Lastline Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 2.1.0 |
Compatible with ThreatQ Versions | >= 4.57.2 |
Support Tier | ThreatQ Supported |
Introduction
The Lastline operation lets users submit files and indicators to Lastline for analysis, retrieve task reports, query existing tasks, and query network reputation for FQDNs and IP addresses.
The operation provides the following actions:
- Submit - submits a file or indicator to Lastline for analysis.
- Get Report - retrieves the report for a task from Lastline.
- Get Reputation - retrieves the network reputation of an FQDN or IP Address.
- Query Tasks - queries Lastline for existing tasks matching an indicator or file.
The operation is compatible with the following system objects:
- Files
- Indicators
  - FQDN
  - IP Address
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Lastline API Host | The API Host of your Lastline instance (including /papi). |
Lastline Username | Your Lastline username for the API. |
Lastline Password | Your Lastline password for the API. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Submit | Submits a file or indicator to Lastline. | Indicators, Files | FQDN, Files |
Get Report | Retrieve a report for a task from Lastline. | Indicators, Files | FQDN, Files |
Get Reputation | Retrieves a reputation for an FQDN or IP Address. | Indicators | FQDN, IP Address |
Query Tasks | Queries tasks from Lastline. | Indicators, Files | FQDN, IP Address, Files |
Submit
The Submit action submits a sample to Lastline for analysis.
POST https://<Lastline Host>/analysis/submit_url/<Indicator>
POST https://<Lastline Host>/analysis/submit_file/<File>
Sample Response:
{
"success": 1,
"data": {
"submission_timestamp": "2022-02-17 15:39:13",
"task_uuid": "c6d6aa7a7d050010278daaeef0db406e",
"expires": "2022-02-19 15:39:13"
}
}
Get Report
The Get Report action retrieves the reports for a sample. The only requirement is that the sample in ThreatQ carries one or more attributes named "Lastline Task ID" whose value is the task UUID returned by Submit. For each such attribute the action fetches the report for that task. If results are found, they are displayed and the full JSON report is uploaded and related to the sample in ThreatQ. The sample response below is a list of two responses: the progress check (progress and completed) followed by the report itself.
GET https://<Lastline Host>/analysis/get_result
Sample Response:
[
{
"success": 1,
"data": {
"progress": 100,
"completed": 1
}
},
{
"success": 1,
"data": {
"analysis_subject": {
"url": "http://sesverffvar.co.vu"
},
"expires": "2022-01-20 20:34:33",
"last_submission_timestamp": "2022-01-18 20:34:34",
"task_uuid": "14fe86401e9300100937fb7bf3811e81",
"report": {
"uuid": "f4fbdc680e75f1c4dTcI5OCx09w8llULqLhHydVO0nYIz5dEdMozlA",
"format": {
"major_version": 1,
"build_version": 0,
"minor_version": 2,
"name": "ll-web"
},
"analysis": {
"new_functions": [],
"result": {
"analysis_ended": "2022-01-18 20:34:42+0000",
"detector": "1.0.0"
},
"urls_from_documents": [],
"evals": [],
"dropped_files": [],
"writes": [],
"plugins": [],
"applets": {},
"shellcodes": [],
"text_from_documents": [],
"hidden_elements": [],
"artifacts": [],
"network": {
"requests": [
{
"parent_url": "USER_URL",
"task_uuid": null,
"status": 403,
"url": "http://sesverffvar.co.vu/",
"content_sha1": "68e01dd3ef2fe8707210d79a9943d4f26bcbfec3",
"activities": [
{
"version": 4,
"threat_labels": [],
"score": 0,
"is_test": false,
"name": "llweb:errored-request",
"desc": "Info: The initial request failed"
},
{
"version": 1,
"threat_labels": [],
"score": 0,
"is_test": true,
"name": "llweb:screenshot-whitelist-match-phashwl-7-access-forbidden",
"desc": "Info: Page looks similar to Access Forbidden"
}
],
"content_length": 555,
"content_md5": "6ce256529982abdafffa5d0e84890873",
"end": 464,
"filename": null,
"relation_type": 6,
"content_type": "text/html",
"start": 1,
"relation_type_str": "USER",
"error": null,
"ip": "92.242.40.175"
}
]
},
"processes": [],
"resources": [],
"statics": [],
"exploits": [],
"strings": [],
"subject": {}
},
"score": 0,
"activities": [
"Info: The initial request failed"
],
"prefilter_score": 0,
"prefilter_scanners": [],
"analysis_engine_version": 16777216,
"analysis_metadata": [
{
"retention_date": "2022-04-18 20:34:43",
"name": "screenshot_capture.png",
"metadata_type": "screenshot",
"timestamp": 0
},
{
"metadata_type": "traffic_capture",
"name": "traffic.pcap"
},
{
"retention_date": "2022-02-18 20:34:43",
"name": "trace.json",
"metadata_type": "llurl_framework_trace"
}
]
},
"score": 30,
"malicious_activity": [
"Info: The initial request failed"
],
"child_tasks": [
{
"score": 0,
"tag": "network traffic analysis",
"task_uuid": "41779647a0f3001002cb1e02a0d8865c",
"parent_report_uuid": "f4fbdc680e75f1c4dTcI5OCx09w8llULqLhHydVO0nYIz5dEdMozlA"
}
],
"submission": "2022-01-18 20:34:34",
"reports": [
{
"description": "Pcap analysis",
"relevance": 0.0,
"report_versions": [
"ll-pcap"
],
"report_uuid": "a7c2f5d64f0687abcgMf8xWAR5tkKSIMDESQAVdzzF8mM56AotGkjA"
},
{
"description": "Dynamic analysis in instrumented Chrome browser",
"relevance": 0.0,
"report_versions": [
"ll-web"
],
"report_uuid": "f4fbdc680e75f1c4dTcI5OCx09w8llULqLhHydVO0nYIz5dEdMozlA"
}
]
}
}
]
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples |
---|---|---|---|---|
response.score | attribute | attribute.name.Resource Data | NA | 30 |
response.malicious_activity | attribute | attribute.name.Resource Data | NA | Info: The initial request failed |
response.submission_date | attribute | attribute.name.Resource Data | NA | 2022-01-18 20:34:34 |
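The following is an added example, not ThreatQ's or Lastline's own code, showing how the Submit response (task UUID stored as the "Lastline Task ID" attribute) and the two-part Get Report response above can be consumed and flattened with the default mapping. The sample data is constructed from the guide's sample responses and trimmed to the mapped fields; the target attribute names ("Lastline Score" and so on) are this example's assumption, since the mapping table does not name them. Note the three outcomes a caller has to distinguish: analysis still pending, a report for a different task UUID (which must not be related to the sample), and a completed report.

```python
"""Added example (not ThreatQ's or Lastline's own code): consume the Submit and
Get Report responses shown in this guide and turn them into ThreatQ-style
attributes ({"name": ..., "value": ...} dicts). Sample data is constructed
from the guide's sample responses and trimmed to the mapped fields."""
import json
from typing import List, Optional, Tuple

# Attribute the Get Report action keys on (name taken from the guide).
TASK_ID_ATTR = "Lastline Task ID"

# The guide's mapping table does not give the target attribute names, so the
# names on the right are this example's assumption.
REPORT_MAPPING = {
    "score": "Lastline Score",
    "malicious_activity": "Lastline Malicious Activity",
    "submission": "Lastline Submission Date",
}

# Constructed sample: the Submit response from the guide.
SUBMIT_RESPONSE = {
    "success": 1,
    "data": {
        "submission_timestamp": "2022-02-17 15:39:13",
        "task_uuid": "c6d6aa7a7d050010278daaeef0db406e",
        "expires": "2022-02-19 15:39:13",
    },
}

# Constructed sample: the Get Report response from the guide (progress check
# first, then the report), trimmed to the fields the default mapping uses.
GET_RESULT_RESPONSES = [
    {"success": 1, "data": {"progress": 100, "completed": 1}},
    {
        "success": 1,
        "data": {
            "task_uuid": "14fe86401e9300100937fb7bf3811e81",
            "score": 30,
            "malicious_activity": ["Info: The initial request failed"],
            "submission": "2022-01-18 20:34:34",
        },
    },
]


def _attr(name: str, value) -> dict:
    # Booleans are rendered as JSON ("false"), everything else via str().
    return {"name": name, "value": json.dumps(value) if isinstance(value, bool) else str(value)}


def task_id_attribute(submit_response: dict) -> Optional[dict]:
    """Attribute to store on the ThreatQ object after Submit; None if the
    submission was rejected or returned no task UUID."""
    if submit_response.get("success") != 1:
        return None
    task_uuid = submit_response.get("data", {}).get("task_uuid")
    return _attr(TASK_ID_ATTR, task_uuid) if task_uuid else None


def report_attributes(task_id: str, responses: list) -> Tuple[str, List[dict]]:
    """Apply the default Get Report mapping for one "Lastline Task ID".

    Returns (status, attributes) where status is one of:
      "error"    - a call failed (success != 1) or the payload is malformed
      "pending"  - analysis not finished yet; poll again later
      "mismatch" - the report is for a different task UUID; do not attach it
      "complete" - attributes are ready to be added to the sample
    """
    if not responses or responses[0].get("success") != 1:
        return "error", []
    progress = responses[0].get("data") or {}
    if progress.get("completed") != 1 or progress.get("progress", 0) < 100:
        return "pending", []
    if len(responses) < 2 or responses[1].get("success") != 1:
        return "error", []
    data = responses[1].get("data") or {}
    # Only relate a report to the sample if it really belongs to the task asked for.
    if data.get("task_uuid") != task_id:
        return "mismatch", []
    attrs: List[dict] = []
    for path, name in REPORT_MAPPING.items():
        value = data.get(path)
        if value is None:
            continue
        # List-valued fields (malicious_activity) become one attribute per entry.
        for item in (value if isinstance(value, list) else [value]):
            attrs.append(_attr(name, item))
    return "complete", attrs


if __name__ == "__main__":
    print(task_id_attribute(SUBMIT_RESPONSE))
    print(report_attributes("14fe86401e9300100937fb7bf3811e81", GET_RESULT_RESPONSES))
```

The task UUID check matters because Get Report runs once per "Lastline Task ID" attribute on the sample: attaching a report that answers a different task would silently mislabel the object's score and activity.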
Get Reputation
The Get Reputation action queries the network reputation of an FQDN or IP Address.
GET https://<Lastline Host>/knowledgebase/intel_network_reputation
Sample Response:
{
"data": {
"reputations": [
{
"blacklist": [
{
"threat_class": "Malware Distribution",
"threat": "URLhaus blacklisted host",
"first_seen": "2019-05-23 18:55:00",
"comment": "The domain name of the contacted host is known to be involved in suspicious redirection chains. Typically, threat actors inject a JavaScript script on a compromised website, starting the redirection chain and leading its visitors to different threats, such as exploitation attempts, online scams, or cookie stealers. Some of the intermediate steps may collect information on the victim and decide the next step accordingly.",
"last_seen": "2019-06-03 05:32:34",
"threat_impact": 25,
"threat_severity": 80,
"compromised": false
}
],
"entry": "treesguru.com"
}
]
},
"success": 1
}
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples |
---|---|---|---|---|
response.threat_name | attribute | attribute.name.Resource Data | NA | URLhaus blacklisted host |
response.last_seen | attribute | attribute.name.Resource Data | NA | 2019-06-03 05:32:34 |
response.threat_class | attribute | attribute.name.Resource Data | NA | Malware Distribution |
response.threat_severity | attribute | attribute.name.Resource Data | NA | 80 |
response.comment | attribute | attribute.name.Resource Data | NA | No malicious activity found |
response.threat_impact | attribute | attribute.name.Resource Data | NA | 25 |
response.compromised | attribute | attribute.name.Resource Data | NA | false |
response.first_seen | attribute | attribute.name.Resource Data | NA | 2019-05-23 18:55:00 |
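The following is an added example, not ThreatQ's or Lastline's own code, that flattens the Get Reputation response above into attributes according to the mapping table (the response field "threat" is what the table calls threat_name). The sample data is constructed: it is the guide's response plus a second, clean entry added here to exercise the case where Lastline has no blacklist records, for which the comment "No malicious activity found" from the table's example column is emitted (an assumption about how that example arises).

```python
"""Added example (not ThreatQ's or Lastline's own code): flatten the Get
Reputation response shown in this guide into attributes, following the
guide's mapping table. Sample data is constructed: the guide's response plus
a second, clean entry added here to exercise the no-blacklist case."""
import json
from typing import List

# JSON field -> mapped name from the guide's table ("threat" in the
# response is what the table calls threat_name).
REPUTATION_FIELDS = {
    "threat": "threat_name",
    "last_seen": "last_seen",
    "threat_class": "threat_class",
    "threat_severity": "threat_severity",
    "comment": "comment",
    "threat_impact": "threat_impact",
    "compromised": "compromised",
    "first_seen": "first_seen",
}

# Assumption: comment emitted for an entry with no blacklist records, taken
# from the example column of the guide's mapping table.
CLEAN_COMMENT = "No malicious activity found"

# Constructed sample: the guide's response, comment shortened, plus one
# clean entry (example.org) added for this example.
REPUTATION_RESPONSE = {
    "success": 1,
    "data": {
        "reputations": [
            {
                "entry": "treesguru.com",
                "blacklist": [
                    {
                        "threat_class": "Malware Distribution",
                        "threat": "URLhaus blacklisted host",
                        "first_seen": "2019-05-23 18:55:00",
                        "comment": "The domain name of the contacted host is known to be "
                                   "involved in suspicious redirection chains.",
                        "last_seen": "2019-06-03 05:32:34",
                        "threat_impact": 25,
                        "threat_severity": 80,
                        "compromised": False,
                    }
                ],
            },
            {"entry": "example.org", "blacklist": []},
        ]
    },
}


def _attr(name: str, value) -> dict:
    # Booleans are rendered as JSON ("false"), matching the guide's example column.
    return {"name": name, "value": json.dumps(value) if isinstance(value, bool) else str(value)}


def reputation_attributes(response: dict, indicator: str) -> List[dict]:
    """Attributes for `indicator` from a Get Reputation response.

    Returns [] when the indicator is absent from the response. Matching on
    the "entry" field is case-insensitive so that an FQDN stored with
    capitals in ThreatQ still finds its lower-cased Lastline entry.
    Raises ValueError when the API reports failure instead of silently
    returning an empty, misleadingly "clean" result.
    """
    if response.get("success") != 1:
        raise ValueError("Lastline intel_network_reputation call failed")
    wanted = indicator.strip().lower()
    for rep in response.get("data", {}).get("reputations", []):
        if str(rep.get("entry", "")).lower() != wanted:
            continue
        records = rep.get("blacklist") or []
        if not records:
            return [_attr("comment", CLEAN_COMMENT)]
        attrs: List[dict] = []
        for rec in records:
            for field, name in REPUTATION_FIELDS.items():
                if field in rec:
                    attrs.append(_attr(name, rec[field]))
        return attrs
    return []


def highest_severity(attrs: List[dict]) -> int:
    """Largest threat_severity among the mapped attributes (0 if none), a
    convenient single number to key a ThreatQ scoring rule on."""
    return max((int(a["value"]) for a in attrs if a["name"] == "threat_severity"), default=0)


if __name__ == "__main__":
    found = reputation_attributes(REPUTATION_RESPONSE, "TreesGuru.com")
    print(found, highest_severity(found))
```

A failed call and an indicator Lastline knows nothing about are kept distinct on purpose: treating an API error as "no blacklist records" would mark a possibly malicious indicator as clean.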
Query Tasks
The Query Tasks action queries the Lastline knowledgebase for existing tasks matching an indicator (FQDN or IP Address) or a file.
POST https://<Lastline Host>/knowledgebase/<Indicator>
Sample Response:
{
"success": 1,
"data": {
"list_domains": []
}
}
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples |
---|---|---|---|---|
response.threat_name | attribute | attribute.name.Resource Data | NA | Locky |
response.threat_class | attribute | attribute.name.Resource Data | NA | command&control |
response.threat_severity | attribute | attribute.name.Resource Data | NA | warning |
response.compromised | attribute | attribute.name.Resource Data | NA | false |
response.tag | attribute | attribute.name.Resource Data | NA | compromised:quant loader |
Query Tasks Configuration Options
The Query Tasks action provides the following configuration options:
Parameter | Description |
---|---|
AV Filter | Allows you to filter your results by AV detection. |
File Type Filter | Allows you to filter your results by detected file type. |
Change Log
- Version 2.1.0
  - Added Risk Estimate to reports.
- Version 2.0.0
  - Added the ability to:
    - Query for Domains and SHA-1 hashes
    - Submit Files and URLs
    - Get Network Reputation for IPs and Domains.
- Version 1.0.0
  - Initial Release
PDF Guides
Document | ThreatQ Version |
---|---|
Lastline Operation Guide v2.1.0 | 4.57.2 or Greater |
Lastline Operation Guide v2.0.0 | 3.6.0 or Greater |