ANY.RUN

Integration version: 3.0

Product permission

Integration is working on API Key authentication. You can generate a new API Key on the ANY.RUN page.

Configure ANY.RUN integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name	Type	Default value	Is mandatory	Description
Instance Name	String	N/A	No	Name of the Instance you intend to configure integration for.
Description	String	N/A	No	Description of the Instance.
Api Key	Password	N/A	Yes	Api Key to use with integration.
Run Remotely	Checkbox	Unchecked	No	Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Analyze File

Description

Create ANY.RUN file analysis task.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
File Path	String	N/A	No	Specify full path to file to analyze.
Wait for the report?	Checkbox	Checked	No	Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Threshold	Integer	0	Yes	If Wait for the report checkbox is checked, mark entity as suspicious if the report risk value for the entity is above the specified threshold.
Try to create submission for x times	Integer	30	Yes	How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds.
OS Version	DDL	7 Possible values: 7 8.1 10	No	OS version to run analysis on.
Operation System Bitness	DDL	32 Possible values: 32 64	No	Bitness of Operation System
OS Environment Type	DDL	complete Possible values: complete office clean	No	Environment type to run analysis on.
Network Connection Status	DDL	On Possible values: On Off	No	Network connection state for analysis.
FakeNet Feature Status	DDL	false Possible values: true false	No	FakeNet feature state for analysis.
Use TOR	DDL	false Possible values: true false	No	Use TOR or not while running analysis.
opt_network_mitm	DDL	false Possible values: true false	No	HTTPS MITM proxy option.
opt_network_geo	DDL	Fastest Possible values: Fastest AU BR DE CH FR KR US RU GB IT	No	Geolocation option.
opt_network_heavyevasion	DDL	false Possible values: true false	No	Heavy evasion option.
opt_privacy_type	DDL	By Link Possible values: By Link Public Owner	No	Privacy settings for analysis.
opt_timeout	String	60	No	Timeout period for analysis in range from 10 to 600 seconds.
obj_ext_startfolder	DDL	temp Possible values: temp desktop home downloads appdata windows root	No	Start location for analysis.

Use cases

Analyze File that is a part of alert been reviewed to see if its malicious.

Run on

This action doesn't run on entities.

Action results

Entity enrichment

Mark entity as suspicious if the number of negative engines is equal or above the given threshold. if data.get("report", {}).get("risk_score", {}).get("result") > threshold

Enrichment Field name	Logic - When to apply
domain_blacklist	Returns if it exists in JSON result
html_forms	Returns if it exists in JSON result
server_details	Returns if it exists in JSON result
response_headers	Returns if it exists in JSON result
redirection	Returns if it exists in JSON result
file_type	Returns if it exists in JSON result
risk_score	Returns if it exists in JSON result
security_checks	Returns if it exists in JSON result
geo_location	Returns if it exists in JSON result
url_parts	Returns if it exists in JSON result
site_category	Returns if it exists in JSON result
web_page	Returns if it exists in JSON result
dns_records	Returns if it exists in JSON result

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2. If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...

Case wall

Result type	Description	Type
Output message*	Action should not fail and not stop playbook execution: if successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path). If fail to create analysis task for the provided file: "Failed to create ANY.RUN analysis task for file: {0}".format(file_path). If wait for report checkbox is set, and we finish the action because python process timeout is close: print "Action reached timeout waiting for report for file: {0}".format(file_path). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General

Result type

Description

Type

Output message*

Action should not fail and not stop playbook execution:

if successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path).

If fail to create analysis task for the provided file: "Failed to create ANY.RUN analysis task for file: {0}".format(file_path).

If wait for report checkbox is set, and we finish the action because python process timeout is close: print "Action reached timeout waiting for report for file: {0}".format(file_path).

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Analyze File URL

Description

Create ANY.RUN file analysis task.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
URL to File	String	N/A	No	Specify URL to file to download and analyze.
Hide Source URL?	Checkbox	Unchecked	No	Specify whether to hide source URL for the downloaded file.
Wait for the report?	Checkbox	Checked	No	Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Threshold	Integer	0	Yes	If Wait for the report checkbox is checked, mark entity as suspicious if the report risk value for the entity is above the specified threshold.
Try to create submission for x times	Int	30	Yes	How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds.
OS Version	DDL	7	No	OS version to run analysis on.
Operation System Bitness	DDL	32	No	Bitness of Operation System
OS Environment Type	DDL	complete	No	Environment type to run analysis on.
Network Connection Status	DDL	On	No	Network connection state for analysis.
FakeNet Feature Status	DDL	False	No	FakeNet feature state for analysis.
Use TOR	DDL	False	No	Use TOR or not while running analysis.
opt_network_mitm	DDL	False	No	HTTPS MITM proxy option.
opt_network_geo	DDL	Fastest	No	Geolocation option.
opt_network_heavyevasion	DDL	False	No	Heavy evasion option.
opt_privacy_type	DDL	By Link	No	Privacy settings for analysis.
opt_timeout	String	60	No	Timeout period for analysis in range from 10 to 600 seconds.
obj_ext_startfolder	DDL	temp	No	Start location for analysis.

Use cases

Analyze File that is a part of alert been reviewed to see if its malicious.

Run on

This action doesn't work on entities.

Action results

Entity enrichment

Mark entity as suspicious if the number of negative engines is equal or above the given threshold. is_suspicious: if data.get("score") > threshold

Enrichment field name	Logic - When to apply
domain	Returns if it exists in JSON result
should_block	Returns if it exists in JSON result
score	Returns if it exists in JSON result
disposable	Returns if it exists in JSON result
has_mx_records	Returns if it exists in JSON result
has_spf_records	Returns if it exists in JSON result

Insights

N/A

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...

Case wall

Result type	Description	Type
Output message*	Action should not fail and not stop playbook execution: If successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path). If fail to create analysis task for the provided file: Failed to create ANY.RUN analysis task for file: {0}".format(file_path). If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for file: {0}".format(file_path). Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General

Result type

Description

Type

Output message*

Action should not fail and not stop playbook execution:

If successfully created analysis task for the provided file: "Successfully created analysis task for file: {0}".format(file_path).

If fail to create analysis task for the provided file: Failed to create ANY.RUN analysis task for file: {0}".format(file_path).

If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for file: {0}".format(file_path).

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Analyze URL

Description

Create ANY.RUN analysis task for the provided URL.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
URL For Analysis	String	N/A	No	Specify URL t o analyze.
Wait for the report?	Checkbox	Checked	No	Specify whether action should wait for the report creation. Report also can be obtained later with Get report action once scan is completed.
Try to create submission for x times	Integer	30	Yes	How many attempts action should make to check if the API concurrency limit is not exceeded and try to create a new submission. Check is made every 2 seconds
OS Version	DDL	7	No	OS version to run analysis on.
Operation System Bitness	DDL	32	No	Bitness of Operation System
OS Environment Type	DDL	complete	No	Environment type to run analysis on.
Network Connection Status	DDL	On	No	Network connection state for analysis.
FakeNet Feature Status	DDL	False	No	FakeNet feature state for analysis.
Use TOR	DDL	False	No	Use TOR or not while running analysis.
opt_network_mitm	DDL	False	No	HTTPS MITM proxy option.
opt_network_geo	DDL	Fastest	No	Geolocation option.
opt_network_heavyevasion	DDL	False	No	Heavy evasion option.
opt_privacy_type	DDL	By Link	No	Privacy settings for analysis.
opt_timeout	String	60	No	Timeout period for analysis in range from 10 to 600 seconds.
obj_ext_startfolder	DDL	temp	No	Start location for analysis.

Use cases

Analyze URL that is a part of alert been reviewed to see if its malicious.

Run on

This action runs on the URL entity.

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

Option 1: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "taskid": "7bbf1460-bf81-4a2b-95c4-4e99cb507331"
    }
}

Option 2: If wait for report checkbox is not set, we return the info about the created analysis task (response to request 1)

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
...

Case wall

Result type	Description	Type
Output message*	Action should not fail and not stop playbook execution: If successfully created analysis task for at least one of the provided entities: "Created analysis tasks for the following entities: {0}".format([entity.Identifier]). If fail to create analysis task for all of the provided entities: "No ANY.RUN analysis tasks were created." If fail to create analysis tasks for some entities: "Failed to create analysis tasks for the following entities: {0}".format([entity.identifier]) If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for the following entities: {0}".format([entity.identifier]) Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General

Result type

Description

Type

Output message*

Action should not fail and not stop playbook execution:

If successfully created analysis task for at least one of the provided entities: "Created analysis tasks for the following entities: {0}".format([entity.Identifier]).

If fail to create analysis task for all of the provided entities: "No ANY.RUN analysis tasks were created."

If fail to create analysis tasks for some entities: "Failed to create analysis tasks for the following entities: {0}".format([entity.identifier])

If wait for report checkbox is set, and we finish the action because python process timeout is close: "Action reached timeout waiting for report for the following entities: {0}".format([entity.identifier])

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Get Report

Description

Get ANY.RUN report from previous analysis based on the provided Google Security Operations SOAR File, FileHash or URL entity.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Threshold	Integer	0	Yes	Mark entity as suspicious if the score value for the entity is above the specified threshold.
Search in last x scans	Integer	25	Yes	Search for report for provide filehash in the last x analysis executed in ANY.RUN.
Create Insight?	Checkbox	Unchecked	No	Specify whether to create insight based on the report data.
Fetch latest report?	Checkbox	Checked	No	Specify whether to return latest analysis report or all found reports for the provided entity.

Use cases

Lookup in ANY.RUN hash we encounter in the alert analysis in the playbook.

Run on

This action runs on the following entities:

Filename
Filehash
URL

Action results

Entity enrichment

Action should set this to True if risk value for entity is above the threshold provided as action input parameter.

Insights

Insight logic	Type	Title	Entity	Verdict	Threat level	Score
Create if respective checkbox was checked.	Entity	Any/Run Report	Entity identifier for which insight is created	Value from api response	Value from api response	Value from api response

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

{
    "error": false,
    "data": {
        "analysis": {
            "uuid": "bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "permanentUrl": "https://app.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd",
            "reports": {
                "IOC": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/ioc/json",
                "MISP": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/misp",
                "HTML": "https://api.any.run/report/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/summary/html",
                "graph": "https://content.any.run/tasks/bb8d768a-4e81-4d50-bd89-8e1cac194ffd/graph"
            },
            "sandbox": {
                "name": "ANY.RUN - Interactive Sandbox",
                "plan": {
                    "name": "Tester"
                }
            },
            "duration": 60,
            "creation": 1602483368256,
            "creationText": "2020-10-12T06:16:08.256Z",
            "tags": [],
            "options": {
                "timeout": 60,
                "additionalTime": 0,
                "fakeNet": false,
                "heavyEvasion": false,
                "mitm": false,
                "tor": {
                    "used": false,
                    "geo": "fastest"
                },
                "presentation": false,
                "video": true,
                "hideSource": false,
                "network": true,
                "privacy": "bylink",
                "privateSample": false,
                "automatization": {
                    "uac": false
                }
            },
            "scores": {
                "verdict": {
                    "score": 100,
                    "threatLevel": 2,
                    "threatLevelText": "Malicious activity"
                },
                "specs": {
                    "injects": false,
                    "autostart": false,
                    "cpuOverrun": false,
                    "crashedApps": false,
                    "crashedTask": false,
                    "debugOutput": false,
                    "executableDropped": false,
                    "exploitable": false,
                    "lowAccess": false,
                    "memOverrun": false,
                    "multiprocessing": true,
                    ...

Case wall

Result type	Description	Type
Output message*	Action should not fail and not stop playbook execution: if successful and got a report for at least one of the provided entities: "Found ANY.RUN reports for the following entities: {0}".format([entity.Identifier]). If fail to find reports for all of the provided entities: "No ANY.RUN reports were found." If fail to find reports for some entities: "Failed to find ANY.RUN reports for the following entities: {0}".format([entity.identifier]) Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General
Table	Name: Latest ANY.RUN Report Columns: Parameter, Value: Verdict "Threat Level" "Score" Report URL Report IOC Report MISP Report HTML Report Graph	General

Result type

Description

Type

Output message*

Action should not fail and not stop playbook execution:

if successful and got a report for at least one of the provided entities: "Found ANY.RUN reports for the following entities: {0}".format([entity.Identifier]).

If fail to find reports for all of the provided entities: "No ANY.RUN reports were found."

If fail to find reports for some entities: "Failed to find ANY.RUN reports for the following entities: {0}".format([entity.identifier])

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Table

Name: Latest ANY.RUN Report

Columns: Parameter, Value:

Verdict
"Threat Level"
"Score"
Report URL
Report IOC
Report MISP
Report HTML
Report Graph

General

Ping

Description

Test connectivity to ANY.RUN service with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Use cases

The action is used to test connectivity at the integration configuration page on the Google Security Operations Marketplace tab, and it can be executed as a manual action, not used in playbooks.

Parameters

N/A

Run on

The action doesn't run on entities.

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: Successfully connected to the ANY.RUN service with the provided connection parameters!" The action should fail and stop a playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: Successfully connected to the ANY.RUN service with the provided connection parameters!"

The action should fail and stop a playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Search Report History

Description

Search ANY.RUN scans history.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Submission Name	String	N/A	No	Specific submission name to search for.
Search in last x scans	Integer	100	Yes	Search for report in the last x analysis executed in ANY.RUN.
Skip first x scans	Integer	0	No	Skip first x scans returned by ANY.RUN API.
Get team history?	Checkbox	Unchecked	No	Specify whether to get team history or not.

Use cases

Search past submissions to see what was scanned previously in ANY.RUN sandbox.

Run on

The action doesn't work on entities.

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

{
  "error": false,
  "data": {
      "tasks": [
          {
              "verdict": "No threats detected",
              "name": "http://users.tpg.com.au/locthuy/employment/qs/unix/Hardening%20your%20AIX%20Security.pdf",
              "related": "https://app.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051",
              "pcap": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/pcap",
              "file": "https://content.any.run/tasks/cb602e92-94ed-493e-985a-1339f3da6051/download/files/56dcd380-3f8f-4764-b1fc-9c5cdf414cb5",
              "json": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/json",
              "misp": "https://api.any.run/report/cb602e92-94ed-493e-985a-1339f3da6051/summary/misp",
              "tags": [],
              "date": "2020-10-12T08:05:57.587Z",
              "hashes": {
                  "ssdeep": "768:iSDksqjqvXbB/6rtilCec397sUiZc9Yky:TDegY539gUiCXy",
                  "head_hash": "3c90557306fa01f30693541b28db5785",
                  "sha256": "8ebc1257f9155134bb00315bdd2380990cdc413ba298d0cf473579ccfe03d6e5",
                  "sha1": "c125ba414416668b84ac737ec6db1b7f94bf32af",
                  "md5": "5e19377a19ef7657707872377bea14b7"
              }
          },
...

Case wall

Result type	Description	Type
Output message*	Action should not fail and not stop playbook execution: If successful and found reports: "Found ANY.RUN reports for the provided search parameters". If fail to find reports: "No ANY.RUN reports were found." Action should fail and stop playbook execution: If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)	General
Table	Table Name: Search Results Table Columns: Submission name (name) Verdict >Report URL (related) Scan Date md5 sha1 sha256	General

Result type

Description

Type

Output message*

Action should not fail and not stop playbook execution:

If successful and found reports: "Found ANY.RUN reports for the provided search parameters".

If fail to find reports: "No ANY.RUN reports were found."

Action should fail and stop playbook execution:

If a critical error, like wrong credentials or lost connectivity is reported: "Failed to connect to the ANY.RUN service! Error is {0}".format(exception.stacktrace)

General

Table

Table Name: Search Results

Table Columns:

Submission name (name)
Verdict
>Report URL (related)
Scan Date
md5
sha1
sha256

General