ANY.RUN
ANY.RUN is a cloud-based sandbox with interactive access.
Use Cases
- Submit a file, remote file, or URL to ANY.RUN for analysis.
- Retrieve report details for a given analysis task ID.
- View history of analysis tasks.
Configure ANYRUN on Demisto
- Navigate to Settings > Integrations > Servers & Services .
- Search for ANYRUN.
-
Click
Add instance
to create and configure a new integration instance.
- Name : a textual name for the integration instance.
- Server URL
- Username
- Trust any certificate (not secure)
- Use system proxy
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.
1. Get analysis history
Gets the analysis history.
Base Command
anyrun-get-history
Input
Argument Name | Description | Required |
---|---|---|
team | If true, gets team history. If empty, gets your submitted analyses history. | Optional |
skip | The number of analyses to skip. | Optional |
limit | Limits the history retrieved/searched to the specified number of executed analyses. The range is 1-100. | Optional |
filter | File name, hash, or task ID by which to filter the task history. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ANYRUN.Task.Name | String | Task name. |
ANYRUN.Task.Verdict | String | ANY.RUN verdict for the submitted file’s status. |
ANYRUN.Task.Related | String | ANY.RUN link to a related file. |
ANYRUN.Task.File | String | ANY.RUN link to download the submitted file. |
ANYRUN.Task.Date | Date | The date that the file was submitted for analysis. |
ANYRUN.Task.Hash.MD5 | String | MD5 hash of the submitted file. |
ANYRUN.Task.Hash.SHA1 | String | SHA1 hash of the submitted file. |
ANYRUN.Task.Hash.SHA256 | String | SHA256 hash of the submitted file. |
ANYRUN.Task.Hash.HeadHash | String | Head hash of the submitted file. |
ANYRUN.Task.Hash.SSDeep | String | SSDeep hash of the submitted file. |
Command Example
anyrun-get-history skip=0 team=false filter=scribbles2.txt.zip
Context Example
{ "ANYRUN.Task": [ { "Hash": { "HeadHash": "e61fcc6a06420106fa6642ef833b9c38", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "Name": "scribbles2.txt.zip", "Related": "[https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9](https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9)", "Verdict": "No threats detected", "File": "https://content.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9/download/files/afca4a63-9fe0-461c-8e73-c8fd784cf90e", "Date": "2019-04-24T07:13:06.087Z", "ID": "892455a2-8c96-45fb-9f2a-18ca4ef184f9" }, { "Hash": { "HeadHash": "e61fcc6a06420106fa6642ef833b9c38", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "Name": "scribbles2.txt.zip", "Related": "[https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef](https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef)", "Verdict": "No threats detected", "File": "https://content.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef/download/files/227a7bd4-5baa-477b-b319-58d7619b79ef", "Date": "2019-04-24T07:02:38.747Z", "ID": "fe7c63ef-2b7f-4e70-b50c-996ae34b28ef" }, { "Hash": { "HeadHash": "e61fcc6a06420106fa6642ef833b9c38", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "Name": "scribbles2.txt.zip", "Related": "[https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d](https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d)", "Verdict": "No threats detected", "File": "https://content.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d/download/files/0c5c1527-b50b-483e-84e1-7b4b8f82d26b", "Date": "2019-04-23T13:46:47.372Z", "ID": "81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d" }, { "Hash": { "HeadHash": "e61fcc6a06420106fa6642ef833b9c38", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "Name": "scribbles2.txt.zip", "Related": "[https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329](https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329)", "Verdict": "No threats detected", "File": "https://content.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329/download/files/69dcf7f0-69c2-432e-8d30-3e2f630e0aae", "Date": "2019-04-23T08:11:17.460Z", "ID": "07d4d230-9638-4f04-a226-c7b18a81c329" }, { "Hash": { "HeadHash": "e61fcc6a06420106fa6642ef833b9c38", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "Name": "scribbles2.txt.zip", "Related": "[https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d](https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d)", "Verdict": "No threats detected", "File": "https://content.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d/download/files/a006642b-956b-4a9d-a72c-0affdd2dd6c8", "Date": "2019-04-22T12:16:13.302Z", "ID": "411fe6a6-ca36-4322-8f1d-f5ec67c6346d" } ] }
Human Readable Output
Task History - Filtered By “scribbles2.txt.zip”
Name | ID | File | Hash | Verdict | Related | Date |
---|---|---|---|---|---|---|
scribbles2.txt.zip | 892455a2-8c96-45fb-9f2a-18ca4ef184f9 | https://content.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9/download/files/afca4a63-9fe0-461c-8e73-c8fd784cf90e |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/892455a2-8c96-45fb-9f2a-18ca4ef184f9 | 2019-04-24T07:13:06.087Z |
scribbles2.txt.zip | fe7c63ef-2b7f-4e70-b50c-996ae34b28ef | https://content.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef/download/files/227a7bd4-5baa-477b-b319-58d7619b79ef |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/fe7c63ef-2b7f-4e70-b50c-996ae34b28ef | 2019-04-24T07:02:38.747Z |
scribbles2.txt.zip | 81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d | https://content.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d/download/files/0c5c1527-b50b-483e-84e1-7b4b8f82d26b |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/81bb80cd-3bcf-41b3-aac5-c3e35a39ba0d | 2019-04-23T13:46:47.372Z |
scribbles2.txt.zip | 07d4d230-9638-4f04-a226-c7b18a81c329 | https://content.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329/download/files/69dcf7f0-69c2-432e-8d30-3e2f630e0aae |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/07d4d230-9638-4f04-a226-c7b18a81c329 | 2019-04-23T08:11:17.460Z |
scribbles2.txt.zip | 411fe6a6-ca36-4322-8f1d-f5ec67c6346d | https://content.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d/download/files/a006642b-956b-4a9d-a72c-0affdd2dd6c8 |
MD5: e61fcc6a06420106fa6642ef833b9c38
SHA1: 475d7efc7983357e51ea780e350b0efe6a5ba2e2 SHA256: 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 HeadHash: e61fcc6a06420106fa6642ef833b9c38 SSDeep: 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
No threats detected | https://app.any.run/tasks/411fe6a6-ca36-4322-8f1d-f5ec67c6346d | 2019-04-22T12:16:13.302Z |
2. Get a task report for a submission
Gets the report of a task created for a submitted file or URL.
Base Command
anyrun-get-report
Input
Argument Name | Description | Required |
---|---|---|
task |
Unique task ID. A task ID is returned when submitting a file or URL for analysis using the
anyrun-run-analysis
command. Task IDs can also be located in the
ID
field of the output of executing the
anyrun-get-history
command.
|
Required |
Context Output
Path | Type | Description |
---|---|---|
ANYRUN.Task.AnalysisDate | String | Date and time the analysis was executed. |
ANYRUN.Task.Behavior.Category | String | Category of a process behavior. |
ANYRUN.Task.Behavior.Action | String | Actions performed by a process. |
ANYRUN.Task.Behavior.ThreatLevel | Number | Threat score associated with a process behavior. |
ANYRUN.Task.Behavior.ProcessUUID | String | Unique ID of the process whose behaviors are being profiled. |
ANYRUN.Task.Connection.Reputation | String | Connection reputation. |
ANYRUN.Task.Connection.ProcessUUID | String | ID of the process that created the connection. |
ANYRUN.Task.Connection.ASN | String | Connection autonomous system network. |
ANYRUN.Task.Connection.Country | String | Connection country. |
ANYRUN.Task.Connection.Protocol | String | Connection protocol. |
ANYRUN.Task.Connection.Port | Number | Connection port number. |
ANYRUN.Task.Connection.IP | String | Connection IP number. |
ANYRUN.Task.DnsRequest.Reputation | String | Reputation of the DNS request. |
ANYRUN.Task.DnsRequest.IP | Unknown | IP addresses associated with a DNS request. |
ANYRUN.Task.DnsRequest.Domain | String | Domain resolution of a DNS request. |
ANYRUN.Task.Threat.ProcessUUID | String | Unique process ID from where the threat originated. |
ANYRUN.Task.Threat.Msg | String | Threat message. |
ANYRUN.Task.Threat.Class | String | Class of the threat. |
ANYRUN.Task.Threat.SrcPort | Number | Port on which the threat originated. |
ANYRUN.Task.Threat.DstPort | Number | Destination port of the threat. |
ANYRUN.Task.Threat.SrcIP | String | Source IP address where the threat originated. |
ANYRUN.Task.Threat.DstIP | String | Destination IP address of the threat. |
ANYRUN.Task.HttpRequest.Reputation | String | Reputation of the HTTP request. |
ANYRUN.Task.HttpRequest.Country | String | HTTP request country. |
ANYRUN.Task.HttpRequest.ProcessUUID | String | ID of the process making the HTTP request. |
ANYRUN.Task.HttpRequest.Body | Unknown | HTTP request body parameters and details. |
ANYRUN.Task.HttpRequest.HttpCode | Number | HTTP request response code. |
ANYRUN.Task.HttpRequest.Status | String | Status of the HTTP request. |
ANYRUN.Task.HttpRequest.ProxyDetected | Boolean | Whether the HTTP request was made through a proxy. |
ANYRUN.Task.HttpRequest.Port | Number | HTTP request port. |
ANYRUN.Task.HttpRequest.IP | String | HTTP request IP address. |
ANYRUN.Task.HttpRequest.URL | String | HTTP request URL. |
ANYRUN.Task.HttpRequest.Host | String | HTTP request host. |
ANYRUN.Task.HttpRequest.Method | String | HTTP request method type. |
ANYRUN.Task.FileInfo | String | Details of the submitted file. |
ANYRUN.Task.OS | String | OS of the sandbox in which the file was analyzed. |
ANYRUN.Task.ID | String | The unique ID of the task. |
ANYRUN.Task.MIME | String | The MIME of the file submitted for analysis. |
ANYRUN.Task.MD5 | String | The MD5 hash of the file submitted for analysis. |
ANYRUN.Task.SHA1 | String | The SHA1 hash of the file submitted for analysis. |
ANYRUN.Task.SHA256 | String | The SHA256 hash of the file submitted for analysis. |
ANYRUN.Task.SSDeep | String | SSDeep hash of the file submitted for analysis. |
ANYRUN.Task.Verdict | String | ANY.RUN verdict for the maliciousness of the submitted file or URL. |
ANYRUN.Task.Process.FileName | String | File name of the process. |
ANYRUN.Task.Process.PID | Number | Process identification number. |
ANYRUN.Task.Process.PPID | Number | Parent process identification number. |
ANYRUN.Task.Process.ProcessUUID | String | Unique process ID (used by ANY.RUN). |
ANYRUN.Task.Process.CMD | String | Process command. |
ANYRUN.Task.Process.Path | String | Path of the executed command. |
ANYRUN.Task.Process.User | String | User who executed the command. |
ANYRUN.Task.Process.IntegrityLevel | String | The process integrity level. |
ANYRUN.Task.Process.ExitCode | Number | Process exit code. |
ANYRUN.Task.Process.MainProcess | Boolean | Whether the process is the main process. |
ANYRUN.Task.Process.Version.Company | String | Company responsible for the program executed. |
ANYRUN.Task.Process.Version.Description | String | Description of the type of program. |
ANYRUN.Task.Process.Version.Version | String | Version of the program executed. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Score | Number | The actual score. |
DBotScore.Type | String | Type of indicator. |
DBotScore.Vendor | String | Vendor used to calculate the score. |
File.Extension | String | Extension of the file submitted for analysis. |
File.Name | String | The name of the file submitted for analysis. |
File.MD5 | String | MD5 hash of the file submitted for analysis. |
File.SHA1 | String | SHA1 hash of the file submitted for analysis. |
File.SHA256 | String | SHA256 hash of the file submitted for analysis. |
File.SSDeep | String | SSDeep hash of the file submitted for analysis. |
File.Malicious.Vendor | String | For malicious files, the vendor that made the decision. |
File.Malicious.Description | String | For malicious files, the reason that the vendor made the decision. |
URL.Data | String | URL data. |
URL.Malicious.Vendor | String | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | String | For malicious URLs, the reason that the vendor made the decision. |
ANYRUN.Task.Status | String | Task analysis status. |
Command Example
anyrun-get-report task=fe7c63ef-2b7f-4e70-b50c-996ae34b28ef
Context Example
{ "ANYRUN.Task": { "HttpRequest": [], "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "Status": "done", "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "Threat": [], "Process": [ { "CMD": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"C:\\Users\\admin\\AppData\\Local\\Temp\\scribbles2.txt.zip\"", "IntegrityLevel": "MEDIUM", "PID": 916, "MainProcess": true, "FileName": "WinRAR.exe", "Version": { "Company": "Alexander Roshal", "Version": "5.60.0", "Description": "WinRAR archiver" }, "ProcessUUID": "8834c75a-ceba-4ae3-83e6-87b8b460ff82", "User": "admin", "Path": "C:\\Program Files\\WinRAR\\WinRAR.exe", "PPID": 2044, "ExitCode": null } ], "ID": "fe7c63ef-2b7f-4e70-b50c-996ae34b28ef", "Connection": [], "MIME": "application/zip", "Behavior": [], "Verdict": "No threats detected", "FileInfo": "Zip archive data, at least v2.0 to extract", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "OS": "Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)", "DnsRequest": [], "AnalysisDate": "2019-04-24T07:02:38.747Z", "MD5": "e61fcc6a06420106fa6642ef833b9c38" }, "DBotScore": { "Vendor": "ANYRUN", "Indicator": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "Score": 1, "Type": "hash" }, "File": { "SHA1": "475d7efc7983357e51ea780e350b0efe6a5ba2e2", "Name": "scribbles2.txt.zip", "Extension": "zip", "SSDeep": "24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9", "SHA256": "1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1", "MD5": "e61fcc6a06420106fa6642ef833b9c38" } }
Human Readable Output
Report for Task fe7c63ef-2b7f-4e70-b50c-996ae34b28ef
OS | AnalysisDate | Verdict | MIME | FileInfo | Process | Status | MD5 | SHA1 | SHA256 | SSDeep |
---|---|---|---|---|---|---|---|---|---|---|
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) | 2019-04-24T07:02:38.747Z | No threats detected | application/zip | Zip archive data, at least v2.0 to extract | FileName: WinRAR.exe, PID: 916, PPID: 2044, ProcessUUID: 8834c75a-ceba-4ae3-83e6-87b8b460ff82, CMD: \C:\Program Files\WinRAR\WinRAR.exe\ \C:\Users\admin\AppData\Local\Temp\scribbles2.txt.zip, Path: C:\Program Files\WinRAR\WinRAR.exe, User: admin, IntegrityLevel: MEDIUM, ExitCode: null, MainProcess: true, Version: {Company: Alexander Roshal, Description: WinRAR archiver, Version: 5.60.0 | done | e61fcc6a06420106fa6642ef833b9c38 | 475d7efc7983357e51ea780e350b0efe6a5ba2e2 | 1832caedd2f87b3c2d5c7dcc5c5f844a1479d3a7868570241656b1516607dbb1 | 24:9YQxEcNJQGgrtSuJDWDRzvu4H2ANvg0JvWH2Rb:9xNJKrtSuxOT9 |
3. Submit a file or URL for analysis
Submits a file or URL for analysis.
Base Command
anyrun-run-analysis
Input
Argument Name | Description | Required |
---|---|---|
obj_type | Type of new task. | Optional |
file | EntryID of the file to analyze. | Optional |
obj_url | URL, used only if ‘obj_type’ command argument is ‘url’ or ‘download’. Permitted size is 5-512 characters long. | Optional |
env_bitness | Bitness of OS. | Optional |
env_version | Version of Windows OS. | Optional |
env_type | Environment preset type. | Optional |
opt_network_connect | Network connection state. | Optional |
opt_kernel_heavyevasion | Heavy evasion option. | Optional |
opt_privacy_type | Privacy settings for generated task. | Optional |
Context Output
Path | Type | Description |
---|---|---|
ANYRUN.Task.ID | String | ID of the task created to analyze the submission. |
Command Example
anyrun-run-analysis obj_type=file file=693@66884384-c643-4343-8cf7-26f59e62a88e env_bitness=64
Context Example
{ "ANYRUN.Task": { "ID": "e04b401f-9396-4183-ad00-b6ed34c023e3" } }
Human Readable Output
Submission Successful
Task |
---|
e04b401f-9396-4183-ad00-b6ed34c023e3 |