CrowdStrike Falcon Sandbox
Use the CrowdStrike Falcon Sandbox integration to submit and analyze files and URLs.
The maximum file upload size is 100 MB.
Supported File Types:
- PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
- Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
- APK
- JAR executables
- Windows Script Component (.sct)
- Windows Shortcut (.lnk)
- Windows Help (.chm)
- HTML Application (.hta)
- Windows Script File (*.wsf)
- Javascript (.js)
- Visual Basic (*.vbs, *.vbe)
- Shockwave Flash (.swf)
- Perl (.pl)
- PowerShell (.ps1, .psd1, .psm1)
- Scalable Vector Graphics (.svg)
- Python scripts (.py)
- Perl scripts (.pl)
- Linux ELF executables
- MIME RFC 822 (*.eml)
- Outlook (*.msg files)
Prerequisites
Make sure you have the following CrowdStrike Falcon Sandbox information.
- API key
- Secret key (applicable for v1)
- API version (v1 or v2)
Each API key has an associated authorization level, which determines the available endpoints. By default, all free, non-vetted accounts can issue restricted keys. You can upgrade to full default keys, enabling file submissions and downloads.
Authorization levels:
- Restricted
- Default
- Elevated
- Super
Configure CrowdStrike Falcon Sandbox on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for VxStream.
- Click Add instance to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://216.3.128.82)
- API Key
- Secret Key (applicable only for v1)
- API Version (v1,v2)
- Trust any certificate (not secure)
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- (Deprecated) Get summary information for a file hash: vx-scan
- Get hash scan results: crowdstrike-scan
- (Deprecated) Get a list of all environments: vx-get-environments
- Get a list of all environments: crowdstrike-get-environments
- (Deprecated) Submit a file sample for analysis: vx-submit-sample
- Submit a file sample for analysis: crowdstrike-submit-sample
- (Deprecated) Query the database: vx-search
- Query the database: crowdstrike-search
- (Deprecated) Get result data for a file: vx-result
- Get result data for a file: crowdstrike-result
- (Deprecated) Detonate a file: vx-detonate-file
- (Deprecated) Detonate a file: crowdstrike-detonate-file
- Submit a URL for analysis: crowdstrike-submit-url
- Get screenshots from a report: crowdstrike-get-screenshots
- (Deprecated) Detonate a URL: crowdstrike-detonate-url
- Submit a file for analysis (by URL): crowdstrike-submit-file-by-url
1. (Deprecated) Get summary information for a file hash
Get summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
vx-scan
Input
Argument Name | Description | Required |
---|---|---|
file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | number | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | The list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | The list of the file’s hosts. |
File.isinteresting | boolean | Whether the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
2. Get hash scan results
Returns summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
crowdstrike-scan
Input
Argument Name | Description | Required |
---|---|---|
file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | string | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | A list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | A list of the file’s hosts. |
File.isinteresting | boolean | If the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
File.hash | string | The hash used to query the file. |
File.state | string | The state of the file test. |
Command Example
crowdstrike-scan file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
Context Example
{
  "DBotScore": {
    "Vendor": "CrowdStrike Falcon Sandbox",
    "Indicator": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
    "Score": 3,
    "Type": "hash"
  },
  "File": [
    {
      "compromised_hosts": [],
      "vxfamily": "Trojan.Generic",
      "environmentId": 100,
      "JobID": "5ae5ae527ca3e1156459b9f3",
      "classification_tags": [],
      "total_processes": 1,
      "SHA256": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
      "size": 38400,
      "submitname": "Keygen.exe",
      "threat_level": 2,
      "target_url": null,
      "error_type": null,
      "state": "SUCCESS",
      "mitre_attcks": [],
      "certificates": [],
      "verdict": "malicious",
      "sha512": "d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13",
      "extracted_files": [],
      "isurlanalysis": false,
      "environmentDescription": "Windows 7 32 bit",
      "SHA1": "f0fe4ae74cfb7be57c99551b75f00d66915e6900",
      "hash": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
      "analysis_start_time": "2018-04-29T13:42:28+00:00",
      "tags": [],
      "imphash": "610be5e05d19476fe9370d6dd1347f2a",
      "total_network_connections": 0,
      "av_detect": 48,
      "threatscore": 100,
      "total_signatures": 18,
      "error_origin": null,
      "ssdeep": "768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN",
      "MD5": "6ba83f1bf6617dab7990c495cd67dcf6",
      "processes": [],
      "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
      "file_metadata": null,
      "hosts": [],
      "isinteresting": false,
      "domains": [],
      "type_short": ["peexe", "executable"]
    }
  ]
}
Human Readable Output
Scan Results:
Field | Value |
---|---|
Analysis start time | 2018-04-29T13:42:28+00:00 |
AvDetect | 48 |
Certificates | |
Classification tags | |
CompromisedHosts | |
Domains | |
EnvironmentDescription | Windows 7 32 bit |
EnvironmentId | 100 |
ErrorOrigin | |
ErrorType | |
ExtractedFiles | |
FileMetadata | |
Hosts | |
Imphash | 610be5e05d19476fe9370d6dd1347f2a |
Interesting | false |
JobId | 5ae5ae527ca3e1156459b9f3 |
Md5 | 6ba83f1bf6617dab7990c495cd67dcf6 |
MitreAttcks | |
Processes | |
Sha1 | f0fe4ae74cfb7be57c99551b75f00d66915e6900 |
Sha256 | 59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355 |
Sha512 | d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13 |
Size | 38400 |
Ssdeep | 768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN |
State | SUCCESS |
SubmitName | Keygen.exe |
Tags | |
TargetUrl | |
ThreatLevel | 2 |
ThreatScore | 100 |
Total network connections | 0 |
Total processes | 1 |
Total signatures | 18 |
Type | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
TypeShort | peexe,executable |
UrlAnalysis | false |
Verdict | malicious |
VxFamily | Trojan.Generic |
3. (Deprecated) Get a list of all environments
Returns a list of all available environments. Deprecated, use the crowdstrike-get-environments command instead.
Base Command
vx-get-environments
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
VX.Environment.ID | unknown | The environment ID. |
VX.Environment.description | unknown | The environment description. |
VX.Environment.architecture | unknown | The environment architecture. |
VX.Environment.VMs_total | unknown | The total virtual machines in the environment. |
VX.Environment.VMs_busy | unknown | The busy virtual machines in the environment. |
VX.Environment.analysisMode | unknown | The analysis mode of the environment. |
VX.Environment.groupicon | unknown | The icon of the environment. |
4. Get a list of all environments
Returns a list of all available environments.
Base Command
crowdstrike-get-environments
Input
There are no input arguments for this command.
Context Output
Path | Type | Description |
---|---|---|
CrowdStrike.Environment.ID | number | The environment ID. |
CrowdStrike.Environment.description | string | The environment description. |
CrowdStrike.Environment.architecture | string | The environment architecture. |
CrowdStrike.Environment.VMs_total | number | The total virtual machines in the environment. |
CrowdStrike.Environment.VMs_busy | number | The busy virtual machines in the environment. |
CrowdStrike.Environment.analysisMode | string | The analysis mode of the environment. |
CrowdStrike.Environment.groupicon | string | The icon of the environment. |
Command Example
crowdstrike-get-environments
Context Example
{
  "VX.Environment": [
    { "VMs_total": 78, "description": "Windows 7 32 bit", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 100, "VMs_busy": 3, "analysisMode": "KERNELMODE" },
    { "VMs_total": 77, "description": "Windows 7 32 bit (HWP Support)", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 110, "VMs_busy": 3, "analysisMode": "KERNELMODE" },
    { "VMs_total": 86, "description": "Windows 7 64 bit", "VMs_invalid": 0, "groupicon": "windows", "architecture": "WINDOWS", "ID": 120, "VMs_busy": 4, "analysisMode": "KERNELMODE" },
    { "VMs_total": 18, "description": "Linux (Ubuntu 16.04, 64 bit)", "VMs_invalid": 0, "groupicon": "linux", "architecture": "WINDOWS", "ID": 300, "VMs_busy": 0, "analysisMode": "USERMODE" },
    { "VMs_total": 0, "description": "Android Static Analysis", "VMs_invalid": 0, "groupicon": "android", "architecture": "ANDROID", "ID": 200, "VMs_busy": 0, "analysisMode": "USERMODE" }
  ],
  "CrowdStrike.Environment": [
    { "VMs_total": 78, "description": "Windows 7 32 bit", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 100, "VMs_busy": 3, "analysisMode": "KERNELMODE" },
    { "VMs_total": 77, "description": "Windows 7 32 bit (HWP Support)", "VMs_invalid": 3, "groupicon": "windows", "architecture": "WINDOWS", "ID": 110, "VMs_busy": 3, "analysisMode": "KERNELMODE" },
    { "VMs_total": 86, "description": "Windows 7 64 bit", "VMs_invalid": 0, "groupicon": "windows", "architecture": "WINDOWS", "ID": 120, "VMs_busy": 4, "analysisMode": "KERNELMODE" },
    { "VMs_total": 18, "description": "Linux (Ubuntu 16.04, 64 bit)", "VMs_invalid": 0, "groupicon": "linux", "architecture": "WINDOWS", "ID": 300, "VMs_busy": 0, "analysisMode": "USERMODE" },
    { "VMs_total": 0, "description": "Android Static Analysis", "VMs_invalid": 0, "groupicon": "android", "architecture": "ANDROID", "ID": 200, "VMs_busy": 0, "analysisMode": "USERMODE" }
  ]
}
Human Readable Output
All Environments:
ID | Description | Architecture | Total VMs | Busy VMs | Analysis mode | Group icon |
---|---|---|---|---|---|---|
100 | Windows 7 32 bit | WINDOWS | 78 | 3 | KERNELMODE | windows |
110 | Windows 7 32 bit (HWP Support) | WINDOWS | 77 | 3 | KERNELMODE | windows |
120 | Windows 7 64 bit | WINDOWS | 86 | 4 | KERNELMODE | windows |
300 | Linux (Ubuntu 16.04, 64 bit) | WINDOWS | 18 | 0 | USERMODE | linux |
200 | Android Static Analysis | ANDROID | 0 | 0 | USERMODE | android |
5. (Deprecated) Submit a file sample for analysis
Submits a file from the investigation for analysis. Deprecated, use the crowdstrike-submit-sample command instead.
Base Command
vx-submit-sample
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentId | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
Context Output
There is no context output for this command.
6. Submit a file sample for analysis
Submits a file from the investigation for analysis.
Base Command
crowdstrike-submit-sample
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
CrowdStrike.JobID | string | The job ID of the sample. |
CrowdStrike.EnvironmentID | number | The environment ID of the sample. |
Command Example
crowdstrike-submit-sample entryId=1043@2
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "5c98a5860388384f701662c1" }, "File": { "SHA256": "955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0" } }
Human Readable Output
File submitted successfully
SHA256 - 955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0
Job ID - 5c98a5860388384f701662c1
Environment ID - 100
7. (Deprecated) Query the database
Searches the database using Falcon Sandbox search syntax. Deprecated, use the crowdstrike-search command instead.
Base Command
vx-search
Input
Argument Name | Description | Required |
---|---|---|
query | Falcon Sandbox query syntax (see <server url>/faq#advanced-search-options for more details), for example: url:google, host:95.181.53.78 | Required |
Context Output
Path | Type | Description |
---|---|---|
VX.Search.SHA256 | unknown | The SHA-256 hash of the search result. |
VX.Search.SHA1 | unknown | The SHA-1 hash of the search result. |
VX.Search.MD5 | unknown | The MD5 hash of the search result. |
VX.Search.environmentId | unknown | The environment ID of the search result. |
VX.Search.start_time | unknown | The start time of the search result. |
VX.Search.threatscore | unknown | The threat score of the search result (by server). |
VX.Search.verdict | unknown | The verdict of the search result. |
VX.Search.environmentDescription | unknown | The environment description of the search result. |
VX.Search.submitname | unknown | The submission name of the search result. |
VX.Search.vxfamily | unknown | The family of the search result. |
VX.Search.threatscore | unknown | The threat score of the search result. |
VX.Search.type_short | unknown | The type of search result, for example: url or host. |
VX.Search.size | unknown | The size of the search result. |
File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
8. Query the database
Searches the database using Falcon Sandbox search syntax.
Base Command
crowdstrike-search
Input
Argument Name | Description | Required |
---|---|---|
query | Falcon Sandbox query syntax, for example: url:google,host:95.181.53.78. This argument integrates all other arguments to one, and cannot be passed with the other arguments. | Optional |
filename | Filename, for example: invoice.exe | Optional |
filetype | Filetype, for example: docx | Optional |
filetype_desc | Filetype description, for example: PE32 executable | Optional |
env_id | Environment ID | Optional |
country | Country (3 digit ISO), for example: swe, usa, fra | Optional |
verdict | Verdict | Optional |
av_detect | AV Multiscan range, for example: 50-70 (min 0, max 100) | Optional |
vx_family | AV Family Substring, for example: nemucod | Optional |
tag | Hashtag, for example: ransomware | Optional |
port | Port, for example: 8080 | Optional |
host | Host, for example: 192.168.0.1 | Optional |
domain | Domain, for example: checkip.dyndns.org | Optional |
url | HTTP Request Substring, for example: google | Optional |
similar_to | Similar Samples | Optional |
context | Sample Context | Optional |
imp_hash | Import Hash | Optional |
ssdeep | SSDeep | Optional |
authentihash | Authentication Hash | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the search result. |
File.SHA1 | string | The SHA-1 hash of the search result. |
File.MD5 | string | The MD5 hash of the search result. |
File.environmentId | number | The environment ID of the search result. |
File.start_time | unknown | The start time of the search result. |
File.threatscore | string | The threat score of the search result (by server). |
File.verdict | string | The verdict of the search result. |
File.environmentDescription | string | The environment description of the search result. |
File.submitname | string | The submission name of the search result. |
File.vxfamily | string | The family of the search result. |
File.threatscore | number | The threat score of the search result. |
File.type_short | string | The type of search result, for example: url or host. |
File.size | number | The size of the search result. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-search filetype=.docx
Context Example
{ "VX.Search": [], "File": [] }
Human Readable Output
No data returned
9. (Deprecated) Get result data for a file
Retrieves result data for a file. This command returns a file. Deprecated, use the crowdstrike-result command instead.
Base Command
vx-result
Input
Argument Name | Description | Required |
---|---|---|
file | File hash (MD5, SHA-1, or SHA-256). | Required |
environmentId | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
Context Output
There is no context output for this command.
10. Get result data for a file
Retrieves result data for a file. This command returns a file.
Base Command
crowdstrike-result
Input
Argument Name | Description | Required |
---|---|---|
file | File hash (MD5, SHA-1, or SHA-256). Mandatory in v1. | Optional |
environmentId | The ID of the environment to submit the file to. To get all environments, run the crowdstrike-get-environments command. Mandatory in v1. | Optional |
file-type | File type of report to return (supported only in v2). | Optional |
JobID | Job ID of file to generate report of (supported only in v2). | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
Command Example
crowdstrike-result file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
11. (Deprecated) Detonate a file
Detonates file using Falcon Sandbox.
Base Command
vx-detonate-file
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | The delay wait time between calls (in seconds). | Optional |
timeout | The total wait time (in seconds). | Optional |
Context Output
There is no context output for this command.
12. (Deprecated) Detonate a file
Detonates a file using Falcon Sandbox.
Base Command
crowdstrike-detonate-file
Input
Argument Name | Description | Required |
---|---|---|
entryId | The War Room entry ID of the sample file. | Required |
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | The delay wait time between calls (in seconds). | Optional |
timeout | The total wait time (in seconds). | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
File.SHA1 | string | The SHA-1 hash of the file. |
File.MD5 | string | The MD5 hash of the file. |
File.environmentId | string | The environment ID of the file. |
File.analysis_start_time | string | The analysis start time of the file. |
File.submitname | string | The submission name of the file. |
File.classification_tags | unknown | A list of classification tags of the file. |
File.vxfamily | string | The family classification of the file. |
File.total_network_connections | number | The total network connections of the file. |
File.total_processes | number | The total processes count of the file. |
File.total_signatures | number | The total signatures count of the file. |
File.hosts | unknown | A list of the file’s hosts. |
File.isinteresting | boolean | Whether the server found this file interesting. |
File.domains | unknown | A list of the file’s related domains. |
File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
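As an added example (not the integration's own code), the following Python shows what a detonation amounts to in terms of the non-deprecated commands above: submit the sample, poll the hash scan with the delay and timeout arguments until the report is no longer queued, then derive the DBotScore and File.Malicious context entries from the verdict. The verdict strings, the IN_QUEUE/IN_PROGRESS state names and the FakeSandbox client that stands in for the API are assumptions so it runs offline.

```python
import hashlib
import time

VENDOR = "CrowdStrike Falcon Sandbox"
# Demisto DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
# The verdict strings are an assumption, not taken from this page.
VERDICT_TO_SCORE = {"malicious": 3, "suspicious": 2,
                    "no specific threat": 1, "whitelisted": 1}
PENDING_STATES = {"IN_QUEUE", "IN_PROGRESS"}  # assumed state names


def verdict_to_dbot_score(verdict):
    """Map a sandbox verdict string onto the 0..3 DBotScore scale."""
    return VERDICT_TO_SCORE.get((verdict or "").lower(), 0)


def report_to_context(report):
    """Build the File and DBotScore context entries from one scan report."""
    score = verdict_to_dbot_score(report.get("verdict"))
    file_ctx = {
        "SHA256": report["sha256"],
        "environmentId": report["environmentId"],
        "state": report["state"],
        "vxfamily": report.get("vxfamily"),
        "verdict": report.get("verdict"),
    }
    if score == 3:  # File.Malicious is only set for malicious files
        file_ctx["Malicious"] = {
            "Vendor": VENDOR,
            "Description": "Verdict %s, family %s"
                           % (report.get("verdict"), report.get("vxfamily")),
        }
    dbot = {"Indicator": report["sha256"], "Type": "hash",
            "Vendor": VENDOR, "Score": score}
    return {"File": file_ctx, "DBotScore": dbot}


class FakeSandbox:
    """Constructed stand-in for the API: the first `pending` scans return a
    queued report, after which the report is SUCCESS with a verdict."""

    def __init__(self, pending=2, verdict="malicious", family="Trojan.Generic"):
        self.pending = pending
        self.verdict = verdict
        self.family = family

    def submit_sample(self, file_bytes, environment_id):
        sha256 = hashlib.sha256(file_bytes).hexdigest()
        return {"sha256": sha256, "job_id": "constructed-job-id",
                "environment_id": environment_id}

    def scan(self, sha256, environment_id):
        base = {"sha256": sha256, "environmentId": environment_id}
        if self.pending > 0:
            self.pending -= 1
            return dict(base, state="IN_QUEUE")
        return dict(base, state="SUCCESS", verdict=self.verdict,
                    vxfamily=self.family)


def detonate_file(client, file_bytes, environment_id=100, delay=3,
                  timeout=60, sleep=time.sleep):
    """Submit, then poll every `delay` seconds until the report leaves the
    pending states or `timeout` seconds of waiting have accumulated.
    `sleep` is injectable so the loop can be exercised without waiting."""
    sub = client.submit_sample(file_bytes, environment_id)
    elapsed = 0
    while True:
        report = client.scan(sub["sha256"], environment_id)
        if report["state"] not in PENDING_STATES:
            return report_to_context(report)
        if elapsed >= timeout:
            raise TimeoutError("no report for %s after %ss"
                               % (sub["sha256"], timeout))
        sleep(delay)
        elapsed += delay


if __name__ == "__main__":
    ctx = detonate_file(FakeSandbox(), b"constructed sample bytes",
                        sleep=lambda s: None)
    print(ctx["DBotScore"]["Score"], ctx["File"]["Malicious"]["Description"])
```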
13. Submit a URL for analysis
Submits a URL for analysis. This command is only supported in v2.
Base Command
crowdstrike-submit-url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL to analyze. | Required |
environmentID | The ID of the environment to submit the URL to. | Required |
dontThrowErrorOnFileDetonation | Determines whether the command throws an error on an unsupported file error. Default is false. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.EnvironmentID | string | The ID of the environment in which the URL was analyzed. |
CrowdStrike.JobID | string | The job ID of the URL analysis. |
Command Example
crowdstrike-submit-url url=www.google.com environmentID=100
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "58c1c211aac2eda9503bc31f" }, "File": { "SHA256": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1", "hash": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1" } }
Human Readable Output
URL www.google.com was submitted for analysis on CrowdStrike Falcon Sandbox
EnvironmentId | JobId | Sha256 |
---|---|---|
100 | 58c1c211aac2eda9503bc31f | d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1 |
14. Get screenshots from a report
Retrieves screenshots from a report. This command is only supported in v2.
Base Command
crowdstrike-get-screenshots
Input
Argument Name | Description | Required |
---|---|---|
file | The SHA-256 hash of the file to retrieve screenshots of. | Optional |
environmentID | The ID of the environment to retrieve screenshots from. | Optional |
JobID | The job ID to retrieve screenshots from. | Optional |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the search result. |
File.SHA1 | string | The SHA-1 hash of the search result. |
File.MD5 | string | The MD5 hash of the search result. |
File.environmentId | number | The ID of the search result environment. |
File.start_time | unknown | The start time of the search result. |
File.threatscore | string | The threat score of the search result (by server). |
File.verdict | string | The verdict of the search result. |
File.environmentDescription | string | The description of the search result environment. |
File.submitname | string | The submission name of the search result. |
File.vxfamily | string | The family of the search result. |
File.threatscore | number | The threat score of the search result. |
File.type_short | string | The type of search result, for example: url or host. |
File.size | number | The size of the search result. |
File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-get-screenshots file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
15. (Deprecated) Detonate a URL
Detonates a URL address using Falcon Sandbox. This command is only supported in v2.
Base Command
crowdstrike-detonate-url
Input
Argument Name | Description | Required |
---|---|---|
url | The URL address to be submitted. | Required |
environmentID | The ID of the environment to submit the URL to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. | Optional |
delay | Delay wait time between calls (in seconds). | Optional |
timeout | Total wait time (in seconds). | Optional |
file-type | The report file type. | Optional |
Context Output
Path | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
16. Submit a file for analysis (by URL)
Submits a file for analysis (by URL). This command is only supported in v2.
Base Command
crowdstrike-submit-file-by-url
Input
Argument Name | Description | Required |
---|---|---|
environmentID | The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. | Optional |
url | The URL of the file to submit. | Required |
Context Output
Path | Type | Description |
---|---|---|
File.SHA256 | string | The SHA-256 hash of the file. |
CrowdStrike.EnvironmentID | string | The ID of the environment in which the file was analyzed. |
CrowdStrike.JobID | string | The job ID of the file analysis. |
Command Example
crowdstrike-submit-file-by-url url=https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf
Context Example
{ "CrowdStrike": { "EnvironmentID": 100, "JobID": "5c98a51e028838377b1662c0" }, "File": { "SHA256": "f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1" } }
Human Readable Output
File https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf was submitted for analysis on CrowdStrike Falcon Sandbox
EnvironmentId | JobId | Sha256 |
---|---|---|
100 | 5c98a51e028838377b1662c0 | f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1 |