The "Enrich Case with URL Analysis in ANY.RUN Sandbox" workflow template automates the process of analyzing URLs from Torq Cases using the ANY.RUN interactive sandbox. This workflow is designed for security teams to enhance their case management and threat intelligence capabilities. By submitting URLs for analysis, it retrieves detailed reports and extracts Indicators of Compromise (IoCs), updating the case with threat levels, scores, and behavioral tags. If a URL is deemed malicious or suspicious, the workflow attaches comprehensive reports and IoC data to the case, facilitating informed decision-making and swift remediation of web security alerts.
Use Cases
Case Management , Phishing , Remediate Web Security Alerts , Threat Intelligence Enrichment
Workflow Breakdown
Triggered from a Torq Case via "Run a workflow"; extracts case observables and validates that a URL is present.
Submits the URL to ANY.RUN Sandbox, attaches the live sandbox link to the case, and enters a polling loop until analysis completes.
Retrieves the completed report and extracts IoCs (IPs, URLs, file hashes) from the analysis output.
Updates the matching observable's reputation, attaches a case note with threat level, scores, and behavioral tags, and updates observable enrichment.
If the verdict is malicious or suspicious, runs parallel actions to attach the HTML report and (when IoCs exist) attach an IOC.csv to the case.
Vendors
Utils, ANY.RUN, Torq Cases
Workflow Output
Enrichment summary containing the analysis report details and extracted IoCs.
