Version 7.5
New features
- Support for Single-Sign-On using SAML2
- Remember display settings of tables in portal
- Notification format updated for Syslog, HTTP and email notifications
- Streaming notification API
- Lastline Knowledge Base access from portal
- Improved analysis via Intel VT-x hypervisor support
- Bug fixes and improvements
Support for Single-Sign-On using SAML2
A Lastline Analyst appliance can now be configured to allow log in to the web portal using the SAML 2.0 Single Sign On protocol.
Once an administrator has configured an Identity Provider, users can choose to log in as usual by providing a username and password to the Lastline Analyst Portal, or to log in using Single Sign On through the configured Identity Provider.
Information on how to configure SAML2-based Single Sign On is available in the integration guide.
Remember display settings of tables in portal
The Lastline portal now remembers a number of display options that a user can select for key tables in the interface. This includes:
- Which columns are shown or hidden
- Relative width of columns
- Sort order
- Number of rows to display per page
The settings are stored in the browser's local storage, so that they persist across user sessions. A user can reset a table to its default display options by selecting the "Reset table" option in the hamburger menu of the table.
Notification format updated for Syslog, HTTP and email notifications
With this release, the Syslog notification format is updated to 7.5. Details about the contents of our Syslog notifications in CEF and LEEF formats can be found in the updated integration guide.
Likewise, the generic HTTP notification format is updated to 7.5. Details about the contents of our HTTP notifications can be found in the updated integration guide.
Changes in version 7.5 include:
- Improved the format of notifications for audit events. All notifications for audit events are now of type audit-event. The specific type of action is now contained in a new "audit action type" field.
Streaming notification API
This release introduces a new way to receive a stream of notifications from a Lastline installation. Users can now create a streaming notification configuration. As a result, they will receive a URL that they can visit to obtain a stream of notifications in JSON format identical to the messages sent out in Lastline's generic HTTP notifications.
Usage of this API is described in the integration guide, and a sample client for consuming the notification stream is available as part of the sample PAPI client distribution in file scripts/streaming_api_client.py.
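The following is an added illustration of a consumer for the notification stream described above, combined with the 7.5 audit-event change: it is not the release's own scripts/streaming_api_client.py and not Lastline code. It assumes the stream is newline-delimited JSON and assumes the key names "notification_type" and "audit_action_type", none of which these notes specify; the sample records are constructed.

```python
import json

# Constructed sample of a newline-delimited JSON stream. The release notes do not
# spell out the wire format or the JSON key names, so the line delimiting and the
# keys "notification_type" and "audit_action_type" are assumptions for this example.
SAMPLE_STREAM = (
    b'{"notification_type": "audit-event", "audit_action_type": "user_login", "user": "alice"}\n'
    b'{"notification_type": "audit-event", "audit_action_type": "config_change", "user": "bob"}\n'
    b'{"notification_type": "malware-detection", "severity": 80, "host": "10.0.0.5"}\n'
    b'this line is not JSON and must not break the consumer\n'
    b'{"notification_type": "audit-event", "audit_action_type": "user_login", "user": "carol"}\n'
)


def chunked(data: bytes, size: int):
    # Simulate an HTTP response body arriving in arbitrary-sized chunks.
    for i in range(0, len(data), size):
        yield data[i:i + size]


def iter_notifications(chunks):
    # Reassemble chunks into complete lines and parse each as JSON. A malformed
    # line is skipped (log it in production) so one bad record cannot stall delivery.
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            if line.strip():
                try:
                    yield json.loads(line)
                except json.JSONDecodeError:
                    continue
    if buf.strip():  # stream closed mid-record: try the trailing partial line
        try:
            yield json.loads(buf)
        except json.JSONDecodeError:
            pass


def summarize(chunks) -> dict:
    # Count notifications by type; audit events are keyed on the 7.5 action field
    # rather than on per-action notification types, which 7.5 no longer emits.
    by_type: dict = {}
    audit_actions: dict = {}
    for n in iter_notifications(chunks):
        ntype = n.get("notification_type", "unknown")
        by_type[ntype] = by_type.get(ntype, 0) + 1
        if ntype == "audit-event":
            action = n.get("audit_action_type", "unknown")
            audit_actions[action] = audit_actions.get(action, 0) + 1
    return {"by_type": by_type, "audit_actions": audit_actions}
```

A real client would feed the chunks of an HTTPS response for the configured stream URL into summarize(), with certificate verification left enabled.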
Lastline Knowledge Base access from portal
The intelligence search interface opens up access to the Lastline Knowledge Base (LLKB) — a massive repository of malware behaviors. LLKB enables security professionals to quickly dig deep into historical breaches, related domains or IP addresses, associated indicators of compromise (IOCs) as well as strings and other artifacts generated in memory for forensics. LLKB can be used by Incident Response (IR) and Security Operations Center (SOC) teams to drastically improve escalation accuracy, rapid containment, effective countermeasures and future protections.
For a given search, the system provides:
- Analytical results split into multiple facets for a better threat assessment (e.g. Lastline classification, Anti-virus labels, threat vector type, visibility across market sectors).
- Pointers to related analysis reports offering a rich set of details, allowing the user to proceed with a deeper analysis.
The system can be accessed from the dedicated intelligence tab and navigation is also supported from the analysis reports by simply clicking the intelligence icons attached to the report elements. Usage of the system is described in the Portal Guide. Note that users will gain access to the public reports analyzed in the Lastline cloud, as well as analysis reports for samples shared by the user and uploaded to the Lastline backend.
Improved analysis via Intel VT-x hypervisor support
The analysis engine now makes use of more features provided by the Intel VT-x hypervisor technology. The system leverages a hybrid model, combining the performance of virtualization with the deep analysis capabilities provided by Full-System Emulation, to allow even more advanced and flexible detections.
Support for the Intel VT-x technology is a requirement for upgrading appliances, and it is available on all systems that meet the Lastline hardware requirements. Systems running an unsupported platform will not be able to upgrade to this release.
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- add_submission_to_history
Furthermore, the following deprecated methods of the legacy API are being removed in this version:
- query_account_details
- query_accounts
- delete_account
- update_account
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Analyst On Premise:
- Lastline Analyst version 706