
How to Use Falcon X for Automated Threat Intelligence

Master CrowdStrike Falcon X for automated malware analysis, threat intelligence reports, and IOC enrichment. Learn sandbox analysis and threat investigation workflows.

15 min read · Updated January 2026


Falcon X is CrowdStrike’s automated threat intelligence platform that enables security teams to analyze, investigate, and respond to threats faster. It integrates malware sandboxing, threat intelligence reports, and IOC enrichment into the Falcon Console, helping organizations proactively defend against emerging threats.

This guide explains how to use Falcon X to analyze threats and gather intelligence on malicious activity.


Step 1: Log Into the Falcon Console

    - Open a browser and go to: [https://falcon.crowdstrike.com](https://falcon.crowdstrike.com/) or [https://falcon.us-2.crowdstrike.com/](https://falcon.us-2.crowdstrike.com/) (varies by tenant).
    - Sign in using your **admin credentials**.
    - In the **left-hand menu**, navigate to **Falcon X**.

---

Step 2: Submit a File for Malware Analysis

    - Go to **Threat Intelligence** > **Falcon X Sandbox**.
    - Click **Submit New File**.
    - Upload a file for analysis (e.g., suspicious executable, document, or script).
    - Choose the **analysis mode**:
        • Standard – Runs a quick automated check.
        • Extended – Provides in-depth sandboxing results.
    - Click Submit and wait for the sandbox results.

📌 Note: Falcon X will detonate the file in a safe environment, analyze its behavior, and generate a threat intelligence report.


Step 3: Review Falcon X Sandbox Analysis

    - Once the analysis is complete, open the **Falcon X Report**.
    - Review:
        • File behavior (e.g., process execution, network activity).
        • MITRE ATT&CK Tactics & Techniques used by the malware.
        • Command and Control (C2) communication indicators.
        • Associated IOCs (file hashes, domains, IP addresses).
    - If the file is malicious, move to contain the threat.


Step 4: Investigate Threat Intelligence Reports

    - Navigate to **Falcon X > Intelligence Reports**.
    - Search for known **threat actors, malware families, or tactics**.
    - Use the intelligence to:
        • Understand attacker motives and techniques.
        • Identify if the attack is part of a larger campaign.
        • Proactively block related threats using CrowdStrike’s IOCs.

---

Step 5: Export IOCs and Automate Response

    - Navigate to **Threat Intelligence > IOCs**.
    - Export malicious indicators and apply them to:
        • Firewall rules (block known bad IPs).
        • Endpoint security policies (prevent execution of similar files).
        • SIEM integration (correlate threats across logs).
    - Configure automated playbooks in Falcon X to streamline future responses.
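One way to split an exported indicator list across the three controls in Step 5 before importing it anywhere, as an added example (not CrowdStrike code and not part of the original guide). The `type`/`value` CSV layout, the function names, and the sample rows are assumptions constructed for illustration; the IP addresses are documentation-range placeholders and the SHA-256 is that of empty input.

```python
import csv
import io
import ipaddress
import re

# Constructed sample; the "type"/"value" columns are an assumed layout, not Falcon's schema.
SAMPLE_EXPORT = """type,value
ipv4,203.0.113.45
ipv4,10.0.0.5
ipv4,203.0.113.45
domain,Bad-Example.test
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
sha256,not-a-hash
"""

# Internal ranges that must never land in a block rule (extend with your own networks).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def check(kind, value):
    """Return (destination, None) for a usable IOC, or (None, reason) if rejected."""
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return None, "not an IPv4 address"
        internal = any(ip in net for net in NEVER_BLOCK)
        return (None, "internal range") if internal else ("firewall_ips", None)
    if kind in HASH_LEN:
        ok = len(value) == HASH_LEN[kind] and re.fullmatch(r"[0-9a-f]+", value)
        return ("endpoint_hashes", None) if ok else (None, "malformed hash")
    if kind == "domain":
        return ("siem_domains", None) if DOMAIN_RE.match(value) else (None, "malformed domain")
    return None, "unknown indicator type"


def route_iocs(csv_text):
    """Split exported IOCs into de-duplicated per-control lists plus a reject log."""
    routed = {"firewall_ips": set(), "endpoint_hashes": set(), "siem_domains": set()}
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, value = ((row.get(c) or "").strip().lower() for c in ("type", "value"))
        dest, reason = check(kind, value)
        if dest:
            routed[dest].add(value)
        else:
            rejected.append((kind, value, reason))
    return {k: sorted(v) for k, v in routed.items()}, rejected
```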

Frequently Asked Questions


If Falcon X provides inconclusive results during Standard analysis, it’s advisable to switch to Extended analysis mode. This mode allows the malware to execute for a longer duration and simulates user interactions, which can help reveal hidden behaviors. Additionally, consider reviewing the analysis logs for any specific indicators of execution failure or network connectivity issues. If the file is suspected to be particularly evasive, leverage Falcon OverWatch for human-assisted investigation. Always document your findings and refine your submission process to include any necessary details about the file's origin or expected behavior to improve future analyses.
