
ANY.RUN TI Lookup

This Integration is part of the ANY.RUN Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Use Cases#

Perform deep searches, look up threats online, and enrich your security solutions.

Generate API token#

  • Follow ANY.RUN Sandbox
  • [1] Profile > [2] API and Limits > [3] Generate > [4] Copy

(Screenshot: ANY.RUN Generate API KEY)

Configure ANY.RUN Lookup in Cortex#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for ANY.RUN.
  3. Click Add instance to create and configure a new integration instance.
  4. Insert the ANY.RUN API-KEY into the Password parameter.
  5. Click Test to validate the URLs, token, and connection.

| Parameter | Description | Required |
| --- | --- | --- |
| Password | ANY.RUN API-KEY without prefix | True |
| Server's FQDN | Go to Settings & Info → Settings → Integrations → API Keys. Click Copy API URL. Your FQDN is saved in the clipboard. Enter it without the http/https protocol | True |
| XSOAR API-KEY ID | In the API Keys table, locate the ID field. Note your corresponding ID number | True |
| XSOAR API-KEY | XSOAR API-KEY | True |

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

anyrun-get-intelligence#

Perform a threat intelligence lookup using the specified IOC.

Base Command#

anyrun-get-intelligence

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lookup_depth | Specify the number of days back from the current date that the lookup should cover. | Optional |
| query | Raw query with the necessary filters. Supports condition concatenation with AND, OR, NOT and parentheses (). | Optional |
| threat_name | The name of a particular threat: malware family, threat type, etc., as identified by the sandbox. Example: "Phishing". | Optional |
| threat_level | A verdict on the threat level of the sample. Possible values are: suspicious, malicious, info. | Optional |
| task_type | The type of the sample submitted to the sandbox. Possible values are: File, URL. | Optional |
| submission_country | The country from which the threat sample was submitted. Example: "es". | Optional |
| os | The specific version of Windows used in the environment. Possible values are: Windows 7, Windows 8, Windows 11. | Optional |
| os_software_set | The software package of applications installed on the OS. Possible values are: clean, office, complete. | Optional |
| os_bit_version | The bitness of the operating system. Possible values are: 32, 64. | Optional |
| registry_key | The specific key within the registry hive where the modification occurred. Please note: when entering registry keys, use a double backslash (\\) to escape each single backslash. Example: "Windows\\CurrentVersion\\RunOnce". | Optional |
| registry_name | The name of the Windows Registry key field. Example: "browseinplace". | Optional |
| registry_value | The value of the Windows Registry key. Example: "Internet Explorer\iexplore.exe". | Optional |
| module_image_path | The full path to the module's image file, i.e. the location on disk where the module's executable is stored. Example: "SysWOW64\cryptbase.dll". | Optional |
| rule_threat_level | The threat level assigned to a particular event. Possible values are: suspicious, malicious, info. | Optional |
| rule_name | The name of the detection rule. Example: "Executable content was dropped or overwritten". | Optional |
| mitre | Techniques used by the malware according to the MITRE ATT&CK classification. Example: "T1071". | Optional |
| image_path | Full path to the process image. Example: "System32\conhost.exe". | Optional |
| command_line | Full command line that initiated the process. Example: "PDQConnectAgent\pdq-connect-agent.exe –service". | Optional |
| injected_flag | Indication of whether a process has been injected. Possible values are: true, false. | Optional |
| destination_ip | The IP address of the network connection that was established or attempted. | Optional |
| destination_port | The network port through which the connection was established. Example: "49760". | Optional |
| destination_ip_asn | Detected ASN. Example: "akamai-as". | Optional |
| destination_ip_geo | Two-letter country or region code of the detected IP geolocation. Example: "ae". | Optional |
| domain_name | The domain name that was recorded during the threat execution in a sandbox. Example: "tventyvd20sb.top". | Optional |
| ja3 | JA3 fingerprint of the TLS client hello. TLS fingerprints of this kind can indicate certain threats. | Optional |
| ja3s | JA3S fingerprint of the TLS server hello. TLS fingerprints of this kind can indicate certain threats. | Optional |
| jarm | JARM fingerprint of the TLS server. TLS fingerprints of this kind can indicate certain threats. | Optional |
| file_path | The full path to the file on the system. | Optional |
| file_event_path | The path of a file associated with a file event. | Optional |
| file_extension | The extension that indicates the file type. | Optional |
| sha256 | SHA256 hash of a file. | Optional |
| sha1 | SHA1 hash of a file. | Optional |
| md5 | MD5 hash of a file. | Optional |
| suricata_class | The category assigned to the threat by Suricata based on its characteristics. Example: "a network trojan was detected". | Optional |
| suricata_message | The description of the threat according to Suricata. Example: "ET INFO 404/Snake/Matiex Keylogger Style External IP Check". | Optional |
| suricata_threat_level | The verdict on the threat according to Suricata based on its potential impact. Possible values are: suspicious, malicious, info. | Optional |
| suricata_id | The unique identifier (SID) of the Suricata rule. Example: "2044767". | Optional |
| sync_object_name | The name or identifier of the synchronization object used. Example: "rmc". | Optional |
| sync_object_type | The type of synchronization object used. Example: "mutex". | Optional |
| sync_object_operation | The operation performed on the synchronization object. Example: "create". | Optional |
| url | The URL called by the process. | Optional |
| http_request_content_type | The content type of the HTTP request sent to the server. Example: "application/json". | Optional |
| http_response_content_type | The content type of the HTTP response received from the server. Example: "text/html". | Optional |
| http_request_file_type | The file type of the file being uploaded in the HTTP request. Example: "binary". | Optional |
| http_response_file_type | The file type of the file being downloaded in the HTTP response. Example: "binary". | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ANYRUN.Lookup.destinationPort | Unknown | Destination port numbers. |
| ANYRUN.Lookup.destinationIPgeo | Unknown | Destination IP geo (countries). |
| ANYRUN.Lookup.destinationIpAsn.asn | String | Destination IP ASN (autonomous system number). |
| ANYRUN.Lookup.destinationIpAsn.date | Date | Destination IP ASN date. |
| ANYRUN.Lookup.relatedTasks | String | Links to related tasks in the ANY.RUN sandbox. |
| ANYRUN.Lookup.threatName | String | Threat names. |
| ANYRUN.Lookup.relatedIncidents.task | String | Link to the task in the ANY.RUN sandbox. |
| ANYRUN.Lookup.relatedIncidents.time | Date | Creation time. |
| ANYRUN.Lookup.relatedIncidents.MITRE | Unknown | Array of MITRE matrix technique IDs and sub-technique IDs. |
| ANYRUN.Lookup.relatedIncidents.event.destinationPort | String | Destination port numbers. |
| ANYRUN.Lookup.relatedIncidents.event.destinationIP | String | Destination IP address. |
| ANYRUN.Lookup.relatedIncidents.process.commandLine | String | Command line string. |
| ANYRUN.Lookup.relatedIncidents.process.imagePath | String | Image path string. |
| ANYRUN.Lookup.relatedIncidents.process.threatName | String | Threat names. |
| ANYRUN.Lookup.relatedIncidents.process.MITRE | Unknown | Array of MITRE matrix technique IDs and sub-technique IDs. |
| ANYRUN.Lookup.relatedIncidents.process.pid | Number | Process ID. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.known_threat | Boolean | Indicates if it is a known threat. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.network_loader | Boolean | Indicates if a network download was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.network | Boolean | Indicates if network activity was enabled. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.uac_request | Boolean | Indicates if a User Account Control (UAC) request was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.injects | Boolean | Indicates if the threat uses injections. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.service_luncher | Boolean | Indicates if a new service registration was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.executable_dropped | Boolean | Indicates if the threat uses dropped executables. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.multiprocessing | Boolean | Indicates if the threat uses multiprocessing. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.crashed_apps | Boolean | Indicates if the application crashed. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.debug_output | Boolean | Indicates if the application has debug output messages. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.stealing | Boolean | Indicates if the process steals info from the infected machine. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.exploitable | Boolean | Indicates if any known exploit was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.static_detections | Boolean | Indicates if any malicious pattern was detected by the static analysis engine. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.susp_struct | Boolean | Indicates if a suspicious structure was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.autostart | Boolean | Indicates if the application was added to autostart. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.low_access | Boolean | Indicates if the threat uses low-level access. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.tor | Boolean | Indicates if TOR was used. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.spam | Boolean | Indicates if spam was detected. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.malware_config | Boolean | Indicates if a malware config was extracted from the submitted file. |
| ANYRUN.Lookup.relatedIncidents.process.scores.specs.process_dump | Boolean | Indicates if the process memory dump can be extracted. |
| ANYRUN.Lookup.relatedIncidents.process.eventsCounters.raw.registry | Number | Number of registry events. |
| ANYRUN.Lookup.relatedIncidents.process.eventsCounters.raw.files | Number | Number of files. |
| ANYRUN.Lookup.relatedIncidents.process.eventsCounters.raw.modules | Number | Number of modules. |
| ANYRUN.Lookup.relatedIncidents.process.eventsCounters.raw.objects | Number | Number of objects. |
| ANYRUN.Lookup.relatedIncidents.process.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.relatedIncidents.event.destinationIpAsn | String | Destination IP ASN (autonomous system number). |
| ANYRUN.Lookup.relatedIncidents.event.title | String | Title of the event type. |
| ANYRUN.Lookup.relatedIncidents.event.url | String | URL. |
| ANYRUN.Lookup.relatedIncidents.event.domainName | String | Domain name. |
| ANYRUN.Lookup.relatedIncidents.event.ruleThreatLevel | String | Rule threat level. |
| ANYRUN.Lookup.destinationIP.destinationIP | String | Destination IP address. |
| ANYRUN.Lookup.destinationIP.date | Date | Creation date. |
| ANYRUN.Lookup.destinationIP.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.destinationIP.threatName | Unknown | Threat names. |
| ANYRUN.Lookup.destinationIP.isMalconf | Boolean | Indicates if the IOC was extracted from a malware configuration. |
| ANYRUN.Lookup.relatedFiles.task | String | Link to the task in the ANY.RUN sandbox. |
| ANYRUN.Lookup.relatedFiles.fileLink | String | Link to the HTTP response files. |
| ANYRUN.Lookup.relatedFiles.time | Date | Creation date. |
| ANYRUN.Lookup.relatedFiles.process.commandLine | String | Command line string. |
| ANYRUN.Lookup.relatedFiles.process.imagePath | String | Image path string. |
| ANYRUN.Lookup.relatedFiles.process.MITRE | String | Array of MITRE matrix technique IDs and sub-technique IDs. |
| ANYRUN.Lookup.relatedFiles.process.pid | Number | Process ID. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.known_threat | Boolean | Indicates if it is a known threat. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.network_loader | Boolean | Indicates if a network download was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.network | Boolean | Indicates if network activity was enabled. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.uac_request | Boolean | Indicates if a User Account Control (UAC) request was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.injects | Boolean | Indicates if the threat uses injections. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.service_luncher | Boolean | Indicates if a new service registration was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.executable_dropped | Boolean | Indicates if the threat uses dropped executables. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.multiprocessing | Boolean | Indicates if the threat uses multiprocessing. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.crashed_apps | Boolean | Indicates if the application crashed. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.debug_output | Boolean | Indicates if the application has debug output messages. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.stealing | Boolean | Indicates if the process steals info from the infected machine. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.exploitable | Boolean | Indicates if any known exploit was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.static_detections | Boolean | Indicates if any malicious pattern was detected by the static analysis engine. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.susp_struct | Boolean | Indicates if a suspicious structure was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.autostart | Boolean | Indicates if the application was added to autostart. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.low_access | Boolean | Indicates if the threat uses low-level access. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.tor | Boolean | Indicates if TOR was used. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.spam | Boolean | Indicates if spam was detected. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.malware_config | Boolean | Indicates if a malware config was extracted from the submitted file. |
| ANYRUN.Lookup.relatedFiles.process.eventsCounters.raw.registry | Number | Number of registry events. |
| ANYRUN.Lookup.relatedFiles.process.eventsCounters.raw.files | Number | Number of files. |
| ANYRUN.Lookup.relatedFiles.process.eventsCounters.raw.modules | Number | Number of modules. |
| ANYRUN.Lookup.relatedFiles.process.eventsCounters.raw.objects | Number | Number of objects. |
| ANYRUN.Lookup.relatedFiles.process.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.relatedFiles.hashes.md5 | String | MD5 hash string. |
| ANYRUN.Lookup.relatedFiles.hashes.sha1 | String | SHA1 hash string. |
| ANYRUN.Lookup.relatedFiles.hashes.sha256 | String | SHA256 hash string. |
| ANYRUN.Lookup.relatedFiles.hashes.ssdeep | String | ssdeep hash string. |
| ANYRUN.Lookup.relatedFiles.process.threatName | String | Threat name. |
| ANYRUN.Lookup.relatedFiles.process.scores.specs.process_dump | Boolean | Indicates if the process memory dump can be extracted. |
| ANYRUN.Lookup.relatedDNS.domainName | String | Domain name. |
| ANYRUN.Lookup.relatedDNS.threatName | Unknown | Threat name. |
| ANYRUN.Lookup.relatedDNS.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.relatedDNS.date | Date | Creation date. |
| ANYRUN.Lookup.relatedDNS.isMalconf | Boolean | Indicates if the IOC was extracted from a malware configuration. |
| ANYRUN.Lookup.relatedURLs.url | String | URL. |
| ANYRUN.Lookup.relatedURLs.date | Date | Creation date. |
| ANYRUN.Lookup.relatedURLs.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.relatedURLs.threatName | Unknown | Threat names. |
| ANYRUN.Lookup.relatedURLs.isMalconf | Boolean | Indicates if the IOC was extracted from a malware configuration. |
| ANYRUN.Lookup.sourceTasks.uuid | String | Task UUID. |
| ANYRUN.Lookup.sourceTasks.related | String | Link to the task in the ANY.RUN sandbox. |
| ANYRUN.Lookup.sourceTasks.date | Date | Task creation time. |
| ANYRUN.Lookup.sourceTasks.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.sourceTasks.tags | Unknown | Tags. |
| ANYRUN.Lookup.sourceTasks.mainObject.type | String | Type. |
| ANYRUN.Lookup.sourceTasks.mainObject.name | String | Name. |
| ANYRUN.Lookup.sourceTasks.mainObject.hashes.md5 | String | MD5 hash string. |
| ANYRUN.Lookup.sourceTasks.mainObject.hashes.sha1 | String | SHA1 hash string. |
| ANYRUN.Lookup.sourceTasks.mainObject.hashes.sha256 | String | SHA256 hash string. |
| ANYRUN.Lookup.sourceTasks.mainObject.hashes.ssdeep | String | ssdeep hash string. |
| ANYRUN.Lookup.relatedSynchronizationObjects.syncObjectTime | Date | Time. |
| ANYRUN.Lookup.relatedSynchronizationObjects.syncObjectType | String | Type. |
| ANYRUN.Lookup.relatedSynchronizationObjects.syncObjectOperation | String | Operation. |
| ANYRUN.Lookup.relatedSynchronizationObjects.syncObjectName | String | Name. |
| ANYRUN.Lookup.relatedSynchronizationObjects.task | String | Task link. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.commandLine | String | Command line string. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.imagePath | String | Image path string. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.MITRE | Unknown | Array of MITRE matrix technique IDs and sub-technique IDs. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.pid | Number | Process ID. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.known_threat | Boolean | Indicates if it is a known threat. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.network_loader | Boolean | Indicates if a network download was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.network | Boolean | Indicates if network activity was enabled. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.uac_request | Boolean | Indicates if a User Account Control (UAC) request was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.injects | Boolean | Indicates if the threat uses injections. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.service_luncher | Boolean | Indicates if a new service registration was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.executable_dropped | Boolean | Indicates if the threat uses dropped executables. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.multiprocessing | Boolean | Indicates if the threat uses multiprocessing. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.crashed_apps | Boolean | Indicates if the application crashed. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.debug_output | Boolean | Indicates if the application has debug output messages. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.stealing | Boolean | Indicates if the process steals info from the infected machine. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.exploitable | Boolean | Indicates if any known exploit was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.static_detections | Boolean | Indicates if any malicious pattern was detected by the static analysis engine. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.susp_struct | Boolean | Indicates if a suspicious structure was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.autostart | Boolean | Indicates if the application was added to autostart. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.low_access | Boolean | Indicates if the threat uses low-level access. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.tor | Boolean | Indicates if TOR was used. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.spam | Boolean | Indicates if spam was detected. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.malware_config | Boolean | Indicates if a malware config was extracted from the submitted file. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.eventsCounters.raw.registry | Number | Number of registry events. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.eventsCounters.raw.files | Number | Number of files. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.eventsCounters.raw.modules | Number | Number of modules. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.eventsCounters.raw.objects | Number | Number of objects. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.threatName | String | Threat name. |
| ANYRUN.Lookup.relatedSynchronizationObjects.process.scores.specs.process_dump | Boolean | Indicates if the process memory dump can be extracted. |
| ANYRUN.Lookup.relatedNetworkThreats.suricataClass | String | Suricata class. |
| ANYRUN.Lookup.relatedNetworkThreats.imagePath | String | Image path. |
| ANYRUN.Lookup.relatedNetworkThreats.suricataID | String | Suricata rule SID. |
| ANYRUN.Lookup.relatedNetworkThreats.suricataMessage | String | Suricata message. |
| ANYRUN.Lookup.relatedNetworkThreats.tags | Unknown | Tags. |
| ANYRUN.Lookup.relatedNetworkThreats.MITRE | Unknown | Array of MITRE matrix technique IDs and sub-technique IDs. |
| ANYRUN.Lookup.relatedNetworkThreats.suricataThreatLevel | String | Suricata threat level. |
| ANYRUN.Lookup.relatedNetworkThreats.task | String | Task link. |
| ANYRUN.Lookup.summary.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.summary.lastSeen | Date | Last seen date. |
| ANYRUN.Lookup.summary.detectedType | String | Detected type. |
| ANYRUN.Lookup.summary.isTrial | Boolean | Indicates if this was a trial request. |
| ANYRUN.Lookup.summary.tags | String | Tags. |
| ANYRUN.Lookup.summary.details.type | String | IOC type. |
| ANYRUN.Lookup.summary.details.threatLevel | Number | Threat level. |
| ANYRUN.Lookup.summary.details.lastSeen | Date | Last seen date. |
| ANYRUN.Lookup.summary.details.count | Number | Count of IOCs/objects by threat level. |
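As an added example (not code from the ANY.RUN pack or the XSOAR integration), a small Python automation that applies the registry_key escaping rule from the Input table and post-processes the ANYRUN.Lookup context paths listed above: it pulls out IOCs that came from a malware configuration (isMalconf), unions the MITRE IDs across the related incident, process and network-threat entries, and takes the highest threat level seen. The sample context, the task URL and the SID are constructed placeholders; the numeric meaning of threatLevel is not assumed.

```python
"""Triage helpers over the ANYRUN.Lookup context written by anyrun-get-intelligence."""
from typing import Any

# Constructed sample shaped like the documented ANYRUN.Lookup paths; all values are made up.
# destinationIP is a single dict on purpose: XSOAR stores one item as a dict, several as a list.
SAMPLE_LOOKUP: dict[str, Any] = {
    "summary": {"threatLevel": 2, "detectedType": "ip", "tags": ["trojan"]},
    "destinationIP": {"destinationIP": "203.0.113.10", "threatLevel": 2,
                      "threatName": ["ExampleRAT"], "isMalconf": True},
    "relatedDNS": [{"domainName": "example.invalid", "threatLevel": 1,
                    "threatName": ["ExampleRAT"], "isMalconf": False}],
    "relatedURLs": [{"url": "http://example.invalid/cfg", "threatLevel": 2,
                     "threatName": ["ExampleRAT"], "isMalconf": True}],
    "relatedIncidents": [{"task": "https://app.any.run/tasks/<task-uuid>",
                          "MITRE": ["T1071", "T1055"],
                          "process": {"MITRE": ["T1071", "T1547.001"],
                                      "threatLevel": 2}}],
    "relatedNetworkThreats": [{"suricataID": "<sid>", "MITRE": ["T1071.001"]}],
}


def _as_list(value: Any) -> list:
    """Normalise a context value: None -> [], a single dict/str -> [it], a list -> the list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def escape_registry_key(path: str) -> str:
    """Apply the documented registry_key rule: each single backslash becomes a double one.
    Already-escaped input is normalised first so it is not doubled twice."""
    return path.replace("\\\\", "\\").replace("\\", "\\\\")


def malconf_iocs(lookup: dict[str, Any]) -> dict[str, list[str]]:
    """IOCs whose isMalconf flag is set, i.e. extracted from a malware configuration."""
    sections = {"ip": ("destinationIP", "destinationIP"),
                "domain": ("relatedDNS", "domainName"),
                "url": ("relatedURLs", "url")}
    return {kind: [item[field] for item in _as_list(lookup.get(section))
                   if item.get("isMalconf")]
            for kind, (section, field) in sections.items()}


def mitre_techniques(lookup: dict[str, Any]) -> list[str]:
    """Union of MITRE IDs from incidents, their processes and network threats."""
    ids: set[str] = set()
    for inc in _as_list(lookup.get("relatedIncidents")):
        ids.update(_as_list(inc.get("MITRE")))
        ids.update(_as_list(inc.get("process", {}).get("MITRE")))
    for threat in _as_list(lookup.get("relatedNetworkThreats")):
        ids.update(_as_list(threat.get("MITRE")))
    return sorted(ids)


def max_threat_level(lookup: dict[str, Any]) -> int:
    """Highest threatLevel across the summary and the IP, DNS and URL sections."""
    levels = [lookup.get("summary", {}).get("threatLevel", 0)]
    for section in ("destinationIP", "relatedDNS", "relatedURLs"):
        levels += [item.get("threatLevel", 0) for item in _as_list(lookup.get(section))]
    return max(levels)
```

In an XSOAR automation the lookup dict would come from `demisto.context()` under the ANYRUN.Lookup key; the helpers tolerate missing sections and the dict-or-list shape XSOAR uses.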