Crowdstrike Falcon Sandbox - File Analysis with Cache - Workflow Template

Submit a file to Falcon Sandbox for malware analysis.

Updated this week

The Crowdstrike Falcon Sandbox - File Analysis with Cache workflow lets organizations streamline their threat hunting and threat intelligence enrichment processes. Given a file's URL, this Torq template determines the file's security posture by optionally calculating its SHA256 hash, checking a global cache for a hash reputation saved within the previous 24 hours, and submitting the file to Falcon Sandbox for detailed malware analysis only if the hash is not already known. A summary of the analysis, including MITRE ATT&CK techniques, related hashes and malware family, is then generated and stored together with the observable details, so that downstream workflows can take informed threat response actions.

Use Cases

Threat Hunting, Threat Intelligence Enrichment

Workflow Breakdown

  1. Receives a URL of a file and an optional hash of the file.

  2. If no hash is provided, the SHA256 hash is calculated from the file.

  3. Looks up global variables to see if the hash reputation has been saved in the past 24 hours.

  4. If analysis data is found in the local cache, the saved data is returned to the parent workflow.

  5. When the file is not found in the cache and there is no previous analysis, the file is submitted for analysis.

  6. A summary of the analysis data is created and saved together with the original API data.

Vendors

Utils, CrowdStrike, Torq

Workflow Output

The output contains a MITRE TTP summary, related hashes, file properties, malware family, and the observable's type and subtype as used in Torq Cases.

Tips

  • Set "Provide Raw Data Analysis" to true or false to include or omit the original vendor data in the output.
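The following is an added illustration of the cache-then-submit logic described in the Workflow Breakdown and the "Provide Raw Data Analysis" tip; it is example code, not the Torq template or CrowdStrike's code. It assumes an in-memory dictionary in place of Torq global variables, a caller-supplied `submit` callable in place of the Falcon Sandbox submission step, and a constructed result schema (`malware_family`, `mitre_techniques`, `related_hashes`) that is not the vendor's actual API format. The point it makes that the prose does not: the 24-hour window is enforced on the cache entry's save time, so an expired verdict is treated as a miss and the file is resubmitted rather than served from a stale reputation.

```python
import hashlib
import time
from typing import Callable, Optional

# The 24-hour reputation window from the workflow description.
CACHE_TTL_SECONDS = 24 * 60 * 60

# Hypothetical stand-in for the Torq global-variable cache:
# sha256 -> (epoch seconds when saved, summarized analysis record)
_cache: dict[str, tuple[float, dict]] = {}

# Constructed sandbox result; field names are an assumption, not the Falcon Sandbox schema.
CONSTRUCTED_RAW_RESULT = {
    "malware_family": "ExampleFamily",
    "mitre_techniques": [
        {"technique_id": "T1059", "name": "Command and Scripting Interpreter"},
        {"technique_id": "T1105", "name": "Ingress Tool Transfer"},
        {"technique_id": "T1059", "name": "Command and Scripting Interpreter"},  # duplicate on purpose
    ],
    "related_hashes": ["0" * 64],
    "file_type": "PE32 executable",
    "size": 12345,
}


def sha256_of(file_bytes: bytes) -> str:
    """Step 2: derive the SHA256 when the caller did not supply a hash."""
    return hashlib.sha256(file_bytes).hexdigest()


def cache_lookup(sha256: str, now: float) -> Optional[dict]:
    """Steps 3-4: return the saved record only if it was stored inside the TTL.
    Entries older than 24 hours are evicted and reported as a miss."""
    entry = _cache.get(sha256)
    if entry is None:
        return None
    saved_at, record = entry
    if now - saved_at > CACHE_TTL_SECONDS:
        del _cache[sha256]
        return None
    return record


def summarize(sha256: str, raw: dict, provide_raw: bool) -> dict:
    """Step 6: build the summary (MITRE techniques, related hashes, malware family,
    file properties, observable type/subtype) and optionally attach the raw vendor data,
    which is what the 'Provide Raw Data Analysis' setting toggles."""
    summary = {
        "sha256": sha256,
        "malware_family": raw.get("malware_family"),
        # de-duplicate technique ids so the TTP summary lists each technique once
        "mitre_techniques": sorted({t["technique_id"] for t in raw.get("mitre_techniques", [])}),
        "related_hashes": list(raw.get("related_hashes", [])),
        "file_properties": {"type": raw.get("file_type"), "size": raw.get("size")},
        "observable": {"type": "file", "subtype": "sha256"},  # assumed Torq Cases labelling
    }
    if provide_raw:
        summary["raw"] = raw
    return summary


def analyze_file(file_bytes: bytes, submit: Callable[[bytes, str], dict],
                 sha256: Optional[str] = None, provide_raw: bool = False,
                 now: Optional[float] = None) -> dict:
    """Run the whole workflow: hash -> cache check -> sandbox submission -> summarize and cache."""
    now = time.time() if now is None else now
    # The template trusts a caller-supplied hash as given; only compute when absent.
    digest = sha256.lower() if sha256 else sha256_of(file_bytes)
    cached = cache_lookup(digest, now)
    if cached is not None:
        return {"source": "cache", **cached}
    raw = submit(file_bytes, digest)          # step 5: submit for analysis
    record = summarize(digest, raw, provide_raw)
    _cache[digest] = (now, record)            # step 6: save for later lookups
    return {"source": "sandbox", **record}


def run_demo() -> dict:
    """Constructed scenario: the same file analyzed at t0, t0+1h and t0+25h.
    Returns where each verdict came from and how many sandbox submissions occurred."""
    _cache.clear()
    calls = {"submissions": 0}

    def fake_submit(file_bytes: bytes, digest: str) -> dict:
        calls["submissions"] += 1
        return CONSTRUCTED_RAW_RESULT

    sample = b"constructed sample file contents"
    t0 = 1_700_000_000.0
    first = analyze_file(sample, fake_submit, now=t0)
    second = analyze_file(sample, fake_submit, now=t0 + 3600)
    third = analyze_file(sample, fake_submit, now=t0 + 25 * 3600, provide_raw=True)
    return {
        "sources": [first["source"], second["source"], third["source"]],
        "submissions": calls["submissions"],
        "techniques": third["mitre_techniques"],
        "third_has_raw": "raw" in third,
    }


if __name__ == "__main__":
    print(run_demo())
```

Passing `now` explicitly keeps the TTL logic testable without sleeping; in a real deployment the timestamp would come from the clock when the cache entry is written, and the cache key should be the normalized lowercase hex digest so that differently-cased hashes map to the same entry.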
