Cortex XSOAR for Developers (Formerly Demisto)

CrowdStrike Falcon Sandbox

Use the CrowdStrike Falcon Sandbox integration to submit and analyze files and URLs.

Supported File Types

The maximum file upload size is 100 MB.

  • PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
  • Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
  • PDF
  • APK
  • JAR executables
  • Windows Script Component (.sct)
  • Windows Shortcut (.lnk)
  • Windows Help (.chm)
  • HTML Application (.hta)
  • Windows Script File (*.wsf)
  • Javascript (.js)
  • Visual Basic (*.vbs, *.vbe)
  • Shockwave Flash (.swf)
  • Perl (.pl)
  • PowerShell (.ps1, .psd1, .psm1)
  • Scalable Vector Graphics (.svg)
  • Python scripts (.py)
  • Perl scripts (.pl)
  • Linux ELF executables
  • MIME RFC 822 (*.eml)
  • Outlook (*.msg files)

Prerequisites

Make sure you have the following CrowdStrike Falcon Sandbox information.

  • API key
  • Secret key (applicable for v1)
  • API version (v1 or v2)

Each API key has an associated authorization level, which determines the available endpoints. By default, all free, non-vetted accounts can issue restricted keys. You can upgrade to full default keys, enabling file submissions and downloads.

Authorization levels:

  • Restricted
  • Default
  • Elevated
  • Super

Configure CrowdStrike Falcon Sandbox on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for VxStream.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://216.3.128.82 )
    • API Key
    • Secret Key (applicable only for v1)
    • API Version (v1,v2)
    • Trust any certificate ( not secure )
    • Use system proxy settings
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. (Deprecated) Get summary information for a file hash: vx-scan
  2. Get hash scan results: crowdstrike-scan
  3. (Deprecated) Get a list of all environments: vx-get-environments
  4. Get a list of all environments: crowdstrike-get-environments
  5. (Deprecated) Submit a file sample for analysis: vx-submit-sample
  6. Submit a file sample for analysis: crowdstrike-submit-sample
  7. (Deprecated) Query the database: vx-search
  8. Query the database: crowdstrike-search
  9. (Deprecated) Get result data for a file: vx-result
  10. Get result data for a file: crowdstrike-result
  11. (Deprecated) Detonate a file: vx-detonate-file
  12. (Deprecated) Detonate a file: crowdstrike-detonate-file
  13. Submit a URL for analysis: crowdstrike-submit-url
  14. Get screenshots from a report: crowdstrike-get-screenshots
  15. (Depecrated) Detonate a URL: crowdstrike-detonate-url
  16. Submit a file for analysis (by URL): crowdstrike-submit-file-by-url

1. (Deprecated) Get summary information for a file hash

Get summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.

Base Command

vx-scan

Input
Argument Name Description Required
file The file hash (MD5, SHA-1, or SHA-256). Required

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
File.SHA1 string SHA1 of the file.
File.MD5 string The MD5 hash of the file.
File.environmentId number The environment ID of the file.
File.analysis_start_time string The analysis start time of the file.
File.submitname string The submission name of the file.
File.classification_tags unknown The list of classification tags of the file.
File.vxfamily string The family classification of the file.
File.total_network_connections number The total network connections of the file.
File.total_processes number The total processes count of the file.
File.total_signatures number The total signatures count of the file.
File.hosts unknown The list of the file’s hosts.
File.isinteresting boolean Whether the server found this file interesting.
File.domains unknown A list of the file’s related domains.
File.isurlanalysis boolean If file analyzed by url.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.

2. Get hash scan results

Returns summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.

Base Command

crowdstrike-scan

Input
Argument Name Description Required
file The file hash (MD5, SHA-1, or SHA-256). Required

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
File.SHA1 string The SHA-1 hash of the file.
File.MD5 string The MD5 hash of the file.
File.environmentId string The environment ID of the file.
File.analysis_start_time string The analysis start time of the file.
File.submitname string The submission name of the file.
File.classification_tags unknown A list of classification tags of the file.
File.vxfamily string The family classification of the file.
File.total_network_connections number The total network connections of the file.
File.total_processes number The total processes count of the file.
File.total_signatures number The total signatures count if the file.
File.hosts unknown A list of the file’s hosts.
File.isinteresting boolean If the server found this file interesting.
File.domains unknown A list of the file’s related domains.
File.isurlanalysis boolean Whether the file was analyzed by URL.
File.Malicious.Vendor string or malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason for the vendor to make the decision.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The vendor used to calculate the score.
DBotScore.Score number The actual score.
File.hash string The hash used to query the file.
File.state string The state of the file test.

Command Example 
crowdstrike-scan file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
Context Example 
{
    "DBotScore": {
        "Vendor": "CrowdStrike Falcon Sandbox", 
        "Indicator": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", 
        "Score": 3, 
        "Type": "hash"
    }, 
    "File": [
        {
            "compromised_hosts": [], 
            "vxfamily": "Trojan.Generic", 
            "environmentId": 100, 
            "JobID": "5ae5ae527ca3e1156459b9f3", 
            "classification_tags": [], 
            "total_processes": 1, 
            "SHA256": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", 
            "size": 38400, 
            "submitname": "Keygen.exe", 
            "threat_level": 2, 
            "target_url": null, 
            "error_type": null, 
            "state": "SUCCESS", 
            "mitre_attcks": [], 
            "certificates": [], 
            "verdict": "malicious", 
            "sha512": "d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13", 
            "extracted_files": [], 
            "isurlanalysis": false, 
            "environmentDescription": "Windows 7 32 bit", 
            "SHA1": "f0fe4ae74cfb7be57c99551b75f00d66915e6900", 
            "hash": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355", 
            "analysis_start_time": "2018-04-29T13:42:28+00:00", 
            "tags": [], 
            "imphash": "610be5e05d19476fe9370d6dd1347f2a", 
            "total_network_connections": 0, 
            "av_detect": 48, 
            "threatscore": 100, 
            "total_signatures": 18, 
            "error_origin": null, 
            "ssdeep": "768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN", 
            "MD5": "6ba83f1bf6617dab7990c495cd67dcf6", 
            "processes": [], 
            "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed", 
            "file_metadata": null, 
            "hosts": [], 
            "isinteresting": false, 
            "domains": [], 
            "type_short": [
                "peexe", 
                "executable"
            ]
        }
    ]
}
Human Readable Output

Scan Results:

Analysis start time AvDetect Certificates Classification tags CompromisedHosts Domains EnvironmentDescription EnvironmentId ErrorOrigin ErrorType ExtractedFiles FileMetadata Hosts Imphash Interesting JobId Md5 MitreAttcks Processes Sha1 Sha256 Sha512 Size Ssdeep State SubmitName Tags TargetUrl ThreatLevel ThreatScore Total network connections Total processes Total signatures Type TypeShort UrlAnalysis Verdict VxFamily
2018-04-29T13:42:28+00:00 48 Windows 7 32 bit 100 610be5e05d19476fe9370d6dd1347f2a false 5ae5ae527ca3e1156459b9f3 6ba83f1bf6617dab7990c495cd67dcf6 f0fe4ae74cfb7be57c99551b75f00d66915e6900 59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355 d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13 38400 768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN SUCCESS Keygen.exe 2 100 0 1 18 PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed peexe,executable false malicious Trojan.Generic

3. (Deprecated) Get a list of all environments

Returns a list of all available environments. Deprecated, use the crowdstrike-get-environments command instead.

Base Command

vx-get-environments

Input

There are no input arguments for this command.

Context Output
Path Type Description
VX.Environment.ID unknown Environment ID.
VX.Environment.description unknown The environment description.
VX.Environment.architecture unknown Environment architecture.
VX.Environment.VMs_total unknown Total virtual machines in the environment.
VX.Environment.VMs_busy unknown Busy virtual machines in the environment.
VX.Environment.analysisMode unknown Analysis mode of environment.
VX.Environment.groupicon unknown Icon of environment.

4. Get a list of all environments

Returns a list of all available environments.

Base Command

crowdstrike-get-environments

Input

There are no input arguments for this command.

Context Output
Path Type Description
CrowdStrike.Environment.ID number The environment ID.
CrowdStrike.Environment.description string The environment description.
CrowdStrike.Environment.architecture string The environment architecture.
CrowdStrike.Environment.VMs_total number The total virtual machines in the environment.
CrowdStrike.Environment.VMs_busy number The busy virtual machines in the environment.
CrowdStrike.Environment.analysisMode string The analysis mode of the environment.
CrowdStrike.Environment.groupicon string The icon of the environment.

Command Example 
crowdstrike-get-environments
Context Example 
{
    "VX.Environment": [
        {
            "VMs_total": 78, 
            "description": "Windows 7 32 bit", 
            "VMs_invalid": 3, 
            "groupicon": "windows", 
            "description_long": "", 
            "architecture": "WINDOWS", 
            "is32bit": "true", 
            "ID": 100, 
            "VMs_busy": 3, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 77, 
            "description": "Windows 7 32 bit (HWP Support)", 
            "VMs_invalid": 3, 
            "groupicon": "windows", 
            "description_long": "This environment can process Hangul Word Processor (HWP) files", 
            "architecture": "WINDOWS", 
            "is32bit": "true", 
            "ID": 110, 
            "VMs_busy": 3, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 86, 
            "description": "Windows 7 64 bit", 
            "VMs_invalid": 0, 
            "groupicon": "windows", 
            "description_long": null, 
            "architecture": "WINDOWS", 
            "is32bit": "false", 
            "ID": 120, 
            "VMs_busy": 4, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 18, 
            "description": "Linux (Ubuntu 16.04, 64 bit)", 
            "VMs_invalid": 0, 
            "groupicon": "linux", 
            "description_long": null, 
            "architecture": "WINDOWS", 
            "is32bit": "false", 
            "ID": 300, 
            "VMs_busy": 0, 
            "analysisMode": "USERMODE"
        }, 
        {
            "VMs_total": 0, 
            "description": "Android Static Analysis", 
            "VMs_invalid": 0, 
            "groupicon": "android", 
            "description_long": "", 
            "architecture": "ANDROID", 
            "is32bit": "false", 
            "ID": 200, 
            "VMs_busy": 0, 
            "analysisMode": "USERMODE"
        }
    ], 
    "CrowdStrike.Environment": [
        {
            "VMs_total": 78, 
            "description": "Windows 7 32 bit", 
            "VMs_invalid": 3, 
            "groupicon": "windows", 
            "description_long": "", 
            "architecture": "WINDOWS", 
            "is32bit": "true", 
            "ID": 100, 
            "VMs_busy": 3, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 77, 
            "description": "Windows 7 32 bit (HWP Support)", 
            "VMs_invalid": 3, 
            "groupicon": "windows", 
            "description_long": "This environment can process Hangul Word Processor (HWP) files", 
            "architecture": "WINDOWS", 
            "is32bit": "true", 
            "ID": 110, 
            "VMs_busy": 3, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 86, 
            "description": "Windows 7 64 bit", 
            "VMs_invalid": 0, 
            "groupicon": "windows", 
            "description_long": null, 
            "architecture": "WINDOWS", 
            "is32bit": "false", 
            "ID": 120, 
            "VMs_busy": 4, 
            "analysisMode": "KERNELMODE"
        }, 
        {
            "VMs_total": 18, 
            "description": "Linux (Ubuntu 16.04, 64 bit)", 
            "VMs_invalid": 0, 
            "groupicon": "linux", 
            "description_long": null, 
            "architecture": "WINDOWS", 
            "is32bit": "false", 
            "ID": 300, 
            "VMs_busy": 0, 
            "analysisMode": "USERMODE"
        }, 
        {
            "VMs_total": 0, 
            "description": "Android Static Analysis", 
            "VMs_invalid": 0, 
            "groupicon": "android", 
            "description_long": "", 
            "architecture": "ANDROID", 
            "is32bit": "false", 
            "ID": 200, 
            "VMs_busy": 0, 
            "analysisMode": "USERMODE"
        }
    ]
}
Human Readable Output

All Environments:

_ID Description Architecture Total VMS Busy VMS Analysis mode Group icon
100 Windows 7 32 bit WINDOWS 78 3 KERNELMODE windows
110 Windows 7 32 bit (HWP Support) WINDOWS 77 3 KERNELMODE windows
120 Windows 7 64 bit WINDOWS 86 4 KERNELMODE windows
300 Linux (Ubuntu 16.04, 64 bit) WINDOWS 18 0 USERMODE linux
200 Android Static Analysis ANDROID 0 0 USERMODE android

5. (Deprecated) Submit a file sample for analysis

Submits a file from the investigation for analysis. Deprecated, use the crowdstrike-submit-sample command instead.

Base Command

vx-submit-sample

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file. Required
environmentId The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Optional

Context Output

There is no context output for this command.

6. Submit a file sample for analysis

Submits a file from the investigation for analysis.

Base Command

crowdstrike-submit-sample

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file. Required
environmentID The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Required

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
File.MD5 string The MD5 hash of the file.
File.SHA1 string The SHA-1 hash of the file.
CrowdStrike.JobID string The job ID of the sample.
CrowdStrike.EnvironmentID number The environment ID of the sample.

Command Example 
crowdstrike-submit-sample entryId=1043@2
Context Example 
{
    "CrowdStrike": {
        "EnvironmentID": 100, 
        "JobID": "5c98a5860388384f701662c1"
    }, 
    "File": {
        "SHA256": "955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0"
    }
}
Human Readable Output

File submitted successfully
SHA256 - 955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0
Job ID - 5c98a5860388384f701662c1
Environment ID - 100

7. (Deprecated) Query the database

Searches the database using Falcon Sandbox search syntax. Deprecated, use the crowdstrike-search command instead.

Base Command

vx-search

Input
Argument Name Description Required
query Falcon Sandbox query syntax (see <server url>/faq#advanced-search-options for more details). examples - url:google, host:95.181.53.78 Required

Context Output
Path Type Description
VX.Search.SHA256 unknown The SHA-256 hash of the search result.
VX.Search.SHA1 unknown The SHA-1 hash of the search result.
VX.Search.MD5 unknown The MD5 hash of the search result.
VX.Search.environmentId unknown The environment ID of the search result.
VX.Search.start_time unknown The start time of the search result.
VX.Search.threatscore unknown The threat score of the search result (by server).
VX.Search.verdict unknown Verdict of search result
VX.Search.environmentDescription unknown The environment description of the search result.
VX.Search.submitname unknown The submission name of the search result.
VX.Search.vxfamily unknown The family of the search result
VX.Search.threatscore unknown The threat score of the search result.
VX.Search.type_short unknown The type of search result, for example: url or host.
VX.Search.size unknown The size of the search result.
File.Malicious.Vendor unknown For malicious files, the vendor that made the decision.
File.Malicious.Description unknown For malicious files, the reason that the vendor made the decision.

8. Query the database

Searches the database using Falcon Sandbox search syntax.

Base Command

crowdstrike-search

Input
Argument Name Description Required
query Falcon Sandbox query syntax, for example: url:google,host:95.181.53.78. This argument integrates all other arguments to one, and cannot be passed with the other arguments. Optional
filename Filename, for example: invoice.exe Optional
filetype Filetype, for example: docx Optional
filetype_desc Filetype description, for example: PE32 executable Optional
env_id Environment ID Optional
country Country (3 digit ISO), for example: swe, usa, fra Optional
verdict Verdict Optional
av_detect AV Multiscan range, for example: 50-70 (min 0, max 100) Optional
vx_family AV Family Substring, for example: nemucod Optional
tag Hashtag, for example: ransomware Optional
port Port, for example: 8080 Optional
host Host, for example: 192.168.0.1 Optional
domain Domain, for example: checkip.dyndns.org Optional
url HTTP Request Substring, for example: google Optional
similar_to Similar Samples Optional
context Sample Context Optional
imp_hash Import Hash Optional
ssdeep SSDeep Optional
authentihash Authentication Hash Optional

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the search result.
File.SHA1 string The SHA-1 of the search result.
File.MD5 string The MD5 hash of the search result.
File.environmentId number The environment ID of the search result.
File.start_time unknown The start time of the search result.
File.threatscore string The threat score of the search result (by server).
File.verdict string The verdict of the search result.
File.environmentDescription string The environment description of search result.
File.submitname string The submission name of the search result.
File.vxfamily string The family of the search result.
File.threatscore number The threat score of the search result.
File.type_short string The type of search result, for example: url or host.
File.size number The size of the search result.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.

Command Example 
crowdstrike-search filetype=.docx
Context Example 
{
    "VX.Search": [], 
    "File": []
}
Human Readable Output

No data returned

9. (Deprecated) Get result data for a file

Retrieves result data for a file. This command returns a file. Deprecated, use the crowdstrike-result command instead.

Base Command

vx-result

Input
Argument Name Description Required
file File hash (MD5, SHA-1, or SHA-256). Required
environmentId The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Optional

Context Output

There is no context output for this command.

10. Get result data for a file

Retrieves result data for a file. This command returns a file.

Base Command

crowdstrike-result

Input
Argument Name Description Required
file File hash (MD5, SHA-1, or SHA-256). Madatory in v1. Optional
environmentId The environment ID to submit file to. To get all environments, run the crowdstrike-get-environments command. Mandatory in v1. Optional
file-type File type of report to return (supported only in v2). Optional
JobID Job ID of file to generate report of (supported only in v2). Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The vendor used to calculate the score.
DBotScore.Score number The actual score.

Command Example 
crowdstrike-result file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355

11. (Deprecated) Detonate a file

Detonates file using Falcon Sandbox.

Base Command

vx-detonate-file

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file. Required
environmentID The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. Optional
delay The delay wait time between calls (in seconds). Optional
timeout The total wait time (in seconds). Optional

Context Output

There is no context output for this command.

12. (Deprecated) Detonate a file

Detonates a file using Falcon Sandbox.

Base Command

crowdstrike-detonate-file

Input
Argument Name Description Required
entryId The War Room entry ID of the sample file. Required
environmentID The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. Optional
delay The delay wait time between calls (in seconds). Optional
timeout The total wait time (in seconds). Optional

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
File.SHA1 string The SHA-1 hash of the file.
File.MD5 string The MD5 hash of the file.
File.environmentId string The environment ID of the file.
File.analysis_start_time string The analysis start time of the file.
File.submitname string The submission name of the file.
File.classification_tags unknown A list of classification tags of the file.
File.vxfamily string The family classification of the file.
File.total_network_connections number The total network connections of the file.
File.total_processes number The total processes count of the file.
File.total_signatures number The total signatures count of the file.
File.hosts unknown A list of file’s hosts.
File.isinteresting boolean Whether the server found this file interesting.
File.domains unknown A list of the file’s related domains.
File.isurlanalysis boolean Whether the file was analyzed by URL.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The vendor used to calculate the score.
DBotScore.Score number The actual score.

13. Submit a URL for analysis

Submits a URL for analysis. This command is only supported in v2.

Base Command

crowdstrike-submit-url

Input
Argument Name Description Required
url The URL to analyze. Required
environmentID The ID of the environment to submit the URL to. Required

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
CrowdStrike.EnvironmentID string The ID of the environment in which the URL was analyzed.
CrowdStrike.JobID string The job ID of the URL analysis.

Command Example 
crowdstrike-submit-url url=www.google.com environmentID=100
Context Example 
{
    "CrowdStrike": {
        "EnvironmentID": 100, 
        "JobID": "58c1c211aac2eda9503bc31f"
    }, 
    "File": {
        "SHA256": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1", 
        "hash": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1"
    }
}
Human Readable Output

URL www.google.com was submitted for analysis on CrowdStrike Falcon Sandbox

EnvironmentId JobId Sha256
100 58c1c211aac2eda9503bc31f d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1

14. Get screenshots from a report

Retrieves screenshots from a report. This command is only supported in v2.

Base Command

crowdstrike-get-screenshots

Input
Argument Name Description Required
file The SHA-2556 hash of the file to retrieve screenshots of. Optional
environmentID The ID of the environment to retrieve screenshots from. Optional
JobID The job ID to retrieve screenshots from. Optional

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the search result.
File.SHA1 string The SHA-1 hash of the search result.
File.MD5 string The MD5 hash of the search result.
File.environmentId number The ID of the search result environment.
File.start_time unknown The start time of the search result.
File.threatscore string The threat score of the search result (by server).
File.verdict string The verdict of the search result.
File.environmentDescription string The description of the search result environment.
File.submitname string The submission name of the search result.
File.vxfamily string The family of search result.
File.threatscore number The threat score of the search result.
File.type_short string The type of search result, for example: url or host.
File.size number Size of the search result.
File.Malicious.Vendor string For malicious files, the vendor that made the decision.
File.Malicious.Description string For malicious files, the reason that the vendor made the decision.

Command Example 
crowdstrike-get-screenshots file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355

15. (Deprecated) Detonate a URL

Detonates a URL address using Falcon Sandbox. This command is only supported in v2.

Base Command

crowdstrike-detonate-url

Input
Argument Name Description Required
url The URL address to be submitted. Required
environmentID The ID of the environment to submit the URL to. To get all IDs, run the crowdstrike-get-environments command. Default is 100, or other WINDOWS ID. Optional
delay Delay wait time between calls (in seconds). Optional
timeout Total wait time (in seconds). Optional
file-type The report file type. Optional

Context Output
Path Type Description
DBotScore.Indicator string The indicator that was tested.
DBotScore.Type string The indicator type.
DBotScore.Vendor string The vendor used to calculate the score.
DBotScore.Score number The actual score.

16. Submit a file for analysis (by URL)

Submit a file for analysis (by URL). This command is only supported only in v2.

Base Command

crowdstrike-submit-file-by-url

Input
Argument Name Description Required
environmentID The ID of the environment to submit the file to. To get all IDs, run the crowdstrike-get-environments command. Optional
url The URL of the file to submit. Required

Context Output
Path Type Description
File.SHA256 string The SHA-256 hash of the file.
CrowdStrike.EnvironmentID string The ID of the environment in which the file was analyzed.
CrowdStrike.JobID string The job ID of the file analysis.

Command Example 
crowdstrike-submit-file-by-url url=https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf
Context Example 
{
    "CrowdStrike": {
        "EnvironmentID": 100, 
        "JobID": "5c98a51e028838377b1662c0"
    }, 
    "File": {
        "SHA256": "f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1"
    }
}
Human Readable Output

File https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf was submitted for analysis on CrowdStrike Falcon Sandbox

EnvironmentId JobId Sha256
100 5c98a51e028838377b1662c0 f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1
Edit this page
Report an Issue