CrowdStrike Falcon Sandbox
Use the CrowdStrike Falcon Sandbox integration to submit and analyze files and URLs.
Supported File Types
The maximum file upload size is 100 MB.
- PE (.exe, .scr, .pif, .dll, .com, .cpl, and so on)
- Microsoft Word (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub)
- APK
- JAR executables
- Windows Script Component (.sct)
- Windows Shortcut (.lnk)
- Windows Help (.chm)
- HTML Application (.hta)
- Windows Script File (*.wsf)
- Javascript (.js)
- Visual Basic (*.vbs, *.vbe)
- Shockwave Flash (.swf)
- Perl (.pl)
- PowerShell (.ps1, .psd1, .psm1)
- Scalable Vector Graphics (.svg)
- Python scripts (.py)
- Perl scripts (.pl)
- Linux ELF executables
- MIME RFC 822 (*.eml)
- Outlook (*.msg files)
Prerequisites
Make sure you have the following CrowdStrike Falcon Sandbox information.
- API key
- Secret key (applicable for v1)
- API version (v1 or v2)
Each API key has an associated authorization level, which determines the available endpoints. By default, all free, non-vetted accounts can issue restricted keys. You can upgrade to full default keys, enabling file submissions and downloads.
Authorization levels:
- Restricted
- Default
- Elevated
- Super
Configure CrowdStrike Falcon Sandbox on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for VxStream.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL (e.g., https://216.3.128.82 )
- API Key
- Secret Key (applicable only for v1)
- API Version (v1,v2)
- Trust any certificate ( not secure )
- Use system proxy settings
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- (Deprecated) Get summary information for a file hash: vx-scan
- Get hash scan results: crowdstrike-scan
- (Deprecated) Get a list of all environments: vx-get-environments
- Get a list of all environments: crowdstrike-get-environments
- (Deprecated) Submit a file sample for analysis: vx-submit-sample
- Submit a file sample for analysis: crowdstrike-submit-sample
- (Deprecated) Query the database: vx-search
- Query the database: crowdstrike-search
- (Deprecated) Get result data for a file: vx-result
- Get result data for a file: crowdstrike-result
- (Deprecated) Detonate a file: vx-detonate-file
- (Deprecated) Detonate a file: crowdstrike-detonate-file
- Submit a URL for analysis: crowdstrike-submit-url
- Get screenshots from a report: crowdstrike-get-screenshots
- (Depecrated) Detonate a URL: crowdstrike-detonate-url
- Submit a file for analysis (by URL): crowdstrike-submit-file-by-url
1. (Deprecated) Get summary information for a file hash
Get summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
vx-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.SHA1 | string | SHA1 of the file. |
| File.MD5 | string | The MD5 hash of the file. |
| File.environmentId | number | The environment ID of the file. |
| File.analysis_start_time | string | The analysis start time of the file. |
| File.submitname | string | The submission name of the file. |
| File.classification_tags | unknown | The list of classification tags of the file. |
| File.vxfamily | string | The family classification of the file. |
| File.total_network_connections | number | The total network connections of the file. |
| File.total_processes | number | The total processes count of the file. |
| File.total_signatures | number | The total signatures count of the file. |
| File.hosts | unknown | The list of the file’s hosts. |
| File.isinteresting | boolean | Whether the server found this file interesting. |
| File.domains | unknown | A list of the file’s related domains. |
| File.isurlanalysis | boolean | If file analyzed by url. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
2. Get hash scan results
Returns summary information for a given MD5 hash, SHA-1 hash, or SHA-256 hash, and all the reports generated for any environment ID.
Base Command
crowdstrike-scan
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The file hash (MD5, SHA-1, or SHA-256). | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| File.MD5 | string | The MD5 hash of the file. |
| File.environmentId | string | The environment ID of the file. |
| File.analysis_start_time | string | The analysis start time of the file. |
| File.submitname | string | The submission name of the file. |
| File.classification_tags | unknown | A list of classification tags of the file. |
| File.vxfamily | string | The family classification of the file. |
| File.total_network_connections | number | The total network connections of the file. |
| File.total_processes | number | The total processes count of the file. |
| File.total_signatures | number | The total signatures count if the file. |
| File.hosts | unknown | A list of the file’s hosts. |
| File.isinteresting | boolean | If the server found this file interesting. |
| File.domains | unknown | A list of the file’s related domains. |
| File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
| File.Malicious.Vendor | string | or malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason for the vendor to make the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| File.hash | string | The hash used to query the file. |
| File.state | string | The state of the file test. |
Command Example
crowdstrike-scan file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
Context Example
{
"DBotScore": {
"Vendor": "CrowdStrike Falcon Sandbox",
"Indicator": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
"Score": 3,
"Type": "hash"
},
"File": [
{
"compromised_hosts": [],
"vxfamily": "Trojan.Generic",
"environmentId": 100,
"JobID": "5ae5ae527ca3e1156459b9f3",
"classification_tags": [],
"total_processes": 1,
"SHA256": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
"size": 38400,
"submitname": "Keygen.exe",
"threat_level": 2,
"target_url": null,
"error_type": null,
"state": "SUCCESS",
"mitre_attcks": [],
"certificates": [],
"verdict": "malicious",
"sha512": "d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13",
"extracted_files": [],
"isurlanalysis": false,
"environmentDescription": "Windows 7 32 bit",
"SHA1": "f0fe4ae74cfb7be57c99551b75f00d66915e6900",
"hash": "59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355",
"analysis_start_time": "2018-04-29T13:42:28+00:00",
"tags": [],
"imphash": "610be5e05d19476fe9370d6dd1347f2a",
"total_network_connections": 0,
"av_detect": 48,
"threatscore": 100,
"total_signatures": 18,
"error_origin": null,
"ssdeep": "768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN",
"MD5": "6ba83f1bf6617dab7990c495cd67dcf6",
"processes": [],
"type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
"file_metadata": null,
"hosts": [],
"isinteresting": false,
"domains": [],
"type_short": [
"peexe",
"executable"
]
}
]
}
Human Readable Output
Scan Results:
| Analysis start time | AvDetect | Certificates | Classification tags | CompromisedHosts | Domains | EnvironmentDescription | EnvironmentId | ErrorOrigin | ErrorType | ExtractedFiles | FileMetadata | Hosts | Imphash | Interesting | JobId | Md5 | MitreAttcks | Processes | Sha1 | Sha256 | Sha512 | Size | Ssdeep | State | SubmitName | Tags | TargetUrl | ThreatLevel | ThreatScore | Total network connections | Total processes | Total signatures | Type | TypeShort | UrlAnalysis | Verdict | VxFamily |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018-04-29T13:42:28+00:00 | 48 | Windows 7 32 bit | 100 | 610be5e05d19476fe9370d6dd1347f2a | false | 5ae5ae527ca3e1156459b9f3 | 6ba83f1bf6617dab7990c495cd67dcf6 | f0fe4ae74cfb7be57c99551b75f00d66915e6900 | 59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355 | d771eb56097a771b9faab47b3d32007a8a5c2c06c3fa2c590d48d7000bf120f69d41340490d61564cab7f2e9135e3f9465a62b69f8e922602f946cff4a76fc13 | 38400 | 768:IXD4nBg7xSUrIzAx9BNVk3aEKmICkm2oxAlGrPbKjol0qcDg2p9LjLJvN:I6W8yIzAx9r+UkzaG6Y0qcz9nVvN | SUCCESS | Keygen.exe | 2 | 100 | 0 | 1 | 18 | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed | peexe,executable | false | malicious | Trojan.Generic |
3. (Deprecated) Get a list of all environments
Returns a list of all available environments. Deprecated, use the
crowdstrike-get-environments
command instead.
Base Command
vx-get-environments
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| VX.Environment.ID | unknown | Environment ID. |
| VX.Environment.description | unknown | The environment description. |
| VX.Environment.architecture | unknown | Environment architecture. |
| VX.Environment.VMs_total | unknown | Total virtual machines in the environment. |
| VX.Environment.VMs_busy | unknown | Busy virtual machines in the environment. |
| VX.Environment.analysisMode | unknown | Analysis mode of environment. |
| VX.Environment.groupicon | unknown | Icon of environment. |
4. Get a list of all environments
Returns a list of all available environments.
Base Command
crowdstrike-get-environments
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| CrowdStrike.Environment.ID | number | The environment ID. |
| CrowdStrike.Environment.description | string | The environment description. |
| CrowdStrike.Environment.architecture | string | The environment architecture. |
| CrowdStrike.Environment.VMs_total | number | The total virtual machines in the environment. |
| CrowdStrike.Environment.VMs_busy | number | The busy virtual machines in the environment. |
| CrowdStrike.Environment.analysisMode | string | The analysis mode of the environment. |
| CrowdStrike.Environment.groupicon | string | The icon of the environment. |
Command Example
crowdstrike-get-environments
Context Example
{
"VX.Environment": [
{
"VMs_total": 78,
"description": "Windows 7 32 bit",
"VMs_invalid": 3,
"groupicon": "windows",
"description_long": "",
"architecture": "WINDOWS",
"is32bit": "true",
"ID": 100,
"VMs_busy": 3,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 77,
"description": "Windows 7 32 bit (HWP Support)",
"VMs_invalid": 3,
"groupicon": "windows",
"description_long": "This environment can process Hangul Word Processor (HWP) files",
"architecture": "WINDOWS",
"is32bit": "true",
"ID": 110,
"VMs_busy": 3,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 86,
"description": "Windows 7 64 bit",
"VMs_invalid": 0,
"groupicon": "windows",
"description_long": null,
"architecture": "WINDOWS",
"is32bit": "false",
"ID": 120,
"VMs_busy": 4,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 18,
"description": "Linux (Ubuntu 16.04, 64 bit)",
"VMs_invalid": 0,
"groupicon": "linux",
"description_long": null,
"architecture": "WINDOWS",
"is32bit": "false",
"ID": 300,
"VMs_busy": 0,
"analysisMode": "USERMODE"
},
{
"VMs_total": 0,
"description": "Android Static Analysis",
"VMs_invalid": 0,
"groupicon": "android",
"description_long": "",
"architecture": "ANDROID",
"is32bit": "false",
"ID": 200,
"VMs_busy": 0,
"analysisMode": "USERMODE"
}
],
"CrowdStrike.Environment": [
{
"VMs_total": 78,
"description": "Windows 7 32 bit",
"VMs_invalid": 3,
"groupicon": "windows",
"description_long": "",
"architecture": "WINDOWS",
"is32bit": "true",
"ID": 100,
"VMs_busy": 3,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 77,
"description": "Windows 7 32 bit (HWP Support)",
"VMs_invalid": 3,
"groupicon": "windows",
"description_long": "This environment can process Hangul Word Processor (HWP) files",
"architecture": "WINDOWS",
"is32bit": "true",
"ID": 110,
"VMs_busy": 3,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 86,
"description": "Windows 7 64 bit",
"VMs_invalid": 0,
"groupicon": "windows",
"description_long": null,
"architecture": "WINDOWS",
"is32bit": "false",
"ID": 120,
"VMs_busy": 4,
"analysisMode": "KERNELMODE"
},
{
"VMs_total": 18,
"description": "Linux (Ubuntu 16.04, 64 bit)",
"VMs_invalid": 0,
"groupicon": "linux",
"description_long": null,
"architecture": "WINDOWS",
"is32bit": "false",
"ID": 300,
"VMs_busy": 0,
"analysisMode": "USERMODE"
},
{
"VMs_total": 0,
"description": "Android Static Analysis",
"VMs_invalid": 0,
"groupicon": "android",
"description_long": "",
"architecture": "ANDROID",
"is32bit": "false",
"ID": 200,
"VMs_busy": 0,
"analysisMode": "USERMODE"
}
]
}
Human Readable Output
All Environments:
| _ID | Description | Architecture | Total VMS | Busy VMS | Analysis mode | Group icon |
|---|---|---|---|---|---|---|
| 100 | Windows 7 32 bit | WINDOWS | 78 | 3 | KERNELMODE | windows |
| 110 | Windows 7 32 bit (HWP Support) | WINDOWS | 77 | 3 | KERNELMODE | windows |
| 120 | Windows 7 64 bit | WINDOWS | 86 | 4 | KERNELMODE | windows |
| 300 | Linux (Ubuntu 16.04, 64 bit) | WINDOWS | 18 | 0 | USERMODE | linux |
| 200 | Android Static Analysis | ANDROID | 0 | 0 | USERMODE | android |
5. (Deprecated) Submit a file sample for analysis
Submits a file from the investigation for analysis. Deprecated, use the
crowdstrike-submit-sample
command instead.
Base Command
vx-submit-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file. | Required |
| environmentId |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command.
|
Optional |
Context Output
There is no context output for this command.
6. Submit a file sample for analysis
Submits a file from the investigation for analysis.
Base Command
crowdstrike-submit-sample
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file. | Required |
| environmentID |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command.
|
Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| CrowdStrike.JobID | string | The job ID of the sample. |
| CrowdStrike.EnvironmentID | number | The environment ID of the sample. |
Command Example
crowdstrike-submit-sample entryId=1043@2
Context Example
{
"CrowdStrike": {
"EnvironmentID": 100,
"JobID": "5c98a5860388384f701662c1"
},
"File": {
"SHA256": "955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0"
}
}
Human Readable Output
File submitted successfully
SHA256 - 955017fdfeb29962d42f2273c4c9535a0da5bd4b4a430b7c9f7ad03e5a42b7a0
Job ID - 5c98a5860388384f701662c1
Environment ID - 100
7. (Deprecated) Query the database
Searches the database using Falcon Sandbox search syntax. Deprecated, use the
crowdstrike-search
command instead.
Base Command
vx-search
Input
| Argument Name | Description | Required |
|---|---|---|
| query |
Falcon Sandbox query syntax (see
<server url>/faq#advanced-search-options
for more details). examples - url:google, host:95.181.53.78
|
Required |
Context Output
| Path | Type | Description |
|---|---|---|
| VX.Search.SHA256 | unknown | The SHA-256 hash of the search result. |
| VX.Search.SHA1 | unknown | The SHA-1 hash of the search result. |
| VX.Search.MD5 | unknown | The MD5 hash of the search result. |
| VX.Search.environmentId | unknown | The environment ID of the search result. |
| VX.Search.start_time | unknown | The start time of the search result. |
| VX.Search.threatscore | unknown | The threat score of the search result (by server). |
| VX.Search.verdict | unknown | Verdict of search result |
| VX.Search.environmentDescription | unknown | The environment description of the search result. |
| VX.Search.submitname | unknown | The submission name of the search result. |
| VX.Search.vxfamily | unknown | The family of the search result |
| VX.Search.threatscore | unknown | The threat score of the search result. |
| VX.Search.type_short | unknown | The type of search result, for example: url or host. |
| VX.Search.size | unknown | The size of the search result. |
| File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
8. Query the database
Searches the database using Falcon Sandbox search syntax.
Base Command
crowdstrike-search
Input
| Argument Name | Description | Required |
|---|---|---|
| query | Falcon Sandbox query syntax, for example: url:google,host:95.181.53.78. This argument integrates all other arguments to one, and cannot be passed with the other arguments. | Optional |
| filename | Filename, for example: invoice.exe | Optional |
| filetype | Filetype, for example: docx | Optional |
| filetype_desc | Filetype description, for example: PE32 executable | Optional |
| env_id | Environment ID | Optional |
| country | Country (3 digit ISO), for example: swe, usa, fra | Optional |
| verdict | Verdict | Optional |
| av_detect | AV Multiscan range, for example: 50-70 (min 0, max 100) | Optional |
| vx_family | AV Family Substring, for example: nemucod | Optional |
| tag | Hashtag, for example: ransomware | Optional |
| port | Port, for example: 8080 | Optional |
| host | Host, for example: 192.168.0.1 | Optional |
| domain | Domain, for example: checkip.dyndns.org | Optional |
| url | HTTP Request Substring, for example: google | Optional |
| similar_to | Similar Samples | Optional |
| context | Sample Context | Optional |
| imp_hash | Import Hash | Optional |
| ssdeep | SSDeep | Optional |
| authentihash | Authentication Hash | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the search result. |
| File.SHA1 | string | The SHA-1 of the search result. |
| File.MD5 | string | The MD5 hash of the search result. |
| File.environmentId | number | The environment ID of the search result. |
| File.start_time | unknown | The start time of the search result. |
| File.threatscore | string | The threat score of the search result (by server). |
| File.verdict | string | The verdict of the search result. |
| File.environmentDescription | string | The environment description of search result. |
| File.submitname | string | The submission name of the search result. |
| File.vxfamily | string | The family of the search result. |
| File.threatscore | number | The threat score of the search result. |
| File.type_short | string | The type of search result, for example: url or host. |
| File.size | number | The size of the search result. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-search filetype=.docx
Context Example
{
"VX.Search": [],
"File": []
}
Human Readable Output
No data returned
9. (Deprecated) Get result data for a file
Retrieves result data for a file. This command returns a file. Deprecated, use the
crowdstrike-result
command instead.
Base Command
vx-result
Input
| Argument Name | Description | Required |
|---|---|---|
| file | File hash (MD5, SHA-1, or SHA-256). | Required |
| environmentId |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command.
|
Optional |
Context Output
There is no context output for this command.
10. Get result data for a file
Retrieves result data for a file. This command returns a file.
Base Command
crowdstrike-result
Input
| Argument Name | Description | Required |
|---|---|---|
| file | File hash (MD5, SHA-1, or SHA-256). Madatory in v1. | Optional |
| environmentId | The environment ID to submit file to. To get all environments, run the crowdstrike-get-environments command. Mandatory in v1. | Optional |
| file-type | File type of report to return (supported only in v2). | Optional |
| JobID | Job ID of file to generate report of (supported only in v2). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
Command Example
crowdstrike-result file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
11. (Deprecated) Detonate a file
Detonates file using Falcon Sandbox.
Base Command
vx-detonate-file
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file. | Required |
| environmentID |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command. Default is 100, or other WINDOWS ID.
|
Optional |
| delay | The delay wait time between calls (in seconds). | Optional |
| timeout | The total wait time (in seconds). | Optional |
Context Output
There is no context output for this command.
12. (Deprecated) Detonate a file
Detonates a file using Falcon Sandbox.
Base Command
crowdstrike-detonate-file
Input
| Argument Name | Description | Required |
|---|---|---|
| entryId | The War Room entry ID of the sample file. | Required |
| environmentID |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command. Default is 100, or other WINDOWS ID.
|
Optional |
| delay | The delay wait time between calls (in seconds). | Optional |
| timeout | The total wait time (in seconds). | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| File.SHA1 | string | The SHA-1 hash of the file. |
| File.MD5 | string | The MD5 hash of the file. |
| File.environmentId | string | The environment ID of the file. |
| File.analysis_start_time | string | The analysis start time of the file. |
| File.submitname | string | The submission name of the file. |
| File.classification_tags | unknown | A list of classification tags of the file. |
| File.vxfamily | string | The family classification of the file. |
| File.total_network_connections | number | The total network connections of the file. |
| File.total_processes | number | The total processes count of the file. |
| File.total_signatures | number | The total signatures count of the file. |
| File.hosts | unknown | A list of file’s hosts. |
| File.isinteresting | boolean | Whether the server found this file interesting. |
| File.domains | unknown | A list of the file’s related domains. |
| File.isurlanalysis | boolean | Whether the file was analyzed by URL. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
13. Submit a URL for analysis
Submits a URL for analysis. This command is only supported in v2.
Base Command
crowdstrike-submit-url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to analyze. | Required |
| environmentID | The ID of the environment to submit the URL to. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| CrowdStrike.EnvironmentID | string | The ID of the environment in which the URL was analyzed. |
| CrowdStrike.JobID | string | The job ID of the URL analysis. |
Command Example
crowdstrike-submit-url url=www.google.com environmentID=100
Context Example
{
"CrowdStrike": {
"EnvironmentID": 100,
"JobID": "58c1c211aac2eda9503bc31f"
},
"File": {
"SHA256": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1",
"hash": "d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1"
}
}
Human Readable Output
URL www.google.com was submitted for analysis on CrowdStrike Falcon Sandbox
| EnvironmentId | JobId | Sha256 |
|---|---|---|
| 100 | 58c1c211aac2eda9503bc31f | d2edef8e43054be586d17ddcc761e7a1f4a6946c39e653d7e095a826ef34b6a1 |
14. Get screenshots from a report
Retrieves screenshots from a report. This command is only supported in v2.
Base Command
crowdstrike-get-screenshots
Input
| Argument Name | Description | Required |
|---|---|---|
| file | The SHA-2556 hash of the file to retrieve screenshots of. | Optional |
| environmentID | The ID of the environment to retrieve screenshots from. | Optional |
| JobID | The job ID to retrieve screenshots from. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the search result. |
| File.SHA1 | string | The SHA-1 hash of the search result. |
| File.MD5 | string | The MD5 hash of the search result. |
| File.environmentId | number | The ID of the search result environment. |
| File.start_time | unknown | The start time of the search result. |
| File.threatscore | string | The threat score of the search result (by server). |
| File.verdict | string | The verdict of the search result. |
| File.environmentDescription | string | The description of the search result environment. |
| File.submitname | string | The submission name of the search result. |
| File.vxfamily | string | The family of search result. |
| File.threatscore | number | The threat score of the search result. |
| File.type_short | string | The type of search result, for example: url or host. |
| File.size | number | Size of the search result. |
| File.Malicious.Vendor | string | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | string | For malicious files, the reason that the vendor made the decision. |
Command Example
crowdstrike-get-screenshots file=59e17f98cef7dd1bf4fb791eb1dcd0cea6dd870b6e36af7c37bd732c84d43355
15. (Deprecated) Detonate a URL
Detonates a URL address using Falcon Sandbox. This command is only supported in v2.
Base Command
crowdstrike-detonate-url
Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL address to be submitted. | Required |
| environmentID |
The ID of the environment to submit the URL to. To get all IDs, run the
crowdstrike-get-environments
command. Default is 100, or other WINDOWS ID.
|
Optional |
| delay | Delay wait time between calls (in seconds). | Optional |
| timeout | Total wait time (in seconds). | Optional |
| file-type | The report file type. | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
16. Submit a file for analysis (by URL)
Submit a file for analysis (by URL). This command is only supported only in v2.
Base Command
crowdstrike-submit-file-by-url
Input
| Argument Name | Description | Required |
|---|---|---|
| environmentID |
The ID of the environment to submit the file to. To get all IDs, run the
crowdstrike-get-environments
command.
|
Optional |
| url | The URL of the file to submit. | Required |
Context Output
| Path | Type | Description |
|---|---|---|
| File.SHA256 | string | The SHA-256 hash of the file. |
| CrowdStrike.EnvironmentID | string | The ID of the environment in which the file was analyzed. |
| CrowdStrike.JobID | string | The job ID of the file analysis. |
Command Example
crowdstrike-submit-file-by-url url=https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf
Context Example
{
"CrowdStrike": {
"EnvironmentID": 100,
"JobID": "5c98a51e028838377b1662c0"
},
"File": {
"SHA256": "f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1"
}
}
Human Readable Output
File https://swagger.io/swagger/media/blog/wp-content/uploads/2017/06/Whitepaper_APIDocumentationDX.pdf was submitted for analysis on CrowdStrike Falcon Sandbox
| EnvironmentId | JobId | Sha256 |
|---|---|---|
| 100 | 5c98a51e028838377b1662c0 | f317cc246bc0fe55db49a8eb40acab49d9689f3ea764d19abbc464008f01b6d1 |