ANY.RUN Threat Intelligence (Preview)

  • Reference

The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name ANY.RUN
URL https://app.any.run/contact-us
Email support@any.run
Connector Metadata
Publisher ANYRUN FZCO
ANY.RUN API documentation https://docs.microsoft.com/connectors/anyrunthreatintellig
Website https://any.run
Privacy policy https://any.run/privacy.pdf
Categories Security;IT Operations

ANY.RUN Threat Intelligence Connector

The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.

Prerequisites

To use this connector, you need to have an ANY.RUN account, an API key and TI Lookup subscription.

API documentation

https://any.run/api-documentation/

Deployment instructions

Please use these instructions to deploy this connector as custom connector in Microsoft Power Automate and Power Apps.

Supported Operations

The connector supports the following operations:

  • Get threat intelligence data from ANY.RUN Threat Intelligence service: Performs investigative actions in ANY.RUN Threat Intelligence service

Creating a connection

The connector supports the following authentication types:
Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
API-Key securestring The API key for this API (format: API-Key ) True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Get threat intelligence data from ANY.RUN Threat Intelligence service

Performs investigative actions in ANY.RUN Threat Intelligence service.

Get threat intelligence data from ANY.RUN Threat Intelligence service

Operation ID:
GetIntelligence

Performs investigative actions in ANY.RUN Threat Intelligence service.

Parameters

Name Key Required Type Description
query
 query True string

Specify your search query. Several queries can be combined together with the AND operator for more specific results.
startDate
 startDate string

Specify the start date of the desired search period. Must be in YYYY-MM-DD format.
endDate
 endDate string

Specify the end date of the desired search period. Must be in YYYY-MM-DD format.

Returns

Body
ResponseApiDto

Definitions

ResponseApiDto

Name Path Type Description
destinationPort
 destinationPort array of integer

Destination ports numbers.
destinationIPgeo
 destinationIPgeo array of string

Destination IP Geo (countries).
destinationIpAsn
 destinationIpAsn array of object

Destination IP ASN (autonomous system number).
asn
 destinationIpAsn.asn string

Destination IP ASN.
date
 destinationIpAsn.date date-time

Destination IP ASN Date.
relatedTasks
 relatedTasks array of string

Links to related tasks in ANY.RUN sandbox.
threatName
 threatName array of string

Threat names.
threatLevel
 summary.threatLevel integer
lastSeen
 summary.lastSeen date-time
detectedType
 summary.detectedType string
isTrial
 summary.isTrial boolean
relatedIncidents
 relatedIncidents array of RelatedIncidentApiDto

Related incidents.
destinationIP
 destinationIP array of DestinationIpApiDto

Destination IP addresses.
relatedFiles
 relatedFiles array of RelatedFileApiDto

Related files data.
relatedDNS
 relatedDNS array of RelatedDnsApiDto

Related DNS.
relatedURLs
 relatedURLs array of RelatedUrlApiDto

Related URLs.
sourceTasks
 sourceTasks array of SourceTaskApiDto

Source tasks info.
relatedSynchronizationObjects
 relatedSynchronizationObjects array of RelatedSynchronizationObjectsApiDto

Related synchronization objects data.
relatedNetworkThreats
 relatedNetworkThreats array of RelatedNetworkThreatApiDto

Related network threats data.

RelatedIncidentApiDto

Name Path Type Description
task
 task string

Link to the task in ANY.RUN sandbox.
time
 time date-time

Creation time.
MITRE
 MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.
threatName
 threatName array of string

Threat names.
event
 event EventApiDto
process
 process ProcessApiDto

EventApiDto

Name Path Type Description
ruleName
 ruleName string

Rule name.
commandLine
 commandLine string

Command line string.
imagePath
 imagePath string

Image path string.
pid
 pid integer

Process ID.
title
 title array of string

Title of event type.
destinationPort
 destinationPort array of string

Destination ports numbers.
destinationIP
 destinationIP string

Destination IP address.
destinationIPgeo
 destinationIPgeo array of string

Destination IP Geo (countries).
destinationIpAsn
 destinationIpAsn array of string

Destination IP ASN (autonomous system number).
url
 url string

URL.
fileName
 fileName string

File name.
registryKey
 registryKey string

Registry key.
registryName
 registryName array of string

Registry name.
registryValue
 registryValue array of string

Registry value.
moduleImagePath
 moduleImagePath string

Module image path.
injectedFlag
 injectedFlag boolean

Injected flag.
domainName
 domainName array of string

Domain name.
httpRequestContentType
 httpRequestContentType string

Request content type.
httpRequestContentFile
 httpRequestContentFile string

Request content file.
httpResponseContentType
 httpResponseContentType string

Response content type.
httpResponseContentFile
 httpResponseContentFile string

Response content file.
ruleThreatLevel
 ruleThreatLevel string

Rule threat level.
sha256
 sha256 string

SHA256 hash.

ProcessApiDto

Name Path Type Description
commandLine
 commandLine string

Command line string.
imagePath
 imagePath string

Image path string.
threatName
 threatName string

Threat names.
MITRE
 MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.
pid
 pid integer

Process ID.
scores
 scores ProcessScoresDto

Process scores.
eventsCounters
 eventsCounters EventsCountersDto

Events counters.
threatLevel
 threatLevel integer

Threat level.

ProcessScoresDto

Process scores.

Name Path Type Description
specs
 specs ProcessScoresSpecsDto

Process scores specs.

ProcessScoresSpecsDto

Process scores specs.

Name Path Type Description
known_threat
 known_threat boolean

Indicates if it is a known threat.
network_loader
 network_loader boolean

Indicates if network download was detected.
network
 network boolean

Indicates if network activity was enabled.
uac_request
 uac_request boolean

Indicates if User Access Control (UAC) request was detected.
injects
 injects boolean

Indicates if threat uses injections.
service_luncher
 service_luncher boolean

Indicates if new service registration was detected.
executable_dropped
 executable_dropped boolean

Indicates if threat uses dropped executables.
multiprocessing
 multiprocessing boolean

Indicates if threat uses multiprocessing.
crashed_apps
 crashed_apps boolean

Indicates if application crashed.
debug_output
 debug_output boolean

Indicates if application has debug output message.
stealing
 stealing boolean

Indicates if process steals info from infected machine.
exploitable
 exploitable boolean

Indicates if any known exploit was detected.
static_detections
 static_detections boolean

Indicates if any malicious pattern was detected by static analysis engine.
susp_struct
 susp_struct boolean

Is susp struct.
autostart
 autostart boolean

Indicates if application was added to autostart.
low_access
 low_access boolean

Indicates if threat uses low level access.
tor
 tor boolean

Indicates if TOR was used.
spam
 spam boolean

Indicates if spam was detected.
malware_config
 malware_config boolean

Indicates if malware config was extracted from submitted file.
process_dump
 process_dump boolean

Indicates if the process memory dump can be extracted.

EventsCountersDto

Events counters.

Name Path Type Description
raw
 raw EventsCountersRawDto

Events counters raw.

EventsCountersRawDto

Events counters raw.

Name Path Type Description
registry
 registry integer

Number or registry events.
files
 files integer

Number or files.
modules
 modules integer

Number or modules.
objects
 objects integer

Number or objects.
rpc
 rpc integer

Number or RPCs.

DestinationIpApiDto

Name Path Type Description
destinationIP
 destinationIP string

Destination IP address.
date
 date date-time

Creation date.
threatLevel
 threatLevel integer

Threat level.
threatName
 threatName array of string

Threat names.
isMalconf
 isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

RelatedFileApiDto

Name Path Type Description
task
 task string

Link to the task in ANY.RUN sandbox.
title
 title string

Title of event type.
fileLink
 fileLink string

Link to the HTTP response files.
time
 time date-time

Creation date.
fileName
 fileName string

File name.
fileExt
 fileExt string

File extension.
process
 process ProcessApiDto
hashes
 hashes HashesApiDto

RelatedDnsApiDto

Name Path Type Description
domainName
 domainName string

Domain name.
threatName
 threatName array of string

Threat name.
threatLevel
 threatLevel integer

Threat level.
date
 date date-time

Creation date.
isMalconf
 isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

RelatedUrlApiDto

Name Path Type Description
url
 url string

Url.
date
 date date-time

Creation date.
threatLevel
 threatLevel integer

Threat level.
threatName
 threatName array of string

Threat names.
isMalconf
 isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

SourceTaskApiDto

Name Path Type Description
uuid
 uuid string

Task UUID.
related
 related string

Link to the task in ANY.RUN sandbox.
date
 date date-time

Task creation time.
threatLevel
 threatLevel integer

Threat level.
tags
 tags array of string

Tags.
mainObject
 mainObject MainObjectApiDto

Main object info.

MainObjectApiDto

Main object info.

Name Path Type Description
type
 type string

Type.
name
 name string

Name.
hashes
 hashes HashesApiDto

RelatedSynchronizationObjectsApiDto

Name Path Type Description
syncObjectTime
 syncObjectTime date-time

Time.
syncObjectType
 syncObjectType string

Type.
syncObjectOperation
 syncObjectOperation string

Operation.
syncObjectName
 syncObjectName string

Name.
task
 task string

Task link.
process
 process ProcessApiDto

RelatedNetworkThreatApiDto

Name Path Type Description
suricataClass
 suricataClass string

Suricata class.
imagePath
 imagePath string

Image path.
suricataID
 suricataID string

SID.
suricataMessage
 suricataMessage string

Suricata message.
tags
 tags array of string

Tags.
MITRE
 MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.
suricataThreatLevel
 suricataThreatLevel string

Suricata threat level.
task
 task string

Task link.

HashesApiDto

Name Path Type Description
md5
 md5 string

MD5 hash string.
sha1
 sha1 string

SHA1 hash string.
sha256
 sha256 string

SHA256 hash string.
ssdeep
 ssdeep string

Ssdeep hash string.