Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

Lastline provides you with sophisticated malware detection, malware analysis, and more. You can submit resources, such as windows executables, Android applications (APKs), documents, and URLs for malware analysis and obtain their results. Windows executables and Android applications are analyzed by running them in a sandbox. URLs are analyzed by visiting them with a special, instrumented browser.

This document provides information about the Lastline connector, which facilitates automated interactions, with a Lastline server using FortiSOAR™ playbooks. Add the Lastline connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from Lastline for files and URLs.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Lastline Versions: 2.0 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Lastline server to which you will connect and perform the automated operations and credentials to access that server.
  • You must have the User key for the Lastline server.
  • If you use the FortiSOAR™ UI to install the Lastline connector for the first time, by browsing and selecting the lastline.tgz file then you must install the validators ==0.12.0 package. If you use yum install cyops-connector-lastline command to install the Lastline connector, the validators ==0.12.0 package is installed by default.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Lastline connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL Server URL of the Lastline sandbox server.
API Key Lastline Analyst API key.
API Token Lastline Analyst API token used to access the Lastline server.
Verify SSL Specifies whether an SSL certificate will be required for the connection between the Lastline connector and Lastline server.
By default, this option is set as true.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks:

  • Submit File: Submits a file to the Lastline server for analysis.
  • Submit URL: Submits a URL to the Lastline server for analysis.
  • Get Report: Retrieves a report from the Lastline server for the files or URLs that you had submitted to the Lastline server for analysis. Reports are retrieved based on the task_uuid of the sample.
  • Check Filehash is Blocked: Determines whether or not the filehash is blocked, i.e., blacklisted by Lastline.
  • Search Result using Filehash: Searches for a report based on the specified filehash.

operation: Submit File

Input parameters

Note: Using this operation, you submit files that are available in the FortiSOAR™ Attachments module to the Lastline server.

The Lastline server supports the uploading of the following file types to the Lastline server for analysis:

  • PE (executables)
  • ZIP
  • Java applets
  • PDF
  • MS Office documents
  • APK applications
  • HTML
  • JavaScript files

 

Note: The maximum file size supported is 10MB.

 

Parameter Description
FileIRI Use the FortiSOAR™ File IRI to submit files directly from the FortiSOAR™ Attachments module to the Lastline server.
In the playbook, this defaults to the {{vars.file_iri}} value.

 

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The JSON output contains the task_uuid for the submitted sample. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted file.

Following image displays a sample output:

 

Sample output of the Submit File operation

 

operation: Submit URL

Input parameters

 

Parameter Description
Detonate URL URL that you want to submit to the Lastline server for scanning and analyzing.

 

Output

The JSON output contains the task_uuid for the submitted URL. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted URL.

Following image displays a sample output:

Sample output of the Submit URL operation

operation: Get Report

Input parameters

 

Parameter Description
task_uuid task_uuid for a previously submitted file or URL for which you want to retrieve a report from the Lastline server.

 

Output

The JSON output contains the report retrieved from Lastline for the previously submitted files or URLs. You can use the report details to determine the reputation of the previously submitted files or URLs. A link to the report is also displayed in the output, which you can use for retrieving the report in the future.

Following image displays a sample output:

 

Sample output of the Get Report operation

 

operation: Check Filehash is Blocked

Input parameters

 

Parameter Description
Filehash Type Select the filehash type from the md5, sha1, or sha256 options.
Filehash Filehash value for which you want to retrieve the block status.

 

Output

The JSON output contains the report retrieved from Lastline for the specified filehash. You can use this report to determine whether or not the filehash is blocked.

Following image displays a sample output:

Sample output of the Check Filehash is Blocked operation

operation: Search Result using Filehash

Input parameters

 

Parameter Description
Filehash Type Select the filehash type from the md5, sha1, or sha256 options.
Filehash Filehash value based on which you want to search for a report from Lastline.

 

Output

The json output contains the report retrieved from Lastline for the specified filehash.

Following image displays a sample output:

Sample output of the Search Result using Filehash operation

 

Included playbooks

The Sample-Lastline-1.0.1 playbook collection comes bundled with the Lastline connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Lastline connector.

  • Submit File to Lastline
  • Submit URL to Lastline
  • Get Report for Submitted Sample
  • Check Filehash is Blocked
  • Search Report using Filehash

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.

 

About the connector

Lastline provides you with sophisticated malware detection, malware analysis, and more. You can submit resources, such as windows executables, Android applications (APKs), documents, and URLs for malware analysis and obtain their results. Windows executables and Android applications are analyzed by running them in a sandbox. URLs are analyzed by visiting them with a special, instrumented browser.

This document provides information about the Lastline connector, which facilitates automated interactions, with a Lastline server using FortiSOAR™ playbooks. Add the Lastline connector as a step in FortiSOAR™ playbooks and perform automated operations, such as scanning and analyzing suspicious files and URLs and retrieving reports from Lastline for files and URLs.

 

Version information

Connector Version: 1.0.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Lastline Versions: 2.0 and later

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Lastline connector and click Configure to configure the following parameters:

 

Parameter Description
Server URL Server URL of the Lastline sandbox server.
API Key Lastline Analyst API key.
API Token Lastline Analyst API token used to access the Lastline server.
Verify SSL Specifies whether an SSL certificate will be required for the connection between the Lastline connector and Lastline server.
By default, this option is set as true.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks:

operation: Submit File

Input parameters

Note: Using this operation, you submit files that are available in the FortiSOAR™ Attachments module to the Lastline server.

The Lastline server supports the uploading of the following file types to the Lastline server for analysis:

 

Note: The maximum file size supported is 10MB.

 

Parameter Description
FileIRI Use the FortiSOAR™ File IRI to submit files directly from the FortiSOAR™ Attachments module to the Lastline server.
In the playbook, this defaults to the {{vars.file_iri}} value.

 

Output

A customized JSON output that is formatted for easy reference is the output for all the operations.

The JSON output contains the task_uuid for the submitted sample. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted file.

Following image displays a sample output:

 

Sample output of the Submit File operation

 

operation: Submit URL

Input parameters

 

Parameter Description
Detonate URL URL that you want to submit to the Lastline server for scanning and analyzing.

 

Output

The JSON output contains the task_uuid for the submitted URL. You can use this task_uuid in subsequent queries to retrieve reports from the Lastline server for the submitted URL.

Following image displays a sample output:

Sample output of the Submit URL operation

operation: Get Report

Input parameters

 

Parameter Description
task_uuid task_uuid for a previously submitted file or URL for which you want to retrieve a report from the Lastline server.

 

Output

The JSON output contains the report retrieved from Lastline for the previously submitted files or URLs. You can use the report details to determine the reputation of the previously submitted files or URLs. A link to the report is also displayed in the output, which you can use for retrieving the report in the future.

Following image displays a sample output:

 

Sample output of the Get Report operation

 

operation: Check Filehash is Blocked

Input parameters

 

Parameter Description
Filehash Type Select the filehash type from the md5, sha1, or sha256 options.
Filehash Filehash value for which you want to retrieve the block status.

 

Output

The JSON output contains the report retrieved from Lastline for the specified filehash. You can use this report to determine whether or not the filehash is blocked.

Following image displays a sample output:

Sample output of the Check Filehash is Blocked operation

operation: Search Result using Filehash

Input parameters

 

Parameter Description
Filehash Type Select the filehash type from the md5, sha1, or sha256 options.
Filehash Filehash value based on which you want to search for a report from Lastline.

 

Output

The json output contains the report retrieved from Lastline for the specified filehash.

Following image displays a sample output:

Sample output of the Search Result using Filehash operation

 

Included playbooks

The Sample-Lastline-1.0.1 playbook collection comes bundled with the Lastline connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Lastline connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.