automation of sandbox analysis #672

NSH531 · 2022-05-26T13:43:48Z

NSH531
May 26, 2022

How to write code that will automate sending indicators to sandbox? I should also get a report on the indicators

netanel

May 27, 2022

Thank you for the question!
This is a complex ask, that could be solved several different ways. (Everyone approaches boiling the ocean a little bit differently.)

In an effort to try and answer this as succinctly as possible, I'm going to scope this down a bit and make a couple of assumptions based upon my understanding of your question.

Note: We don't submit an indicator to the sandbox. We upload a file to the sandbox, analyze it, and then submit the hash that is returned from the upload as an indicator.

Assumptions

An indicator in this particular scenario is a file that has been returned from Falcon X (ML or Quick Scan) as malicious that we then use to create a custom IOC.
…

View full answer

jshcodes · 2022-05-27T01:54:19Z

jshcodes
May 27, 2022
Maintainer

Hi @NSH531 -

Thank you for the question!
This is a complex ask, that could be solved several different ways. (Everyone approaches boiling the ocean a little bit differently.)

In an effort to try and answer this as succinctly as possible, I'm going to scope this down a bit and make a couple of assumptions based upon my understanding of your question.

Note: We don't submit an indicator to the sandbox. We upload a file to the sandbox, analyze it, and then submit the hash that is returned from the upload as an indicator.

Assumptions

An indicator in this particular scenario is a file that has been returned from Falcon X (ML or Quick Scan) as malicious that we then use to create a custom IOC.
We will be using the SHA256 hash to identify this indicator.
The "report" in this scenario will be a query result detailing newly added indicators generated by this process.

High level solution overview

Identify malicious files within the target environment using either Falcon X Quick Scan or Falcon X ML Scan.
- Check out our samples for Falcon X ML Scan and Quick Scan to get started.
- We also have a really cool example for scanning S3 buckets using Falcon X Quick Scan.
- Falcon X Sandbox documentation: https://www.falconpy.io/Service-Collections/Falconx-Sandbox.html
- Quick Scan documentation: https://www.falconpy.io/Service-Collections/Quick-Scan.html
Confirm this indicator does not exist already, if not, create an IOC based upon the SHA256 hash of any malicious files identified.
- Review this example of creating an IOC for a quick start.
- This would be a good place to leverage IOC tags.
- IOC documentation: https://www.falconpy.io/Service-Collections/IOC.html
Your report could then be generated on a daily / automated basis by leveraging the indicator_search_v1 operation and searching for the indicator tags applied previously.

Hope this helps get you started, happy coding! :-)

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

automation of sandbox analysis #672

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

automation of sandbox analysis #672

Uh oh!

Uh oh!

NSH531 May 26, 2022

Assumptions

Replies: 1 comment

Uh oh!

Uh oh!

jshcodes May 27, 2022 Maintainer

Assumptions

High level solution overview

NSH531
May 26, 2022

jshcodes
May 27, 2022
Maintainer