ANY.RUN
Integration version: 4.0
Product permission
The integration uses API Key authentication. You can generate a new API Key on the ANY.RUN page.
Configure ANY.RUN integration in Google Security Operations SOAR
For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
Api Key | Password | N/A | Yes | Api Key to use with integration. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Analyze File
Description
Create ANY.RUN file analysis task.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
File Path | String | N/A | No | Specify the full path of the file to analyze. |
Wait for the report? | Checkbox | Checked | No | Specify whether the action should wait for the report to be created. The report can also be obtained later with the Get Report action once the scan is completed. |
Threshold | Integer | 0 | Yes | If the Wait for the report checkbox is checked, mark the entity as suspicious if the report risk value for the entity is above the specified threshold. |
Try to create submission for x times | Integer | 30 | Yes | How many attempts the action should make to check that the API concurrency limit is not exceeded and to create a new submission. The check is made every 2 seconds. |
OS Version | DDL | 7 | No | OS version to run the analysis on. |
Operation System Bitness | DDL | 32 | No | Bitness of the operating system. |
OS Environment Type | DDL | complete | No | Environment type to run the analysis on. |
Network Connection Status | DDL | On | No | Network connection state for the analysis. |
FakeNet Feature Status | DDL | false | No | FakeNet feature state for the analysis. |
Use TOR | DDL | false | No | Whether to use TOR while running the analysis. |
opt_network_mitm | DDL | false | No | HTTPS MITM proxy option. |
opt_network_geo | DDL | Fastest | No | Geolocation option. |
opt_network_heavyevasion | DDL | false | No | Heavy evasion option. |
opt_privacy_type | DDL | By Link | No | Privacy settings for the analysis. |
opt_timeout | String | 60 | No | Timeout period for the analysis, in the range from 10 to 600 seconds. |
obj_ext_startfolder | DDL | temp | No | Start location for the analysis. |
Use cases
Analyze a file that is part of the alert being reviewed to see if it is malicious.
Run on
This action doesn't run on entities.
Action results
Entity enrichment
Mark the entity as suspicious if the report risk score for the entity is above the given threshold: is_suspicious = data.get("report", {}).get("risk_score", {}).get("result") > threshold
Enrichment Field name | Logic - When to apply |
---|---|
domain_blacklist | Returns if it exists in JSON result |
html_forms | Returns if it exists in JSON result |
server_details | Returns if it exists in JSON result |
response_headers | Returns if it exists in JSON result |
redirection | Returns if it exists in JSON result |
file_type | Returns if it exists in JSON result |
risk_score | Returns if it exists in JSON result |
security_checks | Returns if it exists in JSON result |
geo_location | Returns if it exists in JSON result |
url_parts | Returns if it exists in JSON result |
site_category | Returns if it exists in JSON result |
web_page | Returns if it exists in JSON result |
dns_records | Returns if it exists in JSON result |
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
Option 1: If the Wait for the report checkbox is not set, we return the info about the created analysis task (response to request 1)
{
"error": false,
"data": {
"taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
}
}
Option 2: If the Wait for the report checkbox is set, we return the report of the created analysis task once it is ready
{
"error": false,
"data": {
"analysis": {
"uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"reports": {
"IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
"MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
"HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
"graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
},
"sandbox": {
"name": "ANY.RUN - Interactive Sandbox",
"plan": {
"name": "Tester"
}
},
"duration": 60,
"creation": 1602483368256,
"creationText": "2020-10-12T06:16:08.256Z",
"tags": [],
"options": {
...
Case wall
Result type | Description | Type |
---|---|---|
Output message* | Action should not fail and not stop playbook execution: If the analysis task was created successfully for the provided file: "Successfully created analysis task for file: {0}".format(file_path). If the analysis task could not be created for the provided file: "Failed to create ANY.RUN analysis task for file: {0}".format(file_path). If the Wait for the report checkbox is set and the action finishes because the Python process timeout is close: "Action reached timeout waiting for report for file: {0}".format(file_path). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
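The control flow the parameters and Case wall above describe for Analyze File, as an added example that is not the integration's own code: task creation is retried every 2 seconds while the API concurrency limit is exceeded (at most "Try to create submission for x times" attempts), and when "Wait for the report?" is set the action polls for the report until it is ready or the process deadline is close. `ConcurrencyLimitError`, `submit`, `fetch_report`, the injectable `now`/`sleep` callables and the 600-second default wait budget are hypothetical, so the code runs offline and deterministically.

```python
import time

RETRY_INTERVAL_SECONDS = 2  # "Check is made every 2 seconds"
DEFAULT_WAIT_SECONDS = 600  # assumed wait budget when no deadline is given


class ConcurrencyLimitError(Exception):
    """Hypothetical exception: raised by submit() when ANY.RUN reports that
    the account's concurrency limit is currently exceeded."""


def create_task_with_retry(submit, attempts=30, sleep=time.sleep):
    """Call submit() until it returns a task id or `attempts` tries are used
    up ("Try to create submission for x times"). Returns None when every
    attempt hit the concurrency limit; other exceptions propagate."""
    for attempt in range(1, attempts + 1):
        try:
            return submit()
        except ConcurrencyLimitError:
            if attempt < attempts:
                sleep(RETRY_INTERVAL_SECONDS)
    return None


def wait_for_report(fetch_report, deadline, now=time.time, sleep=time.sleep):
    """Poll fetch_report() (returns the report dict, or None while the scan is
    still running) until a report arrives or the next poll would pass
    `deadline` (epoch seconds). Returns (report_or_None, "ready" | "timeout")."""
    while True:
        report = fetch_report()
        if report is not None:
            return report, "ready"
        if now() + RETRY_INTERVAL_SECONDS >= deadline:
            return None, "timeout"
        sleep(RETRY_INTERVAL_SECONDS)


def analyze_file(file_path, submit, fetch_report, wait_for_report_flag=True,
                 attempts=30, deadline=None, now=time.time, sleep=time.sleep):
    """Return (is_success, output_message, report) using the output messages
    from the Case wall table. `deadline` is the point at which the action must
    stop waiting because the Python process timeout is close."""
    if deadline is None:
        deadline = now() + DEFAULT_WAIT_SECONDS
    task_id = create_task_with_retry(submit, attempts, sleep)
    if task_id is None:
        # Not a critical error: the action reports failure but does not stop the playbook.
        return False, "Failed to create ANY.RUN analysis task for file: {0}".format(file_path), None
    if not wait_for_report_flag:
        return True, "Successfully created analysis task for file: {0}".format(file_path), None
    report, status = wait_for_report(fetch_report, deadline, now, sleep)
    if status == "timeout":
        return True, "Action reached timeout waiting for report for file: {0}".format(file_path), None
    return True, "Successfully created analysis task for file: {0}".format(file_path), report
```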
Analyze File URL
Description
Create ANY.RUN file analysis task.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
URL to File | String | N/A | No | Specify the URL of the file to download and analyze. |
Hide Source URL? | Checkbox | Unchecked | No | Specify whether to hide the source URL of the downloaded file. |
Wait for the report? | Checkbox | Checked | No | Specify whether the action should wait for the report to be created. The report can also be obtained later with the Get Report action once the scan is completed. |
Threshold | Integer | 0 | Yes | If the Wait for the report checkbox is checked, mark the entity as suspicious if the report risk value for the entity is above the specified threshold. |
Try to create submission for x times | Integer | 30 | Yes | How many attempts the action should make to check that the API concurrency limit is not exceeded and to create a new submission. The check is made every 2 seconds. |
OS Version | DDL | 7 | No | OS version to run the analysis on. |
Operation System Bitness | DDL | 32 | No | Bitness of the operating system. |
OS Environment Type | DDL | complete | No | Environment type to run the analysis on. |
Network Connection Status | DDL | On | No | Network connection state for the analysis. |
FakeNet Feature Status | DDL | False | No | FakeNet feature state for the analysis. |
Use TOR | DDL | False | No | Whether to use TOR while running the analysis. |
opt_network_mitm | DDL | False | No | HTTPS MITM proxy option. |
opt_network_geo | DDL | Fastest | No | Geolocation option. |
opt_network_heavyevasion | DDL | False | No | Heavy evasion option. |
opt_privacy_type | DDL | By Link | No | Privacy settings for the analysis. |
opt_timeout | String | 60 | No | Timeout period for the analysis, in the range from 10 to 600 seconds. |
obj_ext_startfolder | DDL | temp | No | Start location for the analysis. |
Use cases
Analyze a file that is part of the alert being reviewed to see if it is malicious.
Run on
This action doesn't run on entities.
Action results
Entity enrichment
Mark the entity as suspicious if the report score for the entity is above the given threshold: is_suspicious = data.get("score") > threshold
Enrichment field name | Logic - When to apply |
---|---|
domain | Returns if it exists in JSON result |
should_block | Returns if it exists in JSON result |
score | Returns if it exists in JSON result |
disposable | Returns if it exists in JSON result |
has_mx_records | Returns if it exists in JSON result |
has_spf_records | Returns if it exists in JSON result |
Insights
N/A
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
Option 1: If the Wait for the report checkbox is not set, we return the info about the created analysis task (response to request 1)
{
"error": false,
"data": {
"taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
}
}
Option 2: If the Wait for the report checkbox is set, we return the report of the created analysis task once it is ready
{
"error": false,
"data": {
"analysis": {
"uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"reports": {
"IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
"MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
"HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
"graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
},
"sandbox": {
"name": "ANY.RUN - Interactive Sandbox",
"plan": {
"name": "Tester"
}
},
"duration": 60,
"creation": 1602483368256,
"creationText": "2020-10-12T06:16:08.256Z",
"tags": [],
"options": {
...
Case wall
Result type | Description | Type |
---|---|---|
Output message* | Action should not fail and not stop playbook execution: If the analysis task was created successfully for the provided file: "Successfully created analysis task for file: {0}".format(file_path). If the analysis task could not be created for the provided file: "Failed to create ANY.RUN analysis task for file: {0}".format(file_path). If the Wait for the report checkbox is set and the action finishes because the Python process timeout is close: "Action reached timeout waiting for report for file: {0}".format(file_path). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
Analyze URL
Description
Create ANY.RUN analysis task for the provided URL.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
URL For Analysis | String | N/A | No | Specify the URL to analyze. |
Wait for the report? | Checkbox | Checked | No | Specify whether the action should wait for the report to be created. The report can also be obtained later with the Get Report action once the scan is completed. |
Try to create submission for x times | Integer | 30 | Yes | How many attempts the action should make to check that the API concurrency limit is not exceeded and to create a new submission. The check is made every 2 seconds. |
OS Version | DDL | 7 | No | OS version to run the analysis on. |
Operation System Bitness | DDL | 32 | No | Bitness of the operating system. |
OS Environment Type | DDL | complete | No | Environment type to run the analysis on. |
Network Connection Status | DDL | On | No | Network connection state for the analysis. |
FakeNet Feature Status | DDL | False | No | FakeNet feature state for the analysis. |
Use TOR | DDL | False | No | Whether to use TOR while running the analysis. |
opt_network_mitm | DDL | False | No | HTTPS MITM proxy option. |
opt_network_geo | DDL | Fastest | No | Geolocation option. |
opt_network_heavyevasion | DDL | False | No | Heavy evasion option. |
opt_privacy_type | DDL | By Link | No | Privacy settings for the analysis. |
opt_timeout | String | 60 | No | Timeout period for the analysis, in the range from 10 to 600 seconds. |
obj_ext_startfolder | DDL | temp | No | Start location for the analysis. |
Use cases
Analyze a URL that is part of the alert being reviewed to see if it is malicious.
Run on
This action runs on the URL entity.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
Option 1: If the Wait for the report checkbox is not set, we return the info about the created analysis task (response to request 1)
{
"error": false,
"data": {
"taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
}
}
Option 2: If the Wait for the report checkbox is set, we return the report of the created analysis task once it is ready
{
"error": false,
"data": {
"analysis": {
"uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"reports": {
"IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
"MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
"HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
"graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
},
"sandbox": {
"name": "ANY.RUN - Interactive Sandbox",
"plan": {
"name": "Tester"
}
},
"duration": 60,
"creation": 1602483368256,
"creationText": "2020-10-12T06:16:08.256Z",
"tags": [],
"options": {
...
Case wall
Result type | Description | Type |
---|---|---|
Output message* | Action should not fail and not stop playbook execution: If an analysis task was created successfully for at least one of the provided entities: "Created analysis tasks for the following entities: {0}".format([entity.Identifier]). If no analysis task could be created for any of the provided entities: "No ANY.RUN analysis tasks were created." If analysis tasks could not be created for some entities: "Failed to create analysis tasks for the following entities: {0}".format([entity.identifier]). If the Wait for the report checkbox is set and the action finishes because the Python process timeout is close: "Action reached timeout waiting for report for the following entities: {0}".format([entity.identifier]). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
Get Report
Description
Get ANY.RUN report from previous analysis based on the provided Google Security Operations SOAR File, FileHash or URL entity.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Threshold | Integer | 0 | Yes | Mark entity as suspicious if the score value for the entity is above the specified threshold. |
Search in last x scans | Integer | 25 | Yes | Search for a report for the provided file hash in the last x analyses executed in ANY.RUN. |
Create Insight? | Checkbox | Unchecked | No | Specify whether to create insight based on the report data. |
Fetch latest report? | Checkbox | Checked | No | Specify whether to return latest analysis report or all found reports for the provided entity. |
Use cases
Look up in ANY.RUN a hash encountered during alert analysis in the playbook.
Run on
This action runs on the following entities:
- Filename
- Filehash
- URL
Action results
Entity enrichment
The action marks the entity as suspicious if the risk value for the entity is above the threshold provided as the action input parameter.
Insights
Insight logic | Type | Title | Entity | Verdict | Threat level | Score |
---|---|---|---|---|---|---|
Create if respective checkbox was checked. | Entity | Any/Run Report | Entity identifier for which insight is created | Value from api response | Value from api response | Value from api response |
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
{
"error": false,
"data": {
"analysis": {
"uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
"reports": {
"IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
"MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
"HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
"graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
},
"sandbox": {
"name": "ANY.RUN - Interactive Sandbox",
"plan": {
"name": "Tester"
}
},
"duration": 60,
"creation": 1602483368256,
"creationText": "2020-10-12T06:16:08.256Z",
"tags": [],
"options": {
"timeout": 60,
"additionalTime": 0,
"fakeNet": false,
"heavyEvasion": false,
"mitm": false,
"tor": {
"used": false,
"geo": "fastest"
},
"presentation": false,
"video": true,
"hideSource": false,
"network": true,
"privacy": "bylink",
"privateSample": false,
"automatization": {
"uac": false
}
},
"scores": {
"verdict": {
"score": 100,
"threatLevel": 2,
"threatLevelText": "Malicious activity"
},
"specs": {
"injects": false,
"autostart": false,
"cpuOverrun": false,
"crashedApps": false,
"crashedTask": false,
"debugOutput": false,
"executableDropped": false,
"exploitable": false,
"lowAccess": false,
"memOverrun": false,
"multiprocessing": true,
...
Case wall
Result type | Description | Type |
---|---|---|
Output message* | Action should not fail and not stop playbook execution: If successful and a report was found for at least one of the provided entities: "Found ANY.RUN reports for the following entities: {0}".format([entity.Identifier]). If no report was found for any of the provided entities: "No ANY.RUN reports were found." If no report was found for some entities: "Failed to find ANY.RUN reports for the following entities: {0}".format([entity.identifier]). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
Table | Name: Latest ANY.RUN Report. Columns: Parameter, Value | General |
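Post-processing for Get Report, as an added example that is not the integration's own code: pick the latest of the found reports when "Fetch latest report?" is set, apply the Threshold rule from the parameters table, build the insight fields listed in the Insights table, and flatten the report into the Parameter/Value rows of the "Latest ANY.RUN Report" table. The two sample reports are constructed to match the JSON result shape shown above (the second uuid is made up); the score path data.analysis.scores.verdict.score is taken from that sample.

```python
# Constructed sample reports in the shape of the Get Report JSON result above.
SAMPLE_REPORTS = [
    {"error": False, "data": {"analysis": {
        "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
        "creation": 1602483368256,
        "scores": {"verdict": {"score": 100, "threatLevel": 2,
                               "threatLevelText": "Malicious activity"}}}}},
    {"error": False, "data": {"analysis": {
        "uuid": "00000000-0000-4000-8000-000000000001",  # constructed, older task
        "creation": 1602400000000,
        "scores": {"verdict": {"score": 0, "threatLevel": 0,
                               "threatLevelText": "No threats detected"}}}}},
]


def select_reports(reports, fetch_latest=True):
    """Drop error responses and responses without an analysis; return the single
    newest report (by `creation`) when fetch_latest is set, otherwise all of them."""
    found = [r for r in reports
             if not r.get("error") and r.get("data", {}).get("analysis")]
    if not found:
        return []
    if fetch_latest:
        return [max(found, key=lambda r: r["data"]["analysis"].get("creation", 0))]
    return found


def verdict(report):
    """The scores.verdict object of a report, or {} when the report has no score yet."""
    return (report.get("data", {}).get("analysis", {})
            .get("scores", {}).get("verdict", {}))


def is_suspicious(report, threshold):
    """Threshold rule: the entity is suspicious when the score is above the threshold."""
    return verdict(report).get("score", 0) > threshold


def build_insight(report, entity_identifier):
    """Insight fields from the Insights table; Verdict, Threat level and Score
    are taken from the API response."""
    v = verdict(report)
    return {"Type": "Entity", "Title": "Any/Run Report", "Entity": entity_identifier,
            "Verdict": v.get("threatLevelText"), "Threat level": v.get("threatLevel"),
            "Score": v.get("score")}


def flatten(obj, prefix=""):
    """Flatten nested dicts/lists into (Parameter, Value) rows with dotted
    parameter names, e.g. analysis.scores.verdict.score."""
    rows = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            rows.extend(flatten(val, f"{prefix}.{key}" if prefix else key))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            rows.extend(flatten(val, f"{prefix}[{i}]"))
    else:
        rows.append((prefix, obj))
    return rows


def latest_report_table(report):
    """Rows for the "Latest ANY.RUN Report" case wall table (Parameter, Value)."""
    return flatten(report.get("data", {}))
```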
Ping
Description
Test connectivity to ANY.RUN service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Use cases
The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab. It can be executed as a manual action; it is not used in playbooks.
Parameters
N/A
Run on
The action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Case wall
Result type | Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the ANY.RUN service with the provided connection parameters!" The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
Search Report History
Description
Search the ANY.RUN scan history.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Submission Name | String | N/A | No | Specific submission name to search for. |
Search in last x scans | Integer | 100 | Yes | Search for reports in the last x analyses executed in ANY.RUN. |
Skip first x scans | Integer | 0 | No | Skip first x scans returned by ANY.RUN API. |
Get team history? | Checkbox | Unchecked | No | Specify whether to get team history or not. |
Use cases
Search past submissions to see what was scanned previously in ANY.RUN sandbox.
Run on
The action doesn't run on entities.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
{
"error": false,
"data": {
"tasks": [
{
"verdict": "No threats detected",
"name": "http://users.tpg.com.au/locthuy/employment/qs/unix/Hardening%20your%20AIX%20Security.pdf",
"related": "https://app.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051",
"pcap": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/pcap",
"file": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/files/56dcd380-3f8f-4764-b1fc-9c5cdf414cb5",
"json": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/json",
"misp": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/misp",
"tags": [],
"date": "2020-10-12T08:05:57.587Z",
"hashes": {
"ssdeep": "768:iSDksqjqvXbB/6rtilCec397sUiZc9Yky:TDegY539gUiCXy",
"head_hash": "3c90557306fa01f30693541b28db5785",
"sha256": "8ebc1257f9155134bb00315bdd2380990cdc413ba298d0cf473579ccfe03d6e5",
"sha1": "c125ba414416668b84ac737ec6db1b7f94bf32af",
"md5": "5e19377a19ef7657707872377bea14b7"
}
},
...
Case wall
Result type | Description | Type |
---|---|---|
Output message* | Action should not fail and not stop playbook execution: If successful and reports were found: "Found ANY.RUN reports for the provided search parameters". If no reports were found: "No ANY.RUN reports were found." Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity, is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace) | General |
Table | Table Name: Search Results. Table Columns: | General |