Skip to main content

Detonate URL - CrowdStrike

This Playbook is part of the CrowdStrike Falcon Sandbox Pack.#


Use the cs-falcon-sandbox-submit-url command with polling=true instead.

(Deprecated). Use the command cs-falcon-sandbox-submit-url with polling=true instead.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • GenericPolling


  • VxStream


This playbook does not use any scripts.


  • crowdstrike-scan
  • crowdstrike-submit-url

Playbook Inputs#

NameDescriptionDefault ValueSourceRequired
URLThe URL to detonate.DataURLOptional
EnvironmentIDThe environment ID to submit the file to. To get all IDs run the crowdstrike-get-environments command.100-Optional
IntervalThe polling frequency. How often the polling command should run (in minutes).5-Optional
TimeoutHow much time to wait before a timeout occurs (in minutes).30-Optional

Playbook Outputs#

File.SHA256The SHA256 hash of the file.string
File.MaliciousThe file's malicious description.unknown
File.TypeThe file type. For example, "PE".string
File.SizeThe file size.number
File.MD5The MD5 hash of the file.string
File.NameThe filename.string
File.SHA1The SHA1 hash of the file.string
FileThe file object.unknown
File.Malicious.VendorThe vendor that made the decision that the file was malicious.string
DBotScoreThe DBotScore object.unknown
DBotScore.IndicatorThe indicator we tested.string
DBotScore.TypeThe type of the indicator.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.number

Playbook Image#