Lastline v2

Use the Lastline v2 integration to provide threat analysts and incident response teams with the advanced malware isolation and inspection environment needed to safely execute advanced malware samples and understand their behavior.

Configure Lastline v2 on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Lastline v2.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g. https://analysis.lastline.com)
    • API Key for accessing Lastline APIs
    • API Token for accessing Lastline APIs
    • Use system proxy settings
    • Trust any certificate (not secure)
    • Threshold
  4. Click Test to validate the URLs, token, and connection.

Check the reputation of a file


Checks the file reputation of the specified file hashes. Supports MD5, SHA1, and SHA256 hashes.

Base Command

file

Input
| Argument Name | Description | Required |
|---|---|---|
| file | A comma-separated list of file hashes to check. Supports MD5, SHA1, and SHA256 hashes. | Required |
| threshold | The score threshold that determines if the file is malicious. The default value is "70". | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Type | string | The file type. |
| File.Malicious.Vendor | string | The vendor who determined that the file is malicious. |
| File.Malicious.Description | string | The reason that the vendor determined that the file is malicious. |
| File.Malicious.Score | number | The score that the vendor gave the malicious file. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The type of indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| Lastline.Submission.Status | string | The status of the submission. |
| Lastline.Submission.UUID | string | The task UUID. |
| Lastline.Submission.SubmissionTime | string | The timestamp in Lastline. |
| Lastline.Submission.YaraSignatures.name | string | Yara signature's name. |
| Lastline.Submission.YaraSignatures.score | number | The score according to the Yara signatures (0 to 100). |
| Lastline.Submission.YaraSignatures.internal | boolean | Whether the signature is for internal use only. |
| Lastline.Submission.DNSqueries | string | A list of DNS queries executed by the analysis subject. |
| Lastline.Submission.NetworkConnections | string | A list of network connections executed by the analysis subject. |
| Lastline.Submission.DownloadedFiles | string | A list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. |
| Lastline.Submission.Process | Unknown | Information on the Windows process. |
| Lastline.Submission.Process.arguments | string | The argument of the process. |
| Lastline.Submission.Process.executable | Unknown | The executable of the process. |
| Lastline.Submission.Process.executable.abs_path | string | The absolute path of the executable of the process. |
| Lastline.Submission.Process.executable.filename | string | The filename of the executable. |
| Lastline.Submission.Process.executable.yara_signature_hits | string | The Yara signature of the executable of the process. |
| Lastline.Submission.Process.executable.ext_info | unknown | The executable information of the process. |
| Lastline.Submission.Process.process_id | string | The process ID. |

Command Example

!file file=03bc132ee4a10f6d656fc21315fc7a65797be69a

Context Example
{
    "DBotScore": [
        {
            "Vendor": "Lastline",
            "Indicator": "441666007e579b040967e72c13e5133b",
            "Score": 1,
            "Type": "File"
        }
    ],
    "File": [
        {
            "Type": "application/zip",
            "SHA1": "03bc132ee4a10f6d656fc21315fc7a65797be69a",
            "SHA256": "fd977f34a9514ece503fa3ff3976ed3f305a101b3c5ff31a1293a9d0b607dfc1",
            "MD5": "441666007e579b040967e72c13e5133b"
        }
    ],
    "Lastline": [
        {
            "Submission": {
                "Status": "Completed",
                "SubmissionTime": "2020-02-25 06:58:19",
                "UUID": "2b9d578d02540010179339d362664f9b"
            }
        }
    ]
}

Human Readable Output
Lastline analysis for file: 441666007e579b040967e72c13e5133b

Score: 0

Task UUID: 2b9d578d02540010179339d362664f9b
Submission Time: 2020-02-25 06:58:19

|MD5|SHA1|SHA256|Type|
|---|---|---|---|
| 441666007e579b040967e72c13e5133b | 03bc132ee4a10f6d656fc21315fc7a65797be69a | fd977f34a9514ece503fa3ff3976ed3f305a101b3c5ff31a1293a9d0b607dfc1 | application/zip |

Submit a URL for analysis


Submits a URL for analysis.

Base Command

lastline-upload-url

Input
| Argument Name | Description | Required |
|---|---|---|
| url | The URL to analyze. For example: https://www.demisto.com. | Required |
| threshold | The score threshold that determines if the file is malicious. The default value is "70". | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| URL.Data | string | A list of malicious URLs identified by the Lastline analysis. |
| URL.Malicious.Vendor | string | The vendor who determined that a URL is malicious. |
| URL.Malicious.Description | string | The reason that the vendor made the decision. |
| URL.Malicious.Score | number | The score that the malicious URL received from the vendor. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| Lastline.Submission.Status | string | The status of the submission. |
| Lastline.Submission.UUID | string | The task UUID. |
| Lastline.Submission.SubmissionTime | string | The submission timestamp in Lastline. |
| Lastline.Submission.YaraSignatures.name | string | Yara signatures name. |
| Lastline.Submission.YaraSignatures.score | number | The score according to the Yara signatures (0 to 100). |
| Lastline.Submission.YaraSignatures.internal | boolean | Whether the signature is for internal usage only. |
| Lastline.Submission.DNSqueries | string | A list of DNS queries executed by the analysis subject. |
| Lastline.Submission.NetworkConnections | string | A list of network connections executed by the analysis subject. |
| Lastline.Submission.DownloadedFiles | string | A list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. |
| Lastline.Submission.Process | Unknown | Information on the Windows process. |
| Lastline.Submission.Process.arguments | string | The argument of the process. |
| Lastline.Submission.Process.executable | Unknown | The executable of the process. |
| Lastline.Submission.Process.executable.abs_path | string | The absolute path of the executable of the process. |
| Lastline.Submission.Process.executable.yara_signature_hits | string | The Yara signature of the executable of the process. |
| Lastline.Submission.Process.executable.ext_info | unknown | The executable information of the process. |
| Lastline.Submission.Process.process_id | string | The process ID. |

Command Example

!lastline-upload-url url="https://www.demisto.com" threshold=80

Context Example
{
    "URL": {
        "Data": "https://www.demisto.com"
    },
    "DBotScore": {
        "Vendor": "Lastline",
        "Indicator": "https://www.demisto.com",
        "Score": 1,
        "Type": "URL"
    },
    "Lastline": {
        "Submission": {
            "Status": "Completed",
            "SubmissionTime": "2020-02-24 07:05:33",
            "UUID": "c62b15a9e3dc00101e9557a0b6a17d3f"
        }
    }
}

Human Readable Output
Lastline analysis for url: https://www.demisto.com

Score: 0

Task UUID: c62b15a9e3dc00101e9557a0b6a17d3f
Submission Time: 2020-02-24 07:05:33

|Data|
|---|
| https://www.demisto.com |

Upload a file for analysis


Submits a file for analysis.

Base Command

lastline-upload-file

Input
| Argument Name | Description | Required |
|---|---|---|
| EntryID | The entry ID of the file to upload. | Required |
| threshold | The score threshold that determines if the file is malicious. The default value is "70". | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Type | string | The file type. |
| File.Malicious.Vendor | string | The vendor who determined that the file is malicious. |
| File.Malicious.Description | string | The reason that the vendor determined that the file is malicious. |
| File.Malicious.Score | number | The score the malicious file received from the vendor. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| Lastline.Submission.Status | string | The status of the submission. |
| Lastline.Submission.UUID | string | The task UUID. |
| Lastline.Submission.SubmissionTime | string | The submission timestamp in Lastline. |
| Lastline.Submission.YaraSignatures.name | string | Yara signatures name. |
| Lastline.Submission.YaraSignatures.score | number | The score according to the Yara signatures (0 to 100). |
| Lastline.Submission.YaraSignatures.internal | boolean | Whether the signature is for internal use only. |
| Lastline.Submission.DNSqueries | string | A list of DNS queries executed by the analysis subject. |
| Lastline.Submission.NetworkConnections | string | A list of network connections executed by the analysis subject. |
| Lastline.Submission.DownloadedFiles | string | A list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. |
| Lastline.Submission.Process | Unknown | Information on the Windows process. |
| Lastline.Submission.Process.arguments | string | The argument of the process. |
| Lastline.Submission.Process.executable | Unknown | The executable of the process. |
| Lastline.Submission.Process.executable.abs_path | string | The absolute path of the executable of the process. |
| Lastline.Submission.Process.executable.filename | string | The filename of the executable. |
| Lastline.Submission.Process.executable.yara_signature_hits | string | The Yara signature of the executable of the process. |
| Lastline.Submission.Process.executable.ext_info | unknown | The executable information of the process. |
| Lastline.Submission.Process.process_id | string | The process ID. |

Command Example

!lastline-upload-file EntryID=152@374 threshold=40

Context Example
{
    "DBotScore": {
        "Vendor": "Lastline",
        "Indicator": "441666007e579b040967e72c13e5133b",
        "Score": 1,
        "Type": "File"
    },
    "File": {
        "Type": "application/zip",
        "SHA1": "03bc132ee4a10f6d656fc21315fc7a65797be69a",
        "SHA256": "fd977f34a9514ece503fa3ff3976ed3f305a101b3c5ff31a1293a9d0b607dfc1",
        "MD5": "441666007e579b040967e72c13e5133b"
    },
    "Lastline": {
        "Submission": {
            "Status": "Completed",
            "SubmissionTime": "2020-02-25 06:58:19",
            "UUID": "2b9d578d02540010179339d362664f9b"
        }
    }
}

Human Readable Output
Lastline analysis for file: 441666007e579b040967e72c13e5133b

Score: 0

Task UUID: 2b9d578d02540010179339d362664f9b
Submission Time: 2020-02-25 06:58:19

|MD5|SHA1|SHA256|Type|
|---|---|---|---|
| 441666007e579b040967e72c13e5133b | 03bc132ee4a10f6d656fc21315fc7a65797be69a | fd977f34a9514ece503fa3ff3976ed3f305a101b3c5ff31a1293a9d0b607dfc1 | application/zip |

Get an analysis report


Returns an analysis report.

Base Command

lastline-get-report

Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The task UUID of the submitted Lastline analysis. | Required |
| threshold | The score threshold that determines if the file is malicious. The default value is "70". | Optional |

Context Output

| Path | Type | Description |
|---|---|---|
| URL.Data | string | A list of malicious URLs identified by the Lastline analysis. |
| URL.Malicious.Vendor | string | The vendor that determined a URL is malicious. |
| URL.Malicious.Description | string | The reason that the vendor determined that the URL is malicious. |
| URL.Malicious.Score | number | The score that the malicious URL received from the vendor. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Type | string | The file type. |
| File.Malicious.Vendor | string | The vendor that determined a file is malicious. |
| File.Malicious.Description | string | The reason that the vendor determined that the file is malicious. |
| File.Malicious.Score | number | The score that the malicious file received from the vendor. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The type of indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| Lastline.Submission.Status | string | Status of the submission. |
| Lastline.Submission.UUID | string | The task UUID. |
| Lastline.Submission.SubmissionTime | string | The timestamp in Lastline. |
| Lastline.Submission.YaraSignatures.name | string | Yara signatures name. |
| Lastline.Submission.YaraSignatures.score | number | The score according to the Yara signatures (0 to 100). |
| Lastline.Submission.YaraSignatures.internal | boolean | Whether the signature is for internal use only. |
| Lastline.Submission.DNSqueries | string | A list of DNS queries executed by the analysis subject. |
| Lastline.Submission.NetworkConnections | string | A list of network connections executed by the analysis subject. |
| Lastline.Submission.DownloadedFiles | string | A list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. |
| Lastline.Submission.Process | Unknown | Information on the Windows process. |
| Lastline.Submission.Process.arguments | string | The argument of the process. |
| Lastline.Submission.Process.executable | Unknown | The executable of the process. |
| Lastline.Submission.Process.executable.abs_path | string | The absolute path of the executable of the process. |
| Lastline.Submission.Process.executable.filename | string | The filename of the executable. |
| Lastline.Submission.Process.executable.yara_signature_hits | string | The Yara signature of the executable of the process. |
| Lastline.Submission.Process.executable.ext_info | unknown | The executable information of the process. |
| Lastline.Submission.Process.process_id | string | The process ID. |

Command Example

!lastline-get-report uuid=b32ed21999be00100eca07d07cb7bf38 threshold=70

Context Example
{
    "URL": {
        "Data": "https://google.com"
    },
    "DBotScore": {
        "Vendor": "Lastline",
        "Indicator": "https://google.com",
        "Score": 1,
        "Type": "URL"
    },
    "Lastline": {
        "Submission": {
            "Status": "Completed",
            "SubmissionTime": "2019-12-31 02:40:44",
            "UUID": "b32ed21999be00100eca07d07cb7bf38"
        }
    }
}

Human Readable Output
Lastline analysis for url: https://google.com

Score: 0

Task UUID: b32ed21999be00100eca07d07cb7bf38
Submission Time: 2019-12-31 02:40:44

|Data|
|---|
| https://google.com |

Get a list of tasks


Returns a list of tasks.

Base Command

lastline-get-task-list

Input
| Argument Name | Description | Required |
|---|---|---|
| before | Return tasks before this date (in UTC format %Y-%m-%dT%H:%M:%S). For example, 2018-07-08T12:00:00. | Optional |
| after | Return tasks after this date (in UTC format %Y-%m-%dT%H:%M:%S). For example, 2018-07-10T12:00:00. | Required |

Context Output

There is no context output for this command.

Command Example

!lastline-get-task-list after=2020-01-01T00:00:00 before=2020-01-02T00:00:00

Human Readable Output
tasks

|UUID|Time|Status|
|---|---|---|
| b32ed21999be00100eca07d07cb7bf38 | 2019-12-31T02:40:44 | Completed |
| 6493c3fa395000101e8ee41181d70b02 | 2020-01-01T15:26:35 | Completed |

Get the status of a submission


Checks the status of a submission.

Base Command

lastline-check-status

Input
| Argument Name | Description | Required |
|---|---|---|
| uuid | The task UUID of the submitted Lastline analysis. | Required |

Context Output

| Path | Type | Description |
|---|---|---|
| URL.Data | string | A list of malicious URLs identified by the Lastline analysis. |
| URL.Malicious.Vendor | string | The vendor that determined that a URL is malicious. |
| URL.Malicious.Description | string | The reason that the vendor determined that the URL is malicious. |
| URL.Malicious.Score | number | The score that the malicious URL received from the vendor. |
| File.MD5 | string | The MD5 hash of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Type | string | The file type. |
| File.Malicious.Vendor | string | The vendor that determined that the file is malicious. |
| File.Malicious.Description | string | The reason that the vendor determined that the file is malicious. |
| File.Malicious.Score | number | The score that the malicious file received from the vendor. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The type of indicator. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| Lastline.Submission.Status | string | The status of the submission. |
| Lastline.Submission.UUID | string | The task UUID. |
| Lastline.Submission.SubmissionTime | string | The timestamp in Lastline. |
| Lastline.Submission.YaraSignatures.name | string | Yara signatures name. |
| Lastline.Submission.YaraSignatures.score | number | The score according to the Yara signatures (0 to 100). |
| Lastline.Submission.YaraSignatures.internal | boolean | Whether the signature is for internal use only. |
| Lastline.Submission.DNSqueries | string | List of DNS queries executed by the analysis subject. |
| Lastline.Submission.NetworkConnections | string | A list of network connections executed by the analysis subject. |
| Lastline.Submission.DownloadedFiles | string | A list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. |
| Lastline.Submission.Process | Unknown | Information on the Windows process. |
| Lastline.Submission.Process.arguments | string | The argument of the process. |
| Lastline.Submission.Process.executable | Unknown | The executable of the process. |
| Lastline.Submission.Process.executable.abs_path | string | The absolute path of the executable of the process. |
| Lastline.Submission.Process.executable.filename | string | The filename of the executable. |
| Lastline.Submission.Process.executable.yara_signature_hits | string | The Yara signature of the executable of the process. |
| Lastline.Submission.Process.executable.ext_info | unknown | The executable information of the process. |
| Lastline.Submission.Process.process_id | string | The process ID. |

Command Example

!lastline-check-status uuid=b32ed21999be00100eca07d07cb7bf38

Context Example
{
    "URL": {
        "Data": "https://google.com"
    },
    "DBotScore": {
        "Vendor": "Lastline",
        "Indicator": "https://google.com",
        "Score": 1,
        "Type": "URL"
    },
    "Lastline": {
        "Submission": {
            "Status": "Completed",
            "SubmissionTime": "2019-12-31 02:40:44",
            "UUID": "b32ed21999be00100eca07d07cb7bf38"
        }
    }
}

Human Readable Output
Lastline analysis for url: https://google.com

Score: 0

Task UUID: b32ed21999be00100eca07d07cb7bf38
Submission Time: 2019-12-31 02:40:44

|Data|
|---|
| https://google.com |
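
The Context Examples on this page come in two shapes: the file command returns DBotScore, File and Lastline as lists, while the upload, report and status commands return single objects. The following added example (not part of the integration's own code) flattens either shape into one triage record per indicator; the helper names and the positional pairing of submissions to scores are assumptions.

```python
# Added example (not Lastline/Demisto code). Sample contexts are copied from
# this page's Context Examples; as_list() and summarize() are hypothetical names.
FILE_CTX = {  # the file command returns every top-level key as a list
    "DBotScore": [{"Vendor": "Lastline", "Score": 1, "Type": "File",
                   "Indicator": "441666007e579b040967e72c13e5133b"}],
    "File": [{"Type": "application/zip",
              "MD5": "441666007e579b040967e72c13e5133b",
              "SHA1": "03bc132ee4a10f6d656fc21315fc7a65797be69a",
              "SHA256": "fd977f34a9514ece503fa3ff3976ed3f"
                        "305a101b3c5ff31a1293a9d0b607dfc1"}],
    "Lastline": [{"Submission": {"Status": "Completed",
                                 "SubmissionTime": "2020-02-25 06:58:19",
                                 "UUID": "2b9d578d02540010179339d362664f9b"}}],
}
URL_CTX = {  # lastline-upload-url returns plain objects
    "URL": {"Data": "https://www.demisto.com"},
    "DBotScore": {"Vendor": "Lastline", "Score": 1, "Type": "URL",
                  "Indicator": "https://www.demisto.com"},
    "Lastline": {"Submission": {"Status": "Completed",
                                "SubmissionTime": "2020-02-24 07:05:33",
                                "UUID": "c62b15a9e3dc00101e9557a0b6a17d3f"}},
}


def as_list(value):
    """Accept either context shape: a single object or a list of objects."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def summarize(ctx):
    """Return one flat triage record per DBotScore entry in a context dict."""
    entities = {}  # File/URL entries indexed by each identifier they carry
    for item in as_list(ctx.get("File")) + as_list(ctx.get("URL")):
        for key in ("MD5", "SHA1", "SHA256", "Data"):
            if isinstance(item.get(key), str):
                entities[item[key].lower()] = item
    subs = [e.get("Submission", {}) for e in as_list(ctx.get("Lastline"))]
    records = []
    for i, score in enumerate(as_list(ctx.get("DBotScore"))):
        entity = entities.get(str(score.get("Indicator", "")).lower(), {})
        # Assumption: submissions are listed in the same order as DBotScore.
        sub = subs[i] if i < len(subs) else {}
        records.append({
            "indicator": score.get("Indicator"),
            "type": score.get("Type"),
            "dbot_score": score.get("Score"),
            "sha256": entity.get("SHA256"),
            "uuid": sub.get("UUID"),
            "complete": sub.get("Status") == "Completed",
            # File.Malicious / URL.Malicious carry the vendor's malicious verdict
            "flagged": bool(entity.get("Malicious")),
        })
    return records
```

A record with complete set to False means the submission has not reported the "Completed" status shown in the examples, so its score should not be treated as a final verdict.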