Submit EML Files to CrowdStrike Falcon Sandbox
Once the CrowdStrike Falcon Sandbox integration is configured, analysts can submit attachments and URLs from any flagged message to CrowdStrike Falcon Sandbox for detonation, directly from the message detail view (MDV).
Submitting a sample
To submit a sample from a specific message:
- Open the message in the MDV.
- In the right action panel, click Send EML to CrowdStrike Sandbox.
- A Sandbox Analysis section appears in the MDV with the submission in progress.
You won’t be able to resubmit a message that's already been analyzed, “Submit” is greyed out.
Sandbox status indicators in the MDV
The Sandbox Analysis row in the MDV moves through these states:
- Analyzing — submitted and in progress; Falcon is detonating the sample.
- Malicious / Beinign / Suspicious — Falcon returned a verdict. Click the row to expand the full result. See Understanding CrowdStrike Sandbox results in Sublime.
- Error — submission or analysis failed. Click the row to expand the error detail. See Troubleshoot the CrowdStrike Sandbox Integration.
Viewing results
When a submission completes, the Sandbox Analysis row shows the verdict, threat score, detonation environment, and timestamps. Click View full report ↗ to open the detonation report directly in CrowdStrike Falcon.
Deduplication
If Sublime submits a sample whose hash Falcon has already analyzed, Falcon returns the existing result instead of re-running detonation. When a canonical id has been submitted/finished, Sublime just return the results we have saved for it (Sublime doesn’t call falcon again). This saves quota and shortens time-to-verdict. The Submitted and Completed timestamps in the MDV reflect the original Falcon analysis time when a cached result is returned.
Updated 1 day ago