{"id":17894,"date":"2026-01-22T08:12:40","date_gmt":"2026-01-22T08:12:40","guid":{"rendered":"\/cybersecurity-blog\/?p=17894"},"modified":"2026-01-26T11:10:52","modified_gmt":"2026-01-26T11:10:52","slug":"anyrun-sandbox-misp-integration","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/","title":{"rendered":"ANY.RUN Sandbox\u00a0&amp;\u00a0MISP Integration: Confirm Alerts Faster,\u00a0Stop\u00a0Incidents Early\u00a0"},"content":{"rendered":"\n<p>Most SOC teams are overloaded with routine work.&nbsp;Tier 1 &amp; 2 analysts spend too much time&nbsp;validating&nbsp;alerts, moving samples between tools, and chasing missing context. When integrations are weak, investigations slow down,&nbsp;MTTR grows, and SLAs suffer delays. That directly increases operational risk and cost for the business.&nbsp;&nbsp;<\/p>\n\n\n\n<p>ANY.RUN has already helped teams close part of this gap with continuous, high-quality <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a>. Now, with the <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktosandboxanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox integration<\/a> for MISP, analysts can go further: enrich alerts with real execution behavior, speed up triage, and use actionable evidence to stop incidents before they have a chance to escalate.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ANY.RUN&nbsp;x MISP: Boost Your Triage &amp; Response&nbsp;<\/h2>\n\n\n\n<p>With this integration, analysts can send suspicious files and URLs from MISP straight into the&nbsp;<a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktosandboxanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN Sandbox<\/a>.&nbsp;The integration is deployed through native MISP modules.&nbsp;There is no need to export samples or switch tools. Everything happens inside the analyst\u2019s usual workspace.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-1024x580.png\" alt=\"\" class=\"wp-image-17949\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-2048x1159.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.31.24-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MISP \u201cPhishing attempt\u201d event enriched with ANY.RUN Sandbox and phishing-related tags<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Integrate the modules using these links:&nbsp;&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/misp.github.io\/misp-modules\/expansion\/#anyrun-sandbox-submit\" target=\"_blank\" rel=\"noreferrer noopener\">Submit files\/URLs for analysis<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/misp.github.io\/misp-modules\/import_mod\/#anyrun-sandbox-import\" target=\"_blank\" rel=\"noreferrer noopener\">Get analysis reports<\/a>&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The analysis uses&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/automated-interactivity-stage-two\/\" target=\"_blank\" rel=\"noreferrer noopener\">Automated&nbsp;Interactivity<\/a>, which means the sandbox behaves like a real user. It clicks, opens files, and waits when needed. This matters because many modern threats stay quiet until they see user activity.&nbsp;&nbsp;<\/p>\n\n\n\n<p>As a result, the sandbox reveals evasive malware that most detection systems miss, giving the SOC earlier and clearer signals.&nbsp;&nbsp;<\/p>\n\n\n\n<p>After execution, the results are automatically returned to MISP, including the verdict, <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">related IOCs<\/a>, a link to the interactive analysis session, an HTML report, and mapped&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-ttps-in-ti-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK&nbsp;techniques<\/a> and tactics.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-1024x580.png\" alt=\"MITRE ATT&amp;CK technique expanded inside MISP\" class=\"wp-image-17907\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-1536x869.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-2048x1159.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/MITRE-ATTCK-technique-inside-MISP-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK technique (T1082 \u2013 System Information Discovery) expanded inside MISP, displaying its description and related metadata<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Here\u2019s&nbsp;what&nbsp;your&nbsp;SOC can do with the integration:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Catch evasive threats earlier&nbsp;<\/strong>by triggering delayed or user-driven malware behavior that bypasses traditional detection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Validate alerts using real execution evidence&nbsp;<\/strong>instead of relying on static indicators.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enrich investigations automatically&nbsp;<\/strong>with verdicts, IOCs,&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK techniques<\/a>, and&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-report\/\" target=\"_blank\" rel=\"noreferrer noopener\">detailed reports<\/a>&nbsp;attached to MISP events.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Work faster&nbsp;<\/strong>by running analysis and reviewing results without leaving MISP.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Make confident escalation&nbsp;<\/strong>or closure decisions backed by&nbsp;real behavioral&nbsp;evidence.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAdd <span class=\"highlight\">behavior-based evidence<\/span> to your MISP\n<br>Cut triage\u00a0time and reduce noise\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/enterprise\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=MISP-integration-with-anyrun&#038;utm_term=220126&#038;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noopener\">\nReach out for details\u00a0\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Benefits for Your SOC and Business&nbsp;<\/h2>\n\n\n\n<p>For your organization, this integration means:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower incident costs<\/strong>: Shorter investigations reduce operational effort per case.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced MTTR<\/strong>: Faster response limits business impact.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger SLA performance<\/strong>:&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/how-mssps-win-clients\/\" target=\"_blank\" rel=\"noreferrer noopener\">Help MSSPs<\/a>&nbsp;meet response time and quality commitments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>No extra headcount<\/strong>: Scale SOC performance without growing the team.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Zero integration costs<\/strong>: No need for custom development if MISP is already in use.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"580\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-1024x580.png\" alt=\"\" class=\"wp-image-17950\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-1024x580.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-768x435.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-1536x870.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-2048x1161.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/Screenshot-2026-01-16-at-17.32.02-740x419.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Enriched MISP event attributes, including the ANY.RUN verdict, report, &amp; IOC<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>For MSSPs, the integration helps meet customer SLA requirements by reducing response times, increasing analysis quality, and improving the overall value of managed security services without increasing operational costs.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Expand Threat Coverage in MISP with ANY.RUN TI Feeds&nbsp;<\/h2>\n\n\n\n<p>Sandbox analysis helps with individual investigations, while <a href=\"https:\/\/any.run\/cybersecurity-blog\/misp-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Feeds<\/a> help the SOC stay ahead at scale.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"656\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-1024x656.png\" alt=\"\" class=\"wp-image-17942\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-1024x656.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-300x192.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-768x492.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-1536x984.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-2048x1312.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-370x237.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-270x173.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2026\/01\/TI-Feeds-1920-v1-1-740x474.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>TI Feeds contribute to your company&#8217;s proactive defense and help you catch attacks early<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>ANY.RUN&#8217;s <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> continuously deliver verified malicious network IOCs extracted from real attacks&nbsp;observed&nbsp;across more than&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-from-organizations\/\" target=\"_blank\" rel=\"noreferrer noopener\">15,000 organizations<\/a>. Indicators come directly from live sandbox executions and are delivered in STIX\/TAXII format, ready for use in MISP, SIEM, or SOAR platforms.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/misp-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about TI Feeds integration with MISP<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Early detection<\/strong>:&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/enrich-iocs-with-threat-intelligence\/\" target=\"_blank\" rel=\"noreferrer noopener\">New IOCs<\/a>&nbsp;appear as soon as they are seen in real attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Expanded coverage<\/strong>: 99 percent unique indicators expose threats traditional feeds&nbsp;miss.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced false positives<\/strong>: Only confirmed malicious data reaches analysts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Better correlation<\/strong>: Shared attributes help link incidents and campaigns faster.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Lower analyst workload<\/strong>: Continuous enrichment removes manual lookup and curation.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nImprove early detection <span class=\"highlight\">at scale<\/span>\n<br>Get <span class=\"highlight\">fresh IOCs<\/span> from over 15k+ orgs\n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=MISP-integration-with-anyrun-sandbox&#038;utm_term=220126&#038;utm_content=linktoenterprise#contact-sales\" target=\"_blank\" rel=\"noopener\">\nContact us\u00a0\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion&nbsp;<\/h2>\n\n\n\n<p>The ANY.RUN Sandbox integration turns MISP into a practical investigation tool, not just an IOC repository. Analysts get real behavior, faster verdicts, and better context without changing how they work. TI Feeds add continuous visibility into active attacker infrastructure. Together, these capabilities reduce MTTR, lower analyst workload, and help protect the business more effectively.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/integrations\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktointegrations\" target=\"_blank\" rel=\"noreferrer noopener\">Discover all ANY.RUN integrations and simplify your analysis flow \u2192<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN is a leading provider of interactive malware analysis and threat intelligence solutions trusted by more than 600,000 cybersecurity professionals and 15,000 organizations worldwide.\u00a0<\/p>\n\n\n\n<p>The platform gives defenders a clear view of real attacker behavior by combining:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktosandboxanding\" target=\"_blank\" rel=\"noreferrer noopener\">Interactive Sandbox<\/a><strong>:<\/strong>&nbsp;Runs files, URLs, and entire infection chains with automatic user-like activity to reveal tactics hidden from classic detection tools.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a><strong>:<\/strong>&nbsp;Verified reputation data, history, and related indicators gathered from real attacks.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=MISP-integration-with-anyrun-sandbox&amp;utm_term=220126&amp;utm_content=linktotifeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">TI Feeds<\/a><strong>:&nbsp;<\/strong>Continuous delivery of fresh,&nbsp;confirmed-malicious&nbsp;network indicators in STIX\/TAXII format.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-enterprise-plan\/\" target=\"_blank\" rel=\"noreferrer noopener\">Enterprise-grade workflows<\/a>: API, SDK, SSO, teamwork tools, and privacy-focused private analysis modes for large SOCs and MSSPs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>ANY.RUN helps analysts work faster, strengthen decisions, and investigate advanced threats with clarity and confidence.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">FAQ<\/h2>\n\n\n\n<div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1769057495035\"><strong class=\"schema-faq-question\"><strong>Do analysts have to download samples before sending them to the sandbox?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">No. The integration sends files\/URLs directly from the MISP event to ANY.RUN. Everything stays in the same workflow.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1769057537404\"><strong class=\"schema-faq-question\"><strong>How does Automated Interactivity help?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">Some malware\u00a0won\u2019t\u00a0run until it sees something that looks like\u00a0a real human\u00a0action, opening a document, clicking a dialog, waiting a few seconds, or browsing a link. Automated Interactivity performs those actions, helping expose behavior that static tools or non-interactive sandboxes never trigger.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1769057558721\"><strong class=\"schema-faq-question\"><strong>Does this integration help reduce MTTR?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">Yes. Analysts can confirm or dismiss alerts faster because they work with real execution evidence, not just metadata. This speeds up triage, shortens response cycles, and lowers the number of cases that require escalation.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1769057578212\"><strong class=\"schema-faq-question\"><strong>Can MSSPs use this to improve their SLAs?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">Yes. Faster verdicts, better evidence, and fewer manual steps mean MSSPs can return higher-quality reports to customers and stay within SLA targets without increasing team size.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1769057604912\"><strong class=\"schema-faq-question\"><strong>Is there any cost to\u00a0enabling\u00a0the MISP integration?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">The MISP modules are built into the platform and can be enabled without custom development. However, running analyses still\u00a0requires\u00a0an active ANY.RUN subscription. Once the account is connected, the integration can be used right away.\u00a0<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1769057630245\"><strong class=\"schema-faq-question\"><strong>How do TI Feeds fit into this workflow?<\/strong>\u00a0<\/strong> <p class=\"schema-faq-answer\">TI Feeds bring fresh, confirmed-malicious indicators into MISP through STIX\/TAXII. They complement sandbox analysis by improving correlation and early detection.\u00a0<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Most SOC teams are overloaded with routine work.&nbsp;Tier 1 &amp; 2 analysts spend too much time&nbsp;validating&nbsp;alerts, moving samples between tools, and chasing missing context. When integrations are weak, investigations slow down,&nbsp;MTTR grows, and SLAs suffer delays. That directly increases operational risk and cost for the business.&nbsp;&nbsp; ANY.RUN has already helped teams close part of this [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":17898,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[81],"tags":[57,10,54,55,56],"class_list":["post-17894","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-integrations-connectors","tag-anyrun","tag-cybersecurity","tag-features","tag-release","tag-update"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>ANY.RUN x MISP: Faster Triage with Behavior Evidence<\/title>\n<meta name=\"description\" content=\"ANY.RUN\u2019s integration with MISP delivers real behavior, fast verdicts and ATT&amp;CK mapping to strengthen triage, reduce MTTR, and support MSSP.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"ANY.RUN Sandbox\u00a0&amp;\u00a0MISP Integration: Confirm Alerts Faster,\u00a0Stop\u00a0Incidents Early\u00a0\",\"datePublished\":\"2026-01-22T08:12:40+00:00\",\"dateModified\":\"2026-01-26T11:10:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\"},\"wordCount\":1164,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"features\",\"release\",\"update\"],\"articleSection\":[\"Integrations &amp; connectors\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#respond\"]}]},{\"@type\":[\"WebPage\",\"FAQPage\"],\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\",\"name\":\"ANY.RUN x MISP: Faster Triage with Behavior Evidence\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2026-01-22T08:12:40+00:00\",\"dateModified\":\"2026-01-26T11:10:52+00:00\",\"description\":\"ANY.RUN\u2019s integration with MISP delivers real behavior, fast verdicts and ATT&CK mapping to strengthen triage, reduce MTTR, and support MSSP.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#breadcrumb\"},\"mainEntity\":[{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912\"},{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245\"}],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Integrations &amp; connectors\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/integrations-connectors\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"ANY.RUN Sandbox\u00a0&amp;\u00a0MISP Integration: Confirm Alerts Faster,\u00a0Stop\u00a0Incidents Early\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035\",\"position\":1,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035\",\"name\":\"Do analysts have to download samples before sending them to the sandbox?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No. The integration sends files\/URLs directly from the MISP event to ANY.RUN. Everything stays in the same workflow.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404\",\"position\":2,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404\",\"name\":\"How does Automated Interactivity help?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Some malware\u00a0won\u2019t\u00a0run until it sees something that looks like\u00a0a real human\u00a0action, opening a document, clicking a dialog, waiting a few seconds, or browsing a link. Automated Interactivity performs those actions, helping expose behavior that static tools or non-interactive sandboxes never trigger.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721\",\"position\":3,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721\",\"name\":\"Does this integration help reduce MTTR?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. Analysts can confirm or dismiss alerts faster because they work with real execution evidence, not just metadata. This speeds up triage, shortens response cycles, and lowers the number of cases that require escalation.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212\",\"position\":4,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212\",\"name\":\"Can MSSPs use this to improve their SLAs?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. Faster verdicts, better evidence, and fewer manual steps mean MSSPs can return higher-quality reports to customers and stay within SLA targets without increasing team size.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912\",\"position\":5,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912\",\"name\":\"Is there any cost to\u00a0enabling\u00a0the MISP integration?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"The MISP modules are built into the platform and can be enabled without custom development. However, running analyses still\u00a0requires\u00a0an active ANY.RUN subscription. Once the account is connected, the integration can be used right away.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"},{\"@type\":\"Question\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245\",\"position\":6,\"url\":\"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245\",\"name\":\"How do TI Feeds fit into this workflow?\u00a0\",\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"TI Feeds bring fresh, confirmed-malicious indicators into MISP through STIX\/TAXII. They complement sandbox analysis by improving correlation and early detection.\u00a0\",\"inLanguage\":\"en-US\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ANY.RUN x MISP: Faster Triage with Behavior Evidence","description":"ANY.RUN\u2019s integration with MISP delivers real behavior, fast verdicts and ATT&CK mapping to strengthen triage, reduce MTTR, and support MSSP.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"ANY.RUN Sandbox\u00a0&amp;\u00a0MISP Integration: Confirm Alerts Faster,\u00a0Stop\u00a0Incidents Early\u00a0","datePublished":"2026-01-22T08:12:40+00:00","dateModified":"2026-01-26T11:10:52+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/"},"wordCount":1164,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","features","release","update"],"articleSection":["Integrations &amp; connectors"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#respond"]}]},{"@type":["WebPage","FAQPage"],"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/","url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/","name":"ANY.RUN x MISP: Faster Triage with Behavior Evidence","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2026-01-22T08:12:40+00:00","dateModified":"2026-01-26T11:10:52+00:00","description":"ANY.RUN\u2019s integration with MISP delivers real behavior, fast verdicts and ATT&CK mapping to strengthen triage, reduce MTTR, and support MSSP.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#breadcrumb"},"mainEntity":[{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912"},{"@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245"}],"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Integrations &amp; connectors","item":"https:\/\/any.run\/cybersecurity-blog\/category\/integrations-connectors\/"},{"@type":"ListItem","position":3,"name":"ANY.RUN Sandbox\u00a0&amp;\u00a0MISP Integration: Confirm Alerts Faster,\u00a0Stop\u00a0Incidents Early\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035","position":1,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057495035","name":"Do analysts have to download samples before sending them to the sandbox?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"No. The integration sends files\/URLs directly from the MISP event to ANY.RUN. Everything stays in the same workflow.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404","position":2,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057537404","name":"How does Automated Interactivity help?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Some malware\u00a0won\u2019t\u00a0run until it sees something that looks like\u00a0a real human\u00a0action, opening a document, clicking a dialog, waiting a few seconds, or browsing a link. Automated Interactivity performs those actions, helping expose behavior that static tools or non-interactive sandboxes never trigger.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721","position":3,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057558721","name":"Does this integration help reduce MTTR?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Yes. Analysts can confirm or dismiss alerts faster because they work with real execution evidence, not just metadata. This speeds up triage, shortens response cycles, and lowers the number of cases that require escalation.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212","position":4,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057578212","name":"Can MSSPs use this to improve their SLAs?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"Yes. Faster verdicts, better evidence, and fewer manual steps mean MSSPs can return higher-quality reports to customers and stay within SLA targets without increasing team size.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912","position":5,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057604912","name":"Is there any cost to\u00a0enabling\u00a0the MISP integration?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"The MISP modules are built into the platform and can be enabled without custom development. However, running analyses still\u00a0requires\u00a0an active ANY.RUN subscription. Once the account is connected, the integration can be used right away.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"},{"@type":"Question","@id":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245","position":6,"url":"https:\/\/any.run\/cybersecurity-blog\/anyrun-sandbox-misp-integration\/#faq-question-1769057630245","name":"How do TI Feeds fit into this workflow?\u00a0","answerCount":1,"acceptedAnswer":{"@type":"Answer","text":"TI Feeds bring fresh, confirmed-malicious indicators into MISP through STIX\/TAXII. They complement sandbox analysis by improving correlation and early detection.\u00a0","inLanguage":"en-US"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17894"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=17894"}],"version-history":[{"count":45,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17894\/revisions"}],"predecessor-version":[{"id":18023,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/17894\/revisions\/18023"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/17898"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=17894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=17894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=17894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}