The "Enrich Case with File Analysis in ANY.RUN Sandbox" workflow template is designed to enhance case management by automating the analysis of file attachments within the ANY.RUN interactive sandbox. This workflow streamlines the process of submitting files for analysis, retrieving detailed reports, and extracting Indicators of Compromise (IoCs) such as IPs, URLs, and file hashes. It updates the case with critical threat intelligence, including verdicts and behavioral tags, and attaches comprehensive HTML reports and IoC data, enabling efficient threat intelligence enrichment and endpoint detection and response (EDR).
Use Cases
Case Management, Endpoint Detection and Response (EDR), Threat Intelligence Enrichment
Workflow Breakdown
Lists case attachments and prompts the analyst to select a file.
Generates an attachment download link, submits the file to ANY.RUN Sandbox, and attaches the live sandbox link to the case.
Polls ANY.RUN until the analysis completes, then retrieves the report and extracts IoCs (IPs, URLs, file hashes).
Updates the case with a note containing threat level, scores, and behavioral tags from the sandbox verdict.
If the verdict is malicious or suspicious, runs parallel actions to attach the HTML report and (when IoCs exist) attach an IOC.csv to the case.
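The post-submission steps above (poll until done, build the case note, extract IoCs, decide which artifacts to attach) as an added Python example; it is not the template's or ANY.RUN's code and runs offline over a constructed report. The report field paths and the threat-level scale (0 no threats, 1 suspicious, 2 malicious) are assumptions about the ANY.RUN report layout, and `report.html` / `IOC.csv` are just the attachment names used here.

```python
import csv
import io
# Constructed sample; field paths and threatLevel scale are assumed ANY.RUN layout, values invented.
SAMPLE_REPORT = {
    "analysis": {
        "status": "done",
        "scores": {"verdict": {"threatLevel": 2, "threatLevelText": "Malicious activity", "score": 100}},
        "tags": [{"tag": "trojan"}, {"tag": "stealer"}],
        "content": {"mainObject": {"hashes": {"sha256": "a" * 64}}},
    },
    "network": {
        "connections": [{"IP": "203.0.113.10", "Port": 443}, {"IP": "203.0.113.10", "Port": 80}],
        "httpRequests": [{"URL": "http://example.invalid/payload.bin"}],
    },
}

def poll_until_done(fetch, max_polls=30):
    """Step 3: call fetch() (e.g. a GET on the task) until the analysis reports 'done'."""
    for _ in range(max_polls):
        report = fetch()
        if report["analysis"]["status"] == "done":
            return report
    raise TimeoutError("analysis did not finish within the polling budget")

def case_note(report):
    """Step 4: threat level, score and behavioral tags that go into the case note."""
    v = report["analysis"]["scores"]["verdict"]
    return {"threat_level": v["threatLevel"], "threat_text": v["threatLevelText"],
            "score": v["score"], "tags": [t["tag"] for t in report["analysis"]["tags"]]}

def extract_iocs(report):
    """Step 3: IPs, URLs and the main object's hash, de-duplicated in first-seen order."""
    net, main = report["network"], report["analysis"]["content"]["mainObject"]
    candidates = [("ip", c["IP"]) for c in net["connections"]]
    candidates += [("url", r["URL"]) for r in net["httpRequests"]]
    candidates.append(("sha256", main["hashes"]["sha256"]))
    return [{"type": k, "value": v} for k, v in dict.fromkeys(candidates)]

def iocs_to_csv(iocs):
    """Body of the IOC.csv attached to the case when IoCs exist."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "value"], lineterminator="\n")
    w.writeheader(); w.writerows(iocs)
    return buf.getvalue()

def attachments_for(report):
    """Step 5: HTML report only for suspicious/malicious verdicts; IOC.csv only when IoCs exist."""
    if case_note(report)["threat_level"] < 1:  # assumed scale: 0 none, 1 suspicious, 2 malicious
        return []
    return ["report.html"] + (["IOC.csv"] if extract_iocs(report) else [])
```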
Vendors
Utils, ANY.RUN, Torq Cases
Workflow Output
Enrichment summary containing the analysis report details and extracted IoCs.
