Falcon Sandbox

Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence and delivers actionable indicators of compromise (IOCs), enabling your security team to better understand sophisticated malware attacks and strengthen their defenses.

Integration with LogicHub

Connecting with Falcon Sandbox

To connect to Falcon Sandbox, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • Falcon Host Sandbox URL: URL of Falcon Host Sandbox.
  • API Key: API key for Falcon Host Sandbox.

Actions with Falcon Sandbox

Analyze and Wait

Analyze and wait submits a file and waits for the analysis to be completed.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Filename Column name: Column name from the parent table to lookup filename values.
  • Correlation ID Column name (Optional): Column name from the parent table with the correlation IDs.
  • Environment ID: The environment relevant to the files being analyzed.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Analysis details.

Analyze

Analyze submits a file and immediately returns the job description, which can later be used to retrieve the report.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Filename Column name: Column name from the parent table to lookup filename values.
  • Environment ID: The environment relevant to the files being analyzed.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Analysis details.

Submit URL and Wait

Submits a URL and waits for the analysis to be completed.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • URL Column name: Column name from the parent table with the URLs to analyze.
  • Correlation ID Column name (Optional): Column name from the parent table with the correlation IDs.
  • Environment ID: The environment relevant to the URLs being analyzed.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Analysis details.

Submit URL

Submits a URL and immediately returns the corresponding job description, which can later be used to retrieve the report.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • URL Column name: Column name from the parent table with the URLs to analyze.
  • Environment ID: The environment relevant to the URLs being analyzed.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: URL details.

Get Report

Takes a job ID and fetches its report. Works with either File or URL jobs.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Job ID Column name: Column name from the parent table with the job IDs (from a file or URL submission) whose reports should be fetched.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Job details.
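The three file-oriented actions above form one workflow: Analyze submits and returns a job ID, Get Report fetches by job ID, and Analyze and Wait does both with polling in between. The following added example (not LogicHub or CrowdStrike code) models that workflow and the has_error/error/result envelope each action returns. The sandbox itself is a constructed stand-in (FakeSandbox), the state names IN_PROGRESS and SUCCESS, the report fields, the sample filenames and the environment ID value 100 are all assumptions for illustration, not values taken from the real API.

```python
import time
from dataclasses import dataclass, field


def envelope(result=None, error=None):
    """Build the {has_error, error, result} JSON that every action returns."""
    return {"has_error": error is not None, "error": error, "result": result}


@dataclass
class FakeSandbox:
    """Constructed stand-in for Falcon Sandbox, not the real API. A submission
    returns a job id; the report stays IN_PROGRESS for polls_until_done - 1
    fetches and then becomes SUCCESS. State and field names are assumptions."""
    polls_until_done: int = 2
    jobs: dict = field(default_factory=dict)

    def submit(self, filename, environment_id):
        job_id = f"job-{len(self.jobs) + 1}"
        self.jobs[job_id] = {"filename": filename,
                             "environment_id": environment_id, "polls": 0}
        return job_id

    def report(self, job_id):
        job = self.jobs.get(job_id)
        if job is None:
            raise KeyError(f"unknown job {job_id}")
        job["polls"] += 1
        if job["polls"] < self.polls_until_done:
            return {"state": "IN_PROGRESS", "job_id": job_id}
        return {"state": "SUCCESS", "job_id": job_id, "filename": job["filename"],
                "environment_id": job["environment_id"], "verdict": "malicious"}


def analyze(sandbox, row, filename_column, environment_id):
    """Analyze: submit one parent-table row's file and return the job id at once."""
    filename = row.get(filename_column)
    if not filename:
        return envelope(error=f"column {filename_column!r} is empty for this row")
    try:
        job_id = sandbox.submit(filename, environment_id)
    except Exception as exc:  # surface submission failures in the envelope
        return envelope(error=f"submit failed: {exc}")
    return envelope(result={"job_id": job_id, "filename": filename})


def get_report(sandbox, job_id):
    """Get Report: fetch the report for a job id (file or URL job)."""
    try:
        return envelope(result=sandbox.report(job_id))
    except Exception as exc:
        return envelope(error=f"report fetch failed: {exc}")


def analyze_and_wait(sandbox, row, filename_column, environment_id,
                     correlation_column=None, max_polls=30, delay=0.0):
    """Analyze and Wait: submit, then poll Get Report until a terminal state.

    The correlation id (when a column is given) is copied into the result so
    the report can be joined back to its parent-table row. On timeout the job
    id is returned in the error text so Get Report can still fetch it later.
    """
    submitted = analyze(sandbox, row, filename_column, environment_id)
    if submitted["has_error"]:
        return submitted
    job_id = submitted["result"]["job_id"]
    correlation_id = row.get(correlation_column) if correlation_column else None
    for _ in range(max_polls):
        fetched = get_report(sandbox, job_id)
        if fetched["has_error"]:
            return fetched
        report = fetched["result"]
        if report.get("state") != "IN_PROGRESS":
            report["correlation_id"] = correlation_id
            return envelope(result=report)
        time.sleep(delay)
    return envelope(error=f"analysis not finished after {max_polls} polls; job_id={job_id}")


if __name__ == "__main__":
    # Constructed parent table: one good row and one with an empty filename.
    table = [{"file": "invoice.docm", "incident": "INC-1001"},
             {"file": "", "incident": "INC-1002"}]
    sandbox = FakeSandbox(polls_until_done=3)
    for row in table:
        print(analyze_and_wait(sandbox, row, "file", 100, correlation_column="incident"))
```

The point to carry over to a real playbook: check has_error before reading result, keep the job ID from a timed-out Analyze and Wait so the report can be fetched with Get Report instead of resubmitting the file, and pass a correlation ID whenever more than one row is submitted, since the report alone does not say which row produced it.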

URL Quick Scan

Quickly check if there are any historical reports for a URL, return report IDs (if there are any), and a sha256 hash for the lookup.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • URL Column name: Column name from parent table to lookup URL values.
  • Scan Type: The Falcon Host Sandbox scan type (example: "lookup_ha" or "all").

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Scan details.

Get Report with sha256 hashes

Returns a list of reports, given a list of hashes as an input.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Hash (sha256) Column name: Column name from the parent table to lookup hash values.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Report details.
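Because this action takes a column of hashes straight from the parent table, a practitioner will want to normalize and validate that column first (md5 or sha1 values, stray whitespace and mixed case all produce failed lookups), and will usually run the hash lookup before Analyze so that files with an existing report are not submitted to the sandbox again. The following added example (not LogicHub or CrowdStrike code) does both. The parent-table rows are constructed, and the assumption that each item in result carries a "sha256" field is mine; the page only says the result holds report details.

```python
import hashlib
import re

# Exactly 64 lowercase hex characters: the only form this action accepts.
SHA256_RE = re.compile(r"[0-9a-f]{64}")


def sha256_of(data: bytes) -> str:
    """Hash a file's bytes so it can be looked up before it is ever submitted."""
    return hashlib.sha256(data).hexdigest()


def prepare_hash_lookup(rows, column):
    """Normalize and validate the hash column of a parent table.

    Returns (hashes, rejected): a de-duplicated list of lowercase sha256
    values ready for the lookup action, and the rows that should not be sent
    (empty value, or an md5/sha1/other string that is not a sha256).
    """
    hashes, rejected, seen = [], [], set()
    for row in rows:
        raw = row.get(column)
        if raw is None or str(raw).strip() == "":
            rejected.append((row, f"column {column!r} is empty"))
            continue
        value = str(raw).strip().lower()
        if not SHA256_RE.fullmatch(value):
            rejected.append((row, f"not a sha256 ({len(value)} chars)"))
            continue
        if value in seen:
            continue  # send each hash once, not once per row
        seen.add(value)
        hashes.append(value)
    return hashes, rejected


def split_by_existing_reports(hashes, lookup_output):
    """Decide which hashes still need a file submission.

    lookup_output is the {has_error, error, result} envelope from the hash
    lookup action; result is assumed (not documented above) to be a list of
    report objects each carrying a "sha256" field. If the lookup itself
    failed, nothing is treated as known, so every hash goes to submission.
    """
    if lookup_output.get("has_error"):
        return [], list(hashes)
    known = {str(r.get("sha256", "")).lower()
             for r in (lookup_output.get("result") or [])}
    have_report = [h for h in hashes if h in known]
    need_submit = [h for h in hashes if h not in known]
    return have_report, need_submit


if __name__ == "__main__":
    # Constructed parent table: mixed case, a duplicate, an md5 and a blank.
    sample = sha256_of(b"constructed sample file")
    rows = [{"sha256": sample.upper()}, {"sha256": sample},
            {"sha256": "d41d8cd98f00b204e9800998ecf8427e"}, {"sha256": " "}]
    hashes, rejected = prepare_hash_lookup(rows, "sha256")
    print(hashes, [reason for _, reason in rejected])
    # Constructed lookup output standing in for the action's JSON.
    print(split_by_existing_reports(hashes, {"has_error": False, "error": None,
                                             "result": [{"sha256": sample}]}))
```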
