Skip to main content

PolySwarm

Real-time threat intelligence from a crowd-sourced network of security experts and antivirus companies.

Configure PolySwarmV2 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for PolySwarmV2.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    PolySwarm API KeyTrue
    The base URL to connect toTrue
    PolySwarm v2 Communitythe segment of PolySwarm's marketplace to query on.True
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

polyswarm-get-report#


Returns a report using the UUID.

Base Command#

polyswarm-get-report

Input#

Argument NameDescriptionRequired
scan_uuidUUID string.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.
Command Example#

!polyswarm-get-report scan_uuid="25e755c8957163376b3437ce808843c1c2598e0fb3c5f31dc958576cd5cde63e"
!polyswarm-get-report scan_uuid="25e755c8957163376b3437ce808843c1c2598e0fb3c5f31dc958576cd5cde63e, 2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe"

Human Readable Output#

file#


Queries PolySwarm for file reputation information.

Base Command#

file

Input#

Argument NameDescriptionRequired
hashThe value of the file hash for which to retrieve the reputation information. The hash type can be: "SHA256", "SHA1", or "MD5".Optional
fileThe type of the file hash for which to retrieve the reputation information. The hash type can be: "SHA256", "SHA1", or "MD5".Optional

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.

Command Example#

!file hash="2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe"
!file hash="2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe, 1d4c0b32aea68056755daf70689699200ffa09688495ccd65a0907cade18bd2a"

Human Readable Output#

ip#


Queries PolySwarm for IP reputation information.

Base Command#

ip

Input#

Argument NameDescriptionRequired
ipThe IP address for which to retrieve the reputation information.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
IP.AddressStringThe IP address.
IP.Malicious.VendorStringFor malicious files, the vendor that made the decision.
IP.MalwareFamilyStringThe malware family associated with the IP.
IP.TagsStringTags that are associated with the IP.

Command Example#

!ip ip="8.8.8.8"

url#


Queries PolySwarm for URL reputation information.

Base Command#

url

Input#

Argument NameDescriptionRequired
urlThe URL for which to retrieve the reputation information.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
URL.DataStringThe URL address.
URL.Malicious.VendorStringFor malicious files, the vendor that made the decision.
URL.MalwareFamilyStringThe malware family associated with the url.
URL.TagsStringTags that are associated with the url.

Command Example#

!url url="https://polyswarm.io"

Context Example#

Human Readable Output#

domain#


Queries PolySwarm to retrieve domain reputation information.

Base Command#

domain

Input#

Argument NameDescriptionRequired
domainDomain for which to retrieve the reputation information.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
Domain.NameStringThe domain name, for example: "google.com".
Domain.Malicious.VendorStringFor malicious files, the vendor that made the decision.
Domain.MalwareFamilyStringThe malware family associated with the domain.
Domain.TagsStringTags that are associated with the domain.

Command Example#

!domain domain="polyswarm.io"

Context Example#

Human Readable Output#

url-scan#


Uploads a URL to PolySwarm and retrieves the analysis results.

Base Command#

url-scan

Input#

Argument NameDescriptionRequired
urlThe URL to scan.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.

Command Example#

!url-scan url="https://polyswarm.io"
!url-scan url="https://polyswarm.io, https://polyswarm.network"

Human Readable Output#

file-rescan#


Rescans the uploaded artifact by hash.

Base Command#

file-rescan

Input#

Argument NameDescriptionRequired
hashThe type of the file hash to rescan. The hash type can be: "SHA256", "SHA1", or "MD5".Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.

Command Example#

!file-rescan hash="2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe"
!file-rescan hash="2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe, 25e755c8957163376b3437ce808843c1c2598e0fb3c5f31dc958576cd5cde63e"

Human Readable Output#

get-file#


Downloads a file hash from PolySwarm.

Base Command#

get-file

Input#

Argument NameDescriptionRequired
hashThe file hash type to download. The hash type can be: "SHA256", "SHA1", or "MD5".Required

Context Output#

PathTypeDescription
File.SizeNumberThe file size.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe sample name.
File.SSDeepStringThe SSDeep hash of the file.
File.EntryIDStringThe War Room entry ID of the file.
File.InfoStringBasic information of the file.
File.TypeStringFile type. For example, "PE".
File MD5StringThe MD5 hash of the file.
File.ExtensionStringThe file extension.
PolySwarm.FileIDStringThe file ID.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.TypeStringThe indicator type.
DBotScore.IndicatorStringThe indicator that was tested.
File.Tags.TagGroups.TagGroupNameStringThe tag's group name.
File.Tags.AliasesStringAliases of the tags.
File.Tags.PublicTagNameStringThe public name of the tag. This is usually used as the ID of the tag.
File.Tags.TagNameStringThe simple name of the tag.

Command Example#

!get-file hash="2410907a92b16dbd23a88d6bbd5037eae20eea809279f370293b587e1996eafe

Human Readable Output#

file-scan#


Uploads a file to PolySwarm and retrieves the analysis results.

Base Command#

file-scan

Input#

Argument NameDescriptionRequired
entryIDThe War Room entry ID of the file.Required

Context Output#

PathTypeDescription
PolySwarm.TotalNumberThe total number of scans.
PolySwarm.PermalinkStringPolySwarm permalink results.
PolySwarm.PositivesNumberThe total number of positives found.
PolySwarm.Scan_UUIDStringThe PolySwarm scan UUID.
PolySwarm.ArtifactStringThe artifact queried.

Command Example#

!file-scan entryID="995@0c42ee2d-57ff-4ccf-88ef-8d51c7936595"

Human Readable Output#