Skip to main content

Detonate File - CrowdStrike Falcon Intelligence Sandbox v2

This Playbook is part of the CrowdStrike Falcon Intelligence Sandbox Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Detonates a file using CrowdStrike Falcon Intelligence Sandbox. Accepted file formats: Portable executables: .exe, .scr, .pif, .dll, .com, .cpl, etc. Office documents: .doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub PDF APK Executable JAR Windows script component: .sct Windows shortcut: .lnk Windows help: .chm HTML application: .hta Windows script file: .wsf Javascript: .js Visual Basic: .vbs, .vbe Shockwave Flash: .swf Perl: .pl Powershell: .ps1, .psd1, .psm1 Scalable vector graphics: .svg Python: .py Linux ELF executables Email files: MIME RFC 822 .eml, Outlook .msg.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


  • CrowdStrikeFalconX
  • CrowdStrike Falcon X


This playbook does not use any scripts.


  • cs-fx-get-report-summary
  • cs-fx-upload-file
  • cs-fx-get-full-report

Playbook Inputs#

NameDescriptionDefault ValueRequired
FileThe file to detonate. The file is taken from the context.FileOptional
IntervalPolling frequency - how often the polling command should run (in minutes).1Optional
TimeoutHow much time to wait before a timeout occurs (in minutes).10Optional
EnvironmentIDSandbox environment used for analysis.160: Windows 10Optional
ActionScriptRuntime script for sandbox analysis.Optional
CommandLineCommand line script passed to the submitted file at runtime. Max length: 2048 characters.Optional
DocumentPasswordAuto-filled for Adobe or Office files that prompt for a password. Max length: 32 characters.Optional
SubmitNameName of the malware sample that's used for file type detection and analysis.Optional
SystemDateSet a custom date for the sandbox environment in the format yyyy-MM-dd.Optional
SystemTimeSets a custom time for the sandbox environment in the format HH:mm.Optional
FullReportWhether to get a full report or report summary from Falcon X.
Set to "False" to get report summary.

Playbook Outputs#

csfalconx.resource.idAnalysis ID.String
csfalconx.resource.verdictAnalysis verdict.String
csfalconx.resource.created_timestampAnalysis start time.String
csfalconx.resource.environment_idEnvironment ID.String
csfalconx.resource.snadbox.environment_descriptionEnvironment description.String
csfalconx.resource.threat_scoreScore of the threat.Int
csfalconx.resource.submit_urlURL submitted for analysis.String
csfalconx.resource.submission_typeType of submitted artifact, for example file, URL, etc.String
csfalconx.resource.filetypeFile type.String
csfalconx.resource.filesizeFile size.Int
csfalconx.resource.sha256SHA256 hash of the submitted file.String
csfalconx.resource.ioc_report_strict_csv_artifact_idID of the IOC pack to download (CSV).String
csfalconx.resource.ioc_report_broad_csv_artifact_idID of the IOC pack to download (CSV).String
csfalconx.resource.ioc_report_strict_json_artifact_idID of the IOC pack to download (JSON).Int
csfalconx.resource.ioc_report_broad_json_artifact_idID of the IOC pack to download (JSON).String
csfalconx.resource.ioc_report_strict_stix_artifact_idID of the IOC pack to download (STIX).String
csfalconx.resource.ioc_report_broad_stix_artifact_idID of the IOC pack to download (STIX).Int
csfalconx.resource.ioc_report_strict_maec_artifact_idID of the IOC pack to download (MAEC).String
csfalconx.resource.ioc_report_broad_maec_artifact_idID of the IOC pack to download (MAEC).String

Playbook Image#

Detonate File - CrowdStrike Falcon Intelligence Sandbox v2