Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The ANY.RUN Action enables users to submit a collection of URLs and FQDNs to ANY.RUN for sandbox analysis. The results of this analysis are later utilized by the ANY.RUN CDF to collect and enrich contextual information derived from the executed analysis.

The integration provides the following action:

• ANY.RUN Submit for Analysis - submits a collection of URL and FQDN type indicators to ANY.RUN sandbox for analysis.

The integration is compatible with the following indicator types:

• FQDN
• URL

The integration enriches the following indicator types:

• FQDN
• URL

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• A valid ANY.RUN API Key.
• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing the following indicator object types:
  • FQDN
  • URL

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   Parameter	Description
   API Key	Enter your ANY.RUN API Key.
   Enable SSL Certificate Verification	Enable this parameter if the action should validate the host-provided SSL certificate.
   Disable Proxies	Enable this parameter if the action should not honor proxies set in the ThreatQ UI.
   Environment	Select which environment to sandbox this sample. Options include: Windows 10 64 bit (default) Windows 8.1 64 bit Windows 8.1 32 bit  Windows 7 64 bit Windows 7 32 bit Windows Vista 64 bit Windows Vista 32 bit
   Offline Analysis	Enable this parameter analyze the file offline. This parameter is disabled be default.
   Network Location	Select the network location to sandbox the sample. Options include: Fastest (default) Australia Brazil France Germany Italy Russia South Korea Switzerland United Kingdom United States

   
   
5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following action is available:

data={
      "obj_type": "url",
      "obj_url": "google.nl",
      "env_os": "windows",
      "env_bitness": "64",
      "env_version": "10",
      "opt_network_connect": "true",
      "opt_network_geo": "fastest"
    }

{
  "error": false,
  "data": {
    "taskid": "d2db3dc6-b86d-465f-b641-4f9fd924efd8"
  }
}

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Use Case Example

1. A user submits a collection of indicators to ANY.RUN using the Submit for Analysis action.
2. ANY.RUN processes the submission, applying the specified environment configuration options and indicator values, and returns a unique task ID for the newly initiated analysis.
3. The action records the timestamp marking when the feed begins, allowing for accurate reference in future operations.
4. At a later stage, the user executes the CDF to retrieve the contextual information collected by ANY.RUN during the analysis.

Change Log

• Version 1.0.0
  • Initial release