Version 6.4
Changes
- Email analysis improvements
- IDS improvements
- Expose Indicators of Compromise (IOC)
- Improved display of traffic capture for network events
- Fix redirect after SSO login
Email analysis improvements
- Increased performance: this version significantly increases the number of emails per hour that a Sensor can process (the actual rate depends on the hardware and on the type of email traffic).
- Support for SSL/TLS and STARTTLS for SMTP (both sending and receiving).
- Increased robustness during email processing/delivery.
For in-line MTA mode:
- Better handling of nexthop server errors, including the generation of Delivery Failure Notification messages. Notifications can be sent to the original sender of the email and/or a configured email address.
- Ability to customize the email subject tag added when suspicious/malicious content is found.
- Ability to customize the text used to replace blocked URLs.
- Note: the format of the text added to the body of email messages has changed compared with previous versions.
- Ability to configure a separate next-hop for email bounces.
- Increased robustness in case the next-hop server closes the connection during email delivery.
IDS improvements
- Fix for a problem that allowed IDS signature events to indicate blocking via TCP RSTs when blocking is actually disabled.
- Performance and robustness enhancements.
- Expanded file support: the Sensor now extracts Mach-O and Microsoft .cab archives from network traffic for processing.
Expose Indicators of Compromise (IOC)
The analysis platform now supports extracting Indicators of Compromise (IOCs) from analysis runs in the Lastline sandbox. The IOCs are exposed in STIX format, which allows integration with host-based tools that consume STIX, and makes it possible to verify on a potentially compromised machine whether the activity behind a network event actually took place.
Improved display of traffic capture for network events
Display of captured traffic has been improved. Contacted URLs are now displayed in the table listing captured flows. Furthermore, the table can be filtered to search for flows that involved a selected URL. This makes it more convenient to explore the traffic captures of events that involve many network flows.
Fix redirect after SSO login
This release fixes a bug affecting installations that use SAML Single Sign-On. When logging in through SSO, users are now redirected to the correct page.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for on-premises use:
- Lastline Manager version 607
- Lastline Engine version 607
- Lastline Sensor version 609.3
- Lastline All-in-one (pinbox) version 607
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- query_pcaps
- get_pcaps
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.