Lastline Analyst and Detonator On-Premises Release Notes

Version 7.16

New features

  • Knowledge Base Alerting service
  • Improved appliance selection
  • Improved visual consistency of Lastline Portal
  • Flexible export of blacklisted IoCs in intelligence tab
  • Display DNS resolution timeline in intelligence tab
  • Explicit proxy performance improvements
  • Support shifting the selected time range with one click
  • Show warning when downloading analyzed file
  • Ability to configure Engine appliances as HA
  • File analysis improvements
  • URL analysis improvements
  • Traffic sniffing improvements
  • Bug fixes and improvements

Knowledge Base Alerting service

Users with a Knowledge Base license now have access to a new alerting service under the Knowledge Base interface of the Lastline Enterprise Portal Intelligence Page. With this version, licensed users can create matching rules that are evaluated against Lastline analysis results as they are indexed into the Knowledge Base. Rules use the same language as Knowledge Base queries, offering the same rich set of terms, with additional support for regular expressions.

The alerting service extends the Knowledge Base to new use cases. With alerting, users can monitor for company assets (e.g. domains, email addresses, clients) and determine whether their company is being targeted by recent threats. Users can also generate feeds of samples that satisfy certain criteria or exhibit specific IoCs (e.g. hunting for samples that use Bitcoin wallets).

Users can directly access rule matches from the Lastline Enterprise Portal. For proactive notification, users can also configure different types of notifications to automatically receive these matches (e.g. email notification, syslog notification).

The alerting service, the creation of matching rules, access to matches from the portal, and the configuration of notifications based on matches are described in detail in the Lastline Portal Guide.

This improvement was tracked internally with tickets FEAT-1414 and FEAT-1735.

Improved appliance selection

This release improves the modal dialog that is used when selecting multiple appliances in the Appliance monitoring logs and Appliance metrics views. The existing selection dialog could be cumbersome to use for customers with many appliances. The appliance selection dialog now includes options to clear the selection, as well as select all appliances of a given type.

This improvement was tracked internally as USER-2568.

Improved visual consistency of Lastline Portal

In this release we have made a number of small changes that improve the visual consistency of the Lastline Portal, by improving conformance with our visual style guide. These improvements include:

  • more consistent use of icons for remove vs delete operations
  • fix missing titles for links that open in new tab
  • more consistent display of icons within links
  • more consistent options for closing modal dialogs

This improvement was tracked internally as USER-2502.

Flexible export of blacklisted IoCs in intelligence tab

When accessing the domains and IPs resulting from a search in the Intelligence Page, the Network IoCs tab now lets users select which entries to export for blacklisting. Entries recommended for export are selected by default.

This feature was tracked internally as FEAT-2030.

Display DNS resolution timeline in intelligence tab

When performing a search for IPs or domains contacted during analysis in the Intelligence Page, the DNS tab now displays a timeline of the DNS resolutions related to the query terms that Lastline observed during analysis. The timeline also provides additional information about the IPs and domains involved. This feature was tracked internally as FEAT-1740.

Support shifting the selected time range with one click

The time range selection widget used throughout the Lastline Portal now supports shifting to the previous or following interval with a single click on the < and > buttons. Using these buttons shifts the selected interval while preserving its length in days. This feature was tracked internally as FEAT-2083.

Show warning when downloading analyzed file

The portal now shows a warning the first time a user attempts to download a file that was submitted for analysis. The warning advises the user that the file is potentially malicious and should be handled with care.

This improvement was tracked as FEAT-2022.

Ability to configure Engine appliances as HA

In certain deployment scenarios it can be useful to prevent a subset of Engine appliances from processing analysis tasks. For this purpose, the system provides a utility for marking individual Engine appliances as inactive, meaning that they will not be assigned any work.

This release includes the lastline_configure_engine_availability tool, which can be used to obtain a list of Engine appliances, to mark them as inactive, and to re-enable appliances that have previously been disabled. For detailed steps on how to configure an Engine, refer to the installation manual.

This improvement was tracked as FEAT-1584.

File analysis improvements

  • MALS-2307: accept NuGet archives in Analyst API.
  • MALS-2254 MALS-2273: improved analysis environment selection for XPS submissions.
  • LLFILE-367: accept pcapng files in Analyst API.
  • MALS-2274 MALS-2196: more aggressively use static document features to determine the analysis environment used for dynamic analysis.

We have made enhancements to the detection of

  • LLADOC-458 exploits using SOAP Moniker in Microsoft Office documents.
  • LLADOC-450 LLADOC-451 LLADOC-454 exploits using external commands, external OLE data, or DDE Links in Microsoft Office documents.
  • LLADOC-457 LNK files embedded in Microsoft Office documents.
  • LLADOC-453 encrypted documents embedded in documents or emails.
  • LLADOC-336 compressed streams embedded in Hangul documents.
  • LLADOC-459 evasive code using mouse movement.
  • LLADOC-462 position independent shellcode.
  • LLADOC-463 suspicious OLE objects embedded in RTF documents.
  • LLADOC-464 encoded commands embedded in PowerPoint presentations.
  • LLAM-3046 LLAM-3014 sleep-based evasions.
  • SIGLOGSCAN-205 x86 shellcode embedded in legitimate tools.
  • LLADOC-469 malicious DDE commands embedded in Microsoft Office documents.

and improved the reliability of

  • LLAM-2978 LLAM-2981 LLAM-2997 extracting process snapshot metadata and covering more memory regions.
  • LLAM-3030 tracking behavior spawned from MSI packages.
  • LLADOC-467 extracting non-ASCII code snippets from PDF documents.
  • MALS-2324 identifying email messages in RFC 2822 format.
  • LLFILE-381 analyzing OLE streams embedded in Microsoft Office documents.

URL analysis improvements

  • LLWEB-1777: improve whitelisting of newly spawned benign processes observed during a URL analysis.

Bug fixes and improvements

  • MALS-2299: more robust handling of hash-lookups with MD5 collisions.
  • MALS-2280: improved handling of Analyst API get_completed for returning completion information for partially completed seconds.
  • MALS-2298: more robust handling of corrupted archives in Analyst API.
  • MALS-2320: better handling of large archives in Analyst API.
  • MALS-1947: better validation of report_uuid in calls to Analyst API.
  • MALS-2345 MALS-2280 MALS-2309: improve handling of queries for completion information in the Analyst API that use long time windows.
  • LLADOC-461: better extraction of long strings in Analyst API results (e.g., subject command line or Microsoft Office macro code).
  • MALS-2338: support optimized API call for retrieving UTC timestamp.
  • MALS-2326: more flexible support of sessions in Analyst API - allow using latest API clients against server versions that do not support sessions.
  • CC-1953: lastline_register/lastline_test_appliances: no longer use the OPTIONS method for testing connectivity to a proxy server.
  • USER-2476: allow non-administrator accounts with the "can view appliances" permission to view appliance configuration.
  • USER-2517/USER-2520: fix an issue that caused the link to child tasks not to be shown in some analysis reports.
  • CC-1970/CC-2015: improve error reporting during appliance installation.
  • CC-2026: diagnostic checks: support the case where multiple virtual drives are defined on an LSI RAID controller.
  • FEAT-1872: support for a management interface other than eth0.
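The MD5-collision item above (MALS-2299) points at a general hazard for anyone scripting against a hash-lookup API: an MD5 alone does not identify a file, since distinct files can share one. The Python sketch below is an added example written for these notes, not Lastline code and not the Analyst API's behaviour. It treats an MD5 hit as a set of candidates, validates digest format and length before use (in the spirit of the report_uuid validation item, MALS-1947), and only reports a single result once a SHA-1 or SHA-256 confirms it. The sample index is constructed; two records deliberately share an MD5 to stand in for a real collision, and the third uses the genuine digests of the empty file.

```python
"""Collision-aware hash lookup (illustrative; not Lastline's implementation)."""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# hex digest length -> algorithm name
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample index. The first two records share an MD5 (simulating a
# collision) while their SHA-1/SHA-256 differ; the third holds the real
# digests of the empty file so digests(b"") can be resolved against it.
SAMPLE_INDEX = [
    {"md5": "79054025255fb1a26e4bc422aef54eb4", "sha1": "1" * 40,
     "sha256": "a" * 64, "label": "report-benign"},
    {"md5": "79054025255fb1a26e4bc422aef54eb4", "sha1": "2" * 40,
     "sha256": "b" * 64, "label": "report-malicious"},
    {"md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "label": "report-empty"},
]


def classify_hash(value):
    """Validate a hex digest and infer its algorithm from its length.
    Anything that is not a well-formed md5/sha1/sha256 hex string is rejected
    before it reaches the index."""
    if not isinstance(value, str) or not HEX_RE.match(value):
        raise ValueError("hash must be a non-empty hex string")
    algo = ALGO_BY_LEN.get(len(value))
    if algo is None:
        raise ValueError("unsupported digest length %d" % len(value))
    return algo


def lookup(index, value):
    """Return every record whose digest (algorithm inferred from length) matches.
    For MD5 this may legitimately be more than one record."""
    algo = classify_hash(value)
    needle = value.lower()
    return [r for r in index if r[algo] == needle]


def resolve(index, md5, sha1=None, sha256=None):
    """Resolve an MD5 lookup to at most one record.

    Returns (status, records):
      'not_found' -> no record has this MD5
      'unique'    -> exactly one record (after applying any stronger hash)
      'ambiguous' -> several records share the MD5 and no stronger hash
                     narrowed them down; the caller must not pick one blindly
    """
    candidates = lookup(index, md5)
    for algo, strong in (("sha256", sha256), ("sha1", sha1)):
        if strong is None:
            continue
        if classify_hash(strong) != algo:
            raise ValueError("%s is not a %s digest" % (strong, algo))
        candidates = [r for r in candidates if r[algo] == strong.lower()]
    if not candidates:
        return "not_found", []
    if len(candidates) == 1:
        return "unique", candidates
    return "ambiguous", candidates


def digests(data):
    """All three digests of a file's bytes, so a client can always send the
    strong hashes alongside the MD5 instead of relying on MD5 alone."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    md5 = "79054025255fb1a26e4bc422aef54eb4"
    print(resolve(SAMPLE_INDEX, md5))                    # ambiguous, 2 candidates
    print(resolve(SAMPLE_INDEX, md5, sha256="b" * 64))   # unique: report-malicious
    d = digests(b"")
    print(resolve(SAMPLE_INDEX, d["md5"], sha256=d["sha256"]))
```

The design choice worth copying is the return shape: an ambiguous MD5 is reported as such rather than silently collapsed to the first match, which is the failure mode that turns a benign verdict for one file into a benign verdict for its colliding twin.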

Deprecation of API methods

All methods of the legacy API (/ll_api/ll_api) are now deprecated. The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances. For Lastline Analyst On-Premises:

  • Lastline Analyst version 800.4

and for Lastline Detonator On-Premises:

  • Lastline Manager version 800.4
  • Lastline Engine version 800.4

Released sandbox images versions

With this release, the sandbox images version is updated to 2017-07-17-01.

Distribution Upgrade

As of this version, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded before the 7.16 upgrade is attempted.

For complete information regarding the upgrade process, please refer to the Lastline Support Knowledge Base.
