Lastline Enterprise On-Premises Release Notes

Version 7.10

New features

  • Capture and analyze web content on the wire
  • File downloads log in Portal
  • Network events map
  • New Sensor registration
  • Support for sending syslog notifications over TCP
  • Display parsed network traffic in analysis reports
  • Broader hardware support for the inline Sensor
  • Configurable blocking interval for inline Sensor
  • Email Analysis improvements
  • Support for installing a sensor without sniffing interfaces
  • Support custom SSL certificates for standby manager UI

Capture and analyze web content on the wire

The Lastline Sensor is now able to capture web content transiting the protected network and to submit it for in-depth analysis. This functionality is currently off by default on Sensors, and can be enabled by toggling the "Enable on-the-wire webpage inspection" setting in the appliance configuration. We will be enabling the feature by default in a future release.

Information on analyzed web content is available in the URLs view of the portal. If suspicious content is detected by this analysis, a network event will be generated. These network events may also lead to notification if notifications are configured for network trigger type "Suspicious URL". The notification format for syslog, Streaming and Generic HTTP notifications has been extended to include this new type of detection. The integration guides for these notification formats have been updated to reflect the new message type. With this release, the notification format version is increased to 7.10.

File downloads log in Portal

The Lastline Portal now includes information on all files of supported file types extracted from traffic in the protected network. This information is available in the new Downloads/Logs view.

As in previous versions, only files that were submitted for in-depth analysis to the Lastline API are included in the Downloads/All view of the Lastline Portal.

Network events map

The network events view of the Lastline Portal now includes a world map with the geolocated positions of potentially malicious servers involved in the loaded events.

Dots in this map are colored by the maximum impact of the events at that location, and scaled by the number of hosts involved in events at that location. Clicking on a dot shows further details and filters the events shown on the map and in the network events table below.

New Sensor registration

With Sensor version 713, the way Sensor appliances are registered with our backend is being improved. This will prevent Sensors from being misconfigured to use incorrect Sensor licenses or Sensor licenses that are already in use. The Sensor installation manual has been updated to reflect this change.

When re-installing or replacing a Sensor, end users will now need to first deregister the old Sensor so the Sensor license is available for re-use in the new installation. For this, an option to deregister a Sensor is now available in the appliance status page of a registered Sensor.

Support for sending syslog notifications over TCP

When configuring a syslog (SIEM) notification, users can now select TCP or UDP as the transport protocol.

Display parsed network traffic in analysis reports

The network traffic captured during the analysis of an artifact is now displayed in parsed and browsable form when viewing the analysis report in the Lastline Portal.

Broader hardware support for the inline Sensor

The Sensor no longer requires NIC hardware supporting accelerated packet capture in order to deploy in inline mode, simplifying, for example, VM-based inline deployments.

Configurable blocking interval for inline Sensor

The appliance configuration UI for inline Sensors now supports configuring how long blocking lasts. This is controlled by the "block interval" setting, which becomes available only for Sensors in "inline deployment".

Email Analysis improvements

The logging of the email analysis component on the sensor has been improved. In particular:

  • Log to the on-sensor email log (and optionally to syslog) when an incoming email via SMTP is rejected.
  • Log to the on-sensor email log (and optionally to syslog) when an email is forwarded without analysis because of loss of connectivity between the sensor and the manager/backend.

Support for installing a Sensor without sniffing interfaces

It is now possible to install a Sensor without sniffing interfaces, or to select no sniffing interfaces during the execution of lastline_register. In that case, the Sensor can be used for dedicated email analysis.

Support custom SSL certificates for standby manager UI

In high availability mode, the standby Manager offers a web UI that can be used to trigger take-over. We now support installing a custom SSL certificate on the standby Manager to be used both before and after take-over, ensuring that connections to the standby Manager's UI are secure. Please note that to ensure a seamless take-over transition, the same custom certificate should be used for both the active and the standby Manager hosts.

For more information, refer to the updated installation manual.

Bug fixes and improvements

  • Fix a bug that could lead to some email notifications not being sent if the customer configured a whitelisted IP while leaving the host name field empty.
  • The timestamp of syslog messages is now correctly influenced by the timezone selected in the notification configuration, instead of being always UTC.
  • Fix a visual glitch that would sometimes affect our line and bar graphs.
  • Fix a visual glitch in the analysis subjects overview graph.
  • Fix a logic problem on the Sensor that led to a broken sniffer configuration when operating on appliances with at least 48 cores.
  • Fix the monitoring metric "Mail analysis pending", which would always show 0.
  • Manager and Engine appliances now report errors more promptly. Previously, it could take up to 10 minutes for an error state detected on the appliance to be reflected in the appliance's status as shown in the Lastline UI. Sensor appliances will benefit from the same improvement in the next release.
  • Fix the Knowledgebase configuration so that it fetches results from the Lastline Analysis host that the documentation lists among the hosts that must be reachable.
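Two items on this page concern how syslog notifications reach a SIEM: the new choice of TCP or UDP transport (see "Support for sending syslog notifications over TCP" above) and the fix that makes message timestamps follow the configured timezone instead of always being UTC. The following is an added example, not Lastline code and not the Lastline notification format (which is documented in the integration guides). It builds an RFC 5424 syslog line with a timezone-aware timestamp, delivers it over UDP (one datagram) or TCP (octet-counted framing per RFC 6587), and checks itself against a loopback listener. Hostnames, app name, message text and timestamps are constructed for the illustration.

```python
# Added example, not Lastline code: build an RFC 5424 syslog message with a
# timezone-aware timestamp and deliver it over UDP or TCP. Hostnames, app
# name, message text and timestamps below are constructed for this
# illustration; the real Lastline notification format is documented in its
# integration guides.
import socket
from datetime import datetime, timedelta, timezone

# Constructed sample timestamps: the same wall-clock time in UTC and in UTC-5.
EXAMPLE_TIME_UTC = datetime(2020, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EXAMPLE_TIME_MINUS5 = datetime(2020, 1, 1, 12, 0, 0,
                               tzinfo=timezone(timedelta(hours=-5)))


def syslog_timestamp(when: datetime) -> str:
    """RFC 5424 TIMESTAMP. The offset is taken from the datetime's own tzinfo,
    so a message stamped in the configured zone carries that zone's offset
    instead of being silently rendered as UTC. Naive datetimes are rejected
    because their zone is ambiguous."""
    if when.tzinfo is None:
        raise ValueError("syslog timestamps must be timezone-aware")
    text = when.isoformat(timespec="milliseconds")
    return text.replace("+00:00", "Z")


def build_message(facility: int, severity: int, hostname: str, appname: str,
                  msg: str, when: datetime) -> str:
    """Assemble an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    return f"<{pri}>1 {syslog_timestamp(when)} {hostname} {appname} - - - {msg}"


def frame_tcp(message: str) -> bytes:
    """Octet-counting framing (RFC 6587): b'<len> <message>'. A TCP stream has
    no datagram boundaries, so the length prefix is what lets the receiver
    separate consecutive messages."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_tcp_frames(stream: bytes) -> list:
    """Split a byte stream of octet-counted frames back into messages."""
    messages = []
    while stream:
        length, _, rest = stream.partition(b" ")
        count = int(length)
        messages.append(rest[:count].decode("utf-8"))
        stream = rest[count:]
    return messages


def send_syslog(message: str, host: str, port: int, transport: str) -> None:
    """Deliver one message. UDP is fire-and-forget; TCP gives a connected
    stream, so delivery failures surface as socket errors rather than as
    silently dropped datagrams."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(message.encode("utf-8"), (host, port))
    elif transport == "tcp":
        with socket.create_connection((host, port), timeout=5) as sock:
            sock.sendall(frame_tcp(message))
    else:
        raise ValueError(f"unknown transport: {transport}")


def roundtrip(message: str, transport: str) -> str:
    """Send `message` to a loopback listener on an ephemeral port and return
    the message exactly as the listener decoded it."""
    if transport == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
            srv.bind(("127.0.0.1", 0))
            srv.settimeout(5)
            send_syslog(message, "127.0.0.1", srv.getsockname()[1], "udp")
            data, _ = srv.recvfrom(65535)
            return data.decode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)
        send_syslog(message, "127.0.0.1", srv.getsockname()[1], "tcp")
        conn, _ = srv.accept()
        with conn:
            chunks = []
            while True:  # read until the sender closes the stream
                chunk = conn.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        return parse_tcp_frames(b"".join(chunks))[0]


if __name__ == "__main__":
    sample = build_message(1, 4, "sensor01.example", "notify",
                           "Suspicious URL detected (constructed sample)",
                           EXAMPLE_TIME_MINUS5)
    for transport in ("udp", "tcp"):
        print(transport, roundtrip(sample, transport))
```

Running the block sends the same constructed message over both transports and prints what the listener received; the TCP path also shows why a framing convention is needed when several messages share one connection. When pointing a real receiver at a Lastline notification, confirm that its syslog input expects the same framing and that the timestamp offset in the delivered lines matches the timezone selected in the notification configuration.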

Deprecation of API methods

The following deprecated methods of the legacy API are being removed in this version:

  • list_threat_classes
  • list_threats
  • query_entry_info

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:

  • Lastline Manager version 714
  • Lastline Engine version 714
  • Lastline Sensor version 713.3
  • Lastline All-in-one (pinbox) version 714