9",
            "created_at": "2020-07-29T09:49:44+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f21461360cae26e4719a6c9",
            "created_at": "2020-07-29T09:49:07+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f21459cb80c2d0a182b7968",
            "created_at": "2020-07-29T09:47:08+00:00",
            "filename": "Test.py"
        }],
        "job_id": "5f21459cb80c2d0a182b7967",
        "vx_family": null,
        "interesting": false,
        "error_type": null,
        "state": "SUCCESS",
        "mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
        "sha512": "62c6d5c16d647e1361a761553fb1adfa92df3741e53a234fab28d08d3d003bdb4b2a7d7c5a050dc2cdba7b1d915f42d3c56f9694053fa75adae82c1b20e03b02",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2020-07-29T09:47:17+00:00",
        "tags": [],
        "imphash": "Unknown",
        "total_network_connections": 0,
        "av_detect": null,
        "classification_tags": [],
        "submit_name": "Test.py",
        "ssdeep": "384:lRGs3v2+nSZUpav/+GUYERs0vZfyh/fyChIRpyCCLqa09NdyDRax9XSmxTAf:lR3fKZUoGGX0xfm/Duyoa09x9+",
        "md5": "bfec680af21539eb0a9f349038c68220",
        "error_origin": null,
        "total_signatures": 0,
        "processes": [],
        "sha1": "0a4e78bb8df401197e925b2643ceabf5b670df17",
        "url_analysis": false,
        "type": "Python script, ASCII text executable, with CRLF line terminators",
        "file_metadata": null,
        "environment_description": "Linux (Ubuntu 16.04, 64 bit)",
        "verdict": "no verdict",
        "domains": [],
        "type_short": ["script", "python"]
    }
}
Case Wall
Result type Value / Description Type
Output message*
  1. If action completed successfully for at least one of the provided job ids: "Successfully fetched report the following jobs: <>"
  2. If action failed to run for at least one of the provided job ids: "failed to fetch report for the following jobs:
  3. If action partiality succeeded (fetched report successfully but failed to fetch misp report for example): Fetched scan report but failed to get MISP report for the following jobs:
  4. if all jobs failed: print All jobs have failed(result value should set to false)
General
Attachments
  1. Title: "CrowdStrike Falcon Sandbox Misp Report # <index>"
  2. Attachment name: the file name from get_report_by_hash results
  3. Attachment content: base64.b64encode(report content)from get_report_by_hash results
  4. Note: Don't forget to handle the size limitation from the platform (wrap it it with try-except)

Scan URL

Scan URL or domain for analysis.

Parameters

Parameter Display Name Type Is Mandatory Description
Threshold Integer Yes Mark entity as suspicious if number of av detection is equal or above the given threshold
Environment Name DDL Yes

Windows 7 32 bit

Windows 7 32 bit (HWP Support)
Windows 7 64 bit
Android Static Analysis
Linux (Ubuntu 16.04, 64 bit)

Use cases

An analyst can get scan URL or domain files for analysis.

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Entity Enrichment

If scan_info_res.get('av_detect') > Threshold value (parameter), then mark the entity as suspicious.

Insights

Add an insight with the following message:CrowdStrike Falcon Sandbox - Entity was marked as malicious by av detection score {av_detect}. Threshold set to - {threshold}.

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
[
    {
        "EntityResult": {
            "environment_id": 100,
            "threat_score": 13,
            "target_url": null,
            "total_processes": 3,
            "threat_level": 0,
            "size": null,
            "submissions": [{
                "url": "http://example.com/",
                "submission_id": "5f4925f00da24603010641be",
                "created_at": "2020-08-28T15:42:40+00:00",
                "filename": null
            }, {
                "url": "http://example.com/",
                "submission_id": "5f48c011f86f36448901d054",
                "created_at": "2020-08-28T08:28:01+00:00",
                "filename": null
            }],
            "job_id": "5f1332c48161bb7d5b6c9663",
            "vx_family": "Unrated site",
            "interesting": false,
            "error_type": null,
            "state": "SUCCESS",
            "mitre_attcks": [],
            "certificates": [],
            "hosts": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"],
            "sha256": "6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a", "sha512": "c2e12fee8e08b387f91529aaada5c78e86649fbb2fe64d067b630e0c5870284bf0ca22654211513d774357d37d4c9729ea7ddc44bf44144252959004363d7da9",
            "compromised_hosts": [],
            "extracted_files": [{
                "av_label": null,
                "sha1": "0da5de8165c50f6ace4660a6b38031f212917b17",
                "threat_level": 0,
                "name": "rs_ACT90oEMCn26rBYSdHdZAoXYig7gRwLYBA_1_.js",
                "threat_level_readable": "no specific threat",
                "type_tags": ["script", "javascript"],
                "description": "ASCII text, with very long lines",
                "file_available_to_download": false,
                "av_matched": null,
                "runtime_process": null,
                "av_total": null,
                "file_size": 566005,
                "sha256": "d41f46920a017c79fe4e6f4fb0a621af77169168c8645aa4b5094a1e67e127a0",
                "file_path": null,
                "md5": "c8c8076fd2390d47c8bf4a40f4885eeb"
            }],
            "analysis_start_time": "2020-07-18T17:35:09+00:00",
            "tags": ["tag", "the"],
            "imphash": "Unknown",
            "total_network_connections": 8,
            "av_detect": 0,
            "classification_tags": [],
            "submit_name": "http://example.com/",
            "ssdeep": "Unknown",
            "md5": "e6f672151804707d11eb4b840c3ec635",
            "error_origin": null,
            "total_signatures": 14,
            "processes": [{
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083159-00001692",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "\\\"%WINDIR%\\\\System32\\\\ieframe.dll\\\",OpenURL C:\\\\6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a.url",
                "file_accesses": [],
                "parentuid": null,
                "normalized_path": "%WINDIR%System32rundll32.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670",
                "created_files": [],
                "name": "example.exe"
            }, {
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083319-00003012",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "http://example.com/",
                "file_accesses": [],
                "parentuid": "00083159-00001692",
                "normalized_path": "%PROGRAMFILES%Internet Exploreriexplore.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
                "created_files": [],
                "name": "example.exe"
            }, {
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083353-00002468",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "SCODEF:3012 CREDAT:275457 /prefetch:2",
                "file_accesses": [],
                "parentuid": "00083319-00003012",
                "normalized_path": "%PROGRAMFILES%Internet Example.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
                "created_files": [],
                "name": "example.exe"}],
            "sha1": "0a0bec39293c168288c04f575a7a317e29f1878f",
            "url_analysis": true,
            "type": null,
            "file_metadata": null,
            "environment_description": "Windows 7 32 bit",
            "verdict": "no specific threat",
            "domains": ["fonts.example.com", "example.example.net", "example.org", "example.com", "www.example.com"],
            "type_short": []
        },
        "Entity": "example.com"
    }
]
Case Wall
Result type Value / Description Type
Output message*
  1. In case of successful scanning: Successfully fetched reports for the following <entities identifiers>
  2. In case of an error with misp fetching but no with scan info: Fetched scan report but failed to get MISP report for the following <entities identifiers>
  3. In case error with fetching results back: Failed to fetch reports for the following <entities identifier
  4. Failed to submit urls/domains for analysis: Failed to scan the following: <entities identifiers>. Check logs for more information.
General
Attachments
  1. Title: "CrowdStrike Falcon Sandbox Misp Report - <job_id>
  2. Attachment name: misp_report_name (coming back as a result from the get_report_by_job_id function)