ANY.RUN

Details
Content
Dependencies
Version History

Empowers SOC teams with a Cloud Sandbox for real-time malware analysis, Threat Intelligence Lookup, and high-quality feeds to enhance detection and threat coverage.

Note: Support for this Pack will be moved to Partner starting June 17, 2025.

Pack Contributors:

ANY.RUN integrations team

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Note: Support for this Pack will be moved to Partner starting June 17, 2025.

Pack Contributors:

ANY.RUN integrations team

Contributions are welcome and appreciated. For more info, visit our Contribution Guide.

Integrations

Name	Description
ANY.RUN TI Feed (Partner Contribution)	Threat Intelligence Feeds provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.
ANY.RUN TI Lookup (Partner Contribution)	TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.
ANY.RUN Cloud Sandbox (Partner Contribution)	ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.
ANY.RUN (Partner Contribution)	Deprecated. Use ANY.RUN TI Feeds, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.

Playbooks

Name	Description
ANYRUN Detonate File Android	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.
ANYRUN Detonate Url Android	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.
ANYRUN Detonate Url Windows	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.
Detonate File - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
ANYRUN Detonate Url Linux	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.
Detonate File From URL - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
Detonate URL - ANYRUN	Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.
ANYRUN Detonate File Windows	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.
ANYRUN Detonate File Linux	This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It helps to automate malware detonation and behavior observation on Ubuntu OS.

Integrations

Name	Description
ANY.RUN Cloud Sandbox (Partner Contribution)	ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.
ANY.RUN TI Feed (Partner Contribution)	Threat Intelligence Feeds provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.
ANY.RUN (Partner Contribution)	Deprecated. Use ANY.RUN TI Feeds, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.
ANY.RUN TI Lookup (Partner Contribution)	TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Playbooks

Name	Description
ANYRUN Detonate Url Linux	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.
Detonate File - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.
ANYRUN Detonate Url Android	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.
ANYRUN Detonate Url Windows	This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.
Detonate URL - ANYRUN	Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.
ANYRUN Detonate File Android	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.
ANYRUN Detonate File Linux	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Linux environment. It helps to automate malware detonation and behavior observation on Ubuntu OS.
ANYRUN Detonate File Windows	This playbook submits a file extracted from an alert attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.
Detonate File From URL - ANYRUN	Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (6)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

2.0.0 - 4324039 (July 27, 2025)

Integrations

ANY.RUN

Deprecated. Use ANY.RUN TI Feed, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.

New: ANY.RUN TI Feed

New: Added a new integration- ANY.RUN TI Feed that Threat Intelligence Feed provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.

New: ANY.RUN Cloud Sandbox

New: Added a new integration- ANY.RUN Cloud Sandbox. ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

New: ANY.RUN TI Lookup

New: Added a new integration- ANY.RUN TI Lookup. TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Playbooks

Detonate File - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate File From URL - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate URL - ANYRUN

Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.

New: ANYRUN Detonate Url Linux

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.

New: ANYRUN Detonate File Android

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It helps to automate malware detonation and behavior observation on Android OS.

New: ANYRUN Detonate File Linux

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It helps to automate malware detonation and behavior observation on Ubuntu OS.

New: ANYRUN Detonate File Windows

This playbook submits a file extracted from an incident attachment to the ANY.RUN cloud sandbox for dynamic analysis in a Windows environment. It helps to automate malware detonation and behavior observation on Windows OS.

New: ANYRUN Detonate Url Windows

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Windows environment. It automates the analysis of potentially malicious URLs on Windows OS.

New: ANYRUN Detonate Url Android

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in an Android environment. It automates the analysis of potentially malicious URLs on Android OS.

Related pull requests:
- 40726
- 40283

Download

1.0.25 - 4006198 (June 29, 2025)

Integrations

ANY.RUN

Updated the anyrun-run-analysis command:
- Added support for Windows 11 virtual machines.
- Added support for the "By Team" privacy type.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40356
- 40395

Download

1.0.24 - R3414854 (May 15, 2025)

Integrations

ANY.RUN

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.23 - R2988287 (March 26, 2025)

ANY.RUN

Started adoption process.

Related pull requests:
- 39037
- 39123

Download

1.0.22 - R1931958 (January 6, 2025)

Integrations

ANY.RUN

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

2.0.0 - 4324039 (July 27, 2025)

Integrations

ANY.RUN

Deprecated. Use ANY.RUN TI Feed, ANY.RUN TI Lookup, ANY.RUN Cloud Sandbox instead.

New: ANY.RUN TI Feed

New: Added a new integration- ANY.RUN TI Feed that Threat Intelligence Feed provide data on the known indicators of compromise such as malicious IPs, URLs, Domains.

New: ANY.RUN Cloud Sandbox

New: Added a new integration- ANY.RUN Cloud Sandbox. ANY.RUN Sandbox is an online interactive sandbox for malware analysis, a tool for detection, monitoring, and research of cyber threats in real time.

New: ANY.RUN TI Lookup

New: Added a new integration- ANY.RUN TI Lookup. TI Lookup is a searchable database of IOCs, IOAs, IOBs, and events for threat hunting and a service for browsing malicious files by their content.

Playbooks

Detonate File - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate File From URL - ANYRUN

Deprecated. Use ANY.RUN Detonate File [Windows, Linux, Android] instead.

Detonate URL - ANYRUN

Deprecated. Use ANY.RUN Detonate URL [Windows, Linux, Android] instead.

New: ANYRUN Detonate Url Linux

This playbook submits a URL extracted from an indicator to the ANY.RUN cloud sandbox for dynamic analysis in a Linux environment. It automates the analysis of potentially malicious URLs on Ubuntu OS.

New: ANYRUN Detonate File Android

New: ANYRUN Detonate File Linux

New: ANYRUN Detonate File Windows

New: ANYRUN Detonate Url Windows

New: ANYRUN Detonate Url Android

Related pull requests:
- 40726
- 40283

Download

1.0.25 - 4006198 (June 29, 2025)

Integrations

ANY.RUN

Updated the anyrun-run-analysis command:
- Added support for Windows 11 virtual machines.
- Added support for the "By Team" privacy type.
Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40356
- 40395

Download

1.0.24 - R3414854 (May 15, 2025)

Integrations

ANY.RUN

Metadata and documentation improvements.

Related pull requests:
- 39089

Download

1.0.23 - R2988287 (March 26, 2025)

ANY.RUN

Started adoption process.

Related pull requests:
- 39037
- 39123

Download

1.0.22 - R1931958 (January 6, 2025)

Integrations

ANY.RUN

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37407
- 37402
- 37403
- 37405
- 37406
- 37404

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	January 26, 2021
Last Release	July 27, 2025

Ransomware

Malware

Phishing

Threat Intelligence Management

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.