Detonate URL - Lastline

Detonates a URL using the Lastline Sandbox integration.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • GenericPolling

Integrations

This playbook does not use any integrations.

Scripts

This playbook does not use any scripts.

Commands

  • lastline-get-report
  • lastline-upload-url
  • lastline-check-status

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| URL | The URL to detonate. | Data | URL | Optional |
| Interval | The polling frequency. How often the polling command should run (in minutes). | 1 | - | Optional |
| Timeout | How much time to wait before a timeout occurs (in minutes). | 15 | - | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| File.Size | The file size (only in case of report type=json). | number |
| DBotScore.Indicator | The indicator that was tested (only in case of report type=json). | string |
| DBotScore.Vendor | The vendor used to calculate the score (only in case of report type=json). | string |
| DBotScore.Score | The actual score (only in case of report type=json). | number |
| IP.Address | The IP addresses relevant to the sample. | string |
| DBotScore.Type | The type of the indicator (only in case of report type=json). | string |
| File.Name | The filename (only in case of report type=json). | string |
| File.Type | The file type. For example, "PE" (only in case of report type=json). | string |
| File.MD5 | The MD5 hash of the file (only in case of report type=json). | string |
| File.SHA1 | The SHA1 hash of the file (only in case of report type=json). | string |
| File.SHA256 | The SHA256 hash of the file (only in case of report type=json). | string |
| File.EntryID | The entry ID of the sample. | string |
| File.Malicious.Vendor | The vendor that made the decision that the file is malicious. | string |
| File.Malicious.Description | The reason for the vendor to make the decision that the file is malicious. | string |
| URL.Data | The list of malicious URLs identified by Lastline analysis. | string |
| URL.Malicious.Vendor | The vendor that made the decision that the URL is malicious. | string |
| URL.Malicious.Description | The reason for the vendor to make the decision that the URL is malicious. | string |
| URL.Malicious.Score | The score from the vendor for the malicious URL. | number |
| File.Malicious.Score | The score from the vendor for the malicious file. | number |
| Lastline.Submission.Status | The status of the submission. | string |
| Lastline.Submission.DNSqueries | The list of DNS queries done by the analysis subject. | string |
| Lastline.Submission.NetworkConnections | The list of network connections done by the analysis subject. | string |
| Lastline.Submission.DownloadedFiles | The list of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element. | string |
| Lastline.Submission.UUID | The ID of the submission. | string |
| Lastline.Submission.YaraSignatures.name | The Yara signatures name. | string |
| Lastline.Submission.YaraSignatures.score | The score according to the Yara signatures. The value must be between 0 and 100. | number |
| Lastline.Submission.Process.arguments | The argument of the process. | string |
| Lastline.Submission.YaraSignatures.internal | Whether the signature is only for internal usage. True if yes. | boolean |
| Lastline.Submission.Process.process_id | The process ID. | string |
| Lastline.Submission.Process.executable.abs_path | The absolute path of the executable of the process. | string |
| Lastline.Submission.Process.executable.filename | The filename of the executable. | string |
| Lastline.Submission.Process.executable.yara_signature_hits | The Yara signature of the executable of the process. | string |
| URL | The URL object. | unknown |
| URL.Malicious | The URL malicious object. | unknown |
| DBotScore | The DBot score object. | unknown |
| Lastline.Submission | The Lastline submission object. | unknown |
