PolySwarm Sandbox
App Vendor: PolySwarm Sandbox
App Category: Forensics & Malware Analysis
Connector Version: 1.2.0
API Version: v3
About App
PolySwarm is a more effective way to detect, analyze, and respond to the latest threats, the ones more likely to go undetected by existing solutions. PolySwarm is powered by a network of threat detection engines. It combines wide coverage from commercial engines with the ability to detect threats earlier from specialized solutions.
The PolySwarm Sandbox app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Create Report | This action creates a report for an artifact. |
Get Hash Details | This action searches hash details. |
Get Sandbox List | This action gets sandbox providers to obtain the sandbox name and sandbox virtual machine (VM). |
List Sandbox Tasks | This action lists all the sandbox tasks. |
Lookup Sandbox | This action gets a sandbox task by its ID. |
Scan File | This action scans a file. |
Scan URL | This action scans a URL. |
Search Hash by IOC | This action searches for hashes associated with an IP, URL, imphash, or MITRE tactic, technique, and procedure (TTP). |
Search IOC by Hash | This action searches IOCs by hash value. |
Submit File | This action submits a file for sandboxing. |
Submit URL | This action submits a URL for sandboxing. |
Configuration Parameters
The following configuration parameters are required for the PolySwarm Sandbox app to communicate with the PolySwarm Sandbox enterprise application. The parameters can be configured by creating instances in the application.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to connect with PolySwarm. | Text | Required | |
API Token | Enter the API token to authenticate with PolySwarm. | Password | Required | |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Action: Create Report
This action creates a report for an artifact.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sandbox Type | Enter the type of the sandbox. Example: scan | Text | Required | Allowed values: scan, sandbox, sandbox_zip |
Sandbox Format | Enter the format of the report. | Text | Required | Allowed values: pdf, html, zip |
Instance ID | Enter the instance ID to generate a scanning report. Example: 52ae1b85-cc31-4088-a8e1-2d1bcf4ccb57 | Text | Optional | |
Sandbox Task ID | Enter the sandbox task ID to generate a sandboxing report or sandbox zip report. Example: 97903321852386706 | Text | Optional | You can retrieve this using the action List Sandbox Tasks. |
Timeout | Enter the timeout value (in seconds) to wait for the report to generate. | Integer | Optional | Default value: 60 |
Example Request
```json
[
  {
    "instance_id": "52ae1b85-cc31-4088-a8e1-2d1bcf4ccb57",
    "sandbox_type": "sandbox",
    "sandbox_format": "html",
    "sandbox_task_id": "28436767119613676",
    "timeout_seconds": "60"
  }
]
```
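The parameter table above has a dependency that the table cannot express: an `instance_id` is what identifies a scan report, while a `sandbox_task_id` is what identifies a sandbox or sandbox_zip report, and the report format and type each have a fixed set of allowed values. The following helper, added here as an illustration and not part of the connector or of PolySwarm's own code, validates a Create Report parameter set against those documented constraints before it is handed to the action. The function names, the UUID check on `instance_id` and the digits-only check on `sandbox_task_id` are assumptions drawn from the example values on this page, not documented requirements; the field names are the ones shown in the example request.

```python
"""Validate and build Create Report parameter sets for the PolySwarm Sandbox app.

Added example; hypothetical helper, not the connector's own code.
"""
import uuid

# Allowed values as documented in the Create Report parameter table.
ALLOWED_SANDBOX_TYPES = frozenset({"scan", "sandbox", "sandbox_zip"})
ALLOWED_FORMATS = frozenset({"pdf", "html", "zip"})
DEFAULT_TIMEOUT_SECONDS = 60  # documented default


def _looks_like_uuid(value):
    """Assumption: instance IDs have the UUID shape shown in the page's example."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate_create_report(params):
    """Return a list of problems with a Create Report parameter set.

    An empty list means the parameters are consistent with the documented table.
    """
    problems = []
    sandbox_type = params.get("sandbox_type")
    if sandbox_type not in ALLOWED_SANDBOX_TYPES:
        problems.append(
            f"sandbox_type must be one of {sorted(ALLOWED_SANDBOX_TYPES)}, got {sandbox_type!r}")
    sandbox_format = params.get("sandbox_format")
    if sandbox_format not in ALLOWED_FORMATS:
        problems.append(
            f"sandbox_format must be one of {sorted(ALLOWED_FORMATS)}, got {sandbox_format!r}")

    instance_id = params.get("instance_id")
    task_id = params.get("sandbox_task_id")
    # A scan report is addressed by instance ID; sandbox reports by sandbox task ID.
    if sandbox_type == "scan":
        if not instance_id:
            problems.append("instance_id is required when sandbox_type is 'scan'")
        elif not _looks_like_uuid(instance_id):
            problems.append(f"instance_id {instance_id!r} is not a UUID (assumed format)")
    elif sandbox_type in ("sandbox", "sandbox_zip"):
        if not task_id:
            problems.append("sandbox_task_id is required when sandbox_type is "
                            "'sandbox' or 'sandbox_zip'")
        elif not str(task_id).isdigit():
            problems.append(f"sandbox_task_id {task_id!r} must be numeric (assumed format)")

    # Timeout is documented as an Integer; the page's own example quotes it as "60",
    # so accept a digit string and normalize it to int.
    timeout = params.get("timeout_seconds", DEFAULT_TIMEOUT_SECONDS)
    if isinstance(timeout, str) and timeout.isdigit():
        timeout = int(timeout)
    if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout <= 0:
        problems.append(f"timeout_seconds must be a positive integer, got {timeout!r}")
    return problems


def build_create_report_request(sandbox_type, sandbox_format, *, instance_id=None,
                                sandbox_task_id=None, timeout_seconds=DEFAULT_TIMEOUT_SECONDS):
    """Build the list-wrapped request body shown on the page, or raise ValueError.

    Only the identifier relevant to the chosen sandbox_type is required; any extra
    identifier supplied is passed through unchanged.
    """
    params = {"sandbox_type": sandbox_type, "sandbox_format": sandbox_format}
    if instance_id is not None:
        params["instance_id"] = str(instance_id)
    if sandbox_task_id is not None:
        params["sandbox_task_id"] = str(sandbox_task_id)
    params["timeout_seconds"] = int(timeout_seconds) if str(timeout_seconds).isdigit() \
        else timeout_seconds
    problems = validate_create_report(params)
    if problems:
        raise ValueError("; ".join(problems))
    return [params]


if __name__ == "__main__":
    # Constructed sample values, matching the shapes of the page's examples.
    print(build_create_report_request("scan", "pdf",
                                      instance_id="52ae1b85-cc31-4088-a8e1-2d1bcf4ccb57"))
    print(validate_create_report({"sandbox_type": "sandbox_zip", "sandbox_format": "zip"}))
```

The check is deliberately done client-side: a playbook that sends a `sandbox` report request without a task ID otherwise only learns about the mistake from a failed action after the timeout elapses.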
Action: Get Hash Details
This action searches hash details.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash Value | Enter a valid hash. Example: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f | Text | Required | |
Action: Get Sandbox List
This action gets all the sandbox providers to obtain the sandbox name and sandbox virtual machine (VM).
Action Input Parameters
No input parameters are required for this action.
Action: List Sandbox Tasks
This action lists all the sandbox tasks.
Action Input Parameters
No input parameters are required for this action.
Action: Lookup Sandbox
This action gets a sandbox task by its ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Task ID | Enter the task ID. Example: 53445563653708569 | Text | Required | |
Action: Scan File
This action scans a file. You can pass either the file path or the pre-signed URL for scanning the file.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sandbox File Name | Enter the name of the sandbox file. | Text | Required | |
File Path | Enter the file path where the file is stored. | Text | Optional | |
Presigned URL | Enter the pre-signed URL to download the file to the environment and upload it to PolySwarm for scanning. | Text | Optional | |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Action: Scan URL
This action scans a URL.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
URL | Enter the URL to be scanned. Example: https://polyswarm.io | Text | Required | |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Action: Search Hash by IOC
This action searches for hashes associated with an IP, URL, imphash, or MITRE tactic, technique, and procedure (TTP).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP value | Enter the IP. Example: 1.1.1.1 | Text | Optional | |
Domain Value | Enter the domain. Example: exampledomain.com | Text | Optional | |
Mitre TTP | Enter the MITRE TTP ID. Example: t1060 | Text | Optional | |
Imphash | Enter the imphash value. | Text | Optional | |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Action: Search IOC by Hash
This action searches IOCs by hash value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Hash type | Enter the hash type. Example: SHA-256 | Text | Required | |
Hash value | Enter the hash value. Example: 275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f | Text | Required | |
Hide Known Good | Set to false to include results classified as known good; true hides them. | Boolean | Optional | Allowed values: true, false. Default value: true |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Action: Submit File
This action submits a file for sandboxing.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sandbox File Name | Enter the name of the sandbox file. | Text | Required | |
Sandbox Name | Enter the sandbox name. Example: triage | Text | Required | |
Community Name | Enter the community name. Example: private | Text | Optional | Default value: default |
Sandbox VM | Enter the sandbox virtual machine (VM). Example: win10-build-15063 | Text | Required | |
File Path | Enter the file path where the file is stored. | Text | Optional | |
Presigned URL | Enter the pre-signed URL to download the file and then submit it for sandboxing. | Text | Optional | |
Network Enabled | Set to true to allow network access during the sandbox execution. | Boolean | Optional | Allowed values: true, false |
Action: Submit URL
This action submits a URL for sandboxing.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Sandbox Name | Enter the name of the sandbox to which the URL is submitted. Example: triage | Text | Required | You can retrieve the sandbox name using the action Get Sandbox List. |
Sandbox VM | Enter the sandbox virtual machine (VM). Example: win10-build-15063 | Text | Required | You can retrieve the sandbox VM using the action Get Sandbox List. |
URL | Enter the URL to submit for sandboxing. | Text | Required | |
Community Name | Enter the community name. | Text | Optional | Default value: default |
Example Request
```json
[
  {
    "url": "https://www.example.com/data",
    "sandbox_vm": "win-10-build-19041",
    "sandbox_name": "cape",
    "community_name": "default"
  }
]
```