Falcon Sandbox

Integration version: 14.0

Configure Falcon Sandbox to work with Google Security Operations SOAR

Credentials

Your API Key can be found by navigating to the API Key tab on your profile page and is generated by clicking on the Create API key button.

Network

Function | Default Port | Direction | Protocol
API | Multivalues | Outbound | apikey

Configure Falcon Sandbox integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Instance Name | String | N/A | No | Name of the instance you intend to configure the integration for.
Description | String | N/A | No | Description of the instance.
API Root | String | https://www.hybrid-analysis.com/docs/api/v2 | Yes | Address of the CrowdStrike Falcon Sandbox instance.
API Key | String | N/A | Yes | An API key generated in the CrowdStrike Falcon Sandbox instance.
Threshold | Integer | 50.0 | Yes | N/A
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Analyze File

Submit a file for analysis and fetch the report.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
File Path | String | N/A | Yes | The full path of the file to analyze.
Environment | String | N/A | Yes | Environment ID. Available environment IDs: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'.
Include Report | Checkbox | Unchecked | No | If enabled, the action fetches the report related to the attachment. Note: this feature requires a premium key.

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name | Value Options | Example
max_threat_score | N/A | N/A
JSON Result
[
    {
        "target_url": null,
        "threat_score": null,
        "environment_id": 100,
        "total_processes": 0,
        "threat_level": null,
        "size": 31261,
        "job_id": "5c4435ef7ca3e109e640b709",
        "vx_family": null,
        "interesting": false,
        "error_origin": null,
        "state": "IN_QUEUE",
        "mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
        "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2019-01-20T02:50:01-06:00",
        "tags": [],
        "imphash": null,
        "total_network_connections": 0,
        "av_detect": null,
        "total_signatures": 0,
        "submit_name": "Proofpoint_R_Logo (1).png",
        "ssdeep": null,
        "classification_tags": [],
        "md5": "48703c5d4ea8dc2099c37ea871b640ef",
        "processes": [],
        "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
        "url_analysis": false,
        "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
        "file_metadata": null,
        "environment_description": "Windows 7 32 bit",
        "verdict": null,
        "domains": [],
        "error_type": null,
        "type_short": ["img"]
    }
]

Analyze File Url

Submit a file by URL for analysis and fetch the report.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
File Url | String | N/A | Yes | The URL of the file to analyze. Example: http://example.com/example/Example-Document.zip
Environment | String | N/A | Yes | Environment ID. Available environment IDs: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'.

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name | Value Options | Example
max_threat_score | N/A | N/A
JSON Result
[
    {
        "target_url": null,
        "threat_score": null,
        "environment_id": 100,
        "total_processes": 0,
        "threat_level": null,
        "size": 31261,
        "job_id": "5c4435ef7ca3e109e640b709",
        "vx_family": null,
        "interesting": false,
        "error_origin": null,
        "state": "IN_QUEUE",
        "mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
        "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2019-01-20T02:50:01-06:00",
        "tags": [],
        "imphash": null,
        "total_network_connections": 0,
        "av_detect": null,
        "total_signatures": 0,
        "submit_name": "Proofpoint_R_Logo (1).png",
        "ssdeep": null,
        "classification_tags": [],
        "md5": "48703c5d4ea8dc2099c37ea871b640ef",
        "processes": [],
        "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
        "url_analysis": false,
        "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
        "file_metadata": null,
        "environment_description": "Windows 7 32 bit",
        "verdict": null,
        "domains": [],
        "error_type": null,
        "type_short": ["img"]
    }
]

Get Hash Scan Report

Fetch Hybrid Analysis reports and enrich the file hash entities.

Parameters

N/A

Use cases

N/A

Run On

This action runs on the Filehash entity.

Action Results

Entity Enrichment
Enrichment Field Name | Logic - When to apply
environment_id | Returns if it exists in JSON result
total_processes | Returns if it exists in JSON result
threat_level | Returns if it exists in JSON result
size | Returns if it exists in JSON result
job_id | Returns if it exists in JSON result
target_url | Returns if it exists in JSON result
interesting | Returns if it exists in JSON result
error_type | Returns if it exists in JSON result
state | Returns if it exists in JSON result
environment_description | Returns if it exists in JSON result
mitre_attacks | Returns if it exists in JSON result
certificates | Returns if it exists in JSON result
hosts | Returns if it exists in JSON result
sha256 | Returns if it exists in JSON result
sha512 | Returns if it exists in JSON result
compromised_hosts | Returns if it exists in JSON result
extracted_files | Returns if it exists in JSON result
analysis_start_time | Returns if it exists in JSON result
tags | Returns if it exists in JSON result
imphash | Returns if it exists in JSON result
total_network_connections | Returns if it exists in JSON result
av_detect | Returns if it exists in JSON result
total_signatures | Returns if it exists in JSON result
submit_name | Returns if it exists in JSON result
ssdeep | Returns if it exists in JSON result
md5 | Returns if it exists in JSON result
error_origin | Returns if it exists in JSON result
processes | Returns if it exists in JSON result
sha1 | Returns if it exists in JSON result
url_analysis | Returns if it exists in JSON result
type | Returns if it exists in JSON result
file_metadata | Returns if it exists in JSON result
vx_family | Returns if it exists in JSON result
threat_score | Returns if it exists in JSON result
verdict | Returns if it exists in JSON result
domains | Returns if it exists in JSON result
type_short | Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name | Value Options | Example
max_threat_score | N/A | N/A
JSON Result
[
    {
        "EntityResult":
        [{
            "classification_tags": [],
            "environment_id": 100,
            "total_processes": 0,
            "threat_level": null,
            "size": 31261,
            "job_id": "5c4435ef7ca3e109e640b709",
            "target_url": null,
            "interesting": false,
            "error_type": null,
            "state": "IN_QUEUE",
            "environment_description": "Windows 7 32 bit",
            "mitre_attcks": [],
            "certificates": [],
            "hosts": [],
            "sha256": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac",
            "sha512": "01f48fa1671cdc9e4d6866b9b237430f1b9b7093cbbed57fb010dc3db84a754a7a0457c5fd968d4e693ca74bdc1c7f15efb55f2af2ea236354944cffc8d4efd8",
            "compromised_hosts": [],
            "extracted_files": [],
            "analysis_start_time": "2019-01-20T02:50:01-06:00",
            "tags": [],
            "imphash": null,
            "total_network_connections": 0,
            "av_detect": null,
            "total_signatures": 0,
            "submit_name": "Proofpoint_R_Logo (1).png",
            "ssdeep": null,
            "md5": "48703c5d4ea8dc2099c37ea871b640ef",
            "error_origin": null,
            "processes": [],
            "sha1": "5b30e297b54ef27ffcda06aa212b5aa6c5424e1c",
            "url_analysis": false,
            "type": "PNG image data, 1200 x 413, 8-bit/color RGBA, non-interlaced",
            "file_metadata": null,
            "vx_family": null,
            "threat_score": null,
            "verdict": null,
            "domains": [],
            "type_short": ["img"]
        }],
        "Entity": "26d3c8656a83b06b293b15251617fe2c2c493f842a95b3d9b2ee45b3209d5fac"
    }
]

Ping

Test connectivity to CrowdStrike Falcon Sandbox.

Parameters

N/A

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name | Value Options | Example
success | True/False | success:False
JSON Result

N/A

Search

Search the Falcon databases for existing scan reports and information about files and file URLs.

Parameters

Parameter | Type | Default Value | Is Mandatory | Description
File Name | String | N/A | No | Example: example.exe
File Type | String | N/A | No | Example: docx
File Type Description | String | N/A | No | Example: PE32 executable
Verdict | String | N/A | No | Example: 1 (1=whitelisted, 2=no verdict, 3=no specific threat, 4=suspicious, 5=malicious)
AV Multiscan Range | String | N/A | No | Example: 50-70 (min 0, max 100)
AV Family Substring | String | N/A | No | Example: Agent.AD, nemucod
Hashtag | String | N/A | No | Example: ransomware
Port | String | N/A | No | Example: 8080
Host | String | N/A | No | Example: 192.0.2.1
Domain | String | N/A | No | Example: checkip.dyndns.org
HTTP Request Substring | String | N/A | No | Example: google
Similar Samples | String | N/A | No | Example: <sha256>
Sample Context | String | N/A | No | Example: <sha256>

Use cases

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name | Value Options | Example
results | N/A | N/A

Submit File

Submit files for analysis.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
File Path | String | N/A | Yes | The full path of the file to analyze. For multiple files, use comma-separated values.
Environment | Drop-down | Linux | Yes | Available environment names: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'. The default should be: Linux (Ubuntu 16.04, 64 bit).

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment
Enrichment Field Name | Logic - When to apply
sha256 | Returns if it exists in JSON result
job_id | Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
[
    {
        "EntityResult": {
            "sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
            "job_id": "5f21459cb80c2d0a182b7967"
        },
        "Entity": "/temp/test.txt"
    }
]
Case Wall
Result type: Output message* (Type: General)
Value / Description:
  1. Successful files: Successfully submitted the following files: <files path list>
  2. No good submissions at all: No files were submitted for analysis
  3. Failed files: An error occurred on the following files: <files path list>. Check logs for more information.

Wait For Job and Fetch Report

Wait for a scan job to complete and fetch the scan report.

Parameters

Parameter Display Name | Type | Default Value | Is Mandatory | Description
Job ID | String | N/A | True | Job IDs. For multiple jobs, use comma-separated values (the values should be passed as a placeholder from the previously executed Submit File action). Additionally, the job ID can be provided manually.

Use cases

N/A

Run On

The action doesn't run on entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
{
    "5f21459cb80c2d0a182b7967": {
        "environment_id": 300,
        "threat_score": 0,
        "target_url": null,
        "total_processes": 0,
        "threat_level": 3,
        "size": 26505,
        "submissions": [{
            "url": null,
            "submission_id": "5f267a34e3e6784e4f180936",
            "created_at": "2020-08-02T08:32:52+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f2146381a5f6253f266fed9",
            "created_at": "2020-07-29T09:49:44+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f21461360cae26e4719a6c9",
            "created_at": "2020-07-29T09:49:07+00:00",
            "filename": "Test.py"
        }, {
            "url": null,
            "submission_id": "5f21459cb80c2d0a182b7968",
            "created_at": "2020-07-29T09:47:08+00:00",
            "filename": "Test.py"
        }],
        "job_id": "5f21459cb80c2d0a182b7967",
        "vx_family": null,
        "interesting": false,
        "error_type": null,
        "state": "SUCCESS",
        "mitre_attcks": [],
        "certificates": [],
        "hosts": [],
        "sha256": "fa636febca412dd9d1f2e7f7ca66462757bce24adb7cb5fffd2e247ce6dcf7fe",
        "sha512": "62c6d5c16d647e1361a761553fb1adfa92df3741e53a234fab28d08d3d003bdb4b2a7d7c5a050dc2cdba7b1d915f42d3c56f9694053fa75adae82c1b20e03b02",
        "compromised_hosts": [],
        "extracted_files": [],
        "analysis_start_time": "2020-07-29T09:47:17+00:00",
        "tags": [],
        "imphash": "Unknown",
        "total_network_connections": 0,
        "av_detect": null,
        "classification_tags": [],
        "submit_name": "Test.py",
        "ssdeep": "384:lRGs3v2+nSZUpav/+GUYERs0vZfyh/fyChIRpyCCLqa09NdyDRax9XSmxTAf:lR3fKZUoGGX0xfm/Duyoa09x9+",
        "md5": "bfec680af21539eb0a9f349038c68220",
        "error_origin": null,
        "total_signatures": 0,
        "processes": [],
        "sha1": "0a4e78bb8df401197e925b2643ceabf5b670df17",
        "url_analysis": false,
        "type": "Python script, ASCII text executable, with CRLF line terminators",
        "file_metadata": null,
        "environment_description": "Linux (Ubuntu 16.04, 64 bit)",
        "verdict": "no verdict",
        "domains": [],
        "type_short": ["script", "python"]
    }
}
Case Wall
Result type: Output message* (Type: General)
Value / Description:
  1. If the action completed successfully for at least one of the provided job IDs: "Successfully fetched report for the following jobs: <>"
  2. If the action failed to run for at least one of the provided job IDs: "Failed to fetch report for the following jobs:"
  3. If the action partially succeeded (for example, the scan report was fetched but the MISP report was not): "Fetched scan report but failed to get MISP report for the following jobs:"
  4. If all jobs failed: "All jobs have failed" (the result value should be set to false)
Result type: Attachments
  1. Title: "CrowdStrike Falcon Sandbox Misp Report # <index>"
  2. Attachment name: the file name from the get_report_by_hash results
  3. Attachment content: base64.b64encode(report content) from the get_report_by_hash results
  4. Note: don't forget to handle the size limitation from the platform (wrap it with try-except)

Scan URL

Scan URL or domain for analysis.

Parameters

Parameter Display Name | Type | Is Mandatory | Description
Threshold | Integer | Yes | Mark the entity as suspicious if the number of AV detections is equal to or above the given threshold.
Environment Name | DDL | Yes | Possible values: Windows 7 32 bit; Windows 7 32 bit (HWP Support); Windows 7 64 bit; Android Static Analysis; Linux (Ubuntu 16.04, 64 bit)

Use cases

An analyst can scan a URL or domain for analysis.

Run On

This action runs on the following entities:

  • URL
  • Hostname

Action Results

Entity Enrichment

If scan_info_res.get('av_detect') > Threshold value (parameter), then mark the entity as suspicious.

Insights

Add an insight with the following message: CrowdStrike Falcon Sandbox - Entity was marked as malicious by av detection score {av_detect}. Threshold set to - {threshold}.
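As an added example (not the integration's own code), the following Python applies the Threshold rule and insight message described above to report objects shaped like this page's JSON results, and also derives max_threat_score across several jobs as the Analyze File and Wait For Job results expose it. It follows the Threshold parameter's "equal to or above" wording; the job IDs and scores are constructed sample values, and queued jobs carry null scores, which must not be compared as if they were 0.

```python
"""Added example, not the Falcon Sandbox integration's own code.

Applies the Scan URL enrichment rule (av_detect at or above Threshold marks the
entity suspicious), builds the insight text, and derives max_threat_score over
several jobs. Queued jobs report null scores, so null must mean "no data yet",
never 0; comparing None with an int would raise TypeError in Python 3.
"""
from typing import Any, Dict, Iterable, Optional

Report = Dict[str, Any]

# Insight text from this page, with {av_detect} and {threshold} filled in.
INSIGHT_TEMPLATE = (
    "CrowdStrike Falcon Sandbox - Entity was marked as malicious by "
    "av detection score {av_detect}. Threshold set to - {threshold}."
)


def is_complete(report: Report) -> bool:
    """Only a finished job ("state": "SUCCESS") carries usable scores."""
    return report.get("state") == "SUCCESS"


def _numeric(value: Any) -> bool:
    # Excludes None and bool; the API uses null when no AV result exists.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def is_suspicious(report: Report, threshold: float) -> bool:
    """Threshold rule: av_detect >= threshold. A null av_detect never matches."""
    av_detect = report.get("av_detect")
    return _numeric(av_detect) and av_detect >= threshold


def insight_message(report: Report, threshold: float) -> Optional[str]:
    """Insight text to attach when the entity was marked, else None."""
    if not is_suspicious(report, threshold):
        return None
    return INSIGHT_TEMPLATE.format(av_detect=report["av_detect"], threshold=threshold)


def max_threat_score(reports: Iterable[Report]) -> Optional[int]:
    """Highest threat_score among finished reports; None when no report has one."""
    scores = [r["threat_score"] for r in reports
              if is_complete(r) and _numeric(r.get("threat_score"))]
    return max(scores) if scores else None


def enrich(reports: Iterable[Report], threshold: float = 50) -> Dict[str, Dict[str, Any]]:
    """Per-job summary keyed by job_id, like the Wait For Job JSON result."""
    return {r["job_id"]: {"complete": is_complete(r),
                          "suspicious": is_suspicious(r, threshold),
                          "insight": insight_message(r, threshold)}
            for r in reports}


# Constructed sample reports, trimmed to the fields the rules above read;
# field names and null conventions follow the JSON results on this page.
QUEUED = {"job_id": "job-queued-sample", "state": "IN_QUEUE",
          "av_detect": None, "threat_score": None, "verdict": None}
CLEAN = {"job_id": "job-clean-sample", "state": "SUCCESS",
         "av_detect": 0, "threat_score": 13, "verdict": "no specific threat"}
FLAGGED = {"job_id": "job-flagged-sample", "state": "SUCCESS",
           "av_detect": 65, "threat_score": 90, "verdict": "malicious"}

if __name__ == "__main__":
    for job, summary in enrich([QUEUED, CLEAN, FLAGGED]).items():
        print(job, summary)
    print("max_threat_score:", max_threat_score([QUEUED, CLEAN, FLAGGED]))
```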

Script Result
Script Result Name | Value Options | Example
is_success | True/False | is_success:False
JSON Result
[
    {
        "EntityResult": {
            "environment_id": 100,
            "threat_score": 13,
            "target_url": null,
            "total_processes": 3,
            "threat_level": 0,
            "size": null,
            "submissions": [{
                "url": "http://example.com/",
                "submission_id": "5f4925f00da24603010641be",
                "created_at": "2020-08-28T15:42:40+00:00",
                "filename": null
            }, {
                "url": "http://example.com/",
                "submission_id": "5f48c011f86f36448901d054",
                "created_at": "2020-08-28T08:28:01+00:00",
                "filename": null
            }],
            "job_id": "5f1332c48161bb7d5b6c9663",
            "vx_family": "Unrated site",
            "interesting": false,
            "error_type": null,
            "state": "SUCCESS",
            "mitre_attcks": [],
            "certificates": [],
            "hosts": ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.8"],
            "sha256": "6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a",
            "sha512": "c2e12fee8e08b387f91529aaada5c78e86649fbb2fe64d067b630e0c5870284bf0ca22654211513d774357d37d4c9729ea7ddc44bf44144252959004363d7da9",
            "compromised_hosts": [],
            "extracted_files": [{
                "av_label": null,
                "sha1": "0da5de8165c50f6ace4660a6b38031f212917b17",
                "threat_level": 0,
                "name": "rs_ACT90oEMCn26rBYSdHdZAoXYig7gRwLYBA_1_.js",
                "threat_level_readable": "no specific threat",
                "type_tags": ["script", "javascript"],
                "description": "ASCII text, with very long lines",
                "file_available_to_download": false,
                "av_matched": null,
                "runtime_process": null,
                "av_total": null,
                "file_size": 566005,
                "sha256": "d41f46920a017c79fe4e6f4fb0a621af77169168c8645aa4b5094a1e67e127a0",
                "file_path": null,
                "md5": "c8c8076fd2390d47c8bf4a40f4885eeb"
            }],
            "analysis_start_time": "2020-07-18T17:35:09+00:00",
            "tags": ["tag", "the"],
            "imphash": "Unknown",
            "total_network_connections": 8,
            "av_detect": 0,
            "classification_tags": [],
            "submit_name": "http://example.com/",
            "ssdeep": "Unknown",
            "md5": "e6f672151804707d11eb4b840c3ec635",
            "error_origin": null,
            "total_signatures": 14,
            "processes": [{
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083159-00001692",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "\\\"%WINDIR%\\\\System32\\\\ieframe.dll\\\",OpenURL C:\\\\6982da0e6956768fdc206317d429c6b8313cf4ebf298ec0aa35f0f03f07cec6a.url",
                "file_accesses": [],
                "parentuid": null,
                "normalized_path": "%WINDIR%System32rundll32.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "3fa4912eb43fc304652d7b01f118589259861e2d628fa7c86193e54d5f987670",
                "created_files": [],
                "name": "example.exe"
            }, {
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083319-00003012",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "http://example.com/",
                "file_accesses": [],
                "parentuid": "00083159-00001692",
                "normalized_path": "%PROGRAMFILES%Internet Exploreriexplore.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
                "created_files": [],
                "name": "example.exe"
            }, {
                "process_flags": [],
                "av_label": null,
                "mutants": [],
                "uid": "00083353-00002468",
                "icon": null,
                "script_calls": [],
                "pid": null,
                "handles": [],
                "command_line": "SCODEF:3012 CREDAT:275457 /prefetch:2",
                "file_accesses": [],
                "parentuid": "00083319-00003012",
                "normalized_path": "%PROGRAMFILES%Internet Example.exe",
                "av_matched": null,
                "streams": [],
                "registry": [],
                "av_total": null,
                "sha256": "8abc7daa81c8a20bfd88b6a60ecc9ed1292fbb6cedbd6f872f36512d9a194bba",
                "created_files": [],
                "name": "example.exe"
            }],
            "sha1": "0a0bec39293c168288c04f575a7a317e29f1878f",
            "url_analysis": true,
            "type": null,
            "file_metadata": null,
            "environment_description": "Windows 7 32 bit",
            "verdict": "no specific threat",
            "domains": ["fonts.example.com", "example.example.net", "example.org", "example.com", "www.example.com"],
            "type_short": []
        },
        "Entity": "example.com"
    }
]
Case Wall
Result type: Output message* (Type: General)
Value / Description:
  1. In case of successful scanning: Successfully fetched reports for the following <entities identifiers>
  2. In case of an error with MISP fetching but not with scan info: Fetched scan report but failed to get MISP report for the following <entities identifiers>
  3. In case of an error fetching results back: Failed to fetch reports for the following <entities identifiers>
  4. Failed to submit URLs/domains for analysis: Failed to scan the following: <entities identifiers>. Check logs for more information.
Result type: Attachments
  1. Title: "CrowdStrike Falcon Sandbox Misp Report - <job_id>"
  2. Attachment name: misp_report_name (returned as a result from the get_report_by_job_id function)