
How to Use Falcon X for Automated Threat Intelligence

Leverage CrowdStrike Falcon X for malware analysis and threat intelligence

Updated January 2025

Falcon X is CrowdStrike’s automated threat intelligence platform that enables security teams to analyze, investigate, and respond to threats faster. It integrates malware sandboxing, threat intelligence reports, and IOC enrichment into the Falcon Console, helping organizations proactively defend against emerging threats.

This guide explains how to use Falcon X to analyze threats and gather intelligence on malicious activity.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the URL varies by tenant).
  2. Sign in using your admin credentials.
  3. In the left-hand menu, navigate to Falcon X.

Step 2: Submit a File for Malware Analysis

  1. Go to Threat Intelligence > Falcon X Sandbox.
  2. Click Submit New File.
  3. Upload a file for analysis (e.g., suspicious executable, document, or script).
  4. Choose the analysis mode:
    • Standard – Runs a quick automated check.
    • Extended – Provides in-depth sandboxing results.
  5. Click Submit and wait for the sandbox results.

📌 Note: Falcon X will detonate the file in a safe environment, analyze its behavior, and generate a threat intelligence report.


Step 3: Review Falcon X Sandbox Analysis

  1. Once the analysis is complete, open the Falcon X Report.
  2. Review:
    • File behavior (e.g., process execution, network activity).
    • MITRE ATT&CK Tactics & Techniques used by the malware.
    • Command and Control (C2) communication indicators.
    • Associated IOCs (file hashes, domains, IP addresses).
  3. If the file is malicious, move to contain the threat.

Step 4: Investigate Threat Intelligence Reports

  1. Navigate to Falcon X > Intelligence Reports.
  2. Search for known threat actors, malware families, or tactics.
  3. Use the intelligence to:
    • Understand attacker motives and techniques.
    • Identify if the attack is part of a larger campaign.
    • Proactively block related threats using CrowdStrike’s IOCs.

Step 5: Export IOCs and Automate Response

  1. Navigate to Threat Intelligence > IOCs.
  2. Export malicious indicators and apply them to:
    • Firewall rules (block known bad IPs).
    • Endpoint security policies (prevent execution of similar files).
    • SIEM integration (correlate threats across logs).
  3. Configure automated playbooks in Falcon X to streamline future responses.
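Correlating the exported indicators with telemetry, as an added example that is not part of this guide and not CrowdStrike code: it assumes a constructed two-column CSV export (type,value) and constructed DNS, proxy and EDR log lines, and shows the normalization (case, defanged `[.]`/`hxxp`) that is needed before a SIEM match will fire.

```python
import csv
import io
import re

# Constructed sample IOC export (format assumed; not a real Falcon X export).
IOC_EXPORT = """type,value
domain,update[.]evil-cdn[.]example
ipv4,203.0.113.45
sha256,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
"""

# Constructed log lines from DNS, proxy and endpoint telemetry.
SAMPLE_LOGS = [
    "2025-01-10T09:12:01Z dns host=wks-17 query=update.evil-cdn.example rcode=NOERROR",
    "2025-01-10T09:12:03Z proxy host=wks-17 dst=203.0.113.45:443 action=allow",
    "2025-01-10T09:13:10Z edr host=wks-17 event=ProcessRollup2 "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2025-01-10T09:14:00Z dns host=wks-22 query=login.microsoftonline.com rcode=NOERROR",
]

TOKEN_RE = re.compile(r"[a-z0-9.\-]+")
HOST_RE = re.compile(r"host=(\S+)")


def normalize(value: str) -> str:
    """Lower-case and re-fang an indicator (exports are often defanged)."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str) -> dict:
    """Parse the CSV export into {type: set(normalized values)}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(text)):
        iocs.setdefault(row["type"], set()).add(normalize(row["value"]))
    return iocs


def match_logs(iocs: dict, logs) -> list:
    """Return (line, ioc_type, value) for every log line containing an indicator."""
    wanted = {v: t for t, vals in iocs.items() for v in vals}
    hits = []
    for line in logs:
        for tok in TOKEN_RE.findall(line.lower()):
            if tok in wanted:
                hits.append((line, wanted[tok], tok))
    return hits


def affected_hosts(hits) -> list:
    """Hosts named in matching lines, i.e. the containment candidates from Step 3."""
    return sorted({m.group(1) for line, _, _ in hits for m in [HOST_RE.search(line)] if m})
```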

Frequently Asked Questions


If Falcon X provides inconclusive results during Standard analysis, it’s advisable to switch to Extended analysis mode. This mode allows the malware to execute for a longer duration and simulates user interactions, which can help reveal hidden behaviors. Additionally, consider reviewing the analysis logs for any specific indicators of execution failure or network connectivity issues. If the file is suspected to be particularly evasive, leverage Falcon OverWatch for human-assisted investigation. Always document your findings and refine your submission process to include any necessary details about the file's origin or expected behavior to improve future analyses.
