Skip to main content

Crowdstrike Falcon Sandbox - File Analysis with Cache - Workflow Template

Submit a file to Falcon Sandbox for malware analysis.

Updated over a week ago

This Torq workflow template, "Crowdstrike Falcon Sandbox - File Analysis with Cache," automates the process of malware analysis by submitting files to Crowdstrike's Falcon Sandbox. It is designed to enhance threat intelligence and support threat hunting by analyzing files provided via URL. If a file hash is not supplied, the workflow calculates a SHA256 hash. It checks for cached analysis results to avoid redundant processing, ensuring efficient use of resources. If no cached data is available, the file is analyzed, and the results, including malware family and Mitre TTPs, are cached for future reference.

Use Cases

Threat Hunting , Threat Intelligence Enrichment

Workflow Breakdown

  1. Receives an URL of a file and an optional hash of the file.

  2. If no Hash is provided, then SHA256 is calculated from the file.

  3. Lookup global variables to see if the hash reputation has been saved in the past 24 hours.

  4. If analysis data is found on local cache, the saved data is returned to the parent workflow.

  5. When file is not found on cache and there are not previous analysis, then the file is submitted to analysis.

  6. A summary of the analysis data is created and saved with the original api data.

Vendors

Utils, CrowdStrike, Torq

Workflow Output

Output information contains Mitre TTPs Summary, related hashes, file properties, malware family and observable's type and subtype as used in Torq Cases.

Tips

  • Set "Provide Raw Data Analysis" to true or false to add or remove original vendor information to the output.

Did this answer your question?