How to Use Falcon X for Automated Threat Intelligence

Falcon X is CrowdStrike’s automated threat intelligence platform that enables security teams to analyze, investigate, and respond to threats faster. It integrates malware sandboxing, threat intelligence reports, and IOC enrichment into the Falcon Console, helping organizations proactively defend against emerging threats.

This guide explains how to use Falcon X to analyze threats and gather intelligence on malicious activity.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com.
  2. Sign in using your admin credentials.
  3. In the left-hand menu, navigate to Falcon X.

Step 2: Submit a File for Malware Analysis

  1. Go to Threat Intelligence > Falcon X Sandbox.
  2. Click Submit New File.
  3. Upload a file for analysis (e.g., suspicious executable, document, or script).
  4. Choose the analysis mode:
    • Standard – Runs a quick automated check.
    • Extended – Provides in-depth sandboxing results.
  5. Click Submit and wait for the sandbox results.

📌 Note: Falcon X will detonate the file in a safe environment, analyze its behavior, and generate a threat intelligence report.


Step 3: Review Falcon X Sandbox Analysis

  1. Once the analysis is complete, open the Falcon X Report.
  2. Review:
    • File behavior (e.g., process execution, network activity).
    • MITRE ATT&CK Tactics & Techniques used by the malware.
    • Command and Control (C2) communication indicators.
    • Associated IOCs (file hashes, domains, IP addresses).
  3. If the file is malicious, move to contain the threat.

Step 4: Investigate Threat Intelligence Reports

  1. Navigate to Falcon X > Intelligence Reports.
  2. Search for known threat actors, malware families, or tactics.
  3. Use the intelligence to:
    • Understand attacker motives and techniques.
    • Identify if the attack is part of a larger campaign.
    • Proactively block related threats using CrowdStrike’s IOCs.

Step 5: Export IOCs and Automate Response

  1. Navigate to Threat Intelligence > IOCs.
  2. Export malicious indicators and apply them to:
    • Firewall rules (block known bad IPs).
    • Endpoint security policies (prevent execution of similar files).
    • SIEM integration (correlate threats across logs).
  3. Configure automated playbooks in Falcon X to streamline future responses.
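The IOC export in Step 5 only pays off once the indicators are matched against your own telemetry. The following Python script is an added example, not part of this guide and not CrowdStrike code: it parses an exported indicator list, builds a firewall-ready IP blocklist, and correlates the hashes, domains and IPs against log lines. The CSV column layout (`type,value,malware_family`), the sample indicators and the log lines are all constructed for the example; adjust the column names to whatever your actual export contains.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed placeholder hash (8 x "deadbeef" = 64 hex chars), not a real IOC.
FAKE_HASH = "deadbeef" * 8

# Constructed sample of an IOC export. The column layout is an ASSUMPTION for
# this example, not the real Falcon X export schema.
IOC_CSV = f"""type,value,malware_family
sha256,{FAKE_HASH},ExampleLoader
domain,update-check.example.net,ExampleLoader
ipv4,203.0.113.45,ExampleLoader
ipv4,198.51.100.7,ExampleRAT
"""

# Constructed sample log lines (proxy, DNS and EDR style); not real telemetry.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://update-check.example.net/c.php",
    "2024-05-01T10:00:05Z dns client=10.0.0.12 query=update-check.example.net",
    f"2024-05-01T10:01:10Z edr host=WS-17 sha256={FAKE_HASH} proc=svch0st.exe",
    "2024-05-01T10:02:00Z proxy src=10.0.0.20 dst=93.184.216.34 url=http://www.example.com/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def load_iocs(csv_text):
    """Parse the export into {ioc_type: {value: malware_family}}, normalised to lower case."""
    iocs = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = row["type"].strip().lower()
        value = row["value"].strip().lower()
        iocs[kind][value] = row.get("malware_family", "").strip()
    return iocs


def extract_candidates(line):
    """Pull every hash, IPv4 address and domain-looking token out of one log line."""
    return {
        "sha256": {m.lower() for m in SHA256_RE.findall(line)},
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {m.lower() for m in DOMAIN_RE.findall(line)},
    }


def correlate(iocs, log_lines):
    """Return (line_number, ioc_type, value, malware_family) for every indicator hit."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for kind, candidates in extract_candidates(line).items():
            for value in sorted(candidates & set(iocs.get(kind, {}))):
                hits.append((n, kind, value, iocs[kind][value]))
    return hits


def firewall_blocklist(iocs):
    """Sorted IPv4 indicators, ready to feed into a firewall deny rule."""
    return sorted(iocs.get("ipv4", {}))


if __name__ == "__main__":
    loaded = load_iocs(IOC_CSV)
    print("Block these IPs:", ", ".join(firewall_blocklist(loaded)))
    for line_no, kind, value, family in correlate(loaded, SAMPLE_LOGS):
        print(f"line {line_no}: {kind} {value} ({family})")
```

Running it reports the two IPs for the firewall and three log lines that touch indicators (the proxy request to the C2 IP and domain, the DNS lookup, and the EDR event carrying the hash); the benign proxy line produces no hit. In a SIEM the same matching is normally done as a lookup against an indicator table rather than regex scanning, but the normalisation step (lower-casing, trimming) is what prevents silent misses either way.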

Best Practices for Falcon X

  • Submit all suspicious files for sandbox analysis before executing them.
  • Leverage threat intelligence reports to understand advanced attacker techniques.
  • Regularly export IOCs and apply them across firewalls, SIEMs, and EDR policies.
  • Use automated playbooks to streamline malware analysis and response workflows.