Cyware Threat Intelligence eXchange

PolySwarm

Connector Category: Enrichment Tool

About Integration

With PolySwarm, you can enrich MD5, SHA1, and SHA256 hashes with contextual threat intelligence and use PolyScore to focus on the most relevant threat signals. PolyScore ranks engine opinions based on past performance, strengths, confidence levels, and other contextual indicators from millions of daily assertions.

Use Cases

  • View enrichment details for MD5, SHA1, and SHA256 hashes from PolySwarm.

  • Check PolyScore values to quickly gauge threat confidence and reduce false positives during investigations.

  • Examine contextual indicators linked to a hash to support investigation decisions.

Supported Threat Data Objects for Enrichment Using PolySwarm

You can enrich Indicator (MD5, SHA1, and SHA256 hash) threat data objects using the PolySwarm integration in Intel Exchange.

Configure PolySwarm as an Enrichment Tool

Configure the PolySwarm tool in Intel Exchange to enrich hashes.

Before you Start

  • Ensure that your user group has Create, Update, and View permissions for enrichment tools and their associated policies in Intel Exchange.

  • You must have the API key of your PolySwarm account.

Steps

To configure PolySwarm as an enrichment tool in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the PolySwarm enrichment tool.

  3. Click Add Account and enter the following details:

    • Account Name: Enter a unique account name to identify the instance. For example, PolySwarm Prod.

    • API Key: Enter the API key of your PolySwarm account to authenticate communication between Intel Exchange and the PolySwarm servers.

  4. Click Save.

After you save the account, you can use PolySwarm to enrich MD5, SHA1, and SHA256 hash threat data objects.

Enable PolySwarm Enrichment Type

After successfully adding an account, you can view and enable the PolySwarm feed enrichment type.

Configure Enrichment Quota

You can also configure a quota to limit the number of enrichment requests Intel Exchange makes to PolySwarm. Once the quota is used up, you cannot make enrichment requests until it resets at the start of the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

The following table shows the number of API calls and quota units consumed by the PolySwarm enrichment tool for each enrichment:

Enrichment Tool   Feed Enrichment Type   Number of API Calls   Quota Consumed
PolySwarm         Hash                   1                     1

You can configure an enrichment policy to automatically enrich threat data objects using the PolySwarm enrichment tool. For more information, see Enrichment Policy.

Enrich Threat Data Object

You can use PolySwarm to enrich MD5, SHA1, and SHA256 hash indicators with verdicts, PolyScore values, and contextual threat intelligence to support faster and more accurate investigations.

To enrich a threat data object using PolySwarm, follow these steps:

  1. Go to Main Menu > Collection > Threat Data and filter threat data objects by Indicator object type.

  2. Select the object you want to enrich.

    Note

    PolySwarm supports enrichment only for MD5, SHA1, and SHA256 hash indicator types.

  3. In the Enrichment tab, select PolySwarm under Enrichment Details, then click Enrich.

You can view the enrichment details in Enrichment Payload. You can also click Re-Enrich to enrich the threat data object again.
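As an added example that is not part of the Cyware documentation or the PolySwarm integration, the following Python script applies the two rules documented above before a batch of indicators is sent for enrichment: only MD5, SHA1, and SHA256 hash values are eligible, and each hash enrichment costs one API call and one quota unit. The function names, the `quota_remaining` parameter, and the sample batch are constructed for illustration.

```python
import re
from collections import Counter

# Hash types the PolySwarm enrichment accepts, keyed by hex-digit length.
SUPPORTED_HASH_TYPES = {32: "MD5", 40: "SHA1", 64: "SHA256"}
# Documented cost per hash enrichment: one API call, one quota unit.
QUOTA_UNITS_PER_HASH = 1
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def classify_indicator(value):
    """Return 'MD5', 'SHA1' or 'SHA256' for an eligible value, else None."""
    v = value.strip()
    if not HEX_RE.fullmatch(v):
        return None
    return SUPPORTED_HASH_TYPES.get(len(v))


def plan_enrichment(indicators, quota_remaining):
    """Separate eligible hashes (deduplicated case-insensitively) from values
    PolySwarm cannot enrich, and check the batch against the remaining quota."""
    eligible, skipped, seen = [], [], set()
    for value in indicators:
        hash_type = classify_indicator(value)
        if hash_type is None:
            skipped.append(value)
            continue
        key = value.strip().lower()
        if key in seen:
            continue  # same hash again: enrich once, spend one unit
        seen.add(key)
        eligible.append((key, hash_type))
    units_needed = len(eligible) * QUOTA_UNITS_PER_HASH
    return {
        "eligible": eligible,
        "skipped": skipped,
        "by_type": dict(Counter(t for _, t in eligible)),
        "units_needed": units_needed,
        "fits_quota": units_needed <= quota_remaining,  # constructed check
    }


if __name__ == "__main__":
    # Constructed batch: the page's example MD5, synthetic SHA1/SHA256-length
    # values, a domain PolySwarm cannot enrich, and an uppercase duplicate.
    sample = [
        "44d88612fea8a8f36de82e1278abb02f",
        "a" * 40,
        "b" * 64,
        "example.test",
        "44D88612FEA8A8F36DE82E1278ABB02F",
    ]
    print(plan_enrichment(sample, quota_remaining=5))
```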

Enrich Object in Threat Investigation Canvas

Enhance threat data in the Threat Investigation Canvas by interacting directly with nodes. This allows you to gain deeper insights into observable or threat objects and visualize enriched data for more informed analysis.

Before you Start

Ensure that you have Create, View, and Update Threat Investigations permissions.

Steps

To enrich a threat data object using the threat investigation canvas, follow these steps:

  1. Go to Main Menu > Analysis > Threat Investigations.

  2. Enter a unique title for the canvas. For example, Hash Analysis.

  3. Click the Add Node icon on the left. The Indicator, Domain Objects, and Observables object types are listed.

  4. Select an object type required for your investigation or drag it to the canvas. For PolySwarm, you can select MD5, SHA1, or SHA256 from the Indicator object type. For example, SHA256.

  5. Enter the hash value of the object. For example, 44d88612fea8a8f36de82e1278abb02f.

  6. To enrich the object, right-click the node, expand Enrich, select PolySwarm, and click Enrich.

After a successful enrichment, double-click the node and go to the Enrichments tab to view the enrichment details.