Version 7.2
New features
- Tanium IOC Detect integration
- Improved Analysis report overview
- Improved Analysis report timeline
- Download process snapshots of analyzed processes
- Additional information in notifications for network events
- Information on appliance actions in audit log
- Improved traffic capture display
- Resizable table columns in portal
- Support for multiple network interfaces/IP addresses
- Various improvements to the analysis engine to improve detection effectiveness, performance and robustness.
- Other fixes and improvements
Tanium IOC Detect integration
Lastline Enterprise can now integrate with Tanium IOC Detect. This integration can be used to verify infections on end hosts that are running Tanium IOC Detect using Indicators of Compromise generated by Lastline, directly from the Lastline Enterprise Portal.
For help using this integration, see the Tanium integration guide available in the Manuals page of the Lastline Portal.
Improved Analysis report overview
The overview displayed for Analysis results has been improved, adding more information to the table displaying detected activities:
- Display "Severity" value in the 0-100 range to indicate which detected activities are malicious
- Display icons indicating on which operating systems the activity was detected
- For activities that support it, provide a direct link to timeline view filtered to display only actions related to that activity.
Improved Analysis report timeline
The timeline view of Analysis reports has been improved in a number of ways:
- Filter by activity: The timeline view can now be filtered to display only actions relevant for a specific detected activity
- Stack depth filter: The timeline view can now filter the actions to display based on the depth of the call stack
- Process and thread views: The timeline view now displays actions on one line for each process, rather than for each thread. When a process is selected, the view switches to displaying one line per thread.
- Improved Action Table: The table listing actions in the timeline view has been improved to make important information immediately accessible.
- Improved category selection: The interface for selecting action categories (such as file, registry, process, ...) has been improved. Double-clicking on one category will now select only that category. Unselecting the last selected category will now select all categories again.
Download process snapshots of analyzed processes
Full-process snapshots can now be downloaded in the Lastline process_snapshot format (.LLS file). This snapshot type is generated for all 32-bit or 64-bit processes that are tracked during the analysis. For each process, the process snapshot file contains the allocated memory sections/areas mapped during the analysis, as well as metadata describing the placement of these memory sections within the process memory and how their content/placement changes over time. These snapshots can be loaded into IDA Pro using a dedicated loader, as described in the API documentation.
Additional information in notifications for network events
Our syslog (SIEM) notifications, generic HTTP notifications and email notifications for network events have been extended with additional information.
Syslog notifications in LEEF format now include:
- EventUrl: URL of the network event
- IncidentId: identifier of the incident related to this event
- IncidentImpact: impact of the incident related to this event
- IncidentMalware: name of the malware of the incident related to this event
- IncidentClass: name of the malware family of the incident related to this event
- ApplianceName: user-friendly name of the sensor appliance (as configured for the sensor subkey)
Syslog notifications in CEF format now include:
- EventUrl: URL of the network event
- IncidentId: identifier of the incident related to this event
- IncidentImpact: impact of the incident related to this event
The syslog notification format version that includes these new fields is version 7.2.
Generic HTTP notifications now include:
- event_url: URL of the network event
- incident_id: identifier of the incident related to this event
- incident_impact: impact of the incident related to this event
- incident_malware: name of the malware of the incident related to this event
- incident_malware_class: name of the malware family of the incident related to this event
Email notifications likewise include:
- Event url information
- Information about the incident related to this event
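As an added example, not Lastline's own code and not its exact output layout, the following parser reads LEEF and CEF syslog notifications, honours the pipe and equals escaping both formats allow, and pulls out the incident fields listed above for SIEM correlation. The two sample lines are constructed for this example; their header values, URL, IDs, malware names and appliance name are assumptions.

```python
import re

# Constructed samples for this example: field names follow the 7.2 notes, but
# header values, URL, IDs and malware names are invented, not real Lastline output.
LEEF_SAMPLE = ("LEEF:1.0|Lastline|Enterprise|7.2|NetworkEvent|"
               "EventUrl=https://portal.example.test/event/1001\tIncidentId=42\t"
               "IncidentImpact=80\tIncidentMalware=SampleTrojan\t"
               "IncidentClass=TrojanFamily\tApplianceName=sensor-dc1")
CEF_SAMPLE = ("CEF:0|Lastline|Enterprise|7.2|1001|Network event|8|"
              "EventUrl=https://portal.example.test/event/1001 IncidentId=42 "
              "IncidentImpact=80 msg=suspicious download of a\\=b")

def _split_header(line, prefix, count):
    """Split off `count` pipe-delimited header fields (a backslash-escaped pipe
    stays literal) and return (fields, remainder); reject other formats."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=count)
    if not line.startswith(prefix) or len(parts) <= count:
        raise ValueError("not a complete %s record" % prefix)
    return [p.replace("\\|", "|") for p in parts[:count]], parts[count]

def parse_leef(line):
    """LEEF 1.0: five header fields, then tab-separated key=value attributes."""
    fields, ext = _split_header(line, "LEEF:", 5)
    attrs = dict(kv.split("=", 1) for kv in ext.split("\t") if "=" in kv)
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "event_id": fields[4], **attrs}

def parse_cef(line):
    """CEF: seven header fields, then space-separated key=value attributes whose values may contain spaces and escaped '='."""
    fields, ext = _split_header(line, "CEF:", 7)
    # A key is a token at the start or after whitespace that is followed by '='.
    attrs, keys = {}, list(re.finditer(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=", ext))
    for m, nxt in zip(keys, keys[1:] + [None]):
        value = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        attrs[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return {"vendor": fields[1], "product": fields[2], "version": fields[3],
            "signature_id": fields[4], "name": fields[5], "severity": fields[6], **attrs}

INCIDENT_FIELDS = ("EventUrl", "IncidentId", "IncidentImpact",
                   "IncidentMalware", "IncidentClass", "ApplianceName")

def incident_context(record):
    """Pick out the incident fields added in 7.2; IncidentImpact becomes an int."""
    ctx = {k: record[k] for k in INCIDENT_FIELDS if k in record}
    if "IncidentImpact" in ctx:
        ctx["IncidentImpact"] = int(ctx["IncidentImpact"])
    return ctx
```

Note that the CEF sample carries only the three fields the notes list for CEF, so incident_context returns fewer keys for it than for the LEEF sample.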
Information on appliance actions in audit log
The audit log available in the Lastline Portal and API now includes information on appliance actions triggered through the Portal or API:
- Configuration changes
- Upgrades
- Reboot commands
The audit log UI has also been improved to better display audit events with a lot of parameters, such as appliance configuration changes.
Improved traffic capture display
Display of the traffic captured as part of a network event has been improved:
- Show multiple HTTP Request/Response pairs in HTTP protocol view
- Permalink to display of individual traffic capture
Resizable table columns in portal
Tables throughout the Lastline Portal have been improved to support drag-and-drop resizing of table columns.
Support for multiple network interfaces/IP addresses
Starting from this version it is possible to configure an appliance with multiple IP addresses over multiple network interfaces and have the appliance services accessible from all of them.
Other fixes and improvements
- Fix bug that could cause Active Directory integration to stop fetching login events from configured domain controllers
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:
- Lastline Manager version 702
- Lastline Engine version 702
- Lastline Sensor version 702
- Lastline All-in-one (pinbox) version 702
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- events/query_events
- incidents/query_incidents
- malware/query_malware
- incident_sources/query_incident_sources
- query_default_key
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.