The PolySwarm Action Bundle for ThreatQ enables analysts to interact with PolySwarm by performing scans on files/URLs, enriching indicators, submitting YARA rules, and more.

The bundle provides the following actions:

• PolySwarm - Lookup - performs a lookup on a hash or URL to find context from PolySwarm.
• PolySwarm - Rescan - performs a Rescan for a particular hash.
• PolySwarm - Metadata Search - searches for scans using the metadata search.
• PolySwarm - Live Hunt - starts a live hunt in PolySwarm using a YARA Signature.
• PolySwarm - Historical Hunt - starts a historical hunt in PolySwarm using a YARA Signature.
• PolySwarm - Add Rule - creates a Ruleset to PolySwarm using YARA Signature.
• PolySwarm - Scan - scans a file or URL using PolySwarm.

The action is compatible with the following system object types:

• Indicators
• MD5
• SHA-1
• SHA-256
• URL
• FQDN
• IP Address
• IPv6 Address
• Files
• Signatures
• YARA

The action returns the following enriched system objects:

• Indicators
• MD5
• SHA-1
• SHA-256
• URL
• FQDN
• IP Address
• IPv6 Address
• Files
• Signatures
• YARA

Note:  This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.