
Cyware Orchestrate

CrowdStrike Falcon Sandbox 2.0.0

App Vendor: CrowdStrike

App Category: Forensics & Malware Analysis

Connector Version: 2.0.0

API Version: 2.0.0

About App

This app provides integrations with CrowdStrike Falcon Sandbox. CrowdStrike Falcon Sandbox is a high-end malware analysis framework with an agile architecture. It can be implemented as a large-scale system that processes hundreds of thousands of files automatically, or as a web service for incident response and forensics, exposed as an enterprise self-service portal.

The CrowdStrike Falcon Sandbox app is configured with the Orchestrate application to perform the following actions:

Get Available Scanners: This action retrieves a list of available scanners.

Get Environments: This action retrieves information about available execution environments.

Get Feeds: This action retrieves a JSON feed (summary information) of the last 250 reports from the last 24 hours.

Get Quick Scan Details: This action retrieves the details of a quick scan.

Get Report Details: This action retrieves the details of a sandbox report.

Get Report Status: This action retrieves the status of a sandbox report.

Get Report Summary: This action retrieves the summary of a sandbox report.

Global Query Search: This action performs a global query search.

Lookup Hash History: This action retrieves the summary of a hash value.

Quick Scan File: This action submits a file for a quick scan.

Quick URL Scan: This action submits a URL for a quick analysis.

Submit File for Sandbox Analysis: This action submits a file for analysis.

Submit URL for Sandbox Analysis: This action submits a URL for analysis.

Submit URL to Determine Hash: This action submits a URL to determine the SHA-256 hash.

Configuration Parameters

The following configuration parameters are required for the CrowdStrike Falcon Sandbox app to communicate with the CrowdStrike Falcon Sandbox enterprise application. The parameters can be configured by creating instances in the app.

Parameter: Server FQDN
Description: Enter the fully qualified domain name (FQDN) of the server. Example: "https://falcon-sandbox.com"
Field Type: Text
Required/Optional: Required

Parameter: API Key
Description: Enter the API key to authenticate the client.
Field Type: Password
Required/Optional: Required

Parameter: SSL Verify
Description: Choose to verify the SSL certificate. Example: false
Field Type: Boolean
Required/Optional: Optional
Comments: Default value: false. Allowed values:

  • true

  • false
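The three instance parameters above are free-form form fields, and the documented Server FQDN example carries a scheme even though the field is named "FQDN". The following helper, added here as an example and not part of Cyware's or CrowdStrike's code, normalises those values before an instance uses them: it accepts a bare host name or a full URL, strips any path or trailing slash, parses the SSL Verify value whether it arrives as a boolean or as text, and applies the documented default (false) when the field is empty. The parameter names server_fqdn, api_key and ssl_verify and the Config dataclass are this example's own naming, not the connector's internal field names.

```python
"""Added example (not Cyware's or CrowdStrike's code): normalise the instance
configuration parameters documented above. Field names are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Config:
    base_url: str    # scheme://host, no path and no trailing slash
    api_key: str
    ssl_verify: bool


def parse_bool(value) -> bool:
    """Accept the documented allowed values true/false whether they arrive as
    a real bool or as text typed into the form; None means "not set", which
    maps to the documented default (false)."""
    if value is None:
        return False
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "1", "yes"):
        return True
    if text in ("false", "0", "no", ""):
        return False
    raise ValueError(f"ssl_verify must be true or false, got {value!r}")


def normalise_base_url(server_fqdn: str) -> str:
    """The field is called 'Server FQDN' but the documented example is
    "https://falcon-sandbox.com"; accept both a bare host and a full URL and
    always return scheme://host with no path or trailing slash."""
    raw = server_fqdn.strip()
    if not raw:
        raise ValueError("Server FQDN is required")
    if "://" not in raw:
        raw = "https://" + raw          # bare host name: assume HTTPS
    parts = urlsplit(raw)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        raise ValueError(f"unusable Server FQDN: {server_fqdn!r}")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def load_config(fields: dict) -> Config:
    """Build a Config from the instance form values; a missing API key is an
    error, a missing ssl_verify falls back to the documented default."""
    api_key = str(fields.get("api_key") or "").strip()
    if not api_key:
        raise ValueError("API Key is required")
    return Config(
        base_url=normalise_base_url(str(fields.get("server_fqdn") or "")),
        api_key=api_key,
        ssl_verify=parse_bool(fields.get("ssl_verify")),
    )


if __name__ == "__main__":
    # Constructed sample instance values; the key is a placeholder.
    cfg = load_config({"server_fqdn": "https://falcon-sandbox.com/",
                       "api_key": "PLACEHOLDER_API_KEY", "ssl_verify": "true"})
    print(cfg)
```

Because SSL Verify defaults to false, an instance created with the defaults does not check the sandbox server's TLS certificate; the helper makes that explicit in `Config.ssl_verify` so a playbook can require it to be true for production instances.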

Action: Get Available Scanners

This action retrieves a list of available scanners.

Action Input Parameters

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "extra_params": {"timestamp": "1657883421"}
    }
]

Action: Get Environments

This action retrieves information about available execution environments.

Action Input Parameters

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "extra_params": {"timestamp": "1657883421"}
    }
]

Action: Get Feeds

This action retrieves a JSON feed (summary information) of the last 250 reports from the last 24 hours.

Action Input Parameters

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "extra_params": {"timestamp": "1657883421"}
    }
]

Action: Get Quick Scan Details

This action retrieves the details of a quick scan.

Action Input Parameters

Parameter: Job ID
Description: Enter the job ID to retrieve quick scan details. Example: "61a593b82d8c3b27e521d683"
Field Type: Text
Required/Optional: Required

Example Request

[
    {
        "job_id": "61a593b82d8c3b27e521d683"
    }
]

Action: Get Report Details

This action retrieves the details of a sandbox report.

Action Input Parameters

Parameter: Job ID
Description: Enter the job ID. Example: "61a593b82d8c3b27e521d683"
Field Type: Text
Required/Optional: Required

Example Request

[
    {
        "job_id": "61a593b82d8c3b27e521d683"
    }
]

Action: Get Report Status

This action retrieves a sandbox report state.

Action Input Parameters

Parameter: Job ID
Description: Enter the job ID to retrieve the status of a sandbox report.
Field Type: Text
Required/Optional: Required

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "job_id": "61a593b82d8c3b27e521d683"
    }
]

Action: Get Report Summary

This action retrieves a sandbox report summary.

Action Input Parameters

Parameter: Job ID
Description: Enter the job ID to retrieve the report summary. Example: "61a593b82d8c3b27e521d683"
Field Type: Text
Required/Optional: Required

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "job_id": "61a593b82d8c3b27e521d683"
    }
]

Action: Lookup Hash History

This action retrieves the summary of a hash value.

Action Input Parameters

Parameter: Hash Value
Description: Enter the hash value to retrieve its history. Example: "1d04c6a0de45640841f5ad06644830e9535e4221315abdae55c898e340c0bd85"
Field Type: Text
Required/Optional: Required
Comments: Supported hash value types:

  • MD5

  • SHA-1

  • SHA-256

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "hash_value": "1d04c6a0de45640841f5ad06644830e9535e4221315abdae55c898e340c0bd85"
    }
]

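The action accepts MD5, SHA-1 or SHA-256 values but, as documented, nothing tells a playbook in advance whether a given indicator is one of those. The following helper, added here as an example and not part of Cyware's or CrowdStrike's code, classifies a digest by its hexadecimal length, normalises case and whitespace so the same sample is never looked up under two spellings, builds the request body in the shape shown under Example Request, and triages a mixed list of indicators into lookups and rejections. The function names are this example's own; nothing about the server-side API is assumed.

```python
"""Added example (not Cyware's or CrowdStrike's code): classify and normalise
the Hash Value input of the Lookup Hash History action and build the request
body in the documented list-of-objects shape."""
import re
from typing import Dict, List, Optional, Tuple

# Hex digest length -> algorithm, for the three documented hash types.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def classify_hash(value: str) -> str:
    """Return 'MD5', 'SHA-1' or 'SHA-256' for a well-formed hex digest.

    Surrounding whitespace and upper-case hex are tolerated, since hashes are
    usually pasted out of reports; anything else (non-hex characters, a digest
    of an undocumented length) raises ValueError so the playbook fails before
    the action runs instead of getting an empty lookup result."""
    digest = value.strip().lower()
    if not HEX_RE.match(digest):
        raise ValueError(f"hash must be hexadecimal: {value!r}")
    algo = HASH_LENGTHS.get(len(digest))
    if algo is None:
        raise ValueError(
            f"unsupported digest length {len(digest)}; expected MD5 (32), "
            f"SHA-1 (40) or SHA-256 (64) hex characters")
    return algo


def build_hash_lookup_request(value: str,
                              extra_params: Optional[Dict[str, str]] = None) -> List[dict]:
    """One request item in the documented shape, with the hash lower-cased."""
    classify_hash(value)  # raises on malformed input
    item: dict = {"hash_value": value.strip().lower()}
    if extra_params:
        item["extra_params"] = dict(extra_params)
    return [item]


def triage_hashes(values: List[str]) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Split a mixed list of indicators into lookup requests for the valid
    hashes (duplicates collapsed) and (value, reason) pairs for the rest."""
    requests: List[dict] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for raw in values:
        try:
            classify_hash(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        digest = raw.strip().lower()
        if digest in seen:            # each duplicate would cost an API call
            continue
        seen.add(digest)
        requests.extend(build_hash_lookup_request(digest))
    return requests, rejected


if __name__ == "__main__":
    # Constructed sample input: the page's SHA-256 example plus noise.
    sample = [
        "1d04c6a0de45640841f5ad06644830e9535e4221315abdae55c898e340c0bd85",
        " D41D8CD98F00B204E9800998ECF8427E ",
        "not-a-hash",
    ]
    ok, bad = triage_hashes(sample)
    print(ok, bad, sep="\n")
```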
Action: Quick Scan File

This action submits a file for a quick scan.

Action Input Parameters

Parameter: File Path
Description: Enter the file path. Example: "/tmp/71b5abd5-a5f0-464c-800c-8e05f68188dd/asdf.txt"
Field Type: Text
Required/Optional: Required

Parameter: Scan Type
Description: Enter the scan type. Example: "all"
Field Type: Text
Required/Optional: Optional
Comments: Default value: all. You can retrieve the scan types using the action Get Available Scanners. Allowed values:

  • all

  • all_lookup

  • all_scan

  • lookup_ha

  • scan_crowdstrike_ml

  • scan_urlscanio

  • scan_metadefender

  • lookup_virustotal

  • lookup_whitelists_external

  • lookup_whitelists_nsrl

  • lookup_whitelists_internal

  • lookup_whitelists

Parameter: Extra Payload
Description: Enter the extra payload.
Field Type: Key Value
Required/Optional: Optional
Comments: Allowed keys:

  • no_share_third_party (bool)

  • allow_community_access (bool)

  • comment (str)

  • submit_name (str)

Example Request

[
    {
        "file_path": "/tmp/71b5abd5-a5f0-464c-800c-8e05f68188dd/asdf.txt",
        "scan_type": "all"
    }
]

Action: Quick URL Scan

This action submits a URL for a quick analysis.

Action Input Parameters

Parameter: URL
Description: Enter the URL. Example: "https://sampleurl.com"
Field Type: Text
Required/Optional: Required

Parameter: Scan Type
Description: Enter the scan type. Example: "all"
Field Type: Text
Required/Optional: Optional
Comments: Default value: all. You can retrieve the scan types using the action Get Available Scanners. Allowed values:

  • all

  • all_lookup

  • all_scan

  • lookup_ha

  • scan_crowdstrike_ml

  • scan_urlscanio

  • scan_metadefender

  • lookup_virustotal

  • lookup_whitelists_external

  • lookup_whitelists_nsrl

  • lookup_whitelists_internal

  • lookup_whitelists

Parameter: Extra Payload
Description: Enter the extra payload.
Field Type: Key Value
Required/Optional: Optional
Comments: Allowed keys:

  • no_share_third_party (bool)

  • allow_community_access (bool)

  • comment (str)

  • submit_name (str)

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "url": "https://sampleurl.com"
    }
]

Action: Submit File for Sandbox Analysis

This action submits a file for analysis.

Action Input Parameters

Parameter: File Path
Description: Enter the file path. Example: "/tmp/71b5abd5-a5f0-464c-800c-8e05f68188dd/asdf.txt"
Field Type: Text
Required/Optional: Required

Parameter: Environment ID
Description: Enter the environment ID. Example: 110
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 110. Allowed values:

  • 300: Linux (Ubuntu 16.04, 64 bit)

  • 200: Android static analysis

  • 160: Windows 10 64 bit

  • 110: Windows 7 64 bit

  • 100: Windows 7 32 bit

Parameter: Extra Payload
Description: Enter the extra payload.
Field Type: Key Value
Required/Optional: Optional
Comments: Allowed keys (type, and default where one is documented):

  • no_share_third_party (bool, true)

  • allow_community_access (bool, false)

  • no_hash_lookup (bool, false)

  • action_script (str, optional; one of: default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie)

  • hybrid_analysis (bool, true)

  • experimental_anti_evasion (bool, false)

  • script_logging (bool, false)

  • input_sample_tampering (bool, false)

  • tor_enabled_analysis (bool, false)

  • offline_analysis (bool, false)

  • email (str, optional)

  • comment (str, optional)

  • custom_date_time (yyyy-mm-dd hh:mm, optional)

  • custom_cmd_line (str, optional)

  • custom_run_time (int, seconds, optional)

  • submit_name (str, optional)

  • priority (int, default: 0, max: 100)

  • document_password (str, optional)

  • environment_variable (str, optional)

Example Request

[
    {
        "file_path": "/tmp/71b5abd5-a5f0-464c-800c-8e05f68188dd/asdf.txt",
        "environment_id": "110"
    }
]

Action: Submit URL for Sandbox Analysis

This action submits a URL for analysis.

Action Input Parameters

Parameter: URL
Description: Enter the URL. Example: "https://google.com"
Field Type: Text
Required/Optional: Required

Parameter: Environment ID
Description: Enter the environment ID. Example: 110
Field Type: Integer
Required/Optional: Optional
Comments: Default value: 110. Allowed values:

  • 300: Linux (Ubuntu 16.04, 64 bit)

  • 200: Android static analysis

  • 160: Windows 10 64 bit

  • 110: Windows 7 64 bit

  • 100: Windows 7 32 bit

Parameter: Extra Payload
Description: Enter the extra payload.
Field Type: Key Value
Required/Optional: Optional
Comments: Allowed keys (type, and default where one is documented):

  • no_share_third_party (bool, true)

  • allow_community_access (bool, false)

  • no_hash_lookup (bool, false)

  • action_script (str, optional; one of: default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie)

  • hybrid_analysis (bool, true)

  • experimental_anti_evasion (bool, false)

  • script_logging (bool, false)

  • input_sample_tampering (bool, false)

  • tor_enabled_analysis (bool, false)

  • offline_analysis (bool, false)

  • email (str, optional)

  • comment (str, optional)

  • custom_date_time (yyyy-mm-dd hh:mm, optional)

  • custom_cmd_line (str, optional)

  • custom_run_time (int, seconds, optional)

  • submit_name (str, optional)

  • priority (int, default: 0, max: 100)

  • document_password (str, optional)

  • environment_variable (str, optional)

Example Request

[
    {
        "url": "https://google.com"
    }
]

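The Scan Type of the Quick Scan File and Quick URL Scan actions, and the Environment ID and Extra Payload of the Submit File and Submit URL for Sandbox Analysis actions, are constrained to the allowed values and key types listed in the sections above, but a Key Value field accepts any key. The following helper, added here as an example and not part of Cyware's or CrowdStrike's code, checks those inputs against the tables on this page before a request body is assembled: undocumented payload keys, wrong types (a boolean is not accepted where an int is documented), an action_script outside the listed scripts, a priority outside 0..100, and a custom_date_time not in yyyy-mm-dd hh:mm form are all reported at once. The allowed-value tables are copied from the page; the function names are this example's own and nothing is sent anywhere.

```python
"""Added example (not Cyware's or CrowdStrike's code): validate quick scan and
sandbox submission inputs against the allowed values documented on this page
and build the request body in the documented shape."""
from datetime import datetime
from typing import Any, Dict, List, Optional

SCAN_TYPES = {
    "all", "all_lookup", "all_scan", "lookup_ha", "scan_crowdstrike_ml",
    "scan_urlscanio", "scan_metadefender", "lookup_virustotal",
    "lookup_whitelists_external", "lookup_whitelists_nsrl",
    "lookup_whitelists_internal", "lookup_whitelists",
}
ENVIRONMENTS = {300: "Linux (Ubuntu 16.04, 64 bit)", 200: "Android static analysis",
                160: "Windows 10 64 bit", 110: "Windows 7 64 bit",
                100: "Windows 7 32 bit"}
ACTION_SCRIPTS = {"default", "default_maxantievasion", "default_randomfiles",
                  "default_randomtheme", "default_openie"}
# Extra Payload keys and their documented types, per action family.
QUICK_PAYLOAD = {"no_share_third_party": bool, "allow_community_access": bool,
                 "comment": str, "submit_name": str}
SANDBOX_PAYLOAD = {
    "no_share_third_party": bool, "allow_community_access": bool,
    "no_hash_lookup": bool, "action_script": str, "hybrid_analysis": bool,
    "experimental_anti_evasion": bool, "script_logging": bool,
    "input_sample_tampering": bool, "tor_enabled_analysis": bool,
    "offline_analysis": bool, "email": str, "comment": str,
    "custom_date_time": str, "custom_cmd_line": str, "custom_run_time": int,
    "submit_name": str, "priority": int, "document_password": str,
    "environment_variable": str,
}


def _check_keys(payload: Dict[str, Any], schema: Dict[str, type]) -> List[str]:
    """Reject undocumented keys and wrong types (bool is not accepted as int)."""
    errors = []
    for key, value in payload.items():
        expected = schema.get(key)
        if expected is None:
            errors.append(f"extra_payload: unknown key {key!r}")
        elif not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            errors.append(f"extra_payload: {key!r} must be {expected.__name__}")
    return errors


def validate_quick_scan(scan_type: str = "all",
                        extra_payload: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return a list of problems; an empty list means the inputs are acceptable."""
    errors = []
    if scan_type not in SCAN_TYPES:
        errors.append(f"scan_type {scan_type!r} is not an allowed value")
    errors += _check_keys(extra_payload or {}, QUICK_PAYLOAD)
    return errors


def validate_sandbox_submission(environment_id: int = 110,
                                extra_payload: Optional[Dict[str, Any]] = None) -> List[str]:
    """Type check plus the value constraints the page states for some keys."""
    errors = []
    if environment_id not in ENVIRONMENTS:
        errors.append(f"environment_id {environment_id!r} is not one of {sorted(ENVIRONMENTS)}")
    p = extra_payload or {}
    errors += _check_keys(p, SANDBOX_PAYLOAD)
    if isinstance(p.get("action_script"), str) and p["action_script"] not in ACTION_SCRIPTS:
        errors.append(f"action_script {p['action_script']!r} is not an allowed value")
    pr = p.get("priority")
    if isinstance(pr, int) and not isinstance(pr, bool) and not 0 <= pr <= 100:
        errors.append("priority must be between 0 and 100")
    cdt = p.get("custom_date_time")
    if isinstance(cdt, str):
        try:
            datetime.strptime(cdt, "%Y-%m-%d %H:%M")   # documented yyyy-mm-dd hh:mm
        except ValueError:
            errors.append(f"custom_date_time {cdt!r} is not in yyyy-mm-dd hh:mm form")
    return errors


def build_sandbox_request(target: Dict[str, str], environment_id: int = 110,
                          extra_payload: Optional[Dict[str, Any]] = None) -> List[dict]:
    """target is {"file_path": ...} for Submit File or {"url": ...} for Submit
    URL; raises ValueError listing every problem found at once. The
    Environment ID is emitted as an int, matching its documented field type."""
    if set(target) not in ({"file_path"}, {"url"}):
        raise ValueError("target must be exactly one of file_path or url")
    problems = validate_sandbox_submission(environment_id, extra_payload)
    if problems:
        raise ValueError("; ".join(problems))
    item: dict = dict(target, environment_id=environment_id)
    if extra_payload:
        item["extra_payload"] = dict(extra_payload)
    return [item]


if __name__ == "__main__":
    # Constructed sample: one valid submission and one with several mistakes.
    print(build_sandbox_request({"file_path": "/tmp/71b5abd5-a5f0-464c-800c-8e05f68188dd/asdf.txt"},
                                110, {"priority": 10, "action_script": "default_openie"}))
    print(validate_sandbox_submission(150, {"priority": 101, "action_script": "bogus",
                                            "custom_date_time": "15/07/2022",
                                            "hybrid_analysis": "yes", "foo": 1}))
```

Running the validator inside the playbook step that precedes the submission action turns a silently ignored or rejected payload key into an explicit failure with a readable reason, which is easier to debug than a sandbox job that ran with the wrong options.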
Action: Submit URL to Determine Hash

This action submits a URL to determine the SHA-256 hash.

Action Input Parameters

Parameter: URL
Description: Enter the URL. Example: "https://google.com"
Field Type: Text
Required/Optional: Required

Parameter: Extra Params
Description: Enter the extra parameters. Example: {"timestamp": "1657883421"}
Field Type: Key Value
Required/Optional: Optional

Example Request

[
    {
        "url": "https://google.com"
    }
]