CrowdStrike Falcon Sandbox - Detonate file

Detonates one or more files using the CrowdStrike Falcon Sandbox integration. This playbook returns relevant reports to the War Room and file reputations to the context data.

The detonation supports the following file types - PE32, EXE, DLL, JAR, JS, PDF, DOC, DOCX, RTF, XLS, PPT, PPTX, XML, ZIP, VBN, SEP, XZ, GZ, BZ2, TAR, MHTML, SWF, LNK, URL, MSI, JTD, JTT, JTDC, JTTC, HWP, HWT, HWPX, BAT, HTA, PS1, VBS, WSF, JSE, VBE, CHM.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • VxStream

Scripts

  • Set

Commands

  • crowdstrike-submit-sample
  • crowdstrike-scan

Playbook Inputs


NameDescriptionDefault ValueSourceRequired
FileThe file object of the file to detonate.NoneFileOptional
EnvironmentIDThe environment ID to submit the file to. To get all of the IDs run the crowdstrike -get -environments command.100-Optional
IntervalHow often the polling command should run (in minutes).5-Optional
TimeoutHow much time to wait before a timeout occurs (in minutes).30-Optional

Playbook Outputs


PathDescriptionType
File.SHA256The SHA256 hash of the file.string
File.MaliciousThe file's malicious description.unknown
File.TypeThe file type. For example, "PE".string
File.SizeThe file size.number
File.MD5The MD5 hash of the file.string
File.NameThe filename.string
File.SHA1The SHA1 hash of the file.string
FileThe file object.unknown
File.Malicious.VendorThe vendor that made the decision that the file is malicious.string
DBotScoreThe DBotScore object.unknown
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.TypeThe type of the indicator.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.number

Playbook Image


Detonate_File_CrowdStrike_Falcon_Sandbox