
Falcon Sandbox


Falcon Sandbox performs deep analysis of evasive and unknown threats, enriches the results with threat intelligence and delivers actionable indicators of compromise (IOCs), enabling your security team to better understand sophisticated malware attacks and strengthen their defenses.

Connect Falcon Sandbox with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Falcon Sandbox.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default: Verify SSL Certificate). Leave verification on for production instances: with it off, the API key is sent to whichever host answers at the configured URL.

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Falcon Host Sandbox URL: URL of Falcon Host Sandbox.

  9. API Key: API key for Falcon Host Sandbox.

  10. After you've entered all the details, click Connect.

Actions for Falcon Sandbox

Analyze and Wait

Analyze and wait submits a file and waits for the analysis to be completed.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
Filename Column name | Column name from the parent table to look up filename values. | Required
Correlation ID Column name | Column name from the parent table with the correlation IDs used to match each result to its source row. | Optional
Environment ID | The sandbox environment in which the files are analyzed. | Required

Output

JSON containing the following items:

  • has_error: True/False

  • error: message/null

  • result: Analysis details.

Analyze

Analyze submits a file and immediately returns the job description, which can later be used to retrieve the report.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
Filename Column name | Column name from the parent table to look up filename values. | Required
Environment ID | The sandbox environment in which the files are analyzed. | Required

Output

JSON containing the following items:

  • has_error: True/False

  • error: message/null

  • result: Analysis details.

Submit URL and Wait

Submits a URL and waits for the analysis to be completed.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
URL Column name | Column name from the parent table with the URLs to analyze. | Required
Correlation ID Column name | Column name from the parent table with the correlation IDs used to match each result to its source row. | Optional
Environment ID | The sandbox environment in which the URLs are analyzed. | Required

Output

JSON containing the following items:

  • has_error: True/False

  • error: message/null

  • result: Analysis details.

Submit URL

Submits a URL and immediately returns the corresponding job description, whose job ID can later be passed to Get Report.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
URL Column name | Column name from the parent table with the URLs to analyze. | Required
Environment ID | The sandbox environment in which the URLs are analyzed. | Required

Output

JSON containing the following items:

  • has_error: True/False

  • error: message/null

  • result: URL details.

Get Report

Takes a job ID and fetches its report. Works with either File or URL jobs.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
Job ID Column name | Column name from the parent table with the job IDs (from Analyze or Submit URL) whose reports to fetch. | Required

Output

JSON containing the following items:

  • has_error: True/False

  • error: message/null

  • result: Job details.
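The Analyze, Analyze and Wait, and Get Report actions above describe one pattern: submit, receive a job ID, and poll for the report. The following Python is an added example of that pattern (not Devo SOAR or CrowdStrike code): it composes a non-blocking submit with a polled report fetch, wraps every result in the has_error / error / result envelope the actions on this page return, carries the correlation ID through so each report can be matched to its parent-table row, and fails closed on timeout. FakeSandbox, its submit/report methods, the job states, and the environment ID value 100 are all constructed stand-ins, not the Falcon Sandbox API.

```python
"""Added example: Analyze -> Get Report polling, with the has_error/error/result envelope.
Not Devo SOAR or Falcon Sandbox code; FakeSandbox is a constructed stand-in."""
import time


class FakeSandbox:
    """Constructed stand-in for a sandbox: a job's report becomes ready after `delay` polls."""

    def __init__(self, delay=2):
        self.delay = delay
        self.jobs = {}      # job_id -> {"env": ..., "filename": ..., "polls": ...}
        self._next = 0

    def submit(self, filename, environment_id):
        self._next += 1
        job_id = f"job-{self._next}"
        self.jobs[job_id] = {"env": environment_id, "filename": filename, "polls": 0}
        return job_id

    def report(self, job_id):
        job = self.jobs.get(job_id)
        if job is None:
            raise KeyError(f"unknown job {job_id}")
        job["polls"] += 1
        if job["polls"] < self.delay:
            return {"state": "IN_PROGRESS"}
        # Constructed verdict rule, purely for the demo.
        verdict = "malicious" if job["filename"].endswith(".exe") else "no specific threat"
        return {"state": "SUCCESS", "verdict": verdict, "environment_id": job["env"]}


def envelope(result=None, error=None):
    """Shape of every action output on this page: has_error / error / result."""
    return {"has_error": error is not None, "error": error, "result": result}


def analyze(sandbox, row, filename_col, environment_id, correlation_col=None):
    """'Analyze': submit one parent-table row and return the job description immediately."""
    filename = row.get(filename_col)
    if not filename:
        return envelope(error=f"row has no value in column {filename_col!r}")
    job_id = sandbox.submit(filename, environment_id)
    result = {"job_id": job_id, "environment_id": environment_id}
    if correlation_col:
        result["correlation_id"] = row.get(correlation_col)
    return envelope(result=result)


def get_report(sandbox, job_id):
    """'Get Report': fetch the report for a job ID; the same call serves file and URL jobs."""
    try:
        return envelope(result=sandbox.report(job_id))
    except KeyError as exc:
        return envelope(error=str(exc))


def analyze_and_wait(sandbox, row, filename_col, environment_id,
                     correlation_col=None, timeout_s=30.0, interval_s=0.01):
    """'Analyze and Wait': analyze, then poll get_report until the job leaves IN_PROGRESS.
    On timeout an error envelope is returned rather than a partial report."""
    submitted = analyze(sandbox, row, filename_col, environment_id, correlation_col)
    if submitted["has_error"]:
        return submitted
    job_id = submitted["result"]["job_id"]
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        rep = get_report(sandbox, job_id)
        if rep["has_error"]:
            return rep
        if rep["result"].get("state") != "IN_PROGRESS":
            merged = dict(submitted["result"], report=rep["result"])
            return envelope(result=merged)
        time.sleep(interval_s)
    return envelope(error=f"timed out after {timeout_s}s waiting for {job_id}")


if __name__ == "__main__":
    sb = FakeSandbox(delay=3)
    # Constructed parent-table rows: a filename column and a correlation-ID column.
    rows = [{"file": "invoice.exe", "cid": "alert-1"}, {"file": "", "cid": "alert-2"}]
    for r in rows:
        # 100 is a placeholder environment ID; use the values your sandbox exposes.
        print(analyze_and_wait(sb, r, "file", environment_id=100, correlation_col="cid"))
```

Keeping the blocking variant as a thin loop over the non-blocking pair is the point: a playbook that needs throughput submits with analyze and fetches later with get_report, while one that needs the verdict inline uses analyze_and_wait and still gets a well-formed error envelope on timeout instead of hanging.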

URL Quick Scan

Quickly checks whether any historical reports exist for a URL, returning the report IDs (if any) and the sha256 hash used for the lookup.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
URL Column name | Column name from the parent table to look up URL values. | Required
Scan Type | The Falcon Host Sandbox scan type (example: "lookup_ha" or "all"). | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Scan details.

Get Report with sha256 hashes

Returns a list of reports, given a list of hashes as an input.

Input Field

Choose a connection that you have previously created, then fill in the following input fields to run the action.

Input Name | Description | Required
Hash (sha256) Column name | Column name from the parent table to look up sha256 hash values. | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Report details.