ANY.RUN

Details
Content
Dependencies
Version History

Empowers SOC teams with a Cloud Sandbox for real-time malware analysis, Threat Intelligence Lookup, and high-quality feeds to enhance detection and threat coverage.

Note: Support for this Pack was moved to Partner on June 17, 2025.

The Challenge

Modern SOCs are overwhelmed with incident alerts and lack
fast, reliable ways to assess and prioritize them effectively.
This leaves critical infrastructures vulnerable to attacks like
ransomware and data theft, which might slip through security gaps and cause major damage and downtime.

ANY.RUN Content Pack for Cortex XSOAR

The Palo Alto Networks Cortex XSOAR and ANY.RUN integration enables SOCs to automate triage, expand threat
coverage, and increase the detection rate, including hidden and missed malware.

With the ANY.RUN content pack for Cortex XSOAR, your
organization can:

Submit files and URLs to a secure sandbox for analysis across Windows, Linux, and Android to streamline triage.
Retrieve detailed reports in JSON, HTML, or IoC formats for incident response.
Ingest fresh threat data in real time from over 15,000 organizations for threat hunting.
Query threat details for IoCs, indicators of attack (IoAs), and indicators of behavior (IoBs) to enrich incident investigations.
Automate workflows using Cortex XSOAR playbooks to reduce manual workload.

Palo Alto Networks and ANY.RUN Integrations

Product integrations between Palo Alto Networks and ANY.RUN include:

Key Benefits

Slash incident response time with automated, secure
malware analysis in Cortex XSOAR®
Increase detection rates via interactive sandboxing across Windows, Linux, and Android.
Improve proactive security with fresh indicators of compromise (IoCs) from 15,000 SOCs, updated in real time.
Enhance incident context with threat analysis results right in Cortex XSOAR.
Reduce SOC workload by automating threat triage and response tasks.
Help ensure compliance with SOC 2/GDPR via a secure, private analysis mode.

Support

This is an ANY.RUN’s supported connector. You can write to us for help with integration via support@any.run.
Contact us for a quote or demo via this form

Pack Contributors:

ANY.RUN

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Note: Support for this Pack was moved to Partner on June 17, 2025.

The Challenge

ANY.RUN Content Pack for Cortex

The Palo Alto Networks Cortex and ANY.RUN integration enables SOCs to automate triage, expand threat
coverage, and increase the detection rate, including hidden and missed malware.

With the ANY.RUN content pack for Cortex, your
organization can:

Submit files and URLs to a secure sandbox for analysis across Windows, Linux, and Android to streamline triage.
Retrieve detailed reports in JSON, HTML, or IoC formats for incident response.
Ingest fresh threat data in real time from over 15,000 organizations for threat hunting.
Query threat details for IoCs, indicators of attack (IoAs), and indicators of behavior (IoBs) to enrich incident investigations.
Automate workflows using Cortex playbooks to reduce manual workload.

Palo Alto Networks and ANY.RUN Integrations

Product integrations between Palo Alto Networks and ANY.RUN include:

Key Benefits

Slash incident response time with automated, secure
malware analysis in Cortex®
Increase detection rates via interactive sandboxing across Windows, Linux, and Android.
Improve proactive security with fresh indicators of compromise (IoCs) from 15,000 SOCs, updated in real time.
Enhance incident context with threat analysis results right in Cortex.
Reduce SOC workload by automating threat triage and response tasks.
Help ensure compliance with SOC 2/GDPR via a secure, private analysis mode.

Support

This is an ANY.RUN’s supported connector. You can write to us for help with integration via support@any.run.
Contact us for a quote or demo via this form

Pack Contributors:

ANY.RUN

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Integrations

Name	Description
ANY.RUN TI Lookup (Partner Contribution)	TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.
ANY.RUN (Deprecated) (Partner Contribution)	Deprecated. Use ANY.RUN TI Feeds, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.
ANY.RUN TI Feed (Partner Contribution)	Threat Intelligence Feeds provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.
ANY.RUN Cloud Sandbox (Partner Contribution)	ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

Playbooks

Name	Description
ANYRUN Detonate File Android	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.
ANYRUN Detonate Url Windows	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.
ANYRUN Detonate Url Android	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.
ANYRUN Detonate File Windows	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.
Detonate URL - ANYRUN	Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.
ANYRUN Detonate Url Linux	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It automates the analysis of potentially malicious URLs on Linux OS.
Detonate File - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
Detonate File From URL - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
ANYRUN Detonate File Linux	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It helps to automate malware detonation and behavior observation on Linux OS.

Integrations

Name	Description
ANY.RUN (Deprecated) (Partner Contribution)	Deprecated. Use ANY.RUN TI Feeds, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.
ANY.RUN TI Lookup (Partner Contribution)	TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.
ANY.RUN TI Feed (Partner Contribution)	Threat Intelligence Feeds provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.
ANY.RUN Cloud Sandbox (Partner Contribution)	ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

Playbooks

Name	Description
ANYRUN Detonate File Windows	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.
ANYRUN Detonate Url Android	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.
ANYRUN Detonate File Android	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.
Detonate File From URL - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
ANYRUN Detonate File Linux	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It helps to automate malware detonation and behavior observation on Linux OS.
Detonate URL - ANYRUN	Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.
ANYRUN Detonate Url Linux	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It automates the analysis of potentially malicious URLs on Linux OS.
ANYRUN Detonate Url Windows	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.
Detonate File - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.1.1 - 6025169 (November 26, 2025)

Integrations

ANY.RUN TI Feed

Updated the modified_after and feedReliability parameters to optional instead of required.

ANY.RUN TI Lookup

Updated the integrationReliability parameter to optional instead of required.

Related pull requests:
- 42021

Download

2.1.0 - 5811311 (November 10, 2025)

Integrations

ANY.RUN TI Feed

New: Added SSL and Proxy settings options.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

ANY.RUN Cloud Sandbox

New: Added SSL and Proxy settings options.
New: Debian VM is now available for file and URL analysis.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

ANY.RUN TI Lookup

New: Added SSL and Proxy settings options. Added support of the reputation commands: ip, domain, url, file.
New: anyrun-get-intelligence command now attaches a JSON summary to WarRoom.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

Playbooks

ANYRUN Detonate Url Linux

New: Added Debian VM. Use env_os=debian to access a new functionality.

ANYRUN Detonate File Linux

New: Added Debian VM. Use env_os=debian to access a new functionality.

Related pull requests:
- 41862
- 41693

Download

2.0.1 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.0 - R5469292 (October 20, 2025)

Integrations

Deprecated. Use ANY.RUN TI Feed, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.

New: ANY.RUN TI Feed

New: Added a new integration- ANY.RUN TI Feed that Threat Intelligence Feed provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.

New: ANY.RUN Cloud Sandbox

New: Added a new integration- ANY.RUN Cloud Sandbox. ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

New: ANY.RUN TI Lookup

New: Added a new integration- ANY.RUN TI Lookup. TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Playbooks

Detonate File - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate File From URL - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate URL - ANYRUN

Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.

New: ANYRUN Detonate Url Linux

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.

New: ANYRUN Detonate File Android

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.

New: ANYRUN Detonate File Linux

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It helps to automate malware detonation and behavior observation on Ubuntu OS.

New: ANYRUN Detonate File Windows

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in a Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.

New: ANYRUN Detonate Url Windows

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.

New: ANYRUN Detonate Url Android

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.

Related pull requests:
- 40726
- 40283

Download

1.0.25 - 4006198 (June 29, 2025)

Integrations

ANY.RUN

Updated the anyrun-run-analysis command:
- Added support for Windows 11 virtual machines.
- Added support for the "By Team" privacy type.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40356
- 40395

Download

1.0.24 - R3414854 (May 15, 2025)

Integrations

ANY.RUN

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.23 - R2988287 (March 26, 2025)

ANY.RUN

Started adoption process.

Related pull requests:
- 39037
- 39123

Download

1.0.22 - R1931958 (January 6, 2025)

Integrations

ANY.RUN

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.1.1 - 6025169 (November 26, 2025)

Integrations

ANY.RUN TI Feed

Updated the modified_after and feedReliability parameters to optional instead of required.

ANY.RUN TI Lookup

Updated the integrationReliability parameter to optional instead of required.

Related pull requests:
- 42021

Download

2.1.0 - 5811311 (November 10, 2025)

Integrations

ANY.RUN TI Feed

New: Added SSL and Proxy settings options.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

ANY.RUN Cloud Sandbox

New: Added SSL and Proxy settings options.
New: Debian VM is now available for file and URL analysis.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

ANY.RUN TI Lookup

New: Added SSL and Proxy settings options. Added support of the reputation commands: ip, domain, url, file.
New: anyrun-get-intelligence command now attaches a JSON summary to WarRoom.
Updated the Docker image to: demisto/anyrun-sdk:1.0.0.5185978.

Playbooks

ANYRUN Detonate Url Linux

New: Added Debian VM. Use env_os=debian to access a new functionality.

ANYRUN Detonate File Linux

New: Added Debian VM. Use env_os=debian to access a new functionality.

Related pull requests:
- 41862
- 41693

Download

2.0.1 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.0 - R5469292 (October 20, 2025)

Integrations

ANY.RUN

Deprecated. Use ANY.RUN TI Feed, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.

New: ANY.RUN TI Feed

New: Added a new integration- ANY.RUN TI Feed that Threat Intelligence Feed provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.

New: ANY.RUN Cloud Sandbox

New: Added a new integration- ANY.RUN Cloud Sandbox. ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

New: ANY.RUN TI Lookup

New: Added a new integration- ANY.RUN TI Lookup. TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Playbooks

Detonate File - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate File From URL - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate URL - ANYRUN

Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.

New: ANYRUN Detonate Url Linux

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.

New: ANYRUN Detonate File Android

New: ANYRUN Detonate File Linux

New: ANYRUN Detonate File Windows

New: ANYRUN Detonate Url Windows

New: ANYRUN Detonate Url Android

Related pull requests:
- 40726
- 40283

Download

1.0.25 - 4006198 (June 29, 2025)

Integrations

ANY.RUN

Updated the anyrun-run-analysis command:
- Added support for Windows 11 virtual machines.
- Added support for the "By Team" privacy type.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40356
- 40395

Download

1.0.24 - R3414854 (May 15, 2025)

Integrations

ANY.RUN

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.23 - R2988287 (March 26, 2025)

ANY.RUN

Started adoption process.

Related pull requests:
- 39037
- 39123

Download

1.0.22 - R1931958 (January 6, 2025)

Integrations

ANY.RUN

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	January 26, 2021
Last Release	November 26, 2025

Ransomware

Malware

Phishing

Threat Intelligence Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.