Detonate File - Lastline v2

Detonates a file using the Lastline sandbox.

Lastline supports the following file types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XLSX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, VB, REG, VBA, WSC, VBE, WSF, VBS, WSH

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

  • Set

Commands

  • lastline-get-report
  • lastline-check-status
  • lastline-upload-file

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| File | The file to detonate. The file is taken from the context. | None | File | Optional |
| Interval | The polling frequency. How often the polling command should run (in minutes). | 1 | - | Optional |
| Timeout | The amount of time to wait before a timeout occurs (in minutes). | 15 | - | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| DBotScore.Type | The type of the indicator (only in case of report type=json). | string |
| InfoFile.EntryID | The EntryID of the report file. | string |
| DBotScore.Vendor | The vendor used to calculate the score (only in case of report type=json). | string |
| IP.Address | The IP addresses relevant to the sample. | string |
| DBotScore.Score | The actual score (only in case of report type=json). | number |
| DBotScore.Indicator | The indicator that was tested (only in case of report type=json). | string |
| InfoFile.Extension | The extension of the report file. | string |
| InfoFile.Name | The name of the report file. | string |
| InfoFile.Info | The info of the report file. | string |
| InfoFile.Size | The size of the report file. | number |
| InfoFile.Type | The type of the report file. | string |
| URL.Data | The list of malicious URLs identified by Lastline analysis. | string |
| URL.Malicious.Vendor | The vendor that made the decision that the URL is malicious. | string |
| URL.Malicious.Description | The reason the vendor made the decision that the URL is malicious. | string |
| URL.Malicious.Score | The score from the vendor that decided the URL is malicious. | number |
| File.MD5 | The bad MD5 hash of the file. | string |
| File.SHA1 | The bad SHA1 hash of the file. | string |
| File.SHA256 | The bad SHA256 hash of the file. | string |
| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
| File.Malicious.Score | The score from the vendor that made the decision that the file is malicious. | number |
| Lastline.Submission.Status | The status of the submission. | string |
| Lastline.Submission.DNSqueries | The list of DNS queries done by the analysis subject. | string |
| Lastline.Submission.NetworkConnections | The list of network connections done by the analysis subject. | string |
| Lastline.Submission.DownloadedFiles | The list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. | string |
| Lastline.Submission.UUID | The task UUID of submitted sample. | number |
| Lastline.Submission.YaraSignatures.name | The Yara signature's name. | string |
| Lastline.Submission.YaraSignatures.score | The score according to the Yara signatures. Must be from 0 to 100. | number |
| Lastline.Submission.Process.arguments | The argument of the process. | string |
| Lastline.Submission.Process.process_id | The process ID. | string |
| Lastline.Submission.Process.executable.abs_path | The absolute path of the executable of the process. | string |
| Lastline.Submission.Process.executable.filename | The filename of the executable. | string |
| Lastline.Submission.Process.executable.yara_signature_hits | The Yara signature of the executable of the process. | string |
| Lastline.Submission.Process.executable.ext_info | The executable info of the process. | string |
| Lastline.Submission.YaraSignatures.internal | Whether the signature is only for internal usage. | boolean |
| File | The file object. | unknown |
| File.Malicious | The file's malicious object. | unknown |
| DBotScore | The DBot score object. | unknown |
| Lastline.Submission | The Lastline submission object. | unknown |
