CrowdStrike Falcon Sandbox (Deprecated)
This integration is part of the CrowdStrike Falcon Sandbox Pack.
Deprecated. Use CrowdStrike Falcon Sandbox V2 instead.
Use the CrowdStrike Falcon Sandbox integration to submit and analyze files and URLs.
The maximum file upload size is 100 MB.
Supported File Types:
- PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
- Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
- APK
- JAR executables
- Windows Script Component (.sct)
- Windows Shortcut (.lnk)
- Windows Help (.chm)
- HTML Application (.hta)
- Windows Script File (*.wsf)
- JavaScript (.js)
- Visual Basic (*.vbs, *.vbe)
- Shockwave Flash (.swf)
- Perl (.pl)
- PowerShell (.ps1, .psd1, .psm1)
- Scalable Vector Graphics (.svg)
- Python scripts (.py)
- Perl scripts (.pl)
- Linux ELF executables
- MIME RFC 822 (*.eml)
- Outlook (*.msg files)
Prerequisites
Make sure you have the following CrowdStrike Falcon Sandbox information.
- API key
- Secret key (applicable for v1)
- API version (v1 or v2)
Each API key has an associated authorization level, which determines the available endpoints. By default, all free, non-vetted accounts can issue restricted keys. You can upgrade to full default keys, enabling file submissions and downloads.
Authorization levels:
- Restricted
- Default
- Elevated
- Super
Configure CrowdStrike Falcon Sandbox on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for VxStream.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://216.3.128.82)
- API Key
- Secret Key (applicable only for v1)
- API Version (v1 or v2)
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- (Deprecated) Get summary information for a file hash: vx-scan
- Get hash scan results: crowdstrike-scan
- (Deprecated) Get a list of all environments: vx-get-environments
- Get a list of all environments: crowdstrike-get-environments
- (Deprecated) Submit a file sample for analysis: vx-submit-sample
- Submit a file sample for analysis: crowdstrike-submit-sample
- (Deprecated) Query the database: vx-search
- Query the database: crowdstrike-search
- (Deprecated) Get result data for a file: vx-result
- Get result data for a file: crowdstrike-result
- (Deprecated) Detonate a file: vx-detonate-file
- (Deprecated) Detonate a file: crowdstrike-detonate-file
- Submit a URL for analysis: crowdstrike-submit-url
- Get screenshots from a report: crowdstrike-get-screenshots
- (Deprecated) Detonate a URL: crowdstrike-detonate-url
- Submit a file for analysis (by URL): crowdstrike-submit-file-by-url
1. (Deprecated) Get summary information for a file hash
Get summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
vx-scan
Input
Argument Name | Description | Required |
---|---|---|
file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | number | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | The list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | The list of the file’s hosts. |
File.isinteresting | boolean | Whether the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
2. Get hash scan results
Returns summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
crowdstrike-scan
Input
Argument Name | Description | Required |
---|---|---|
file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | string | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | A list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | A list of the file’s hosts. |
File.isinteresting | boolean | Whether the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
File.hash | string | The hash used to query the file. |
File.state | string | The state of the file test. |
Command Example
crowdstrike-scan file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
Context Example
{ "DBotScore": { "Vendor": "CrowdStrike Falcon Sandbox", "Indicator": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", "Score": 3, "Type": "hash" }, "File": [ { "compromised_hosts": [], "vxfamily": "Trojan.Generic", "environmentId": 100, "JobID": "5ae5ae527ca3e1156459b9f3", "classification_tags": [], "total_processes": 1, "SHA256": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", "size": 38400, "submitname": "Keygen.exe", "threat_level": 2, "target_url": null, "error_type": null, "state": "SUCCESS", "mitre_attcks": [], "certificates": [], "verdict": "malicious", "sha512": "d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13", "extracted_files": [], "isurlanalysis": false, "environmentDescription": "Windows 7 32 bit", "SHA1": "f0fe4ae74cfb7be57c99551b75f00d66915e6900", "hash": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", "analysis_start_time": "2018-04-29T13:42:28+00:00", "tags": [], "imphash": "610be5e05d19476fe9370d6dd1347f2a", "total_network_connections": 0, "av_detect": 48, "threatscore": 100, "total_signatures": 18, "error_origin": null, "ssdeep": "768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN", "MD5": "6ba83f1bf6617dab7990c495cd67dcf6", "processes": [], "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed", "file_metadata": null, "hosts": [], "isinteresting": false, "domains": [], "type_short": [ "peexe", "executable" ] } ] }
Human Readable Output
Scan Results:
Analysis start time | AvDetect | Certificates | Classification tags | CompromisedHosts | Domains | EnvironmentDescription | EnvironmentId | ErrorOrigin | ErrorType | ExtractedFiles | FileMetadata | Hosts | Imphash | Interesting | JobId | Md5 | MitreAttcks | Processes | Sha1 | Sha256 | Sha512 | Size | Ssdeep | State | SubmitName | Tags | TargetUrl | ThreatLevel | ThreatScore | Total network connections | Total processes | Total signatures | Type | TypeShort | UrlAnalysis | Verdict | VxFamily |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2018-04-29T13:42:28+00:00 | 48 |  |  |  |  | Windows 7 32 bit | 100 |  |  |  |  |  | 610be5e05d19476fe9370d6dd1347f2a | false | 5ae5ae527ca3e1156459b9f3 | 6ba83f1bf6617dab7990c495cd67dcf6 |  |  | f0fe4ae74cfb7be57c99551b75f00d66915e6900 | 59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355 | d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13 | 38400 | 768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN | SUCCESS | Keygen.exe |  |  | 2 | 100 | 0 | 1 | 18 | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | peexe,executable | false | malicious | Trojan.Generic |
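The context above is what a playbook actually consumes. The following is an added Python example, not code from the integration, showing how a consumer can turn a crowdstrike-scan context entry into a DBotScore-style verdict. It embeds a trimmed, constructed copy of the context example on this page. The verdict-to-score mapping is an assumption: only "malicious" giving Score 3 is confirmed by the page's context example, and the "suspicious" and "no specific threat" entries are assumed verdict strings. The example also checks that a report really belongs to the hash that was queried before scoring it, and ignores reports whose state is not SUCCESS.

```python
"""Added example (not part of the CrowdStrike Falcon Sandbox integration):
parse a crowdstrike-scan context entry and derive a DBotScore-style verdict."""
import json

# Constructed sample, trimmed from the context example on this page.
SAMPLE_CONTEXT = json.loads("""
{
  "File": [
    {"vxfamily": "Trojan.Generic", "environmentId": 100,
     "JobID": "5ae5ae527ca3e1156459b9f3",
     "SHA256": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
     "SHA1": "f0fe4ae74cfb7be57c99551b75f00d66915e6900",
     "MD5": "6ba83f1bf6617dab7990c495cd67dcf6",
     "state": "SUCCESS", "verdict": "malicious", "threat_level": 2,
     "threatscore": 100, "av_detect": 48, "total_signatures": 18,
     "environmentDescription": "Windows 7 32 bit"}
  ]
}
""")

VENDOR = "CrowdStrike Falcon Sandbox"

# Assumed mapping from sandbox verdict string to DBotScore
# (0 unknown, 1 good, 2 suspicious, 3 bad). Only "malicious" -> 3 is
# confirmed by the page's context example; the other keys are assumptions.
VERDICT_TO_SCORE = {"malicious": 3, "suspicious": 2, "no specific threat": 1}


def score_from_scan(context, queried_hash):
    """Return a DBotScore dict plus a summary of the reports that were scored.

    Reports for any environment are considered; the highest score wins.
    A report is only scored if one of its hashes equals the queried hash and
    its state is SUCCESS, so a mismatched or incomplete report never produces
    a verdict for the indicator.
    """
    reports = context.get("File") or []
    if not isinstance(reports, list):
        reports = [reports]
    queried = queried_hash.strip().lower()
    best = 0
    matched = []
    for report in reports:
        hashes = {str(report.get(k, "")).lower() for k in ("MD5", "SHA1", "SHA256")}
        if queried not in hashes:
            continue  # report describes a different sample
        if report.get("state") != "SUCCESS":
            continue  # analysis did not finish; no verdict to trust
        matched.append(report)
        verdict = str(report.get("verdict", "")).lower()
        best = max(best, VERDICT_TO_SCORE.get(verdict, 0))
    return {
        "DBotScore": {
            "Indicator": queried_hash,
            "Type": "hash",
            "Vendor": VENDOR,
            "Score": best,
        },
        "Reports": len(matched),
        "Environments": sorted({r.get("environmentId") for r in matched}),
        "Families": sorted({r["vxfamily"] for r in matched if r.get("vxfamily")}),
    }


if __name__ == "__main__":
    sha256 = "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355"
    print(json.dumps(score_from_scan(SAMPLE_CONTEXT, sha256), indent=2))
```

Because `File` can hold one report per environment, the aggregation takes the worst verdict across them; a hash that matches no returned report stays at score 0 rather than inheriting a verdict from an unrelated entry.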
3. (Deprecated) Get a list of all environments
Returns a list of all available environments. Deprecated, use the crowdstrike-get-environments command instead.
Base Command
vx-get-environments
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
VX.Environment.ID | unknown | Environment ID. |
VX.Environment.description | unknown | The environment description. |
VX.Environment.architecture | unknown | Environment architecture. |
VX.Environment.VMs_total | unknown | Total virtual machines in the environment. |
VX.Environment.VMs_busy | unknown | Busy virtual machines in the environment. |
VX.Environment.analysisMode | unknown | Analysis mode of environment. |
VX.Environment.groupicon | unknown | Icon of environment. |
4. Get a list of all environments
Returns a list of all available environments.
Base Command
crowdstrike-get-environments
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Environment.ID | number | The environment ID. |
CrowdStrike.Environment.description | string | The environment description. |
CrowdStrike.Environment.architecture | string | The environment architecture. |
CrowdStrike.Environment.VMs_total | number | The total virtual machines in the environment. |
CrowdStrike.Environment.VMs_busy | number | The busy virtual machines in the environment. |
CrowdStrike.Environment.analysisMode | string | The analysis mode of the environment. |
CrowdStrike.Environment.groupicon | string | The icon of the environment. |
Command Example
crowdstrike-get-environments
Context Example
{ "VX.Environment": [ { "VMs_total": 78, "description": "Windows 7 32 bit", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 100, "VMs_busy": 3, "analysisMode": "KERNELMODE" }, { "VMs_total": 77, "description": "Windows 7 32 bit (HWP Support)", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 110, "VMs_busy": 3, "analysisMode": "KERNELMODE" }, { "VMs_total": 86, "description": "Windows 7 64 bit", "VMs_invalid": 0, "groupicon": "windows", "architecture": "WINDOWS", "ID": 120, "VMs_busy": 4, "analysisMode": "KERNELMODE" }, { "VMs_total": 18, "description": "Linux (Ubuntu 16.04, 64 bit)", "VMs_invalid": 0, "groupicon": "linux", "architecture": "WINDOWS", "ID": 300, "VMs_busy": 0, "analysisMode": "USERMODE" }, { "VMs_total": 0, "description": "Android Static Analysis", "VMs_invalid": 0, "groupicon": "android", "architecture": "ANDROID", "ID": 200, "VMs_busy": 0, "analysisMode": "USERMODE" } ], "CrowdStrike.Environment": [ { "VMs_total": 78, "description": "Windows 7 32 bit", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 100, "VMs_busy": 3, "analysisMode": "KERNELMODE" }, { "VMs_total": 77, "description": "Windows 7 32 bit (HWP Support)", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 110, "VMs_busy": 3, "analysisMode": "KERNELMODE" }, { "VMs_total": 86, "description": "Windows 7 64 bit", "VMs_invalid": 0, "groupicon": "windows", "architecture": "WINDOWS", "ID": 120, "VMs_busy": 4, "analysisMode": "KERNELMODE" }, { "VMs_total": 18, "description": "Linux (Ubuntu 16.04, 64 bit)", "VMs_invalid": 0, "groupicon": "linux", "architecture": "WINDOWS", "ID": 300, "VMs_busy": 0, "analysisMode": "USERMODE" }, { "VMs_total": 0, "description": "Android Static Analysis", "VMs_invalid": 0, "groupicon": "android", "architecture": "ANDROID", "ID": 200, "VMs_busy": 0, "analysisMode": "USERMODE" } ] }
Human Readable Output
All Environments:
ID | Description | Architecture | Total VMS | Busy VMS | Analysis mode | Group icon |
---|---|---|---|---|---|---|
100 | Windows 7 32 bit | WINDOWS | 78 | 3 | KERNELMODE | windows |
110 | Windows 7 32 bit (HWP Support) | WINDOWS | 77 | 3 | KERNELMODE | windows |
120 | Windows 7 64 bit | WINDOWS | 86 | 4 | KERNELMODE | windows |
300 | Linux (Ubuntu 16.04, 64 bit) | WINDOWS | 18 | 0 | USERMODE | linux |
200 | Android Static Analysis | ANDROID | 0 | 0 | USERMODE | android |
5. (Deprecated) Submit a file sample for analysis
Submits a file from the investigation for analysis. Deprecated, use the crowdstrike-submit-sample command instead.
Base Command
vx-submit-sample
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentId | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
Context Output
There is no context output for this command.
6. Submit a file sample for analysis
Submits a file from the investigation for analysis.
Base Command
crowdstrike-submit-sample
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
CrowdStrike.JobID | string | The job ID of the sample. |
CrowdStrike.EnvironmentID | number | The environment ID of the sample. |
Command Example
crowdstrike-submit-sample entryId=1043@2
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "5c98a5860388384f701662c1" }, "File": { "SHA256": "955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0" } }
Human Readable Output
File submitted successfully
SHA256 - 955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0
Job ID - 5c98a5860388384f701662c1
Environment ID - 100
7. (Deprecated) Query the database
Searches the database using Falcon Sandbox search syntax. Deprecated, use the crowdstrike-search command instead.
Base Command
vx-search
Input
Argument Name | Description | Required |
---|---|---|
query | Falcon Sandbox query syntax (see <server url>/faq#advanced-search-options for more details), for example: url:google, host:95.181.53.78 | Required |
Context Output
Path | Type | Description |
---|---|---|
VX.Search.SHA256 | unknown | The SHA-256 hash of the search result. |
VX.Search.SHA1 | unknown | The SHA-1 hash of the search result. |
VX.Search.MD5 | unknown | The MD5 hash of the search result. |
VX.Search.environmentId | unknown | The environment ID of the search result. |
VX.Search.start_time | unknown | The start time of the search result. |
VX.Search.threatscore | unknown | The threat score of the search result (by server). |
VX.Search.verdict | unknown | The verdict of the search result. |
VX.Search.environmentDescription | unknown | The environment description of the search result. |
VX.Search.submitname | unknown | The submission name of the search result. |
VX.Search.vxfamily | unknown | The family of the search result. |
VX.Search.threatscore | unknown | The threat score of the search result. |
VX.Search.type_short | unknown | The type of search result, for example: url or host. |
VX.Search.size | unknown | The size of the search result. |
File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
8. Query the database
Searches the database using Falcon Sandbox search syntax.
Base Command
crowdstrike-search
Input
Argument Name | Description | Required |
---|---|---|
query | Falcon Sandbox query syntax, for example: url:google,host:95.181.53.78. This argument integrates all other arguments to one, and cannot be passed with the other arguments. | Optional |
filename | Filename, for example: invoice.exe | Optional |
filetype | Filetype, for example: docx | Optional |
filetype_desc | Filetype description, for example: PE32 executable | Optional |
env_id | Environment ID | Optional |
country | Country (3 digit ISO), for example: swe, usa, fra | Optional |
verdict | Verdict | Optional |
av_detect | AV Multiscan range, for example: 50-70 (min 0, max 100) | Optional |
vx_family | AV Family Substring, for example: nemucod | Optional |
tag | Hashtag, for example: ransomware | Optional |
port | Port, for example: 8080 | Optional |
host | Host, for example: 192.168.0.1 | Optional |
domain | Domain, for example: checkip.dyndns.org | Optional |
url | HTTP Request Substring, for example: google | Optional |
similar_to | Similar Samples | Optional |
context | Sample Context | Optional |
imp_hash | Import Hash | Optional |
ssdeep | SSDeep | Optional |
authentihash | Authentication Hash | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the search result. |
File.SHA1 | string | The SHA-1 hash of the search result. |
File.MD5 | string | The MD5 hash of the search result. |
File.environmentId | number | The environment ID of the search result. |
File.start_time | unknown | The start time of the search result. |
File.threatscore | string | The threat score of the search result (by server). |
File.verdict | string | The verdict of the search result. |
File.environmentDescription | string | The environment description of the search result. |
File.submitname | string | The submission name of the search result. |
File.vxfamily | string | The family of the search result. |
File.threatscore | number | The threat score of the search result. |
File.type_short | string | The type of search result, for example: url or host. |
File.size | number | The size of the search result. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-search filetype=.docx
Context Example
{ "VX.Search": [], "File": [] }
Human Readable Output
No data returned
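The input table for crowdstrike-search states a rule that is easy to get wrong in a playbook: `query` folds every structured argument into one string and cannot be combined with them. The following is an added Python example, not the integration's code, that assembles the `key:value,key:value` form shown in the page's example (`url:google,host:95.181.53.78`) from the documented argument names, rejects a `query` that is mixed with structured arguments, and validates the `av_detect` range (min 0, max 100), the 3-letter `country` code and the `port` value before anything is sent. The argument names are taken from the table above; the validation rules beyond what the table states (port range, lower-case country code) are assumptions.

```python
"""Added example (not the integration's own code): build and validate a
crowdstrike-search query from the documented arguments."""
import re

# Structured arguments listed in the crowdstrike-search input table.
STRUCTURED_ARGS = (
    "filename", "filetype", "filetype_desc", "env_id", "country", "verdict",
    "av_detect", "vx_family", "tag", "port", "host", "domain", "url",
    "similar_to", "context", "imp_hash", "ssdeep", "authentihash",
)


def build_search_query(**args):
    """Return the query string to send, or raise ValueError for bad input.

    If `query` is given it is returned as-is and no other argument may be
    present (the page says it cannot be passed with the other arguments).
    Otherwise the structured arguments are joined as 'key:value' pairs in
    the order they were supplied.
    """
    # Drop empty values so that playbook inputs left blank do not count.
    args = {k: v for k, v in args.items() if v not in (None, "")}

    unknown = set(args) - set(STRUCTURED_ARGS) - {"query"}
    if unknown:
        raise ValueError(f"unknown search argument(s): {sorted(unknown)}")

    if "query" in args:
        if len(args) > 1:
            others = sorted(k for k in args if k != "query")
            raise ValueError(f"'query' cannot be combined with {others}")
        return str(args["query"]).strip()

    if not args:
        raise ValueError("at least one search argument is required")

    if "av_detect" in args:
        # Documented form is a range such as 50-70 with bounds 0..100.
        m = re.fullmatch(r"(\d{1,3})-(\d{1,3})", str(args["av_detect"]).strip())
        if not m or not (0 <= int(m[1]) <= int(m[2]) <= 100):
            raise ValueError("av_detect must be a range like 50-70 within 0-100")

    if "country" in args:
        # The table asks for a 3-letter ISO code (swe, usa, fra); lower-casing is assumed.
        code = str(args["country"]).strip()
        if not re.fullmatch(r"[A-Za-z]{3}", code):
            raise ValueError("country must be a 3-letter ISO code")
        args["country"] = code.lower()

    if "port" in args:
        # Assumed sanity check: a TCP/UDP port number.
        try:
            port = int(args["port"])
        except (TypeError, ValueError):
            raise ValueError("port must be an integer") from None
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        args["port"] = port

    return ",".join(f"{k}:{args[k]}" for k in args)


if __name__ == "__main__":
    print(build_search_query(url="google", host="95.181.53.78"))
    print(build_search_query(filetype="docx", av_detect="50-70", country="SWE"))
```

Validating the range and the country code locally gives a clear error in the War Room instead of an empty result set like the "No data returned" shown above, which is what a malformed filter tends to produce.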
9. (Deprecated) Get result data for a file
Retrieves result data for a file. This command returns a file. Deprecated, use the crowdstrike-result command instead.
Base Command
vx-result
Input
Argument Name | Description | Required |
---|---|---|
file | File hash (MD5, SHA-1, or SHA-256). | Required |
environmentId | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
Context Output
There is no context output for this command.
10. Get result data for a file
Retrieves result data for a file. This command returns a file.
Base Command
crowdstrike-result
Input
Argument Name | Description | Required |
---|---|---|
file | File hash (MD5, SHA-1, or SHA-256). Mandatory in v1. | Optional |
environmentId | The environment ID to submit file to. To get all environments, run the crowdstrike-get-environments command. Mandatory in v1. | Optional |
file-type | File type of report to return (supported only in v2). | Optional |
JobID | Job ID of file to generate report of (supported only in v2). | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
Command Example
crowdstrike-result file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
11. (Deprecated) Detonate a file
Detonates file using Falcon Sandbox.
Base Command
vx-detonate-file
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | The delay wait time between calls (in seconds). | Optional |
timeout | The total wait time (in seconds). | Optional |
Context Output
There is no context output for this command.
12. (Deprecated) Detonate a file
Detonates a file using Falcon Sandbox.
Base Command
crowdstrike-detonate-file
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | The delay wait time between calls (in seconds). | Optional |
timeout | The total wait time (in seconds). | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | string | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | A list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | A list of file’s hosts. |
File.isinteresting | boolean | Whether the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
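The detonate commands above take `delay` (seconds between calls) and `timeout` (total seconds), which describes a poll-until-finished loop around the scan lookup. The following is an added Python example, not the integration's code, of such a loop. It uses the SUCCESS state shown in this page's context examples as the terminal state; the pending states `IN_QUEUE` and `IN_PROGRESS` are assumed, and `fetch_state` is a hypothetical callable standing in for the scan lookup. A constructed fake sandbox and a fake clock make the example run instantly and deterministically; in a real playbook you would pass the real lookup and leave the default `time` functions in place.

```python
"""Added example (not the integration's code): the delay/timeout polling loop
behind a detonate-style command, with a constructed fake sandbox for testing."""
import time

# Assumed non-terminal states; only "SUCCESS" appears on this page.
PENDING_STATES = {"IN_QUEUE", "IN_PROGRESS"}


class DetonationTimeout(Exception):
    """Raised when the total wait time is exhausted before a report is ready."""


class DetonationError(Exception):
    """Raised when the sandbox reports a state that is neither pending nor SUCCESS."""


def wait_for_report(fetch_state, delay=5, timeout=300,
                    sleep=time.sleep, clock=time.monotonic):
    """Poll `fetch_state()` every `delay` seconds for at most `timeout` seconds.

    Returns (report, number_of_calls) once the report state is SUCCESS.
    The final sleep is shortened so the loop never overshoots the timeout.
    """
    if delay <= 0 or timeout <= 0:
        raise ValueError("delay and timeout must be positive")
    deadline = clock() + timeout
    calls = 0
    while True:
        calls += 1
        report = fetch_state()
        state = report.get("state")
        if state == "SUCCESS":
            return report, calls
        if state not in PENDING_STATES:
            raise DetonationError(f"analysis ended in state {state!r}")
        remaining = deadline - clock()
        if remaining <= 0:
            raise DetonationTimeout(f"no report after {timeout}s ({calls} polls)")
        sleep(min(delay, remaining))


class FakeClock:
    """Constructed clock so the example needs no real waiting."""

    def __init__(self):
        self.now = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def time(self):
        return self.now


def fake_sandbox(states):
    """Constructed stand-in for the scan lookup: returns each state once, then
    keeps returning the last one."""
    queue = list(states)

    def fetch():
        state = queue.pop(0) if len(queue) > 1 else queue[0]
        return {"state": state, "verdict": "malicious" if state == "SUCCESS" else None}

    return fetch


if __name__ == "__main__":
    clock = FakeClock()
    report, calls = wait_for_report(
        fake_sandbox(["IN_QUEUE", "IN_PROGRESS", "SUCCESS"]),
        delay=10, timeout=60, sleep=clock.sleep, clock=clock.time)
    print(f"report after {calls} polls and {clock.now:.0f} simulated seconds: {report}")
```

Two details matter in production: the loop raises rather than returning a half-finished report, so a playbook branch cannot treat a pending analysis as benign, and it distinguishes a timeout from a sandbox-side failure so the two can be handled differently.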
13. Submit a URL for analysis
Submits a URL for analysis. This command is only supported in v2.
Base Command
crowdstrike-submit-url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL to analyze. | Required |
environmentID | The ID of the environment to submit the URL to. | Required |
dontThrowErrorOnFileDetonation | Determine if the command will throw an error on an unsupported file error. Default is false. |  |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.EnvironmentID | string | The ID of the environment in which the URL was analyzed. |
CrowdStrike.JobID | string | The job ID of the URL analysis. |
Command Example
crowdstrike-submit-url url=www.google.com environmentID=100
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "58c1c211aac2eda9503bc31f" }, "File": { "SHA256": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1", "hash": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1" } }
Human Readable Output
URL www.google.com was submitted for analysis on CrowdStrike Falcon Sandbox
EnvironmentId | JobId | Sha256 |
---|---|---|
100 | 58c1c211aac2eda9503bc31f | d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1 |
14. Get screenshots from a report
Retrieves screenshots from a report. This command is only supported in v2.
Base Command
crowdstrike-get-screenshots
Input
Argument Name | Description | Required |
---|---|---|
file | The SHA-256 hash of the file to retrieve screenshots of. | Optional |
environmentID | The ID of the environment to retrieve screenshots from. | Optional |
JobID | The job ID to retrieve screenshots from. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the search result. |
File.SHA1 | string | The SHA-1 hash of the search result. |
File.MD5 | string | The MD5 hash of the search result. |
File.environmentId | number | The ID of the search result environment. |
File.start_time | unknown | The start time of the search result. |
File.threatscore | string | The threat score of the search result (by server). |
File.verdict | string | The verdict of the search result. |
File.environmentDescription | string | The description of the search result environment. |
File.submitname | string | The submission name of the search result. |
File.vxfamily | string | The family of the search result. |
File.threatscore | number | The threat score of the search result. |
File.type_short | string | The type of search result, for example: url or host. |
File.size | number | The size of the search result. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-get-screenshots file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
15. (Deprecated) Detonate a URL
Detonates a URL address using Falcon Sandbox. This command is only supported in v2.
Base Command
crowdstrike-detonate-url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL address to be submitted. | Required |
environmentID | The ID of the environment to submit the URL to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | The delay wait time between calls (in seconds). | Optional |
timeout | The total wait time (in seconds). | Optional |
file-type | The report file type. | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
16. Submit a file for analysis (by URL)
Submits a file for analysis (by URL). This command is only supported in v2.
Base Command
crowdstrike-submit-file-by-url
Input
Argument Name | Description | Required |
---|---|---|
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
url | The URL of the file to submit. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.EnvironmentID | string | The ID of the environment in which the file was analyzed. |
CrowdStrike.JobID | string | The job ID of the file analysis. |
Command Example
crowdstrike-submit-file-by-url url=https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "5c98a51e028838377b1662c0" }, "File": { "SHA256": "f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1" } }
Human Readable Output
File https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf was submitted for analysis on CrowdStrike Falcon Sandbox
EnvironmentId | JobId | Sha256 |
---|---|---|
100 | 5c98a51e028838377b1662c0 | f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1 |