ANY.RUN Now Integrates with Splunk!
2024-9-12 15:47:27 Author: any.run

We have some thrilling news to share with you today. Our team at ANY.RUN is happy to announce the launch of our new integration with Splunk!

How this integration benefits you 

Official page of ANY.RUN’s connector for Splunk

If you’re a Splunk user, you can now leverage ANY.RUN’s Interactive Sandbox and Threat Intelligence Lookup directly from your Splunk SOAR environment.  

This means that you can analyze potentially malicious files and URLs in the sandbox and enrich your investigations with threat data from TI Lookup without leaving the familiar Splunk interface.  

Our main goal with this integration is to give you more options and help you make the most out of ANY.RUN while working with familiar systems.  

The integration supports a wide range of actions, from simple reputation checks to full detonation and analysis of suspicious objects.  

Key Features 

Comprehensive Threat Intelligence 

The integration allows analysts to query ANY.RUN’s threat intelligence database directly from Splunk SOAR. 

Use the ‘get intelligence’ action to query TI Lookup’s database

Automated Malware Analysis 

One of the most powerful features of this integration is the ability to automatically detonate files and URLs in ANY.RUN’s sandbox.  

This process can be triggered as part of a Splunk SOAR playbook, allowing for analysis of attachments in phishing emails or suspicious downloads detected by network monitors. You can also access any analysis session you launch in the sandbox to perform manual actions or gain a deeper understanding of the threat.

You can perform file analysis, collect IOCs, get IP reputation, and more

Detailed Reporting and IOC Extraction 

The ‘get report’ action retrieves key analysis details, including the verdict on the sample’s threat level. You can also see the rest of the analysis results by navigating to the corresponding part of the interface.

The interface lets you quickly see the verdict on the sample

Advanced Threat Hunting 

If you have ANY.RUN’s TI License, you can use the ‘get intelligence’ action to perform complex queries against ANY.RUN’s threat intelligence database. 

Threat Intelligence Lookup lets you use dozens of search parameters

Search for specific file hashes, IP addresses, domains, or even MITRE ATT&CK techniques you uncovered in previous analyses.

Real-World Application 

Consider a scenario where a Splunk SOAR playbook is triggered by a potential phishing email. 

The playbook could automatically extract any URLs and attachments from the email, then use the ‘url reputation’ action to check if the URLs have been previously analyzed by ANY.RUN. 

  • For new or suspicious URLs, the playbook could use the ‘detonate url’ action to analyze them in a sandbox environment. 
  • Similarly, for attachments, the ‘detonate file’ action could be used to safely execute and analyze them. 

The playbook could then retrieve detailed reports and IOCs using the ‘get report’ and ‘get iocs’ actions. 

Finally, it could use the extracted IOCs to automatically update firewall rules, trigger endpoint scans, or create new detection rules in the SIEM. 

How to Set it Up 

To leverage this new integration, users will need a Splunk SOAR environment and an ANY.RUN account with API access. A ‘Hunter’ or ‘Enterprise’ subscription is recommended for full feature access. 

Splunk connector details

The setup process is straightforward: 

  • Configure a new ANY.RUN asset in Splunk SOAR.
  • Provide the ANY.RUN base URL (typically https://api.any.run).
  • Enter the API key from your ANY.RUN profile page.
  • Set a default timeout for API requests.

The connector is easy to set up

Once configured, the ANY.RUN actions will be available for use in Splunk SOAR playbooks and for manual invocation by analysts. 

About ANY.RUN  

ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, Yara Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.  

With ANY.RUN you can: 

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team 
  • Scale as you need



Source: https://any.run/cybersecurity-blog/splunk-integration/