Release Notes: QRadar SOAR App, TI Lookup Free Access, and 2,900+ New Detection Rules

July brought powerful new updates to help your SOC catch threats faster, reduce manual effort, and make more confident decisions, right inside your existing workflows. From fresh integrations to better detection coverage, these changes are built to support your team every step of the way. 

In this update: 

  • New IBM QRadar SOAR integration to automate investigations and speed up response 
  • Launch of a free TI Lookup plan, giving all users access to live attack data from 15K SOCs 
  • New Debian ARM VM for analyzing malware targeting IoT and embedded systems 
  • Expanded detection with 163 new behavior signatures, 13 YARA rules, and 2,772 Suricata rules 

Keep reading to explore what’s new and how these updates can improve your daily workflows and threat visibility. 

Product Updates 

IBM QRadar SOAR Integration: Faster, Smarter Incident Response 

We’ve officially launched the ANY.RUN app for IBM QRadar SOAR, helping SOC teams move faster, reduce manual effort, and make smarter decisions without leaving their existing workflows. 

ANY.RUN app for IBM QRadar SOAR 

With this integration, analysts can detonate suspicious files and URLs in ANY.RUN’s interactive sandbox directly from QRadar SOAR, and get verdicts, behavioral logs, and IOCs pushed back into the incident automatically. This not only speeds up triage, but also cuts Mean Time to Respond (MTTR) and reduces the risk of missing stealthy threats. 

You can also enrich key indicators using ANY.RUN’s Threat Intelligence Lookup, pulling in fresh, real-world threat context from live malware samples observed across 15,000+ organizations. 

ANY.RUN playbook library  

What Your Team Gains: Business and Operational Impact 

The new IBM QRadar SOAR integration delivers real performance and value across your SOC. By combining automated sandbox detonation with live threat intelligence enrichment, ANY.RUN helps security teams reduce alert fatigue, move faster, and make better-informed decisions. 

  • Lower workload and faster response: Automation cuts down manual triage and enrichment, letting analysts focus on critical threats, not routine tasks. 
  • Improved efficiency across tiers: Tier 1 and Tier 2 analysts benefit from streamlined investigation and escalation, while senior staff gain the bandwidth to focus on strategy and tuning. 
  • Smarter decisions, better processes: Sandbox reports and TI Lookup insights feed directly into playbooks and detection rules, driving continuous improvement. 
  • Early visibility into stealthy threats: Real-time behavioral data exposes multi-stage and evasive attacks that traditional tools often miss. 
  • Stronger ROI from existing tools: The integration adds powerful behavioral context to your SOAR workflows, without requiring new infrastructure or steep learning curves. 

How to Get Started 

Getting started is easy: install the ANY.RUN app from IBM App Exchange and connect your account using an API key. You can enable sandbox analysis, Threat Intelligence Lookup, or both, depending on your workflow.  

Threat Intelligence Lookup Gets a Free Plan and More Power for Premium 

This July, we made accessing high-quality threat intelligence easier than ever. ANY.RUN’s Threat Intelligence Lookup (TI Lookup) now includes a Free plan, giving every analyst and SOC team access to real-time, actionable data from millions of sandboxed malware sessions. 

“Threat Intelligence in ANY.RUN continues to evolve — not only by adding more features, but by making the right ones easier to use.” 
— Aleksey Lapshin, CEO at ANY.RUN 

TI Lookup provides access to an extensive database of the latest IOCs, IOBs, and IOAs 

We’ve simplified access to ANY.RUN’s threat intelligence ecosystem with a cleaner, faster entry point. With the Free plan, you can now explore Public Samples, TTPs, Suricata rules, and malware trends without cost or complexity. 

Users can perform unlimited searches using core indicators like file hashes, URLs, domains, IPs, Suricata IDs, and MITRE ATT&CK techniques, and combine them using the AND operator for refined threat queries. 

What You Can Achieve with TI Lookup Free 

The essential features in the free tier help SOC teams address real-world challenges: 

  • Enrich threat investigations: Gain extensive context by linking existing artifacts to real-world attacks observed in the wild. 
  • Reduce response time (MTTR): Analyze threat behavior, objectives, and targets directly from sandbox sessions to support fast, informed decisions. 
  • Strengthen proactive defense: Gather intel on emerging threats early, before they escalate, using real-time data. 
  • Grow your team’s expertise: Help SOC analysts learn from real-world malware by exploring TTPs through the interactive MITRE ATT&CK matrix. 
  • Develop SIEM, IDS/IPS, or EDR rules: Use collected intelligence to fine-tune detection rules and boost your organization’s overall defense. 

You can view up to 20 recent sandbox sessions per query, giving you insight into how threats evolve and behave across multiple industries and regions. 

All you need to do to get started is sign up or log into your ANY.RUN account, and you’re in. 

Go Beyond the Basics with TI Lookup Premium 

The Free plan gives your team a powerful starting point, but with TI Lookup Premium, you gain the scale, depth, and automation needed for enterprise-grade investigations. Premium unlocks three times more threat data, advanced search capabilities, and access to exclusive features like private search, YARA rule matching, alert subscriptions, and API integration

Feature                     Free                                 Premium 
Requests                    Unlimited number of basic requests   Advanced requests (100/500/5K/25K) 
Search operators            AND                                  AND, OR, NOT 
Search parameters           11                                   44 
Links to analysis sessions  Up to 20 most recent                 All available 
Interface                   Limited (only analyses)              Full (all threat data + analyses) 
Integration                 –                                    API and SDK (Python package) 
YARA Search                 –                                    Yes 
Private search              –                                    Yes 
TI Reports                  –                                    Yes 
Search Updates              –                                    Yes 

Whether you’re triaging alerts, threat hunting, or building detection rules, Premium gives you full control over your threat intelligence workflows, so your SOC stays ahead of threats, not just reacts to them. 

Reach out to us for trial access to TI Lookup Premium for your SOC team.

Debian Sandbox for ARM Malware Detection and Analysis 

To help SOC teams stay ahead of evolving threats, ANY.RUN now supports Linux Debian 12.2 64-bit (ARM) in our Interactive Sandbox. This new environment enables deep analysis of malware targeting ARM-based systems, commonly found in IoT devices, embedded infrastructure, and lightweight servers. 

Select Debian (ARM) from the available OS options 

ARM-based malware is becoming a serious concern across industries. These attacks often target underprotected systems to establish botnets, steal resources, or maintain unauthorized access, making early detection critical. 

With the new Debian (ARM) VM, analysts can: 

  • Engage directly with ARM-based malware in a live, isolated environment to trigger and observe hidden behaviors 
  • Uncover advanced tactics like persistence, evasion, and privilege escalation with process-level visibility 
  • Trace execution paths in real time, from dropped files to command-line activity 
  • Correlate behaviors with known TTPs using integrated MITRE ATT&CK mapping for threat classification 

The new ARM VM is available to Enterprise users. Simply open a new analysis and select Linux Debian 12.2 (ARM, 64-bit) from the OS list to get started. 

What this update brings to your SOC: 

  • Faster analysis: Accelerate triage, incident response, and threat hunting with a dedicated ARM environment that delivers instant behavioral insights. 
  • Reduced platform costs: Analyze ARM-based threats alongside Windows, Android, and Linux samples, all within the same sandbox platform. 
  • Smarter incident escalation: Collect rich, actionable data during Tier 1 analysis to support better handoffs to Tier 2 teams. 
  • Stronger analyst expertise: Empower your team to investigate real-world ARM malware, improving skillsets through hands-on, safe analysis. 

Threat Coverage Update 

In July, our team expanded detection capabilities significantly to help SOCs stay ahead of evolving threats: 

  • 163 new signatures were added to strengthen detection across malware families and techniques. 
  • 13 new YARA rules went live in production, boosting accuracy and enabling deeper hunting capabilities. 
  • 2,772 new Suricata rules were deployed, ensuring better coverage for network-based attacks. 

These updates mean analysts get faster, more confident verdicts in the sandbox and can enrich SIEM, SOAR, and IDS workflows with fresh, actionable IOCs. 

New Behavior Signatures 

In July, we added a new set of behavior signatures to help SOC teams detect stealthy, obfuscated, and persistent techniques earlier in the attack chain. These signatures are triggered by actions, not static indicators, giving your analysts deeper visibility and faster context during investigations. 

The new signatures are grouped into the following categories: Malware Families, Obfuscation & Evasion Techniques, Persistence Techniques, Recon & Credential Access, File/Registry/OS Abuse, Payload Delivery, and Other. Highlights from the Other category: 

  • BART: Loader activity observed in stealthy malware campaigns 
  • susp-lnk: Flags suspicious .lnk shortcut behavior often used for initial access 
  • susp-clipboard: Detects suspicious clipboard manipulation commonly used in credential theft or staged payload delivery 

YARA Rule Updates 

In July, we released 13 new YARA rules into production to help analysts detect threats faster, improve hunting accuracy, and cover a wider range of malware families and evasion tactics. 

Some key additions: 

  • BLACKMATTER: Detects ransomware operations linked to critical infrastructure attacks. 
  • LOCKBIT4: Tracks the latest variant of this widely distributed ransomware family. 
  • nightspire: Identifies this stealthy stealer observed in recent targeted campaigns. 
  • sinobi: Detects an infostealer family using Telegram for data exfiltration. 
  • cryptolocker: Covers one of the earliest forms of ransomware still resurfacing in modified campaigns. 

New Suricata Rules 

We’ve also added 2,772 targeted Suricata rules to help SOC teams catch stealthy data exfiltration attempts and phishing campaigns more reliably. Here are a few highlights: 

These new rules enhance detection for modern phishing and exfiltration tactics and are automatically applied in your ANY.RUN sessions. 

About ANY.RUN 

ANY.RUN supports over 15,000 organizations across banking, manufacturing, telecom, healthcare, retail, and tech, helping them build faster, smarter, and more resilient cybersecurity operations. 

Our cloud-based Interactive Sandbox enables teams to safely analyze threats targeting Windows, Linux, and Android systems in under 40 seconds; no complex infrastructure required. Paired with TI Lookup, YARA Search, and Threat Feeds, ANY.RUN empowers security teams to accelerate investigations, reduce risk, and boost SOC efficiency. 

Start your 14-day trial and take full control of threat analysis 

The post Release Notes: QRadar SOAR App, TI Lookup Free Access, and 2,900+ New Detection Rules appeared first on ANY.RUN’s Cybersecurity Blog.