Skip to main content

Workflow Template: Enrich Case with File Analysis in ANY.RUN Sandbox

Detonate a file attachment from a Torq Case in ANY.RUN Sandbox and enrich the case with verdict, IoCs, HTML report, and notes.

The "Enrich Case with File Analysis in ANY.RUN Sandbox" workflow template automates the process of analyzing file attachments from Torq Cases using the ANY.RUN interactive sandbox. This workflow is designed for security analysts to enhance case management by providing detailed threat intelligence. It extracts and submits case attachments for analysis, retrieves verdicts, scores, and behavioral tags, and updates the case with comprehensive reports and Indicators of Compromise (IoCs). If a file is deemed malicious or suspicious, the workflow attaches detailed HTML reports and IoC data, streamlining threat detection and response efforts.

Use Cases

Case Management , Endpoint Detection and Response (EDR) , Threat Intelligence Enrichment

Workflow Breakdown

  1. Lists case attachments and prompts the analyst to select a file.

  2. Generates an attachment download link, submits the file to ANY.RUN Sandbox, and attaches the live sandbox link to the case.

  3. Polls ANY.RUN until the analysis completes, then retrieves the report and extracts IoCs (IPs, URLs, file hashes).

  4. Updates the case with a note containing threat level, scores, and behavioral tags from the sandbox verdict.

  5. If the verdict is malicious or suspicious, runs parallel actions to attach the HTML report and (when IoCs exist) attach an IOC.csv to the case.

Vendors

Utils, ANY.RUN, Torq Cases

Workflow Output

Enrichment summary containing the analysis report details and extracted IoCs.

Did this answer your question?