CrowdStrike Falcon Sandbox - Detonate file

Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.

The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

• GenericPolling

Integrations

• VxStream

Scripts

• Set

Commands

• crowdstrike-submit-sample
• crowdstrike-scan

Playbook Inputs

---

Name	Description	Default Value	Source	Required
File	The file object of the file to detonate.	None	File	Optional
EnvironmentID	The environment ID to submit the file to. To get all of the IDs run the crowdstrike -get -environments command.	100	-	Optional
Interval	How often the polling command should run (in minutes).	5	-	Optional
Timeout	How much time to wait before a timeout occurs (in minutes).	30	-	Optional

Playbook Outputs

---

Path	Description	Type
File.SHA256	The SHA256 hash of the file.	string
File.Malicious	The file's malicious description.	unknown
File.Type	The file type. For example, "PE".	string
File.Size	The file size.	number
File.MD5	The MD5 hash of the file.	string
File.Name	The filename.	string
File.SHA1	The SHA1 hash of the file.	string
File	The file object.	unknown
File.Malicious.Vendor	The vendor that made the decision that the file is malicious.	string
DBotScore	The DBotScore object.	unknown
DBotScore.Indicator	The indicator that was tested.	string
DBotScore.Type	The type of the indicator.	string
DBotScore.Vendor	The vendor used to calculate the score.	string
DBotScore.Score	The actual score.	number

Playbook Image

---