ANY.RUN Threat Intelligence (Preview)

The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.

This connector is available in the following products and regions:

Service Class Regions
Logic Apps Standard All Logic Apps regions except the following:
     -   Azure Government regions
     -   Azure China regions
     -   US Department of Defense (DoD)
Power Automate Premium All Power Automate regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Power Apps Premium All Power Apps regions except the following:
     -   US Government (GCC)
     -   US Government (GCC High)
     -   China Cloud operated by 21Vianet
     -   US Department of Defense (DoD)
Contact
Name ANY.RUN
URL https://app.any.run/contact-us
Email [email protected]
Connector Metadata
Publisher ANYRUN FZCO
ANY.RUN API documentation https://docs.microsoft.com/connectors/anyrunthreatintellig
Website https://any.run
Privacy policy https://any.run/privacy.pdf
Categories Security;IT Operations

ANY.RUN Threat Intelligence Connector

The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.

Prerequisites

To use this connector, you need to have an ANY.RUN account, an API key and TI Lookup subscription.

API documentation

https://any.run/api-documentation/

Deployment instructions

Please use these instructions to deploy this connector as custom connector in Microsoft Power Automate and Power Apps.

Supported Operations

The connector supports the following operations:

  • Get threat intelligence data from ANY.RUN Threat Intelligence service: Performs investigative actions in ANY.RUN Threat Intelligence service

Creating a connection

The connector supports the following authentication types:

Default Parameters for creating connection. All regions Not shareable

Default

Applicable: All regions

Parameters for creating connection.

This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.

Name Type Description Required
API-Key securestring The API key for this API (format: API-Key ) True

Throttling Limits

Name Calls Renewal Period
API calls per connection 100 60 seconds

Actions

Get threat intelligence data from ANY.RUN Threat Intelligence service

Performs investigative actions in ANY.RUN Threat Intelligence service.

Get threat intelligence data from ANY.RUN Threat Intelligence service

Performs investigative actions in ANY.RUN Threat Intelligence service.

Parameters

Name Key Required Type Description
query
query True string

Specify your search query. Several queries can be combined together with the AND operator for more specific results.

startDate
startDate string

Specify the start date of the desired search period. Must be in YYYY-MM-DD format.

endDate
endDate string

Specify the end date of the desired search period. Must be in YYYY-MM-DD format.

Returns

Definitions

ResponseApiDto

Name Path Type Description
destinationPort
destinationPort array of integer

Destination ports numbers.

destinationIPgeo
destinationIPgeo array of string

Destination IP Geo (countries).

destinationIpAsn
destinationIpAsn array of object

Destination IP ASN (autonomous system number).

asn
destinationIpAsn.asn string

Destination IP ASN.

date
destinationIpAsn.date date-time

Destination IP ASN Date.

relatedTasks
relatedTasks array of string

Links to related tasks in ANY.RUN sandbox.

threatName
threatName array of string

Threat names.

threatLevel
summary.threatLevel integer
lastSeen
summary.lastSeen date-time
detectedType
summary.detectedType string
isTrial
summary.isTrial boolean
relatedIncidents
relatedIncidents array of RelatedIncidentApiDto

Related incidents.

destinationIP
destinationIP array of DestinationIpApiDto

Destination IP addresses.

relatedFiles
relatedFiles array of RelatedFileApiDto

Related files data.

relatedDNS
relatedDNS array of RelatedDnsApiDto

Related DNS.

relatedURLs
relatedURLs array of RelatedUrlApiDto

Related URLs.

sourceTasks
sourceTasks array of SourceTaskApiDto

Source tasks info.

relatedSynchronizationObjects
relatedSynchronizationObjects array of RelatedSynchronizationObjectsApiDto

Related synchronization objects data.

relatedNetworkThreats
relatedNetworkThreats array of RelatedNetworkThreatApiDto

Related network threats data.

RelatedIncidentApiDto

Name Path Type Description
task
task string

Link to the task in ANY.RUN sandbox.

time
time date-time

Creation time.

MITRE
MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.

threatName
threatName array of string

Threat names.

event
event EventApiDto
process
process ProcessApiDto

EventApiDto

Name Path Type Description
ruleName
ruleName string

Rule name.

commandLine
commandLine string

Command line string.

imagePath
imagePath string

Image path string.

pid
pid integer

Process ID.

title
title array of string

Title of event type.

destinationPort
destinationPort array of string

Destination ports numbers.

destinationIP
destinationIP string

Destination IP address.

destinationIPgeo
destinationIPgeo array of string

Destination IP Geo (countries).

destinationIpAsn
destinationIpAsn array of string

Destination IP ASN (autonomous system number).

url
url string

URL.

fileName
fileName string

File name.

registryKey
registryKey string

Registry key.

registryName
registryName array of string

Registry name.

registryValue
registryValue array of string

Registry value.

moduleImagePath
moduleImagePath string

Module image path.

injectedFlag
injectedFlag boolean

Injected flag.

domainName
domainName array of string

Domain name.

httpRequestContentType
httpRequestContentType string

Request content type.

httpRequestContentFile
httpRequestContentFile string

Request content file.

httpResponseContentType
httpResponseContentType string

Response content type.

httpResponseContentFile
httpResponseContentFile string

Response content file.

ruleThreatLevel
ruleThreatLevel string

Rule threat level.

sha256
sha256 string

SHA256 hash.

ProcessApiDto

Name Path Type Description
commandLine
commandLine string

Command line string.

imagePath
imagePath string

Image path string.

threatName
threatName string

Threat names.

MITRE
MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.

pid
pid integer

Process ID.

scores
scores ProcessScoresDto

Process scores.

eventsCounters
eventsCounters EventsCountersDto

Events counters.

threatLevel
threatLevel integer

Threat level.

ProcessScoresDto

Process scores.

Name Path Type Description
specs
specs ProcessScoresSpecsDto

Process scores specs.

ProcessScoresSpecsDto

Process scores specs.

Name Path Type Description
known_threat
known_threat boolean

Indicates if it is a known threat.

network_loader
network_loader boolean

Indicates if network download was detected.

network
network boolean

Indicates if network activity was enabled.

uac_request
uac_request boolean

Indicates if User Access Control (UAC) request was detected.

injects
injects boolean

Indicates if threat uses injections.

service_luncher
service_luncher boolean

Indicates if new service registration was detected.

executable_dropped
executable_dropped boolean

Indicates if threat uses dropped executables.

multiprocessing
multiprocessing boolean

Indicates if threat uses multiprocessing.

crashed_apps
crashed_apps boolean

Indicates if application crashed.

debug_output
debug_output boolean

Indicates if application has debug output message.

stealing
stealing boolean

Indicates if process steals info from infected machine.

exploitable
exploitable boolean

Indicates if any known exploit was detected.

static_detections
static_detections boolean

Indicates if any malicious pattern was detected by static analysis engine.

susp_struct
susp_struct boolean

Is susp struct.

autostart
autostart boolean

Indicates if application was added to autostart.

low_access
low_access boolean

Indicates if threat uses low level access.

tor
tor boolean

Indicates if TOR was used.

spam
spam boolean

Indicates if spam was detected.

malware_config
malware_config boolean

Indicates if malware config was extracted from submitted file.

process_dump
process_dump boolean

Indicates if the process memory dump can be extracted.

EventsCountersDto

Events counters.

Name Path Type Description
raw
raw EventsCountersRawDto

Events counters raw.

EventsCountersRawDto

Events counters raw.

Name Path Type Description
registry
registry integer

Number or registry events.

files
files integer

Number or files.

modules
modules integer

Number or modules.

objects
objects integer

Number or objects.

rpc
rpc integer

Number or RPCs.

DestinationIpApiDto

Name Path Type Description
destinationIP
destinationIP string

Destination IP address.

date
date date-time

Creation date.

threatLevel
threatLevel integer

Threat level.

threatName
threatName array of string

Threat names.

isMalconf
isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

RelatedFileApiDto

Name Path Type Description
task
task string

Link to the task in ANY.RUN sandbox.

title
title string

Title of event type.

fileLink
fileLink string

Link to the HTTP response files.

time
time date-time

Creation date.

fileName
fileName string

File name.

fileExt
fileExt string

File extension.

process
process ProcessApiDto
hashes
hashes HashesApiDto

RelatedDnsApiDto

Name Path Type Description
domainName
domainName string

Domain name.

threatName
threatName array of string

Threat name.

threatLevel
threatLevel integer

Threat level.

date
date date-time

Creation date.

isMalconf
isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

RelatedUrlApiDto

Name Path Type Description
url
url string

Url.

date
date date-time

Creation date.

threatLevel
threatLevel integer

Threat level.

threatName
threatName array of string

Threat names.

isMalconf
isMalconf boolean

Indicates if the IOC was extracted from malware configuration.

SourceTaskApiDto

Name Path Type Description
uuid
uuid string

Task UUID.

related
related string

Link to the task in ANY.RUN sandbox.

date
date date-time

Task creation time.

threatLevel
threatLevel integer

Threat level.

tags
tags array of string

Tags.

mainObject
mainObject MainObjectApiDto

Main object info.

MainObjectApiDto

Main object info.

Name Path Type Description
type
type string

Type.

name
name string

Name.

hashes
hashes HashesApiDto

RelatedSynchronizationObjectsApiDto

Name Path Type Description
syncObjectTime
syncObjectTime date-time

Time.

syncObjectType
syncObjectType string

Type.

syncObjectOperation
syncObjectOperation string

Operation.

syncObjectName
syncObjectName string

Name.

task
task string

Task link.

process
process ProcessApiDto

RelatedNetworkThreatApiDto

Name Path Type Description
suricataClass
suricataClass string

Suricata class.

imagePath
imagePath string

Image path.

suricataID
suricataID string

SID.

suricataMessage
suricataMessage string

Suricata message.

tags
tags array of string

Tags.

MITRE
MITRE array of string

Array of MITRE matrix techniques IDs ans sub-techniques IDs.

suricataThreatLevel
suricataThreatLevel string

Suricata threat level.

task
task string

Task link.

HashesApiDto

Name Path Type Description
md5
md5 string

MD5 hash string.

sha1
sha1 string

SHA1 hash string.

sha256
sha256 string

SHA256 hash string.

ssdeep
ssdeep string

Ssdeep hash string.