Analyze suspicious files and URLs in isolated environments to understand malware behavior, identify threats, and generate detailed forensic reports.
Cmdlets Get-FalconReport Search for Falcon Intelligence Sandbox reports.
Permissions : Sandbox (Falcon Intelligence): ReadReport identifier (format: <sha256>_<environment_id>)
Falcon Query Language expression to limit results
Property and direction to sort results
Maximum number of results per request (1-5000)
Position to begin retrieving results
Retrieve detailed information
Repeat requests until all available results are retrieved
Display total result count instead of results
# Get all sandbox reports from the last 7 days Get-FalconReport - Filter "created_timestamp:>'now-7d'" - Detailed # Get a specific report Get-FalconReport - Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855_160' # Get report summaries Get-FalconReport - Filter "verdict:'malicious'" - Summary
Get-FalconSubmission Search for Falcon Intelligence Sandbox submissions.
Permissions : Sandbox (Falcon Intelligence): ReadSubmission identifier (format: <sha256>_<environment_id>)
Falcon Query Language expression to limit results
Property and direction to sort results
Maximum number of results per request (1-5000)
Position to begin retrieving results
Retrieve detailed information
Repeat requests until all available results are retrieved
Display total result count instead of results
# Get all submissions from the last 24 hours Get-FalconSubmission - Filter "created_timestamp:>'now-24h'" - Detailed # Get a specific submission Get-FalconSubmission - Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855_160' # Get count of pending submissions Get-FalconSubmission - Filter "state:'running'" - Total
Get-FalconSubmissionQuota Retrieve monthly Falcon Intelligence Sandbox submission quota.
Permissions : Sandbox (Falcon Intelligence): Read# Check your monthly sandbox submission quota Get-FalconSubmissionQuota
New-FalconSubmission Submit a sample to the Falcon Intelligence Sandbox.
Permissions : Sandbox (Falcon Intelligence): WriteSHA256 values are retrieved from files uploaded using Send-FalconSample. Files must be uploaded before they can be submitted to the sandbox.
Analysis environment. Valid values:
androidmacOS_10.15ubuntu16_x64, ubuntu20_x64win7_x64, win7_x86win10_x64, win11_x64 Runtime script for sandbox analysis. Valid values:
defaultdefault_maxantievasiondefault_randomfilesdefault_randomthemedefault_openie Browser to use with URL submission
Whether sandbox detonation is interactive
Command line script passed to the submitted file at runtime
A custom date to use in the analysis environment (format: YYYY-MM-DD)
A custom time to use in the analysis environment (format: HH:MM)
Auto-filled for Adobe or Office files that prompt for a password
Network settings to use in the analysis environment. Valid values: default, offline, simulated, tor
Tags to categorize the submission
# Submit a file for analysis on Windows 10 Send-FalconSample - Path './suspicious.exe' New-FalconSubmission - Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' - EnvironmentId win10_x64 - SubmitName 'suspicious.exe' # Submit a URL for analysis New-FalconSubmission - Url 'https://suspicious-site.com' - EnvironmentId win10_x64 - Browser 'chrome' - NetworkSetting 'default' # Submit with custom command line and tags New-FalconSubmission - Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' - EnvironmentId win10_x64 - CommandLine '/install /silent' - UserTag 'campaign-2024' , 'ransomware' - SendEmail $true # Submit Office document with password New-FalconSubmission - Sha256 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' - EnvironmentId win10_x64 - DocumentPassword 'infected' # Auto-detect environment with TOR routing New-FalconSubmission - Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' - AutoDetect $true - EnableTor $true - NetworkSetting 'tor' # Submit with custom system date/time New-FalconSubmission - Sha256 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' - EnvironmentId win11_x64 - SystemDate '2024-01-15' - SystemTime '14:30'
Receive-FalconArtifact Download an artifact from a Falcon Intelligence Sandbox report.
Permissions : Sandbox (Falcon Intelligence): ReadArtifact identifier values can be retrieved for specific Falcon Intelligence Sandbox reports using Get-FalconReport.
Artifact identifier (64-character hex)
Overwrite an existing file when present
# Download a sandbox artifact Receive-FalconArtifact - Id 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' - Path './artifact.bin'
Receive-FalconMemoryDump Download a memory dump or extracted strings from a Falcon Intelligence Sandbox report.
Permissions : Sandbox (Falcon Intelligence): ReadDestination path (must end with .gzip)
Binary content dump identifier (64-character hex)
Extracted string identifier (64-character hex)
Hex dump identifier (64-character hex)
Overwrite an existing file when present
# Download binary memory dump Receive-FalconMemoryDump - BinaryId 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' - Path './memory.bin.gzip' # Download extracted strings Receive-FalconMemoryDump - ExtractId 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' - Path './strings.txt.gzip' # Download hex dump Receive-FalconMemoryDump - HexId 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2' - Path './hexdump.gzip'
Remove-FalconReport Remove a Falcon Intelligence Sandbox report.
Permissions : Sandbox (Falcon Intelligence): Write# Delete a sandbox report Remove-FalconReport - Id 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855_160'
Sandbox Analysis Workflow
Check Quota
Use Get-FalconSubmissionQuota to verify available monthly submissions.
Upload Sample
Use Send-FalconSample to upload the file and obtain its SHA256 hash.
Submit for Analysis
Use New-FalconSubmission with the SHA256 hash and desired analysis environment.
Monitor Submission
Use Get-FalconSubmission to check the status of your submission.
Retrieve Report
Once complete, use Get-FalconReport to access the detailed analysis results.
Download Artifacts
Use Receive-FalconArtifact or Receive-FalconMemoryDump to download forensic evidence.
Analysis Environments
win11_x64 : Windows 11 64-bit (ID: 140)win10_x64 : Windows 10 64-bit (ID: 160)win7_x64 : Windows 7 64-bit (ID: 110)win7_x86 : Windows 7 32-bit (ID: 100) Use for analyzing Windows executables, Office documents, and Windows-specific malware.
macOS_10.15 : macOS Catalina (ID: 400) Use for analyzing macOS applications, DMG files, and macOS-specific threats.
ubuntu20_x64 : Ubuntu 20.04 64-bit (ID: 310)ubuntu16_x64 : Ubuntu 16.04 64-bit (ID: 300) Use for analyzing Linux binaries, shell scripts, and Linux-specific malware.
android : Android environment (ID: 200) Use for analyzing Android APK files and mobile malware. Advanced Submission Options
Action Scripts Control sandbox behavior:
default: Standard executiondefault_maxantievasion: Maximum anti-evasion techniquesdefault_randomfiles: Randomized file environmentdefault_randomtheme: Randomized visual themedefault_openie: Use Internet Explorer
Network Settings Control network access:
default: Full internet accessoffline: No network connectivitysimulated: Simulated network responsestor: Route traffic through TOR URL vs File Submissions URL Submission
File Submission
# Submit a suspicious URL for analysis New-FalconSubmission ` - Url 'https://suspicious-phishing-site.com' ` - EnvironmentId win10_x64 ` - Browser 'chrome' ` - NetworkSetting 'default' ` - UserTag 'phishing' , 'investigation-2024' ` - SendEmail $true
Analyzing Results Complete Analysis Workflow
# 1. Check quota $Quota = Get-FalconSubmissionQuota Write-Host "Remaining submissions: $( $Quota .monthly.remaining ) " # 2. Upload sample $Upload = Send-FalconSample - Path './suspicious.exe' # 3. Submit for analysis $Submission = New-FalconSubmission ` - Sha256 $Upload .sha256 ` - EnvironmentId win10_x64 ` - SubmitName 'suspicious.exe' ` - UserTag 'investigation-2024' # 4. Wait for completion do { Start-Sleep - Seconds 30 $Status = Get-FalconSubmission - Id $Submission .id } while ( $Status .state -eq 'running' ) # 5. Get detailed report $Report = Get-FalconReport - Id $Submission .id - Detailed # 6. Display verdict Write-Host "Verdict: $( $Report .verdict ) " Write-Host "Threat Level: $( $Report .threat_score ) " # 7. Download artifacts if malicious if ( $Report .verdict -eq 'malicious' ) { foreach ( $Artifact in $Report .artifacts ) { Receive-FalconArtifact - Id $Artifact .id - Path "./artifacts/ $( $Artifact .name ) " } }
Best Practices Do not submit files or URLs containing sensitive or confidential information. Sandbox environments are isolated but samples may be shared with CrowdStrike for analysis.
Use tags to organize submissions by investigation, campaign, or threat type. This makes it easier to search and correlate results later.
Enable email notifications for long-running analyses so you’re notified when results are ready.
Sample Uploads Upload samples to CrowdStrike
MalQuery Hunt for similar malware samples
IOC Management Create IOCs from analysis results
Falcon Intelligence Access threat intelligence reports
