ANY.RUN

LAST UPDATED: JUNE 5, 2025

Overview

ANY.RUN is an interactive malware analysis sandbox used to detect, analyze, and monitor cybersecurity threats. This integration allows organizations to analyze URL and file reputations and submit files and URLs for sandbox analysis.

D3 SOAR is providing REST operations to function with ANY.RUN.

ANY.RUN is available for use in:

D3 SOAR	V12.7.0+
Category	Forensics & Malware Analysis
Deployment Options	Option II, Option IV

Known Limitations

ANY.RUN enforces API rate limits based on the subscribed plan:

Hunter Plan: Allows up to 250 requests per month.
Enterprise Plan: Provides 1,500 or more requests per month per team.

For further information, refer to ANY.RUN - Plans and Pricing.

Connection

To connect to ANY.RUN from D3 SOAR, follow this part to collect the required information below:

Parameter	Description	Example
Default
Server URL	The Any.Run server URL.	https://api.any.run
Authentication Type	The authentication method to use. Available options are: Basic Authentication API Key Authentication For API Key Authorization, ensure an API key has been generated.	Basic Authentication
API Version	The API version.	v1
Basic Authentication
Username	The username for basic authentication.	sample@d3security.com
Password	The password for basic authentication.	*****
API Key Authorization
API Key	The Any.Run API key. The API key can be obtained from the user profile.	TtG5*****QGgu

Configuring ANY.RUN to Work with D3 SOAR

Two token types are supported for authentication:

Basic access authentication: Uses the ANY.RUN username and password for authentication.
API Key authentication: Uses an API key generated from the Profile page. Refer to Generating the API Key for detailed instructions.

Generating the API Key

Click the Sign In menu item to log into ANY.RUN.
Generate the API Key.
1. Click the Profile menu item.
2. Select the API and Limits tab.
3. Click the Generate button to create the API key.
4. Click the button to copy the generated key. Refer to Step 4 under the Authentication Type: API Key Authentication section in Configuring D3 SOAR to Work with ANY.RUN.

Configuring D3 SOAR to Work with ANY.RUN

Log in to D3 SOAR.
Find the ANY.RUN integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type ANY.RUN in the search box to find the integration, then click it to select it.
4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to ANY.RUN.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add a description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, users have the option to choose the specific tenant sites to share the connection with. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Active: Check the checkbox to ensure the connection is available for use.
8. Configure User Permissions: Defines which users have access to the connection.
9. System Reputation Check: Selecting one or more reputation check tick boxes will run the corresponding check reputation commands under this integration connection to enrich the corresponding artifacts with reputation details.
  For example, an integration connection named "ConnectionA" is configured with the "Sandbox" site. All URL artifacts from the "Sandbox" site will undergo a reputation check using the Check URL Reputation command from that integration. The return data output from this command will then be used to update the risk level of artifacts, which may affect the risk level of incoming events.
10. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input the Server URL. The default value is https://api.any.run.
  2. Select the Authentication Type.
  3. Input the API Version. The default value is v1.
  Authentication Type: Basic Authentication
  
  4. Input the Username.
  5. Input the Password.
  Authentication Type: API Key Authentication
  4. Input the API Key. Refer to Step 2d in Generating the API Key.
11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
12. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

ANY.RUN includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the ANY.RUN API, refer to the ANY.RUN API reference.

Check File Reputation

Retrieves reputation information for the specified files.

File IDs and File Source

It is not recommended to use the Test Command feature with the Check File Reputation command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

Navigate to Configuration on the top bar menu.
Click on Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Click on the Test tab.
Input the required information for the parameters.
Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter	Required/Optional	Description	Example
File IDs	Required	The file IDs of the file source.	JSON `[ "*****" ]`
File Source	Required	The file source of the files. The options for file source are: Incident Attachment File: Manually uploaded file from Incident Playbook File: Output from another Task Artifact File: Ingested Artifact in an Event	Playbook File
Interval Time	Optional	The interval time in seconds to wait for the analysis results. By default, the value is 120 seconds.	1200
Operating System Version	Optional	The operating system version in which the task is launched. Available options are: Windows 7 Windows 8.1 Windows 10 Windows 11 Linux Ubuntu 22.04.2 By default, the value is Windows 7.	Windows 10
Operating System Bitness	Optional	The bitness of the operating system in which the task is launched. Available options are: 32 (Only for Windows) 64 For Windows 11, only 64-bit is supported. By default, the value is 32 for Windows and 64 for Linux.	64
Environment Type	Optional	The preset environment type used. Available options are: Complete (Only for Windows) Clean (Only for Windows) Office By default, the value is Complete for Windows and Office for Linux.	64
Command Line	Optional	The command line input used during execution. The size must be between 2 and 256 characters.	edit
Run As Root	Optional	Whether to run the file with superuser privileges. This parameter applies only to Linux environments. By default, the value is False.	True
Privacy	Optional	The privacy level for the analysis. Available options are: Only me Team Who has a link Public By default, the value is Only me.	Team
Duration Timeout	Optional	The analysis timeout duration in seconds. By default, the value is 60 seconds.	300
Start Folder	Optional	The folder from which the analysis begins. Available options are: Desktop Home Downloads Appdata Temp Windows Root By default, the value is Temp.	Desktop

Output

Output Type	Description	Return Data Type
Return Data	In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.	String
Raw Data	The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.	JSON
Key Fields	Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. Users can use these key-value pairs as data points for playbook task inputs.	JSON
Result	Provides a brief summary of outputs in an HTML formatted table.	HTML

D3-defined Risk Levels and Risk Level Names

The table below lists the possible output risk levels and their corresponding risk level names:

Risk Levels	Risk Level Names
1	High
2	Medium
3	Low
4	N/A
5	ZeroRisk

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Check File Reputation failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Check File Reputation failed.

Status Code: 400.

Message: Bad request.

Check URL Reputation

Retrieves reputation information for the specified URLs.

Input

Input Parameter	Required/Optional	Description	Example
URLs	Required	The list of URLs to evaluate for reputation in the http://your-link or https://your-link format.	JSON `[ "https://***.***" ]`
Interval Time	Optional	The interval time in seconds to wait for the analysis results. By default, the value is 120 seconds.	120
Operating System Version	Optional	The operating system version in which the task is launched. Available options are: Windows 7 Windows 8.1 Windows 10 Windows 11 Linux Ubuntu 22.04.2 By default, the value is Windows 7.	Windows 10
Operating System Bitness	Optional	The bitness of the operating system in which the task is launched. Available options are: 32 (Only for Windows) 64 For Windows 11, only 64-bit is supported. By default, the value is 32 for Windows and 64 for Linux.	64
Environment Type	Optional	The preset environment type used. Available options are: Complete (Only for Windows) Clean (Only for Windows) Office By default, the value is Complete for Windows and Office for Linux.	64
Browser Type	Optional	The browser type used for URL analysis. Available options are: Microsoft Edge (For Windows environment Only) Internet Explorer (For Windows 7 and 8.1 Only) Mozilla Firefox (For Windows 7 and 8.1 and Linux Ubuntu 22.04.2) Google Chrome (For Windows 7 and 8.1 and Linux Ubuntu 22.04.2) Microsoft Edge is available only on Windows 10 and Windows 11. By default, the browser is Internet Explorer for other Windows versions and Mozilla Firefox for Linux.	Google Chrome
Privacy	Optional	The privacy level for the analysis. Available options are: Only me Team Who has a link Public By default, the value is Only me.	Team
Duration Timeout	Optional	The analysis timeout duration in seconds. By default, the value is 60 seconds.	300

Output

Output Type	Description	Return Data Type
Return Data	In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.	String
Raw Data	The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.	JSON
Key Fields	Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. Users can use these key-value pairs as data points for playbook task inputs.	JSON
Result	Provides a brief summary of outputs in an HTML formatted table.	HTML

D3-defined Risk Levels and Risk Level Names

The table below lists the possible output risk levels and their corresponding risk level names:

Risk Levels	Risk Level Names
1	High
2	Medium
3	Low
4	N/A
5	ZeroRisk

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Check URL Reputation failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Check URL Reputation failed.

Status Code: 400.

Message: Bad request.

Create File Analysis

Creates an analysis task for the specified file.

File ID and File Source

It is not recommended to use the Test Command feature with the Create File Analysis command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

Navigate to Configuration on the top bar menu.
Click on Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Click on the Test tab.
Input the required information for the parameters.
Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

Input Parameter	Required/Optional	Description	Example
File ID	Required	The file ID of the file source.	*****
File Source	Required	The file source of the file. The options for file source are: Incident Attachment File: Manually uploaded file from Incident Playbook File: Output from another Task Artifact File: Ingested Artifact in an Event	Playbook File
Operating System Version	Optional	The operating system version in which the task is launched. Available options are: Windows 7 Windows 8.1 Windows 10 Windows 11 Linux Ubuntu 22.04.2 By default, the value is Windows 7.	Windows 10
Operating System Bitness	Optional	The bitness of the operating system in which the task is launched. Available options are: 32 (Only for Windows) 64 By default, the value is 32 for Windows and 64 for Linux.	64
Environment Type	Optional	The preset environment type used. Available options are: Complete (Only for Windows) Clean (Only for Windows) Office By default, the value is Complete for Windows and Office for Linux.	64
Command Line	Optional	The command line input used during execution. The size must be between 2 and 256 characters.	edit
Run As Root	Optional	Whether to run the file with superuser privileges. This parameter applies only to Linux environments. By default, the value is False.	True
Privacy	Optional	The privacy level for the analysis. Available options are: Only me Team Who has a link Public By default, the value is Only me.	Team
Duration Timeout	Optional	The analysis timeout duration in seconds. By default, the value is 60 seconds.	300
Start Folder	Optional	The folder from which the analysis begins. Available options are: Desktop Home Downloads Appdata Temp Windows Root By default, the value is Temp.	Desktop

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create File Analysis failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Create File Analysis failed.

Status Code: 400.

Message: Bad request.

Create URL Analysis

Creates an analysis task for the specified URL.

Input

Input Parameter	Required/Optional	Description	Example
URL	Required	The URL to be analyzed in the task in the http://your-link or https://your-link format.	https://www.uberconference.com
Operating System Version	Optional	The operating system version in which the task is launched. Available options are: Windows 7 Windows 8.1 Windows 10 Windows 11 Linux Ubuntu 22.04.2 By default, the value is Windows 7.	Windows 10
Operating System Bitness	Optional	The bitness of the operating system in which the task is launched. Available options are: 32 (Only for Windows) 64 For Windows 11, only 64-bit is supported. By default, the value is 32 for Windows and 64 for Linux.	64
Environment Type	Optional	The preset environment type used. Available options are: Complete (Only for Windows) Clean (Only for Windows) Office By default, the value is Complete for Windows and Office for Linux.	64
Browser Type	Optional	The browser type used for URL analysis. Available options are: Microsoft Edge (For Windows environment Only) Internet Explorer (For Windows 7 and 8.1 Only) Mozilla Firefox (For Windows 7 and 8.1 and Linux Ubuntu 22.04.2) Google Chrome (For Windows 7 and 8.1 and Linux Ubuntu 22.04.2) Microsoft Edge is available only on Windows 10 and Windows 11. By default, the browser is Internet Explorer for other Windows versions and Mozilla Firefox for Linux.	Google Chrome
Privacy	Optional	The privacy level for the analysis. Available options are: Only me Team Who has a link Public By default, the value is Only me.	Team
Duration Timeout	Optional	The analysis timeout duration in seconds. By default, the value is 60 seconds.	300

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Create URL Analysis failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Create URL Analysis failed.

Status Code: 400.

Message: Bad request.

Get Analysis Task Results

Retrieves the results of analysis tasks by their task IDs. The results can originate from a newly created analysis task or from the analysis history using the List Analysis History command.

READER NOTE

Task IDs is a required parameter to run this command.

Run the Create URL Analysis, Create File Analysis, or List Analysis History command to obtain the Task IDs. Task IDs can be found in the raw data at the path:
- $.data.taskid for Create URL Analysis and Create File Analysis
- $.data.tasks[*].related for List Analysis History.

Input

Input Parameter	Required/Optional	Description	Example
Task IDs	Required	The IDs of the analysis tasks for which to retrieve results. Task IDs can be obtained using the Create URL Analysis, Create File Analysis, or List Analysis History command.	JSON `[ "64e7*****c6d2" ]`

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Analysis Task Results failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Get Analysis Task Results failed.

Status Code: 400.

Message: Bad request.

Get Graph Report

Retrieves the graph report generated for a specified analysis task.

READER NOTE

Task ID is a required parameter to run this command.

Run the List Analysis History command to obtain the Task ID. Task IDs can be found in the raw data at the path $.data.tasks[*].related.

Input

Input Parameter	Required/Optional	Description	Example
Task ID	Required	The task ID of the analysis used to retrieve the graph report. Task ID can be obtained using the List Analysis History command.	6b57*****32bf

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Graph Report failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Get Graph Report failed.

Status Code: 400.

Message: Bad request.

Get HTML Summary Report

Retrieves the HTML summary report associated with the specified analysis task.

READER NOTE

Task ID is a required parameter to run this command.

Run the List Analysis History command to obtain the Task ID. Task IDs can be found in the raw data at the path $.data.tasks[*].related.

Input

Input Parameter	Required/Optional	Description	Example
Task ID	Required	The task ID of the analysis for which to retrieve the HTML summary report. Task ID can be obtained using the List Analysis History command.	6b57*****32bf

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get HTML Summary Report failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Get HTML Summary Report failed.

Status Code: 400.

Message: Bad request.

Get IOC Report

Retrieves the IOC report associated with the specified analysis task.

READER NOTE

Task ID is a required parameter to run this command.

Run the List Analysis History command to obtain the Task ID. Task IDs can be found in the raw data at the path $.data.tasks[*].related.

Input

Input Parameter	Required/Optional	Description	Example
Task ID	Required	The task ID of the analysis for which to retrieve the IOC report. Task ID can be obtained using the List Analysis History command.	6b57*****32bf

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get IOC Report failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Get IOC Report failed.

Status Code: 400.

Message: Bad request.

Get MISP Report

Retrieves the MISP report associated with the specified analysis task.

READER NOTE

Task ID is a required parameter to run this command.

Run the List Analysis History command to obtain the Task ID. Task IDs can be found in the raw data at the path $.data.tasks[*].related.

Input

Input Parameter	Required/Optional	Description	Example
Task ID	Required	The task ID of the analysis for which to retrieve the MISP report. Task ID can be obtained using the List Analysis History command.	6b57*****32bf

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get MISP Report failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

Get MISP Report failed.

Status Code: 400.

Message: Bad request.

List Analysis

Lists analysis tasks.

Input

Input Parameter	Required/Optional	Description	Example
Team	Required	Whether to retrieve team analysis history. Select False to retrieve personal analysis history.	false
Skip	Optional	The number of records to skip from the beginning of the result set. By default, the value is 0.	0
Limit	Optional	The maximum number of records to return. The acceptable range is 1–100. By default, the value is 25.	10

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Analysis failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

List Analysis failed.

Status Code: 400.

Message: Bad request.

List Analysis History

Retrieves analysis history. Use this command to examine previously executed analysis tasks without creating a new analysis.

Input

Input Parameter	Required/Optional	Description	Example
Team	Optional	Whether to retrieve team analysis history. Select False to retrieve personal analysis history. By default, the value is False.	False
History Limit	Optional	The number of historic analysis tasks to search for the specified hashes or URLs. The valid range is an integer from 1 to 10,000. By default, the value is 25.	100
Hash	Optional	The file or URL hash value used to filter the results. Acceptable formats include MD5, SHA-1, and SHA-256 for files, and SHA-1 or SHA-256 for URLs.	cc87*****9457

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Analysis History failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Bad request.

Error Sample Data

List Analysis History failed.

Status Code: 400.

Message: Bad request.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ANY.RUN portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: API is not available on the free plan.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: API is not available on the free plan.