
How to Use Falcon X for Automated Threat Intelligence

Master CrowdStrike Falcon X for automated malware analysis, threat intelligence reports, and IOC enrichment. Learn sandbox analysis and threat investigation workflows.

15 min read · Updated January 2026

Falcon X is CrowdStrike’s automated threat intelligence platform that enables security teams to analyze, investigate, and respond to threats faster. It integrates malware sandboxing, threat intelligence reports, and IOC enrichment into the Falcon Console, helping organizations proactively defend against emerging threats.

This guide explains how to use Falcon X to analyze threats and gather intelligence on malicious activity.


Step 1: Log Into the Falcon Console

  1. Open a browser and go to https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (the console URL varies by tenant).
  2. Sign in using your admin credentials.
  3. In the left-hand menu, navigate to Falcon X.

Step 2: Submit a File for Malware Analysis

  1. Go to Threat Intelligence > Falcon X Sandbox.
  2. Click Submit New File.
  3. Upload a file for analysis (e.g., a suspicious executable, document, or script).
  4. Choose the analysis mode:
     - Standard – Runs a quick automated check.
     - Extended – Provides in-depth sandboxing results.
  5. Click Submit and wait for the sandbox results.

📌 Note: Falcon X detonates the file in a safe environment, analyzes its behavior, and generates a threat intelligence report.

Step 3: Review Falcon X Sandbox Analysis

  1. Once the analysis is complete, open the Falcon X Report.
  2. Review:
     - File behavior (e.g., process execution, network activity).
     - MITRE ATT&CK tactics and techniques used by the malware.
     - Command and Control (C2) communication indicators.
     - Associated IOCs (file hashes, domains, IP addresses).
  3. If the file is malicious, move to contain the threat.

Step 4: Investigate Threat Intelligence Reports

  1. Navigate to Falcon X > Intelligence Reports.
  2. Search for known threat actors, malware families, or tactics.
  3. Use the intelligence to:
     - Understand attacker motives and techniques.
     - Identify whether the attack is part of a larger campaign.
     - Proactively block related threats using CrowdStrike’s IOCs.

Step 5: Export IOCs and Automate Response

  1. Navigate to Threat Intelligence > IOCs.
  2. Export malicious indicators and apply them to:
     - Firewall rules (block known bad IPs).
     - Endpoint security policies (prevent execution of similar files).
     - SIEM integration (correlate threats across logs).
  3. Configure automated playbooks in Falcon X to streamline future responses.

Frequently Asked Questions


If Falcon X provides inconclusive results during Standard analysis, it’s advisable to switch to Extended analysis mode. This mode allows the malware to execute for a longer duration and simulates user interactions, which can help reveal hidden behaviors. Additionally, consider reviewing the analysis logs for any specific indicators of execution failure or network connectivity issues. If the file is suspected to be particularly evasive, leverage Falcon OverWatch for human-assisted investigation. Always document your findings and refine your submission process to include any necessary details about the file's origin or expected behavior to improve future analyses.

To optimize Falcon X IOC integration with your SIEM, start by exporting IOCs in formats compatible with your platform, such as STIX/TAXII or JSON. Implement automated feeds for real-time updates, ensuring your SIEM is configured to prioritize high-confidence IOCs for immediate threat responses. Establish a classification system based on threat severity to differentiate between blocking rules and monitoring alerts. Regularly review and adjust your detection rules to align with new IOCs and emerging threats identified by Falcon X. Creating a feedback loop between SIEM detections and Falcon X can enhance threat intelligence accuracy and response times.
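As an added example of the Step 5 and SIEM-integration workflow described above (this is not CrowdStrike's code, and the JSON field names, confidence threshold and log lines are constructed assumptions, not the real Falcon X export schema), the script below splits an exported IOC list into blocking rules for high-confidence indicators and monitoring rules for the rest, then checks sample log lines against each set:

```python
import json
import re

# Constructed sample IOC export. Field names are assumed for illustration
# and do not reproduce the actual Falcon X export format.
SAMPLE_IOC_EXPORT = json.dumps([
    {"type": "ipv4",   "value": "203.0.113.45",         "confidence": 95,  "severity": "high"},
    {"type": "domain", "value": "update-check.example", "confidence": 60,  "severity": "medium"},
    {"type": "sha256", "value": "a" * 64,               "confidence": 100, "severity": "critical"},
    {"type": "ipv4",   "value": "198.51.100.7",         "confidence": 20,  "severity": "low"},
])

# Constructed log lines (proxy, DNS, EDR) to correlate against the indicators.
SAMPLE_LOGS = [
    "2026-01-10T09:12:01Z proxy allow src=10.0.0.5 dst=203.0.113.45:443 host=cdn.example",
    "2026-01-10T09:12:07Z dns query name=update-check.example type=A",
    "2026-01-10T09:13:22Z edr process sha256=" + "a" * 64 + " path=C:\\Users\\x\\run.exe",
    "2026-01-10T09:14:00Z proxy allow src=10.0.0.6 dst=192.0.2.9:80 host=intranet.local",
]

BLOCK_THRESHOLD = 80  # assumed policy: confidence >= 80 becomes a blocking rule

# Tokens are either a full SHA-256 hex string or a run of word chars, dots and dashes
# (covers IPv4 addresses and domains); port suffixes such as ":443" are split off.
TOKEN_RE = re.compile(r"[0-9a-f]{64}|[\w.-]+")


def classify_iocs(export_json: str) -> dict:
    """Split exported IOCs into 'block' (high confidence) and 'monitor' (lower) lists."""
    rules = {"block": [], "monitor": []}
    for ioc in json.loads(export_json):
        bucket = "block" if ioc["confidence"] >= BLOCK_THRESHOLD else "monitor"
        rules[bucket].append((ioc["type"], ioc["value"]))
    return rules


def match_logs(log_lines, iocs) -> list:
    """Return (line_no, indicator) for each log line containing one of the given IOC values."""
    index = {value.lower() for _, value in iocs}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for token in TOKEN_RE.findall(line.lower()):
            if token in index:
                hits.append((n, token))
    return hits


if __name__ == "__main__":
    rules = classify_iocs(SAMPLE_IOC_EXPORT)
    print("block:", match_logs(SAMPLE_LOGS, rules["block"]))      # immediate response
    print("monitor:", match_logs(SAMPLE_LOGS, rules["monitor"]))  # alert only
```

Feeding the two lists into separate SIEM rule sets (blocking versus alerting) gives the severity-based classification the FAQ recommends.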

When analyzing a password-protected file in Falcon X, ensure you provide the correct password during submission for proper execution. This is crucial for files such as encrypted Office documents or PDFs that may contain malicious code. If you encounter issues with the file not executing as expected, verify that the password is correct and that the file format is supported. Additionally, consider using Extended analysis mode to allow for more thorough interactions, which is particularly beneficial for triggering malware that requires user actions. Document the analysis process and results for future reference and improvement.
