Lastline provides you with sophisticated malware detection, malware analysis, and more. You can submit resources, such as Windows executables, Android applications (APKs), documents, and URLs, for malware analysis and obtain the results. Windows executables and Android applications are analyzed by running them in a sandbox. URLs are analyzed by visiting them with a special, instrumented browser.
This document provides information about the Lastline connector, which facilitates automated interactions with a Lastline server using FortiSOAR™ playbooks. Add the Lastline connector as a step in FortiSOAR™ playbooks to perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from Lastline for those files and URLs.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Lastline Versions: 2.0 and later
For the procedure to install a connector, click here.
Note: If you install the Lastline connector using the lastline.tgz file, then you must also install the validators==0.12.0 package. If you use the yum install cyops-connector-lastline command to install the Lastline connector, the validators==0.12.0 package is installed by default.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Lastline connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | Server URL of the Lastline sandbox server. |
API Key | Lastline Analyst API key. |
API Token | Lastline Analyst API token used to access the Lastline server. |
Verify SSL | Specifies whether the Lastline server's SSL certificate is validated for the connection between the Lastline connector and the Lastline server. By default, this option is set to true. |
The following automated operations can be included in playbooks:
Note: Using this operation, you submit files that are available in the FortiSOAR™ Attachments module to the Lastline server.
The Lastline server supports uploading the following file types for analysis:
Note: The maximum file size supported is 10MB.
Parameter | Description |
---|---|
FileIRI | Use the FortiSOAR™ File IRI to submit files directly from the FortiSOAR™ Attachments module to the Lastline server. In the playbook, this defaults to the {{vars.file_iri}} value. |
All operations return a customized JSON output that is formatted for easy reference.
The JSON output contains the task_uuid for the submitted sample. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted file.
Following image displays a sample output:
Parameter | Description |
---|---|
Detonate URL | URL that you want to submit to the Lastline server for scanning and analyzing. |
The JSON output contains the task_uuid for the submitted URL. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted URL.
Following image displays a sample output:
Parameter | Description |
---|---|
task_uuid | task_uuid for a previously submitted file or URL for which you want to retrieve a report from the Lastline server. |
The JSON output contains the report retrieved from Lastline for the previously submitted files or URLs. You can use the report details to determine the reputation of the previously submitted files or URLs. A link to the report is also displayed in the output, which you can use for retrieving the report in the future.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash Type | Select the filehash type from the md5, sha1, or sha256 options. |
Filehash | Filehash value for which you want to retrieve the block status. |
The JSON output contains the report retrieved from Lastline for the specified filehash. You can use this report to determine whether or not the filehash is blocked.
Following image displays a sample output:
Parameter | Description |
---|---|
Filehash Type | Select the filehash type from the md5, sha1, or sha256 options. |
Filehash | Filehash value based on which you want to search for a report from Lastline. |
The JSON output contains the report retrieved from Lastline for the specified filehash.
Following image displays a sample output:
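The operations above form one workflow: a submission returns a task_uuid, the task_uuid is used in later queries to fetch the report, and hash-based lookups require the Filehash Type to match the Filehash value. The following Python example is added here to illustrate that workflow; it is not the connector's own code, and the Lastline API is not modelled. The StubLastline class, the score field, the 70-point malicious threshold and the report URL format are constructed assumptions; only the 10 MB upload limit, the md5/sha1/sha256 hash types and the Verify SSL default come from the page.

```python
import re
import time
import uuid
from dataclasses import dataclass
from urllib.parse import urlparse

# The 10 MB upload limit is the one stated in the connector documentation.
MAX_FILE_BYTES = 10 * 1024 * 1024

# Hex digest length for each Filehash Type the connector accepts.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed threshold (assumption): a sandbox score at or above this is "malicious".
MALICIOUS_SCORE = 70


def validate_filehash(hash_type: str, value: str) -> str:
    """Return the lower-case digest, or raise ValueError when the value does not
    match the selected Filehash Type (e.g. a SHA-256 string submitted as md5)."""
    hash_type = hash_type.lower()
    if hash_type not in HASH_LENGTHS:
        raise ValueError(f"unsupported filehash type: {hash_type!r}")
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[hash_type], value):
        raise ValueError(f"{value!r} is not a valid {hash_type} digest")
    return value


def validate_url(url: str) -> str:
    """Accept only absolute http(s) URLs before they are submitted for detonation."""
    url = url.strip()
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"not an http(s) URL: {url!r}")
    return url


class StubLastline:
    """Constructed stand-in for the Lastline server (assumption, no real endpoints).
    It models only the behaviour described on the page: one task_uuid per submission,
    a report that becomes available on a later query, and a block status per hash."""

    def __init__(self, blocked_hashes=()):
        self.tasks, self.polls = {}, {}
        self.blocked = set(blocked_hashes)

    def submit(self, kind, payload):
        task_uuid = str(uuid.uuid4())
        self.tasks[task_uuid] = {"kind": kind, "payload": payload}
        self.polls[task_uuid] = 0
        return {"task_uuid": task_uuid}

    def get_report(self, task_uuid):
        if task_uuid not in self.tasks:
            return {"task_uuid": task_uuid, "status": "unknown"}
        self.polls[task_uuid] += 1
        if self.polls[task_uuid] < 2:  # first query: analysis still running
            return {"task_uuid": task_uuid, "status": "pending"}
        return {"task_uuid": task_uuid, "status": "complete", "score": 85,
                "report_url": f"https://lastline.example.invalid/report/{task_uuid}"}

    def block_status(self, digest):
        return {"filehash": digest, "blocked": digest in self.blocked}


@dataclass
class LastlineConfig:
    """Mirrors the connector's configuration parameters."""
    server_url: str
    api_key: str
    api_token: str
    verify_ssl: bool = True  # documented default; turning it off exposes the API token


class LastlineConnector:
    """Input validation plus the submit / poll / lookup flow over a transport."""

    def __init__(self, config: LastlineConfig, transport):
        self.config, self.transport = config, transport

    def submit_file(self, filename: str, data: bytes) -> str:
        if len(data) > MAX_FILE_BYTES:
            raise ValueError(f"{filename}: {len(data)} bytes exceeds the 10 MB limit")
        return self.transport.submit("file", {"filename": filename, "size": len(data)})["task_uuid"]

    def submit_url(self, url: str) -> str:
        return self.transport.submit("url", {"url": validate_url(url)})["task_uuid"]

    def get_report(self, task_uuid: str, max_polls: int = 10, delay: float = 0.0) -> dict:
        """Re-query by task_uuid until the report is no longer pending."""
        for _ in range(max_polls):
            report = self.transport.get_report(task_uuid)
            if report["status"] != "pending":
                return report
            time.sleep(delay)
        raise TimeoutError(f"report for {task_uuid} not ready after {max_polls} polls")

    def get_block_status(self, hash_type: str, value: str) -> bool:
        return self.transport.block_status(validate_filehash(hash_type, value))["blocked"]


def triage_file(connector: LastlineConnector, filename: str, data: bytes) -> dict:
    """Playbook-style flow: submit, poll by task_uuid, derive a verdict and keep the link."""
    task_uuid = connector.submit_file(filename, data)
    report = connector.get_report(task_uuid)
    if report["status"] != "complete":
        return {"task_uuid": task_uuid, "verdict": "unknown", "report_url": None}
    verdict = "malicious" if report["score"] >= MALICIOUS_SCORE else "benign"
    return {"task_uuid": task_uuid, "verdict": verdict, "report_url": report["report_url"]}


if __name__ == "__main__":
    cfg = LastlineConfig("https://lastline.example.invalid", "KEY", "TOKEN")
    conn = LastlineConnector(cfg, StubLastline(blocked_hashes={"d41d8cd98f00b204e9800998ecf8427e"}))
    print(triage_file(conn, "sample.exe", b"MZ" + b"\0" * 64))  # constructed sample bytes
    print(conn.get_block_status("md5", "D41D8CD98F00B204E9800998ECF8427E"))
```

The validation steps are the part worth carrying into a real playbook: rejecting an oversized attachment before upload, rejecting a hash whose length does not match the selected type, and leaving Verify SSL at its default so the API key and token are only sent over a validated TLS connection.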
The Sample-Lastline-1.0.1 playbook collection comes bundled with the Lastline connector. This collection contains playbooks with steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Lastline connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.