Detonate File - Group-IB TDS Polygon

Detonates one or more files using the Polygon integration. This playbook returns relevant reports to the War Room and file reputations to the context data.

The detonation supports the following file types: 7z, ace, ar, arj, bat, bz2, cab, chm, cmd, com, cpgz, cpl, csv, dat, doc, docm, docx, dot, dotm, dotx, eml, exe, gz, gzip, hta, htm, html, iqy, iso, jar, js, jse, lnk, lz, lzma, lzo, lzh, mcl, mht, msg, msi, msp, odp, ods, odt, ots, ott, pdf, pif, potm, potx, pps, ppsm, ppsx, ppt, pptm, pptx, ps1, pub, py, pyc, r, rar, reg, rtf, scr, settingcontent-ms, stc, svg, sxc, sxw, tar, taz, tb2, tbz, tbz2, tgz, tlz, txz, tzo, txt, url, uue, vbe, vbs, wsf, xar, xls, xlsb, xlsm, xlsx, xml, xz, z, zip.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

  • Set

Commands

  • polygon-upload-file
  • polygon-analysis-info
  • polygon-export-report
  • polygon-export-pcap
  • polygon-export-video

Playbook Inputs

| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| File | The file object of the file to detonate. The file is taken from the context. | None | File | Optional |
| Interval | The polling interval (in minutes). | 1 | - | Optional |
| Timeout | The duration after which to stop polling and resume the playbook (in minutes). | 60 | - | Optional |
| Password | The password for the uploaded file. | - | - | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| File.Name | The full file name (including file extension). | string |
| File.MD5 | The MD5 hash of the file. | string |
| File.SHA1 | The SHA1 hash of the file. | string |
| File.SHA256 | The SHA256 hash of the file. | string |
| File.Type | File type. | string |
| File.Malicious.Vendor | The vendor that reported the file as malicious. | string |
| File.Malicious.Description | A description explaining why the file was determined to be malicious. | string |
| DBotScore.Indicator | The indicator that was tested. | string |
| DBotScore.Type | The indicator type. | string |
| DBotScore.Vendor | The vendor used to calculate the score. | string |
| DBotScore.Score | The actual score. | number |
| IP.Address | IP address. | String |
| Domain.Name | The domain name. | String |
| Domain.DNS | A list of IP objects resolved by DNS. | String |
| URL.Data | The URL. | String |
| URL.Malicious.Vendor | The vendor that reported the URL as malicious. | string |
| URL.Malicious.Description | A description explaining why the URL was determined to be malicious. | string |
| RegistryKey.Path | The path to the registry key. | String |
| RegistryKey.Value | The value at the given RegistryKey. | String |
| Process.Name | Process name. | String |
| Process.PID | Process PID. | String |
| Process.CommandLine | Process command line. | String |
| Process.Path | Process path. | String |
| Process.StartTime | Process start time. | date |
| Process.EndTime | Process end time. | date |
| Polygon.Analysis.ID | TDS file ID. | string |
| Polygon.Analysis.Name | File name. | string |
| Polygon.Analysis.Size | File size. | number |
| Polygon.Analysis.Started | Analysis start timestamp. | date |
| Polygon.Analysis.Analyzed | Analysis finish timestamp. | date |
| Polygon.Analysis.MD5 | Analyzed file MD5 hash. | string |
| Polygon.Analysis.SHA1 | Analyzed file SHA1 hash. | string |
| Polygon.Analysis.SHA256 | Analyzed file SHA256 hash. | string |
| Polygon.Analysis.Result | Analysis verdict. | boolean |
| Polygon.Analysis.Status | Analysis status. | string |
| Polygon.Analysis.Verdict | Analysis verdict. | string |
| Polygon.Analysis.Probability | Verdict probability. | string |
| Polygon.Analysis.Families | Malware families. | string |
| Polygon.Analysis.Score | Polygon score. | number |
| Polygon.Analysis.Internet-connection | Internet availability. | string |
| Polygon.Analysis.Type | File type. | string |
| Polygon.Analysis.DumpExists | Network activity dump exists. | boolean |
| Polygon.Analysis.File | The information about files in the analysis. | unknown |
| Polygon.Analysis.URL | The information about URL indicators. | unknown |
| Polygon.Analysis.IP | The information about IP indicators. | unknown |
| Polygon.Analysis.Domain | The information about domain indicators. | unknown |
| Polygon.Analysis.RegistryKey | The information about registry keys which were modified during the analysis. | unknown |
| Polygon.Analysis.Process | The information about processes started during the analysis. | unknown |
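The following is an added example, not code from this playbook, from Cortex XSOAR or from Group-IB. It models the control flow the inputs and outputs above describe: gate the file on the supported-type list, poll the analysis using the Interval and Timeout inputs (both in minutes, as GenericPolling does), and shape the finished record into the Polygon.Analysis and DBotScore context paths. The Polygon API is stood in for by a caller-supplied callable; the response field names (`status`, `result`, `verdict`, ...), the terminal status strings and the verdict-to-DBotScore mapping are assumptions made for the example, not Polygon's documented values.

```python
import time
from typing import Callable, Dict, Optional

# File types listed in the playbook description (leading dots normalised away).
SUPPORTED_EXTENSIONS = frozenset(
    "7z ace ar arj bat bz2 cab chm cmd com cpgz cpl csv dat doc docm docx dot "
    "dotm dotx eml exe gz gzip hta htm html iqy iso jar js jse lnk lz lzma lzo "
    "lzh mcl mht msg msi msp odp ods odt ots ott pdf pif potm potx pps ppsm ppsx "
    "ppt pptm pptx ps1 pub py pyc r rar reg rtf scr settingcontent-ms stc svg sxc "
    "sxw tar taz tb2 tbz tbz2 tgz tlz txz tzo txt url uue vbe vbs wsf xar xls "
    "xlsb xlsm xlsx xml xz z zip".split()
)

# Assumed terminal states for a Polygon analysis (not taken from the product docs).
TERMINAL_STATUSES = frozenset({"finished", "failed"})


def is_supported(filename: str) -> bool:
    """True if the file's final extension is one the playbook can detonate."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in SUPPORTED_EXTENSIONS


def poll_analysis(
    fetch_info: Callable[[], Dict],
    interval_minutes: float = 1,
    timeout_minutes: float = 60,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Optional[Dict]:
    """Poll until the analysis reaches a terminal status or Timeout elapses.

    Mirrors the Interval/Timeout inputs (minutes). Returns the final analysis
    record, or None if the deadline passed while the analysis was still pending,
    which is when the playbook resumes without a verdict. `sleep` and `clock`
    are injectable so the loop can be exercised offline.
    """
    deadline = clock() + timeout_minutes * 60
    while True:
        info = fetch_info()
        if info.get("status") in TERMINAL_STATUSES:
            return info
        if clock() >= deadline:
            return None
        sleep(interval_minutes * 60)


def to_context(info: Dict, vendor: str = "Group-IB TDS Polygon") -> Dict:
    """Shape an analysis record into the context paths the playbook outputs.

    Score mapping is an assumption following the DBotScore convention:
    Result True -> 3 (Bad), False -> 1 (Good), not finished -> 0 (Unknown).
    """
    finished = info.get("status") == "finished"
    malicious = bool(info.get("result")) if finished else None
    score = 0 if malicious is None else (3 if malicious else 1)
    return {
        "Polygon.Analysis": {
            "ID": info.get("id"), "Status": info.get("status"),
            "Result": info.get("result"), "Verdict": info.get("verdict"),
            "Probability": info.get("probability"), "SHA256": info.get("sha256"),
        },
        "DBotScore": {
            "Indicator": info.get("sha256"), "Type": "file",
            "Vendor": vendor, "Score": score,
        },
    }


def simulated_polygon() -> Callable[[], Dict]:
    """Constructed responses standing in for successive polygon-analysis-info calls."""
    responses = iter([
        {"id": "analysis-1", "status": "queued"},
        {"id": "analysis-1", "status": "running"},
        {"id": "analysis-1", "status": "finished", "result": True,
         "verdict": "Malicious", "probability": "93%", "sha256": "0" * 64},
    ])
    last: Dict = {}

    def fetch() -> Dict:
        nonlocal last
        last = next(responses, last)  # keep returning the final record once exhausted
        return last
    return fetch


class FakeClock:
    """Deterministic clock whose sleep() advances time instead of blocking."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def run_demo(timeout_minutes: float = 60):
    """Run the polling loop against the simulated analysis; returns (context, seconds elapsed)."""
    clock = FakeClock()
    info = poll_analysis(simulated_polygon(), 1, timeout_minutes, clock.sleep, clock)
    return (to_context(info) if info else None), clock.now


if __name__ == "__main__":
    print(run_demo())
```

With the default 60-minute Timeout the simulated analysis finishes on the third poll after two one-minute waits and yields a DBotScore of 3; with a one-minute Timeout the loop gives up after the first wait and returns no context, which is the case a playbook consumer must handle rather than treating silence as a clean verdict.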

Playbook Image

Polygon Detonate File