ANY.RUN

Integration version: 4.0

Product permission

Integration is working on API Key authentication. You can generate a new API Key on the ANY.RUN page.

Configure ANY.RUN integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Key Password N/A Yes Api Key to use with integration.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Analyze File

Description

Create ANY.RUN file analysis task.

Parameters

Parameter name Type Default value Is mandatory Description
File Path String N/A No Specify full path to file to analyze.
Wait for the report? Checkbox Checked No Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Threshold Integer 0 Yes If Wait for the report checkbox is checked, mark entity as suspicious if the report risk value for the entity is above the specified threshold.
Try to create submission for x times Integer 30 Yes How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds.
OS Version DDL

7

Possible values:

  • 7
  • 8.1
  • 10
No OS version to run analysis on.
Operation System Bitness DDL

32

Possible values:

  • 32
  • 64
No Bitness of Operation System
OS Environment Type DDL

complete

Possible values:

  • complete
  • office
  • clean
No Environment type to run analysis on.
Network Connection Status DDL On

Possible values:

    On
  • Off
No Network connection state for analysis.
FakeNet Feature Status DDL

false

Possible values:

  • true
  • false
No FakeNet feature state for analysis.
Use TOR DDL

false

Possible values:

  • true
  • false
No Use TOR or not while running analysis.
opt_network_mitm DDL

false

Possible values:

  • true
  • false
No HTTPS MITM proxy option.
opt_network_geo DDL

Fastest

Possible values:

  • Fastest
  • AU
  • BR
  • DE
  • CH
  • FR
  • KR
  • US
  • RU
  • GB
  • IT
No Geolocation option.
opt_network_heavyevasion DDL

false

Possible values:

  • true
  • false
No Heavy evasion option.
opt_privacy_type DDL

By Link

Possible values:

  • By Link
  • Public
  • Owner
No Privacy settings for analysis.
opt_timeout String 60 No Timeout period for analysis in range from 10 to 600 seconds.
obj_ext_startfolder DDL

temp

Possible values:

  • temp
  • desktop
  • home
  • downloads
  • appdata
  • windows
  • root
No Start location for analysis.

Use cases

Analyze File that is a part of alert been reviewed to see if its malicious.

Run on

This action doesn't run on entities.

Action results

Entity enrichment

Mark entity as suspicious if the number of negative engines is equal or above the given threshold. if data.get("report", {}).get("risk_score", {}).get("result") > threshold

Enrichment Field name Logic - When to apply
domain_blacklist Returns if it exists in JSON result
html_forms Returns if it exists in JSON result
server_details Returns if it exists in JSON result
response_headers Returns if it exists in JSON result
redirection Returns if it exists in JSON result
file_type Returns if it exists in JSON result
risk_score Returns if it exists in JSON result
security_checks Returns if it exists in JSON result
geo_location Returns if it exists in JSON result
url_parts Returns if it exists in JSON result
site_category Returns if it exists in JSON result
web_page Returns if it exists in JSON result
dns_records Returns if it exists in JSON result
Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2. If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...
Case wall
Result type Description Type
Output message*

Action should not fail and not stop playbook execution:

if successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path).

If fail to create analysis task for the provided file: "Failed to create ANY.RUN analysis task for file: {0}".format(file_path).

If wait for report checkbox is set, and we finish the action because python process timeout is close: print "Action reached timeout waiting for report for file: {0}".format(file_path).

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Analyze File URL

Description

Create ANY.RUN file analysis task.

Parameters

Parameter name Type Default value Is mandatory Description
URL to File String N/A No Specify URL to file to download and analyze.
Hide Source URL? Checkbox Unchecked No Specify whether to hide source URL for the downloaded file.
Wait for the report? Checkbox Checked No Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Threshold Integer 0 Yes If Wait for the report checkbox is checked, mark entity as suspicious if the report risk value for the entity is above the specified threshold.
Try to create submission for x times Int 30 Yes How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds.
OS Version DDL 7 No OS version to run analysis on.
Operation System Bitness DDL 32 No Bitness of Operation System
OS Environment Type DDL complete No Environment type to run analysis on.
Network Connection Status DDL On No Network connection state for analysis.
FakeNet Feature Status DDL False No FakeNet feature state for analysis.

Use TOR

DDL False No Use TOR or not while running analysis.

opt_network_mitm

DDL False No HTTPS MITM proxy option.
opt_network_geo DDL Fastest No Geolocation option.
opt_network_heavyevasion DDL False No Heavy evasion option.

opt_privacy_type

DDL By Link No Privacy settings for analysis.

opt_timeout

String 60 No Timeout period for analysis in range from 10 to 600 seconds.

obj_ext_startfolder

DDL temp No Start location for analysis.

Use cases

Analyze File that is a part of alert been reviewed to see if its malicious.

Run on

This action doesn't work on entities.

Action results

Entity enrichment

Mark entity as suspicious if the number of negative engines is equal or above the given threshold. is_suspicious: if data.get("score") > threshold

Enrichment field name Logic - When to apply
domain Returns if it exists in JSON result
should_block Returns if it exists in JSON result
score Returns if it exists in JSON result
disposable Returns if it exists in JSON result
has_mx_records Returns if it exists in JSON result
has_spf_records Returns if it exists in JSON result
Insights

N/A

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...
Case wall
Result type Description Type
Output message*

Action should not fail and not stop playbook execution:

If successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path).

If fail to create analysis task for the provided file: Failed to create ANY.RUN analysis task for file: {0}".format(file_path).

If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for file: {0}".format(file_path).

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Analyze URL

Description

Create ANY.RUN analysis task for the provided URL.

Parameters

Parameter name Type Default value Is mandatory Description
URL For Analysis String N/A No Specify URL t o analyze.
Wait for the report? Checkbox Checked No Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Try to create submission for x times Integer 30 Yes How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds
OS Version DDL 7 No OS version to run analysis on.
Operation System Bitness DDL 32 No Bitness of Operation System
OS Environment Type DDL complete No Environment type to run analysis on.
Network Connection Status DDL On No Network connection state for analysis.
FakeNet Feature Status DDL False No FakeNet feature state for analysis.
Use TOR DDL False No Use TOR or not while running analysis.

opt_network_mitm

DDL

False No HTTPS MITM proxy option.
opt_network_geo DDL Fastest No Geolocation option.
opt_network_heavyevasion DDL False No Heavy evasion option.
opt_privacy_type DDL By Link No Privacy settings for analysis.
opt_timeout String 60 No Timeout period for analysis in range from 10 to 600 seconds.
obj_ext_startfolder DDL temp No Start location for analysis.

Use cases

Analyze URL that is a part of alert been reviewed to see if its malicious.

Run on

This action runs on the URL entity.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...
Case wall
Result type Description Type
Output message*

Action should not fail and not stop playbook execution:

If successfully created analysis task for at least one of the provided entities: "Created analysis tasks for the following entities: {0}".format([entity.Identifier]).

If fail to create analysis task for all of the provided entities: "No ANY.RUN analysis tasks were created."

If fail to create analysis tasks for some entities: "Failed to create analysis tasks for the following entities: {0}".format([entity.identifier])

If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for the following entities: {0}".format([entity.identifier])

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Get Report

Description

Get ANY.RUN report from previous analysis based on the provided Google Security Operations SOAR File, FileHash or URL entity.

Parameters

Parameter name Type Default value Is mandatory Description
Threshold Integer 0 Yes Mark entity as suspicious if the score value for the entity is above the specified threshold.
Search in last x scans Integer 25 Yes Search for report for provide filehash in the last x analysis executed in ANY.RUN.
Create Insight? Checkbox Unchecked No Specify whether to create insight based on the report data.
Fetch latest report? Checkbox Checked No Specify whether to return latest analysis report or all found reports for the provided entity.

Use cases

Lookup in ANY.RUN hash we encounter in the alert analysis in the playbook.

Run on

This action runs on the following entities:

  • Filename
  • Filehash
  • URL

Action results

Entity enrichment

Action should set this to True if risk value for entity is above the threshold provided as action input parameter.

Insights
Insight logic Type Title Entity Verdict Threat level Score
Create if respective checkbox was checked. Entity Any/Run Report Entity identifier for which insight is created Value from api response Value from api response Value from api response
Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
                "timeout": 60,
                "additionalTime": 0,
                "fakeNet": false,
                "heavyEvasion": false,
                "mitm": false,
                "tor": {
                    "used": false,
                    "geo": "fastest"
                },
                "presentation": false,
                "video": true,
                "hideSource": false,
                "network": true,
                "privacy": "bylink",
                "privateSample": false,
                "automatization": {
                    "uac": false
                }
            },
            "scores": {
                "verdict": {
                    "score": 100,
                    "threatLevel": 2,
                    "threatLevelText": "Malicious activity"
                },
                "specs": {
                    "injects": false,
                    "autostart": false,
                    "cpuOverrun": false,
                    "crashedApps": false,
                    "crashedTask": false,
                    "debugOutput": false,
                    "executableDropped": false,
                    "exploitable": false,
                    "lowAccess": false,
                    "memOverrun": false,
                    "multiprocessing": true,
                    ...
Case wall
Result type Description Type
Output message*

Action should not fail and not stop playbook execution:

if successful and got a report for at least one of the provided entities: "Found ANY.RUN reports for the following entities: {0}".format([entity.Identifier]).

If fail to find reports for all of the provided entities: "No ANY.RUN reports were found."

If fail to find reports for some entities: "Failed to find ANY.RUN reports for the following entities: {0}".format([entity.identifier])

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General
Table

Name: Latest ANY.RUN Report

Columns: Parameter, Value:

  • Verdict
  • "Threat Level"
  • "Score"
  • Report URL
  • Report IOC
  • Report MISP
  • Report HTML
  • Report Graph
General

Ping

Description

Test connectivity to ANY.RUN service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Use cases

The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.

Parameters

N/A

Run on

The action doesn't run on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
Case wall
Result type Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: Successfully connected to the ANY.RUN service with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Search Report History

Description

Search ANY.RUN scans history.

Parameters

Parameter name Type Default value Is mandatory Description
Submission Name String N/A No Specific submission name to search for.
Search in last x scans Integer 100 Yes Search for report in the last x analysis executed in ANY.RUN.
Skip first x scans Integer 0 No Skip first x scans returned by ANY.RUN API.
Get team history? Checkbox Unchecked No Specify whether to get team history or not.

Use cases

Search past submissions to see what was scanned previously in ANY.RUN sandbox.

Run on

The action doesn't work on entities.

Action results

Script result
Script result name Value options Example
is_success True or False is_success:False
JSON result
{
  "error": false,
  "data": {
      "tasks": [
          {
              "verdict": "No threats detected",
              "name": "http://users.tpg.com.au/locthuy/employment/qs/unix/Hardening%20your%20AIX%20Security.pdf",
              "related": "https://app.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051",
              "pcap": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/pcap",
              "file": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/files/56dcd380-3f8f-4764-b1fc-9c5cdf414cb5",
              "json": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/json",
              "misp": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/misp",
              "tags": [],
              "date": "2020-10-12T08:05:57.587Z",
              "hashes": {
                  "ssdeep": "768:iSDksqjqvXbB/6rtilCec397sUiZc9Yky:TDegY539gUiCXy",
                  "head_hash": "3c90557306fa01f30693541b28db5785",
                  "sha256": "8ebc1257f9155134bb00315bdd2380990cdc413ba298d0cf473579ccfe03d6e5",
                  "sha1": "c125ba414416668b84ac737ec6db1b7f94bf32af",
                  "md5": "5e19377a19ef7657707872377bea14b7"
              }
          },
...
Case wall
Result type Description Type
Output message*

Action should not fail and not stop playbook execution:

If successful and found reports: "Found ANY.RUN reports for the provided search parameters".

If fail to find reports: "No ANY.RUN reports were found."

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General
Table

Table Name: Search Results

Table Columns:

  • Submission name (name)
  • Verdict
  • >Report URL (related)
  • Scan Date
  • md5
  • sha1
  • sha256
General