Detonate File From URL - ANYRUN

Detonates one or more remote files using the ANYRUN sandbox integration. Returns relevant reports to the War Room and file reputations to the context data. This type of analysis works only for direct download links.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

  • ANYRUN

Scripts

This playbook does not use any scripts.

Commands

  • anyrun-run-analysis
  • anyrun-get-report

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| URL | The URL of the web file to detonate. | None | URL | Optional |
| Interval | The duration for executing the polling (in minutes). | 1 | - | Optional |
| Timeout | The duration after which to stop polling and to resume the playbook (in minutes). | 15 | - | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| ANYRUN.Task.AnalysisDate | The date and time the analysis was executed. | String |
| ANYRUN.Task.Behavior.Category | The category of a process behavior. | String |
| ANYRUN.Task.Behavior.Action | The actions performed by a process. | String |
| ANYRUN.Task.Behavior.ThreatLevel | The threat score associated with a process behavior. | Number |
| ANYRUN.Task.Behavior.ProcessUUID | The unique ID of the process whose behaviors are being profiled. | String |
| ANYRUN.Task.Connection.Reputation | The connection reputation. | String |
| ANYRUN.Task.Connection.ProcessUUID | The ID of the process that created the connection. | String |
| ANYRUN.Task.Connection.ASN | The connection autonomous system network. | String |
| ANYRUN.Task.Connection.Country | The connection country. | String |
| ANYRUN.Task.Connection.Protocol | The connection protocol. | String |
| ANYRUN.Task.Connection.Port | The connection port number. | Number |
| ANYRUN.Task.Connection.IP | The connection IP address. | String |
| ANYRUN.Task.DnsRequest.Reputation | The reputation of the DNS request. | String |
| ANYRUN.Task.DnsRequest.IP | The IP addresses associated with a DNS request. | Unknown |
| ANYRUN.Task.DnsRequest.Domain | The domain resolution of a DNS request. | String |
| ANYRUN.Task.Threat.ProcessUUID | The unique process ID from where the threat originated. | String |
| ANYRUN.Task.Threat.Msg | The threat message. | String |
| ANYRUN.Task.Threat.Class | The class of the threat. | String |
| ANYRUN.Task.Threat.SrcPort | The port on which the threat originated. | Number |
| ANYRUN.Task.Threat.DstPort | The destination port of the threat. | Number |
| ANYRUN.Task.Threat.SrcIP | The source IP address where the threat originated. | String |
| ANYRUN.Task.Threat.DstIP | The destination IP address of the threat. | String |
| ANYRUN.Task.HttpRequest.Reputation | The reputation of the HTTP request. | String |
| ANYRUN.Task.HttpRequest.Country | The HTTP request country. | String |
| ANYRUN.Task.HttpRequest.ProcessUUID | The ID of the process making the HTTP request. | String |
| ANYRUN.Task.HttpRequest.Body | The HTTP request body parameters and details. | Unknown |
| ANYRUN.Task.HttpRequest.HttpCode | The HTTP request response code. | Number |
| ANYRUN.Task.HttpRequest.Status | The status of the HTTP request. | String |
| ANYRUN.Task.HttpRequest.ProxyDetected | Whether the HTTP request was made through a proxy. | Boolean |
| ANYRUN.Task.HttpRequest.Port | The HTTP request port. | Number |
| ANYRUN.Task.HttpRequest.IP | The HTTP request IP address. | String |
| ANYRUN.Task.HttpRequest.URL | The HTTP request URL. | String |
| ANYRUN.Task.HttpRequest.Host | The HTTP request host. | String |
| ANYRUN.Task.HttpRequest.Method | The HTTP request method type. | String |
| ANYRUN.Task.FileInfo | The details of the submitted file. | String |
| ANYRUN.Task.OS | The OS of the sandbox in which the file was analyzed. | String |
| ANYRUN.Task.ID | The unique ID of the task. | String |
| ANYRUN.Task.MIME | The MIME of the file submitted for analysis. | String |
| ANYRUN.Task.MD5 | The MD5 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SHA1 | The SHA1 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SHA256 | The SHA256 hash of the file submitted for analysis. | String |
| ANYRUN.Task.SSDeep | The SSDeep hash of the file submitted for analysis. | String |
| ANYRUN.Task.Verdict | The ANY.RUN verdict for the maliciousness of the submitted file or URL. | String |
| ANYRUN.Task.Process.FileName | The file name of the process. | String |
| ANYRUN.Task.Process.PID | The process identification number. | Number |
| ANYRUN.Task.Process.PPID | The parent process identification number. | Number |
| ANYRUN.Task.Process.ProcessUUID | The unique process ID (used by ANY.RUN). | String |
| ANYRUN.Task.Process.CMD | The process command. | String |
| ANYRUN.Task.Process.Path | The path of the executed command. | String |
| ANYRUN.Task.Process.User | The user who executed the command. | String |
| ANYRUN.Task.Process.IntegrityLevel | The process integrity level. | String |
| ANYRUN.Task.Process.ExitCode | The process exit code. | Number |
| ANYRUN.Task.Process.MainProcess | Whether the process is the main process. | Boolean |
| ANYRUN.Task.Process.Version.Company | The company responsible for the program executed. | String |
| ANYRUN.Task.Process.Version.Description | The description of the type of program. | String |
| ANYRUN.Task.Process.Version.Version | The version of the program executed. | String |
| DBotScore.Indicator | The indicator that was tested. | String |
| DBotScore.Score | The actual score. | Number |
| DBotScore.Type | The type of indicator. | String |
| DBotScore.Vendor | The vendor used to calculate the score. | String |
| File.Extension | The extension of the file submitted for analysis. | String |
| File.Name | The name of the file submitted for analysis. | String |
| File.MD5 | The MD5 hash of the file submitted for analysis. | String |
| File.SHA1 | The SHA1 hash of the file submitted for analysis. | String |
| File.SHA256 | The SHA256 hash of the file submitted for analysis. | String |
| File.SSDeep | The SSDeep hash of the file submitted for analysis. | String |
| File.Malicious.Vendor | The vendor that decided the file is malicious. | String |
| File.Malicious.Description | The reason the vendor decided the file is malicious. | String |
| ANYRUN.Task.Status | The task analysis status. | String |
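
The Behavior, Threat, Connection and HttpRequest outputs each carry a ProcessUUID, so they can be joined back to ANYRUN.Task.Process for triage. The following is an added example, not part of the playbook or the ANYRUN integration: `triage`, `as_list` and `SAMPLE_TASK` are hypothetical names, and the sample values are constructed.

```python
# Constructed sample shaped like the ANYRUN.Task.* paths above; all values are made up.
SAMPLE_TASK = {
    "ID": "constructed-task-id",
    "Process": [
        {"ProcessUUID": "p-1", "PID": 2040, "PPID": 1200,
         "FileName": "sample.exe", "MainProcess": True},
        {"ProcessUUID": "p-2", "PID": 3112, "PPID": 2040,
         "FileName": "child.exe", "MainProcess": False},
    ],
    "Behavior": [{"ProcessUUID": "p-2", "Action": "constructed action", "ThreatLevel": 2}],
    "Threat": {"ProcessUUID": "p-2", "Msg": "constructed message", "DstIP": "192.0.2.10"},
    "Connection": [
        {"ProcessUUID": "p-2", "IP": "192.0.2.10", "Port": 443},
        {"ProcessUUID": "p-9", "IP": "198.51.100.7", "Port": 80},  # no matching process
    ],
    "HttpRequest": [{"ProcessUUID": "p-1", "URL": "http://example.test/a", "Method": "GET"}],
}

KINDS = ("Behavior", "Threat", "Connection", "HttpRequest")


def as_list(value):
    """Normalise a context value that may be absent, one object, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def triage(task):
    """Group events under their process by ProcessUUID and rank the processes."""
    procs = {p["ProcessUUID"]: {"proc": p, **{k: [] for k in KINDS}}
             for p in as_list(task.get("Process"))}
    orphans = []  # events whose ProcessUUID matches no listed process
    for kind in KINDS:
        for item in as_list(task.get(kind)):
            entry = procs.get(item.get("ProcessUUID"))
            if entry is None:
                orphans.append((kind, item))
            else:
                entry[kind].append(item)
    rows = [{
        "ProcessUUID": uuid,
        "FileName": e["proc"].get("FileName"),
        "Threats": len(e["Threat"]),
        "MaxThreatLevel": max((b.get("ThreatLevel", 0) for b in e["Behavior"]), default=0),
        "RemoteIPs": sorted({c["IP"] for c in e["Connection"] if c.get("IP")}),
    } for uuid, e in procs.items()]
    rows.sort(key=lambda r: (r["Threats"], r["MaxThreatLevel"]), reverse=True)
    return rows, orphans
```

Events returned in `orphans` reference a ProcessUUID with no process entry and are worth reviewing separately rather than dropping.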

Playbook Image


Detonate_File_From_URL_ANYRUN