Group-IB THF Polygon
Polygon Pack.#
This Integration is part of theTHF Polygon is a Malware Detonation & Research platform designed for deep dynamic analysis and enhanced indicators extraction. THF Polygon analyzes submitted files and urls and extracts deep IOCs that appear when malicious code is triggered and executed. Polygon could be used either for application-level tasks (like smtp-based mail filtering) and analytical purposes (files/urls analysis for verdict, report and indicators). This integration was integrated and tested with version 3.1 of Group-IB THF Polygon
#
Configure Group-IB THF Polygon in CortexParameter | Description | Required |
---|---|---|
server | Server URL (e.g., https://huntbox.group-ib.com ) | True |
api_key | API Key | True |
report_language | Default reports language | True |
insecure | Trust any certificate (insecure) | False |
proxy | Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
polygon-upload-fileUpload file for analysis
#
Base Commandpolygon-upload-file
#
InputArgument Name | Description | Required |
---|---|---|
file_id | File ID in Demisto | Required |
password | Password for analyzed archive | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
Polygon.Analysis.ID | string | Analysis ID in THF |
Polygon.Analysis.EntryID | string | File id in Demisto |
Polygon.Analysis.FileName | string | Original file name |
Polygon.Analysis.Status | string | The analysis status |
#
Command Example!polygon-upload-file file_id=4@br password="123456"
#
Context Example#
Human Readable OutputFile uploaded successfully. Analysis ID: F2136015
#
polygon-upload-urlUpload URL for analysis.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
#
Base Commandpolygon-upload-url
#
InputArgument Name | Description | Required |
---|---|---|
url | URL for analysis | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Polygon.Analysis.ID | string | Analysis ID in THF. |
Polygon.Analysis.URL | string | URL analyzed. |
Polygon.Analysis.Status | string | Polygon analysis status. |
#
Command Example!polygon-upload-url url=http://reqw.xyz/pik.zip
#
Context Example#
Human Readable OutputUrl uploaded successfully. Analysis ID: U2152031
#
polygon-analysis-infoGet THF Polygon analysis info
#
Base Commandpolygon-analysis-info
#
InputArgument Name | Description | Required |
---|---|---|
tds_analysis_id | Analysis ID in THF. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | string | The full file name (including file extension). |
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Type | string | File type. |
File.Malicious.Vendor | string | The vendor that reported the file as malicious. |
File.Malicious.Description | string | A description explaining why the file was determined to be malicious. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
IP.Address | String | IP address. |
Domain.Name | String | The Domain name. |
Domain.DNS | String | A list of IP objects resolved by DNS. |
URL.Data | String | The URL. |
URL.Malicious.Vendor | string | The vendor that reported the url as malicious. |
URL.Malicious.Description | string | A description explaining why the url was determined to be malicious. |
RegistryKey.Path | String | The path to the registry key. |
RegistryKey.Value | String | The value at the given RegistryKey. |
Process.Name | String | Process name. |
Process.PID | String | Process PID. |
Process.CommandLine | String | Process Command Line. |
Process.Path | String | Process path. |
Process.StartTime | date | Process start time. |
Process.EndTime | date | Process end time. |
Polygon.Analysis.ID | string | THF File ID. |
Polygon.Analysis.Name | string | File Name. |
Polygon.Analysis.Size | number | File Size. |
Polygon.Analysis.Started | date | Analysis start timestamp. |
Polygon.Analysis.Analyzed | date | Analysis finish timestamp. |
Polygon.Analysis.MD5 | string | Analyzed file MD5 hash. |
Polygon.Analysis.SHA1 | string | Analyzed file SHA1 hash. |
Polygon.Analysis.SHA256 | string | Analyzed file SHA256. |
Polygon.Analysis.Result | boolean | Analysis verdict. |
Polygon.Analysis.Status | string | Analysis status. |
Polygon.Analysis.Verdict | string | Analysis verdict. |
Polygon.Analysis.Probability | string | Verdict probability. |
Polygon.Analysis.Families | string | Malware families. |
Polygon.Analysis.Score | number | Polygon score |
Polygon.Analysis.Internet-connection | string | Internet availability. |
Polygon.Analysis.Type | string | File type. |
Polygon.Analysis.DumpExists | boolean | Network activity dump exists. |
Polygon.Analysis.File | unknown | The information about files in analysis. |
Polygon.Analysis.URL | unknown | The information about URL indicators. |
Polygon.Analysis.IP | unknown | The information about IP indicators. |
Polygon.Analysis.Domain | unknown | The information about Domain indicators. |
Polygon.Analysis.RegistryKey | unknown | The information about registry keys which were modified during the analysis. |
Polygon.Analysis.Process | unknown | The information about processes started during the analysis. |
#
Command Example!polygon-analysis-info tds_analysis_id=F2118597
#
Context Example#
Human Readable Output#
Analysis F2118597
Analyzed DumpExists ID Internet-connection MD5 Name Probability Result SHA1 SHA256 Score Size Started Status Type Verdict 2020-05-07 10:29:42 true F2118597 Available ba9fe2cb8ee2421ea24a55306ce9d923 link.pdf 64.80% true 44b3f79dfd7c5861501a19a3bac89f544c7ff815 0d1b77c84c68c50932e28c3462a1962916abbbebb456ce654751ab401aa37697 24.6 36375 2020-05-07 10:27:30 Finished PDF document, version 1.7 Malicious
#
polygon-export-reportExport an archive with THF Polygon report to War Room
#
Base Commandpolygon-export-report
#
InputArgument Name | Description | Required |
---|---|---|
tds_analysis_id | Analysis ID in THF | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | string | The report file name. |
File.EntryID | string | Report file ID in Demisto. |
File.Size | number | The report size. |
File.Type | string | The report file type. |
File.Info | string | The report file info. |
#
Command Example!polygon-export-report tds_analysis_id=F2118597
#
Context Example#
Human Readable Output#
polygon-export-pcapNetwork activity dump export
#
Base Commandpolygon-export-pcap
#
InputArgument Name | Description | Required |
---|---|---|
tds_analysis_id | Analysis ID in THF | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | string | The dump file name. |
File.EntryID | string | The dump file ID in Demisto. |
File.Size | number | The dump file size. |
File.Type | string | The dump file type. |
File.Info | unknown | The dump file info. |
#
Command Example!polygon-export-pcap tds_analysis_id=F2118597
#
Context Example#
Human Readable Output#
polygon-export-videoScreen activity video export
#
Base Commandpolygon-export-video
#
InputArgument Name | Description | Required |
---|---|---|
tds_analysis_id | Analysis ID in THF | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Name | string | The video file name |
File.EntryID | string | The video file ID in Demisto |
File.Size | number | The video file size |
File.Type | string | The video file type |
File.Info | string | The video file info |
#
Command Example!polygon-export-video tds_analysis_id=F2118597
#
Context Example#
Human Readable Output#
fileCheck file reputation
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | File hash (MD5, SHA1, SHA256) | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.MD5 | string | The MD5 hash of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Malicious.Vendor | string | The vendor that reported the file as malicious. |
File.Malicious.Description | string | A description explaining why the file was determined to be malicious. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
Polygon.Analysis.Score | number | Malware score in Polygon. |
Polygon.Analysis.MD5 | string | The MD5 hash of the file. |
Polygon.Analysis.SHA1 | string | The SHA1 hash of the file. |
Polygon.Analysis.SHA256 | string | The SHA256 hash of the file. |
Polygon.Analysis.Found | bool | File was found in cloud or not. |
Polygon.Analysis.Verdict | bool | Polygon verdict for file. |
Polygon.Analysis.Malware-families | string | Malware families. |
#
Command Example!file file=eb57446af5846faa28a726a8b7d43ce5a7fcbd55
#
Context Example#
Human Readable Output#
Results
Found Malware-families SHA1 Score Verdict true eb57446af5846faa28a726a8b7d43ce5a7fcbd55 24.0 true