ANY.RUN Threat Intelligence (Preview)
The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.
This connector is available in the following products and regions:
| Service | Class | Regions |
|---|---|---|
| Logic Apps | Standard | All Logic Apps regions except the following: - Azure Government regions - Azure China regions - US Department of Defense (DoD) |
| Power Automate | Premium | All Power Automate regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Power Apps | Premium | All Power Apps regions except the following: - US Government (GCC) - US Government (GCC High) - China Cloud operated by 21Vianet - US Department of Defense (DoD) |
| Contact | |
|---|---|
| Name | ANY.RUN |
| URL | https://app.any.run/contact-us |
| support@any.run |
| Connector Metadata | |
|---|---|
| Publisher | ANYRUN FZCO |
| ANY.RUN API documentation | https://docs.microsoft.com/connectors/anyrunthreatintellig |
| Website | https://any.run |
| Privacy policy | https://any.run/privacy.pdf |
| Categories | Security;IT Operations |
ANY.RUN Threat Intelligence Connector
The connector enables security and IT teams to streamline their operations by incorporating ANY.RUN's threat intelligence capabilities into both manual and automated workflows with applications such as Defender for Endpoint and Sentinel.
Prerequisites
To use this connector, you need to have an ANY.RUN account, an API key and TI Lookup subscription.
API documentation
https://any.run/api-documentation/
Deployment instructions
Please use these instructions to deploy this connector as custom connector in Microsoft Power Automate and Power Apps.
Supported Operations
The connector supports the following operations:
Get threat intelligence data from ANY.RUN Threat Intelligence service: Performs investigative actions in ANY.RUN Threat Intelligence service
Creating a connection
The connector supports the following authentication types:
| Default | Parameters for creating connection. | All regions | Not shareable |
Default
Applicable: All regions
Parameters for creating connection.
This is not shareable connection. If the power app is shared with another user, another user will be prompted to create new connection explicitly.
| Name | Type | Description | Required |
|---|---|---|---|
| API-Key | securestring | The API key for this API (format: API-Key ) | True |
Throttling Limits
| Name | Calls | Renewal Period |
|---|---|---|
| API calls per connection | 100 | 60 seconds |
Actions
|
Get threat intelligence data from ANY. |
Performs investigative actions in ANY.RUN Threat Intelligence service. |
Get threat intelligence data from ANY.RUN Threat Intelligence service
Performs investigative actions in ANY.RUN Threat Intelligence service.
Parameters
| Name | Key | Required | Type | Description |
|---|---|---|---|---|
|
query
|
query | True | string |
Specify your search query. Several queries can be combined together with the AND operator for more specific results. |
|
startDate
|
startDate | string |
Specify the start date of the desired search period. Must be in YYYY-MM-DD format. |
|
|
endDate
|
endDate | string |
Specify the end date of the desired search period. Must be in YYYY-MM-DD format. |
Returns
- Body
- ResponseApiDto
Definitions
ResponseApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
destinationPort
|
destinationPort | array of integer |
Destination ports numbers. |
|
destinationIPgeo
|
destinationIPgeo | array of string |
Destination IP Geo (countries). |
|
destinationIpAsn
|
destinationIpAsn | array of object |
Destination IP ASN (autonomous system number). |
|
asn
|
destinationIpAsn.asn | string |
Destination IP ASN. |
|
date
|
destinationIpAsn.date | date-time |
Destination IP ASN Date. |
|
relatedTasks
|
relatedTasks | array of string |
Links to related tasks in ANY.RUN sandbox. |
|
threatName
|
threatName | array of string |
Threat names. |
|
threatLevel
|
summary.threatLevel | integer | |
|
lastSeen
|
summary.lastSeen | date-time | |
|
detectedType
|
summary.detectedType | string | |
|
isTrial
|
summary.isTrial | boolean | |
|
relatedIncidents
|
relatedIncidents | array of RelatedIncidentApiDto |
Related incidents. |
|
destinationIP
|
destinationIP | array of DestinationIpApiDto |
Destination IP addresses. |
|
relatedFiles
|
relatedFiles | array of RelatedFileApiDto |
Related files data. |
|
relatedDNS
|
relatedDNS | array of RelatedDnsApiDto |
Related DNS. |
|
relatedURLs
|
relatedURLs | array of RelatedUrlApiDto |
Related URLs. |
|
sourceTasks
|
sourceTasks | array of SourceTaskApiDto |
Source tasks info. |
|
relatedSynchronizationObjects
|
relatedSynchronizationObjects | array of RelatedSynchronizationObjectsApiDto |
Related synchronization objects data. |
|
relatedNetworkThreats
|
relatedNetworkThreats | array of RelatedNetworkThreatApiDto |
Related network threats data. |
RelatedIncidentApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
task
|
task | string |
Link to the task in ANY.RUN sandbox. |
|
time
|
time | date-time |
Creation time. |
|
MITRE
|
MITRE | array of string |
Array of MITRE matrix techniques IDs ans sub-techniques IDs. |
|
threatName
|
threatName | array of string |
Threat names. |
|
event
|
event | EventApiDto | |
|
process
|
process | ProcessApiDto |
EventApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
ruleName
|
ruleName | string |
Rule name. |
|
commandLine
|
commandLine | string |
Command line string. |
|
imagePath
|
imagePath | string |
Image path string. |
|
pid
|
pid | integer |
Process ID. |
|
title
|
title | array of string |
Title of event type. |
|
destinationPort
|
destinationPort | array of string |
Destination ports numbers. |
|
destinationIP
|
destinationIP | string |
Destination IP address. |
|
destinationIPgeo
|
destinationIPgeo | array of string |
Destination IP Geo (countries). |
|
destinationIpAsn
|
destinationIpAsn | array of string |
Destination IP ASN (autonomous system number). |
|
url
|
url | string |
URL. |
|
fileName
|
fileName | string |
File name. |
|
registryKey
|
registryKey | string |
Registry key. |
|
registryName
|
registryName | array of string |
Registry name. |
|
registryValue
|
registryValue | array of string |
Registry value. |
|
moduleImagePath
|
moduleImagePath | string |
Module image path. |
|
injectedFlag
|
injectedFlag | boolean |
Injected flag. |
|
domainName
|
domainName | array of string |
Domain name. |
|
httpRequestContentType
|
httpRequestContentType | string |
Request content type. |
|
httpRequestContentFile
|
httpRequestContentFile | string |
Request content file. |
|
httpResponseContentType
|
httpResponseContentType | string |
Response content type. |
|
httpResponseContentFile
|
httpResponseContentFile | string |
Response content file. |
|
ruleThreatLevel
|
ruleThreatLevel | string |
Rule threat level. |
|
sha256
|
sha256 | string |
SHA256 hash. |
ProcessApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
commandLine
|
commandLine | string |
Command line string. |
|
imagePath
|
imagePath | string |
Image path string. |
|
threatName
|
threatName | string |
Threat names. |
|
MITRE
|
MITRE | array of string |
Array of MITRE matrix techniques IDs ans sub-techniques IDs. |
|
pid
|
pid | integer |
Process ID. |
|
scores
|
scores | ProcessScoresDto |
Process scores. |
|
eventsCounters
|
eventsCounters | EventsCountersDto |
Events counters. |
|
threatLevel
|
threatLevel | integer |
Threat level. |
ProcessScoresDto
Process scores.
| Name | Path | Type | Description |
|---|---|---|---|
|
specs
|
specs | ProcessScoresSpecsDto |
Process scores specs. |
ProcessScoresSpecsDto
Process scores specs.
| Name | Path | Type | Description |
|---|---|---|---|
|
known_threat
|
known_threat | boolean |
Indicates if it is a known threat. |
|
network_loader
|
network_loader | boolean |
Indicates if network download was detected. |
|
network
|
network | boolean |
Indicates if network activity was enabled. |
|
uac_request
|
uac_request | boolean |
Indicates if User Access Control (UAC) request was detected. |
|
injects
|
injects | boolean |
Indicates if threat uses injections. |
|
service_luncher
|
service_luncher | boolean |
Indicates if new service registration was detected. |
|
executable_dropped
|
executable_dropped | boolean |
Indicates if threat uses dropped executables. |
|
multiprocessing
|
multiprocessing | boolean |
Indicates if threat uses multiprocessing. |
|
crashed_apps
|
crashed_apps | boolean |
Indicates if application crashed. |
|
debug_output
|
debug_output | boolean |
Indicates if application has debug output message. |
|
stealing
|
stealing | boolean |
Indicates if process steals info from infected machine. |
|
exploitable
|
exploitable | boolean |
Indicates if any known exploit was detected. |
|
static_detections
|
static_detections | boolean |
Indicates if any malicious pattern was detected by static analysis engine. |
|
susp_struct
|
susp_struct | boolean |
Is susp struct. |
|
autostart
|
autostart | boolean |
Indicates if application was added to autostart. |
|
low_access
|
low_access | boolean |
Indicates if threat uses low level access. |
|
tor
|
tor | boolean |
Indicates if TOR was used. |
|
spam
|
spam | boolean |
Indicates if spam was detected. |
|
malware_config
|
malware_config | boolean |
Indicates if malware config was extracted from submitted file. |
|
process_dump
|
process_dump | boolean |
Indicates if the process memory dump can be extracted. |
EventsCountersDto
Events counters.
| Name | Path | Type | Description |
|---|---|---|---|
|
raw
|
raw | EventsCountersRawDto |
Events counters raw. |
EventsCountersRawDto
Events counters raw.
| Name | Path | Type | Description |
|---|---|---|---|
|
registry
|
registry | integer |
Number or registry events. |
|
files
|
files | integer |
Number or files. |
|
modules
|
modules | integer |
Number or modules. |
|
objects
|
objects | integer |
Number or objects. |
|
rpc
|
rpc | integer |
Number or RPCs. |
DestinationIpApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
destinationIP
|
destinationIP | string |
Destination IP address. |
|
date
|
date | date-time |
Creation date. |
|
threatLevel
|
threatLevel | integer |
Threat level. |
|
threatName
|
threatName | array of string |
Threat names. |
|
isMalconf
|
isMalconf | boolean |
Indicates if the IOC was extracted from malware configuration. |
RelatedFileApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
task
|
task | string |
Link to the task in ANY.RUN sandbox. |
|
title
|
title | string |
Title of event type. |
|
fileLink
|
fileLink | string |
Link to the HTTP response files. |
|
time
|
time | date-time |
Creation date. |
|
fileName
|
fileName | string |
File name. |
|
fileExt
|
fileExt | string |
File extension. |
|
process
|
process | ProcessApiDto | |
|
hashes
|
hashes | HashesApiDto |
RelatedDnsApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
domainName
|
domainName | string |
Domain name. |
|
threatName
|
threatName | array of string |
Threat name. |
|
threatLevel
|
threatLevel | integer |
Threat level. |
|
date
|
date | date-time |
Creation date. |
|
isMalconf
|
isMalconf | boolean |
Indicates if the IOC was extracted from malware configuration. |
RelatedUrlApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
url
|
url | string |
Url. |
|
date
|
date | date-time |
Creation date. |
|
threatLevel
|
threatLevel | integer |
Threat level. |
|
threatName
|
threatName | array of string |
Threat names. |
|
isMalconf
|
isMalconf | boolean |
Indicates if the IOC was extracted from malware configuration. |
SourceTaskApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
uuid
|
uuid | string |
Task UUID. |
|
related
|
related | string |
Link to the task in ANY.RUN sandbox. |
|
date
|
date | date-time |
Task creation time. |
|
threatLevel
|
threatLevel | integer |
Threat level. |
|
tags
|
tags | array of string |
Tags. |
|
mainObject
|
mainObject | MainObjectApiDto |
Main object info. |
MainObjectApiDto
Main object info.
| Name | Path | Type | Description |
|---|---|---|---|
|
type
|
type | string |
Type. |
|
name
|
name | string |
Name. |
|
hashes
|
hashes | HashesApiDto |
RelatedSynchronizationObjectsApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
syncObjectTime
|
syncObjectTime | date-time |
Time. |
|
syncObjectType
|
syncObjectType | string |
Type. |
|
syncObjectOperation
|
syncObjectOperation | string |
Operation. |
|
syncObjectName
|
syncObjectName | string |
Name. |
|
task
|
task | string |
Task link. |
|
process
|
process | ProcessApiDto |
RelatedNetworkThreatApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
suricataClass
|
suricataClass | string |
Suricata class. |
|
imagePath
|
imagePath | string |
Image path. |
|
suricataID
|
suricataID | string |
SID. |
|
suricataMessage
|
suricataMessage | string |
Suricata message. |
|
tags
|
tags | array of string |
Tags. |
|
MITRE
|
MITRE | array of string |
Array of MITRE matrix techniques IDs ans sub-techniques IDs. |
|
suricataThreatLevel
|
suricataThreatLevel | string |
Suricata threat level. |
|
task
|
task | string |
Task link. |
HashesApiDto
| Name | Path | Type | Description |
|---|---|---|---|
|
md5
|
md5 | string |
MD5 hash string. |
|
sha1
|
sha1 | string |
SHA1 hash string. |
|
sha256
|
sha256 | string |
SHA256 hash string. |
|
ssdeep
|
ssdeep | string |
Ssdeep hash string. |