CrowdstrikeFalcon
README
CrowdStrike Falcon Analyzers
This documentation covers the setup and usage of CrowdStrike Falcon analyzers for retrieving device information, vulnerabilities and alerts linked to a given hostname observable, as well as performing file analysis using the CrowdStrike Falcon Sandbox.
Pre-requisites
To use these analyzers, you must have the following configured in your CrowdStrike Falcon tenant:
- CrowdStrike Falcon Setup:
  - Log in to your CrowdStrike Falcon tenant.
  - Navigate to Support and resources > Resources and tools > API clients and keys.
  - Create an API Client with the required permissions. Each scope can be granted independently, so grant only the scopes needed by the analyzers you actually deploy:
    - Hosts: Read (for getDeviceDetails and getDeviceVulnerabilities).
    - Vulnerabilities: Read (for getDeviceVulnerabilities).
    - Alerts: Read (for getDeviceAlerts).
    - Sandbox (Falcon Intelligence): Read, Write (for Falcon Sandbox).
Analyzers Overview
1. getDeviceDetails Analyzer
- Description: Retrieves and displays detailed device information based on a given hostname observable.
- Permissions Required: Hosts: Read
- Available Configuration: see the CrowdstrikeFalcon_getDeviceDetails configuration table below (client_id, client_secret, base_url).

Short Report
Displays basic details such as:
- Vendor
- OS version
- Agent status
- Last user logged in

Long Report
Provides detailed information about the device.

2. getDeviceVulnerabilities Analyzer
- Description: Retrieves and displays vulnerabilities linked to a hostname observable.
- Permissions Required: Hosts: Read, Vulnerabilities: Read
- Available Configuration: see the CrowdstrikeFalcon_GetDeviceVulnerabilities configuration table below (client_id, client_secret, base_url, vuln_fields).

Short Report
Displays the number of vulnerabilities linked to the hostname.

Long Report
Provides a detailed list of vulnerabilities with contextual information.

3. getDeviceAlerts Analyzer
- Description: Retrieves and displays alerts linked to a hostname observable for the past X days (the days_before setting, 30 days by default).
- Permissions Required: Alerts: Read
- Available Configuration: see the CrowdstrikeFalcon_getDeviceAlerts configuration table below (client_id, client_secret, base_url, alert_fields, days_before).

Short Report
Displays the number of alerts linked to the hostname.

Long Report
Provides a detailed list of alerts with contextual information.

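The three hostname analyzers above share one pattern: resolve the base_url region alias, run a Falcon query call that returns IDs, run the matching entities call that returns objects, then trim the objects to the configured field list (vuln_fields, alert_fields) and, for alerts, the days_before window. The block below is an added example of that pattern, not the analyzers' own code, written to run offline against constructed responses. The endpoint paths, FQL field names and region hosts are the public Falcon API as I know them; the `fetch` callable (assumed to already carry the OAuth2 bearer token obtained with the API client from the prerequisites), `fake_fetch`, the SAMPLE payloads and every function name are assumptions for illustration.

```python
"""Added example, not the analyzers' own code. Endpoint paths, FQL field names and
region hosts are the public Falcon API as I know them; fetch(method, url,
params=None, json=None) -> parsed body is an assumed callable that already carries
the bearer token; the sample payloads and all names below are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Region aliases accepted by base_url, mapped to the API host of each cloud.
REGIONS = {
    "US-1": "https://api.crowdstrike.com",
    "US-2": "https://api.us-2.crowdstrike.com",
    "EU-1": "https://api.eu-1.crowdstrike.com",
    "US-GOV-1": "https://api.laggar.gcw.crowdstrike.com",
}
# A hostname observable is attacker-influenced: allow-list it before it lands in FQL.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")
FIXED_NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)  # reproducible "now" for the demo

def resolve_base_url(value: str) -> str:
    v = value.strip().rstrip("/")
    if v.upper() in REGIONS:
        return REGIONS[v.upper()]
    if v.startswith("https://"):
        return v
    raise ValueError(f"base_url must be https:// or one of {sorted(REGIONS)}: {value!r}")

def fql_hostname(hostname: str) -> str:
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"refusing to build a filter from {hostname!r}")
    return f"hostname:'{hostname}'"

def fql_alerts(hostname: str, days_before: int, now=None) -> str:
    """Alert filter for the days_before window getDeviceAlerts uses (30 by default)."""
    if not HOSTNAME_RE.match(hostname) or days_before < 1:
        raise ValueError("bad hostname or days_before")
    since = (now or datetime.now(timezone.utc)) - timedelta(days=days_before)
    return f"device.hostname:'{hostname}'+created_timestamp:>'{since:%Y-%m-%dT%H:%M:%SZ}'"

def pick(record, path: str):
    """Resolve a dotted path like 'remediation.entities.action'; lists on the way
    are mapped over, so list-valued fields come back as lists; missing -> None."""
    cur = record
    for key in path.split("."):
        if isinstance(cur, list):
            cur = [c.get(key) if isinstance(c, dict) else None for c in cur]
        elif isinstance(cur, dict):
            cur = cur.get(key)
        else:
            return None
    return cur

def keep_fields(records: list, fields: list) -> list:
    """What vuln_fields / alert_fields do: trim every record to the listed paths."""
    return [{f: pick(r, f) for f in fields} for r in records]

def _ids(fetch, base: str, path: str, filter_: str) -> list:
    # Falcon's two-step pattern: /queries/ returns IDs, /entities/ returns objects.
    return fetch("GET", base + path, params={"filter": filter_, "limit": 500}).get("resources", [])

def device_details(fetch, base: str, hostname: str) -> list:
    aids = _ids(fetch, base, "/devices/queries/devices/v1", fql_hostname(hostname))
    if not aids:
        return []
    return fetch("POST", base + "/devices/entities/devices/v2", json={"ids": aids}).get("resources", [])

def device_vulnerabilities(fetch, base: str, hostname: str, fields: list) -> list:
    out = []
    for dev in device_details(fetch, base, hostname):
        ids = _ids(fetch, base, "/spotlight/queries/vulnerabilities/v1", f"aid:'{dev['device_id']}'")
        if ids:
            body = fetch("GET", base + "/spotlight/entities/vulnerabilities/v2", params={"ids": ids})
            out += keep_fields(body.get("resources", []), fields)
    return out

def device_alerts(fetch, base: str, hostname: str, fields: list, days_before: int, now=None) -> list:
    ids = _ids(fetch, base, "/alerts/queries/alerts/v2", fql_alerts(hostname, days_before, now))
    if not ids:
        return []
    body = fetch("POST", base + "/alerts/entities/alerts/v2", json={"composite_ids": ids})
    return keep_fields(body.get("resources", []), fields)

# Constructed sample responses (not real tenant data) so the flow runs offline.
SAMPLE = {
    "/devices/queries/devices/v1": {"resources": ["aid-0001"]},
    "/devices/entities/devices/v2": {"resources": [{"device_id": "aid-0001", "hostname": "WS-042",
        "os_version": "Windows 11", "status": "normal", "last_login_user": "j.doe"}]},
    "/spotlight/queries/vulnerabilities/v1": {"resources": ["vuln-0001"]},
    "/spotlight/entities/vulnerabilities/v2": {"resources": [{"id": "vuln-0001", "status": "open",
        "apps": [{"product_name_version": "Example App 1.0"}],
        "host_info": {"asset_criticality": "High", "internet_exposure": "Yes"},
        "remediation": {"entities": [{"action": "Update Example App"}]}}]},
    "/alerts/queries/alerts/v2": {"resources": ["aid-0001:ind:0001"]},
    "/alerts/entities/alerts/v2": {"resources": [{"severity_name": "High", "filename": "dropper.exe",
        "cmdline": "dropper.exe /s", "device": {"hostname": "WS-042"}}]},
}

def fake_fetch(method: str, url: str, params=None, json=None) -> dict:
    return SAMPLE[url[len(REGIONS["US-1"]):]]  # strips the US-1 host, returns the canned body

if __name__ == "__main__":
    base = resolve_base_url("US-1")
    print(device_vulnerabilities(fake_fetch, base, "WS-042", ["apps.product_name_version", "remediation.entities.action"]))
    print(device_alerts(fake_fetch, base, "WS-042", ["severity_name", "filename", "missing"], 30, FIXED_NOW))
```

Two details are worth keeping in a real deployment: the hostname observable is allow-listed before it is interpolated into the FQL filter, so a crafted observable cannot widen the query to other hosts, and the dotted-path picker returns None for a field the tenant does not expose instead of failing the whole report.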
4. Falcon Sandbox Analyzer
- Description: Sends a file observable to the CrowdStrike Falcon Sandbox for analysis. Once the analysis is complete, the results are displayed in a report.
- Permissions Required: Sandbox (Falcon Intelligence): Read, Write
- Available Configuration:
  - List of analyzers: one analyzer per sandbox environment (CrowdstrikeFalcon_Sandbox_Win7, Win7_64, Win10, Win11, Linux, Android, MacOS).
  - Configuration interface: each of them exposes the client_id, client_secret, base_url, network_settings and action_script settings listed in the configuration tables below.

Short Report
Displays whether the analyzed file is considered:
- Safe (green)
- Suspicious (orange)
- Malicious (red)

Long Report
Provides a detailed analysis of the file.

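As an added example of the sandbox flow the analyzer above performs (not the analyzers' or CrowdStrike's own code): upload the file bytes, submit the returned sha256 with the environment matching the chosen analyzer and the network_settings and action_script values from the configuration table, poll until the submission state settles, then map the report verdict to the safe / suspicious / malicious levels of the short report. The endpoint paths, environment IDs, submission states and verdict strings are the public Falcon Sandbox API as I know them and should be verified against your tenant; the `fetch` signature, the `FakeFalcon` responses and all function names are assumptions.

```python
"""Added example, not the analyzers' own code. Endpoint paths, environment IDs,
submission states and verdict strings are the public Falcon Sandbox API as I know
them (assumptions to verify); fetch(method, url, params=None, json=None, data=None)
-> parsed body is an assumed callable that already carries the bearer token."""
import hashlib
import re
from typing import Callable

# The two runtime options exactly as this page documents them.
NETWORK_SETTINGS = {"default", "tor", "simulated", "offline"}
ACTION_SCRIPTS = {"default", "default_randomtheme", "default_maxantievasion",
                  "default_openie", "default_randomfiles"}
# environment_id per analyzer flavour: assumed mapping, confirm it for your tenant.
ENVIRONMENTS = {"Win7": 100, "Win7_64": 110, "Win10": 160, "Win11": 140,
                "Android": 200, "Linux": 300, "MacOS": 400}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

def upload_sample(fetch, base: str, file_name: str, data: bytes) -> str:
    """POST the raw bytes; the response carries the sha256 the submission needs.
    Cross-check it locally so a bad upload cannot silently analyse another file."""
    body = fetch("POST", base + "/samples/entities/samples/v3",
                 params={"file_name": file_name, "is_confidential": True}, data=data)
    sha = body["resources"][0]["sha256"]
    if sha != hashlib.sha256(data).hexdigest():
        raise RuntimeError("sha256 returned by upload does not match the file")
    return sha

def build_submission(sha256: str, flavour: str, network_settings="default", action_script="default") -> dict:
    """Reject configuration values outside the documented sets before anything is sent."""
    if network_settings not in NETWORK_SETTINGS:
        raise ValueError(f"network_settings must be one of {sorted(NETWORK_SETTINGS)}")
    if action_script not in ACTION_SCRIPTS:
        raise ValueError(f"action_script must be one of {sorted(ACTION_SCRIPTS)}")
    if flavour not in ENVIRONMENTS or not SHA256_RE.match(sha256):
        raise ValueError("unknown sandbox flavour or malformed sha256")
    return {"sandbox": [{"sha256": sha256, "environment_id": ENVIRONMENTS[flavour],
                         "network_settings": network_settings, "action_script": action_script}]}

def verdict_level(sandbox_report: dict) -> str:
    """Map the report verdict to the short report's three levels. Anything
    unrecognised is reported as suspicious rather than safe."""
    v = (sandbox_report.get("verdict") or "").lower()
    if v == "malicious":
        return "malicious"
    if v in ("no specific threat", "whitelisted"):
        return "safe"
    return "suspicious"

def submit_and_wait(fetch, base: str, sha256: str, flavour: str, network_settings: str,
                    action_script: str, sleep: Callable[[float], None], interval=30, max_polls=60) -> dict:
    sub = fetch("POST", base + "/falconx/entities/submissions/v1",
                json=build_submission(sha256, flavour, network_settings, action_script))
    sid = sub["resources"][0]["id"]
    for polls in range(1, max_polls + 1):
        state = fetch("GET", base + "/falconx/entities/submissions/v1",
                      params={"ids": sid})["resources"][0]["state"]
        if state == "success":
            break
        if state == "error":
            raise RuntimeError(f"submission {sid} failed")
        sleep(interval)  # bounded wait: the analyzer must not hang on a stuck submission
    else:
        raise TimeoutError(f"submission {sid} still {state!r} after {max_polls} polls")
    report = fetch("GET", base + "/falconx/entities/reports/v1", params={"ids": sid})["resources"][0]
    sb = report["sandbox"][0]
    return {"sha256": sha256, "level": verdict_level(sb), "verdict": sb.get("verdict"),
            "threat_score": sb.get("threat_score"), "polls": polls}

class FakeFalcon:
    """Constructed responses (not a real tenant): 'running' once, then 'success'."""
    def __init__(self, sample: bytes):
        self.sha = hashlib.sha256(sample).hexdigest()
        self.states = iter(["running", "success"])
        self.submitted = None
    def __call__(self, method, url, params=None, json=None, data=None):
        if url.endswith("/samples/entities/samples/v3"):
            return {"resources": [{"sha256": self.sha}]}
        if url.endswith("/falconx/entities/submissions/v1") and method == "POST":
            self.submitted = json
            return {"resources": [{"id": "sub-0001", "state": "created"}]}
        if url.endswith("/falconx/entities/submissions/v1"):
            return {"resources": [{"id": "sub-0001", "state": next(self.states)}]}
        return {"resources": [{"sandbox": [{"verdict": "malicious", "threat_score": 95}]}]}

if __name__ == "__main__":
    sample = b"MZ\x90\x00 constructed bytes, not a real binary"
    api, base = FakeFalcon(sample), "https://api.crowdstrike.com"
    sha = upload_sample(api, base, "sample.bin", sample)
    print(submit_and_wait(api, base, sha, "Win10", "offline", "default_maxantievasion", sleep=lambda s: None))
```

Two operational points follow from the configuration table: network_settings decides whether the detonated sample can reach the network (offline keeps it isolated, default lets it call out, which can tip off an operator or pull a second stage), and every submission ships the file to CrowdStrike's cloud, so confirm that is acceptable for the file's classification before enabling the analyzer on sensitive cases.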
Resources
For more information on the relevant CrowdStrike Falcon APIs, refer to the following resources:
- CrowdStrike Falcon Hosts API
- CrowdStrike Falcon Vulnerabilities API
- CrowdStrike Falcon Alerts API
- CrowdStrike Falcon Sample Uploads API
- CrowdStrike Falcon Sandbox API
CrowdstrikeFalcon_Sandbox_MacOS
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Win7
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_getDeviceDetails
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Get device information from Crowdstrike Falcon
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Win10
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_GetDeviceVulnerabilities
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Get device vulnerabilities from hostname
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| vuln_fields | Specific field values to keep in resulting payload for vulnerabilities | ['vulnerability_id', 'status', 'created_timestamp', 'updated_timestamp', 'apps.product_name_version', 'confidence', 'cve', 'host_info.asset_criticality', 'host_info.internet_exposure', 'remediation.entities.action'] | string | True | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Win7_64
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Android
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Linux
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_getDeviceAlerts
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- hostname
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Get Device alerts from Crowdstrike Falcon
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| alert_fields | Fields to return for each individual alert | ['timestamp', 'description', 'status', 'user_name', 'severity', 'severity_name', 'scenario', 'filename', 'filepath', 'confidence', 'cmdline'] | string | True | True |
| days_before | Only query alerts from the past X days. | 30 | number | False | True |
Templates samples for TheHive


CrowdstrikeFalcon_Sandbox_Win11
Author: Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 1.0
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.crowdstrike.com
Description
Send a file to CrowdstrikeFalcon Sandbox
Configuration
| Parameter | Description | Default value if not configured | Type | Can contain multiple values | Is required |
| --- | --- | --- | --- | --- | --- |
| client_id | Crowdstrike client ID key | __ | string | False | True |
| client_secret | Crowdstrike client secret key | __ | string | False | True |
| base_url | Crowdstrike base URL. Also supports US-1, US-2, EU-1, US-GOV-1 values | https://api.crowdstrike.com | string | False | True |
| network_settings | Specifies the sandbox network_settings used for analysis: default, tor, simulated, offline | default | string | False | True |
| action_script | Runtime script for sandbox analysis: default, default_randomtheme, default_maxantievasion, default_openie, default_randomfiles | default | string | False | True |
Templates samples for TheHive

