Skip to main content

Detonate URL - Generic

This Playbook is part of the Common Playbooks Pack.#


Use Detonate URL - Generic v1.5 playbook instead.

Detonate URL through active integrations that support URL detonation.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Detonate URL - JoeSecurity
  • Detonate URL - Hybrid Analysis
  • Detonate URL - Lastline v2
  • Detonate URL - ThreatGrid
  • Detonate URL - WildFire v2.1
  • Detonate URL - McAfee ATD
  • Detonate URL - ANYRUN
  • Detonate URL - Group-IB TDS Polygon
  • Detonate URL - CrowdStrike Falcon Intelligence Sandbox
  • Detonate URL - VirusTotal (API v3)
  • Detonate URL - Hatching Triage
  • Detonate URL - FireEye AX
  • Detonate URL - Cuckoo
  • Detonate URL - SecneurX Analysis
  • Detonate URL - VMRay
  • Detonate URL - ThreatStream


  • CrowdStrike Falcon Sandbox V2
  • OPSWAT Filescan


This playbook does not use any scripts.


  • cs-falcon-sandbox-submit-url
  • opswat-filescan-scan-url

Playbook Inputs#

NameDescriptionDefault ValueRequired
URLThe URL object of the URL to be detonated.URLOptional

Playbook Outputs#

FileThe file's object.string
File.NameThe file name.string
File.SizeThe file size.number
File.TypeThe file type, for example "PE" (only for report type=json).string
File.SHA256The SHA256 hash of the file.string
File.SHA1The SHA1 hash of the file.string
File.MD5The MD5 hash of the file.string
File.Malicious.VendorThe vendor that decided the file is malicious.string
File.Malicious.DescriptionThe reason the vendor decided the file is malicious.string
DBotScoreThe indicator's object.string
DBotScore.TypeThe indicator type.string
DBotScore.IndicatorThe indicator that was tested.string
DBotScore.VendorThe vendor used to calculate the score.string
DBotScore.ScoreThe actual score.number
Joe.Analysis.WebIDThe Joe Analysis-related web ID.string
Joe.Analysis.StatusThe Joe Analysis-related status.string
Joe.Analysis.CommentsThe Joe Analysis-related comments.string
Joe.Analysis.TimeThe Joe Analysis-related submitted
Joe.Analysis.RunsThe Joe Analysis-related sub-analysis information.string
Joe.Analysis.ResultThe Joe Analysis-related results.string
Joe.Analysis.ErrorsThe Joe Analysis-related errors raised during sampling.string
Joe.Analysis.SystemsThe Joe Analysis-related operating systems.string
Joe.Analysis.MD5The MD5 hash of the Joe Analysis-related sample.string
Joe.Analysis.SHA1The SHA1 hash of the Joe Analysis-related sample.string
Joe.Analysis.SHA256The SHA256 hash of the Joe Analysis-related sample.string
Joe.Analysis.SampleNameThe Joe Analysis-related sample data name. Can be a file name or a URL.string
InfoFile.NameThe file name.string
InfoFile.EntryIDThe EntryID of the sample.string
InfoFile.SizeThe file size.number
InfoFile.TypeThe file type, for example "PE".string
InfoFile.InfoThe file basic information.string
Sample.StateThe sample state.string
Sample.IDThe sample ID.string
IP.AddressThe IP addresses relevant to the sample.string
InfoFileThe report file's object.string
Cuckoo.Task.CategoryThe Cuckoo-related task category.unknown
Cuckoo.Task.MachineThe Cuckoo-related task machine.unknown
Cuckoo.Task.ErrorsThe Cuckoo-related task errors.unknown
Cuckoo.Task.TargetThe Cuckoo-related task target.unknown
Cuckoo.Task.PackageThe Cuckoo-related task package.unknown
Cuckoo.Task.SampleIDThe Cuckoo-related task sample ID.unknown
Cuckoo.Task.GuestThe Cuckoo-related task guest.unknown
Cuckoo.Task.CustomThe Cuckoo-related task custom values.unknown
Cuckoo.Task.OwnerThe Cuckoo-related task owner.unknown
Cuckoo.Task.PriorityThe Cuckoo-related task priority.unknown
Cuckoo.Task.PlatformThe Cuckoo-related task platform.unknown
Cuckoo.Task.OptionsThe Cuckoo-related task options.unknown
Cuckoo.Task.StatusThe Cuckoo-related task status.unknown
Cuckoo.Task.EnforceTimeoutWhether the Cuckoo-related task timeout is enforced.unknown
Cuckoo.Task.TimeoutThe Cuckoo-related task timeout.unknown
Cuckoo.Task.MemoryThe Cuckoo-related task memory.unknown
Cuckoo.Task.TagsThe Cuckoo-related task tags.unknown
Cuckoo.Task.IDThe Cuckoo-related task ID.unknown
Cuckoo.Task.AddedOnThe date the Cuckoo-related task was added.unknown
Cuckoo.Task.CompletedOnThe date the Cuckoo-related task was completed.unknown
Cuckoo.Task.ScoreThe reported Cuckoo-related task score.unknown
Cuckoo.Task.MonitorThe reported Cuckoo-related task monitor.unknown
ANYRUN.Task.AnalysisDateThe date and time the ANY.RUN analysis was executed.String
ANYRUN.Task.Behavior.CategoryThe ANY.RUN behavior category.String
ANYRUN.Task.Behavior.ActionThe actions performed by an ANY.RUN behavior.String
ANYRUN.Task.Behavior.ThreatLevelThe threat score associated with an ANY.RUN behavior.Number
ANYRUN.Task.Behavior.ProcessUUIDThe ANY.RUN unique ID of the process whose behaviors are profiled.String
ANYRUN.Task.Connection.ReputationThe ANY.RUN connection reputation.String
ANYRUN.Task.Connection.ProcessUUIDThe ANY.RUN UUID of the process that created the connection.String
ANYRUN.Task.Connection.ASNThe ANY.RUN connection autonomous system network.String
ANYRUN.Task.Connection.CountryThe ANY.RUN connection country.String
ANYRUN.Task.Connection.ProtocolThe ANY.RUN connection protocol.String
ANYRUN.Task.Connection.PortThe ANY.RUN connection port number.Number
ANYRUN.Task.Connection.IPThe ANY.RUN connection IP address.String
ANYRUN.Task.DnsRequest.ReputationThe ANY.RUN process reputation of the DNS request.String
ANYRUN.Task.DnsRequest.IPThe ANY.RUN IP addresses associated with a DNS request.string
ANYRUN.Task.DnsRequest.DomainThe ANY.RUN domain resolution of a DNS request.String
ANYRUN.Task.Threat.ProcessUUIDThe unique ANY.RUN UUID of the process that originated the threat.String
ANYRUN.Task.Threat.MsgThe ANY.RUN threat message.String
ANYRUN.Task.Threat.ClassThe ANY.RUN threat class.String
ANYRUN.Task.Threat.SrcPortThe ANY.RUN port on which the threat originated.Number
ANYRUN.Task.Threat.DstPortThe ANY.RUN threat destination port.Number
ANYRUN.Task.Threat.SrcIPThe ANY.RUN source IP address where the threat originated.String
ANYRUN.Task.Threat.DstIPThe ANY.RUN threat destination IP address.String
ANYRUN.Task.HttpRequest.ReputationThe ANY.RUN HTTP request reputation.String
ANYRUN.Task.HttpRequest.CountryThe ANY.RUN HTTP request country.String
ANYRUN.Task.HttpRequest.ProcessUUIDThe ANY.RUN UUID of the process making the HTTP request.String
ANYRUN.Task.HttpRequest.BodyThe ANY.RUN HTTP request body parameters and details.string
ANYRUN.Task.HttpRequest.HttpCodeThe ANY.RUN HTTP request response code.Number
ANYRUN.Task.HttpRequest.StatusThe ANY.RUN status of the HTTP request.String
ANYRUN.Task.HttpRequest.ProxyDetectedWhether the ANY.RUN HTTP request was made through a proxy.Boolean
ANYRUN.Task.HttpRequest.PortThe ANY.RUN HTTP request port.Number
ANYRUN.Task.HttpRequest.IPThe ANY.RUN HTTP request IP address.String
ANYRUN.Task.HttpRequest.URLThe ANY.RUN HTTP request URL.String
ANYRUN.Task.HttpRequest.HostThe ANY.RUN HTTP request host.String
ANYRUN.Task.HttpRequest.MethodThe ANY.RUN HTTP request method type.String
ANYRUN.Task.FileInfoThe ANY.RUN submitted file details.String
ANYRUN.Task.OSThe ANY.RUN operating system of the sandbox in which the file was analyzed.String
ANYRUN.Task.IDThe unique ANY.RUN task ID.String
ANYRUN.Task.MIMEThe ANY.RUN MIME of the file submitted for analysis.String
ANYRUN.Task.VerdictThe ANY.RUN verdict for the maliciousness of the submitted file or URL.String
ANYRUN.Task.Process.FileNameThe ANY.RUN process file name.String
ANYRUN.Task.Process.PIDThe ANY.RUN process identification number.Number
ANYRUN.Task.Process.PPIDThe ANY.RUN process parent process identification number.Number
ANYRUN.Task.Process.ProcessUUIDThe unique ANY.RUN process UUID.String
ANYRUN.Task.Process.CMDThe ANY.RUN process command.String
ANYRUN.Task.Process.PathThe path of the executed ANY.RUN process command.String
ANYRUN.Task.Process.UserThe user who executed the ANY.RUN process command.String
ANYRUN.Task.Process.IntegrityLevelThe ANY.RUN process integrity level.String
ANYRUN.Task.Process.ExitCodeThe ANY.RUN process exit code.Number
ANYRUN.Task.Process.MainProcessWhether the ANY.RUN process is the main process.Boolean
ANYRUN.Task.Process.Version.CompanyThe company responsible for the executed ANY.RUN process program.String
ANYRUN.Task.Process.Version.DescriptionThe description of the ANY.RUN process program type.String
ANYRUN.Task.Process.Version.VersionThe version of the executed program.String
URL.DataThe URL data.String
URL.Malicious.VendorThe vendor that decided the URL is malicious.String
URL.Malicious.DescriptionThe reason the vendor decided the URL is malicious.String
ANYRUN.Task.StatusThe task analysis status.String
FireEyeAX.Submissions.KeyThe submission keyunknown
FireEyeAX.Submissions.SeverityThe severity level of the fileunknown
FireEyeAX.Submissions.InfoLevelThe info level of the report.unknown
DBotScore.ScoreThe actual score.unknown
DBotScore.IndicatorThe indicator that was tested.unknown
DBotScore.VendorThe vendor used to calculate the score.unknown
Triage.sample-summaries.completedThe date the sample analysis was completed.unknown
Triage.sample-summaries.createdThe date the analysis report was created.unknown
Triage.sample-summaries.customThe custom sample analysis.unknown
Triage.sample-summaries.ownerThe owner of the sample summaries.unknown
Triage.sample-summaries.sampleThe unique identifier of the sample.unknown
Triage.sample-summaries.scoreThe score of the sample on a scale of 0 to 10.unknown
Triage.sample-summaries.sha256The SHA256 of the sample.unknown
Triage.sample-summaries.statusThe status of the analysis.unknown
Triage.sample-summaries.targetThe target for the analysis.unknown
Triage.sample-summaries.tasksThe tasks performed in the analysis.unknown
HybridAnalysis.URL.Scanner.NameThe URL scanner name.unknown
HybridAnalysis.URL.Scanner.PositivesThe number of positive scanners.unknown
HybridAnalysis.URL.Scanner.StatusThe status of the scanning.unknown
HybridAnalysis.URL.ScannerThe place holder for the scanner data.unknown
SecneurXAnalysis.Report.SHA256SHA256 value of the analyzed samplestring
SecneurXAnalysis.Report.VerdictSummary result of the analyzed samplestring
SecneurXAnalysis.Report.TagsMore details of the analyzed samplestring
SecneurXAnalysis.Report.IOCList of IOC's observed in the analyzed samplestring
SecneurXAnalysis.Report.StatusAnalysis queued sample stateString

Playbook Image#

Detonate URL - Generic