Lastline Enterprise On-Premises Release Notes

Version 7.5

New features

  • Remember display settings of tables in portal
  • Endpoint events view in portal
  • Improved display of evidence for detections in portal
  • Global search tab in portal
  • View detection data for all licenses in portal
  • Improved mail tab showing suspicious URLs found in emails
  • Improved syslog, HTTP and email notifications for suspicious emails
  • Notification format updated for Syslog, HTTP and email notifications
  • Display TLS exchanges in captured traffic
  • Streaming notification API
  • Support for including PCAPs in Syslog and HTTP notifications
  • Improvements to SAML2 Single-Sign-On support
  • Lastline Knowledge Base access from portal
  • Improved analysis via Intel VT-x hypervisor support

Remember display settings of tables in portal

The Lastline portal now remembers a number of display options that a user can select for key tables in the interface. This includes:

  • Which columns are shown or hidden
  • Relative width of columns
  • Sort order
  • Number of rows to display per page

The settings are stored in the browser's local storage, so that they persist across user sessions. A user can reset a table to its default display options by selecting the "Reset table" option in the hamburger menu of the table.

Endpoint events view in portal

A new endpoint events view displays information on events detected on the endpoint. Currently, this is limited to verification of IoCs (Indicators of Compromise) obtained through the integration with Tanium IoC Detect, or pushed to the Lastline API.

Improved display of evidence for detections in portal

All of the evidence collected by Lastline for an incident detected on a protected network is now presented together, to allow end users to immediately view this evidence and have more information to evaluate the impact of the incident.

This information is available in three places in the Lastline Portal:

  • In the "Infected host" view that shows all information about a host on the network. This is in the "Evidence" section near the top of this page. Each piece of evidence will provide a link to a specific network event that includes that evidence, so the user can immediately find a concrete example of what was detected, even for hosts that have many network events. This link is found in the "Reference" column of the table.

  • In the "Incident" page showing details about a single Incident. This is in the "Evidence" section near the top of this page. Each piece of evidence will provide a link to a specific network event that includes that evidence, so the user can immediately find a concrete example of what was detected, even for incidents that have many network events. This link is found in the "Reference" column of the table.

  • In the Event page showing details about a single event on the network. This is in the "Event Evidence" section of this page. This replaces the "Malicious Activity" section of the interface, and presents all different types of evidence for a network event in a consistent way.

For detections performed before the release of this version, only a subset of the above information may be available.

Global search tab in portal

A new top-level "Search" tab has been added to the Lastline Portal for Lastline Enterprise hosted customers.

This new tab provides a unified way to search for specific features such as IP addresses or file hashes across all detection data for a customer's monitored networks. Specifically, search can currently be used to find:

  • IP addresses
  • Domain names
  • File hashes (MD5)
  • Lastline Analyst UUIDs

Search results are returned for these features across different types of data collected by Lastline. For instance, a file hash may be found in an HTTP file download or in a mail attachment detected by a Lastline Sensor.

The types of features that may be searched for as well as the scope of search results will be extended over time to provide more comprehensive search capabilities.

View detection data for all licenses in portal

When viewing detection data, users can now view data across licenses in a single view. This can be done by selecting "All Licenses" and "All Sensors" in the License and Sensor drop down menus, respectively.

This new capability applies to all the relevant tabs of the Lastline Portal:

  • Dashboard
  • Console
  • Events
  • Downloads
  • Mail
  • Search

Improved mail tab showing suspicious URLs found in emails

The Mail tab of the Lastline Portal has undergone a major redesign to display additional information. Specifically, it now includes information on URLs found in emails analyzed on the sensor.

For this, the Mail tab is now divided into a number of different views.

  • Messages: shows individual mail messages that were analyzed, whether because of attachments or URLs that they contain.

  • Unique attachments: shows unique analyzed files that have been found attached to emails

  • All attachments: shows all instances of analyzed files attached to emails

  • Unique URLs: shows unique analyzed URLs that have been found attached to emails

  • All URLs: shows all instances of analyzed URLs attached to emails

Mail URL information will be available in the portal only after upgrading sensors to the version made available in this release.

Improved syslog, HTTP and email notifications for suspicious emails

Notifications sent when a suspicious or malicious email is detected have been extended in two significant ways.

  • Notifications for URLs found in emails: In addition to notifying for suspicious attachments, we can now notify also for suspicious URLs found in an email. Note however that existing notification configurations are not being modified. Users who want to add this type of notification to existing configurations will need to edit the notification configuration for their syslog, HTTP or email notifications to enable the new "Malicious Mail URLs" trigger type.

  • Notifications for suspicious attachments now include a link to a page on the portal providing information about the specific email that raised the alert.

Notification format updated for Syslog, HTTP and email notifications

With this release, the Syslog notification format is updated to 7.5. Details about the contents of our Syslog notifications in CEF and LEEF formats can be found in the updated integration guide.

Likewise, the generic HTTP notification format is updated to 7.5. Details about the contents of our HTTP notifications can be found in the updated integration guide.

Changes in version 7.5 include:

  • Add new email-url notification type, for URLs detected in analyzed emails.

  • Add EventDetailLink/event_detail_link field for email-attachment notification type, providing link to the details of this specific email in the Lastline Portal.

  • Improve the format of notifications for audit events. All notifications for audit events are now of type audit-event. The specific type of action is now contained in a new "audit action type" field.

Display TLS exchanges in captured traffic

When viewing the details of a traffic capture of TLS traffic (such as HTTPS), the portal now displays parsed out information about the TLS exchange, such as the TLS protocol version and the certificate used. This UI feature complements our ability to detect malware that uses the HTTPS protocol based on characteristics of the certificates used in malicious network infrastructure.

Streaming notification API

This release introduces a new way to receive a stream of notifications from a Lastline installation. Users can now create a streaming notification configuration. As a result, they will receive a URL that they can visit to obtain a stream of notifications in JSON format identical to the messages sent out in Lastline's generic HTTP notifications.

Usage of this API is described in the integration guide, and a sample client for consuming the notification stream is available as part of the sample PAPI client distribution in file scripts/streaming_api_client.py.

Support for including PCAPs in Syslog and HTTP notifications

Lastline notifications for detected network events have been extended to support including the raw traffic captured on the network (PCAPs) as part of the notification message. This functionality is available for notifications in the following formats:

  • Syslog notification in SIEM LEEF format (but not in CEF format)
  • Generic HTTP notification
  • Streaming API notification

In all three cases, the traffic captures are included in PCAP format, and are truncated to a maximum length (currently 8k) and then base64-encoded before being included in the notification. In addition to the raw pcap body, metadata about the traffic is also included. Each notification message will include information about a single traffic capture. If multiple traffic captures are included in a network event, multiple notifications will be sent.

The inclusion of PCAPs in notification messages is controlled by a new option in the notification configuration, which is disabled by default. Therefore, existing notification configurations are unaffected by this change, and users will need to explicitly enable this option to make use of it for their existing notification configurations. Because a new notification message is sent for each PCAP, enabling this option may lead to a significant increase in the number of notifications that are sent out.

Improvements to SAML2 Single-Sign-On support

Lastline Entprise's support for Single Sign On based on the SAML 2.0 protocol has been improved for increased compatibility with different "Identity Provider" implementations, including Microsoft ADFS 3.0.

  • Allow a wider variety of authentication methods to be used by the Identity Provider. In previous versions, this was limited to "PasswordProtectedSupport".

  • Support issuer that is not a full URL.

  • Appliance to serve its SAML Service Provider metadata.

The integration guide describing how to configure SAML-based Single-Sign-On has been updated to reflect these changes.

Lastline Knowledge Base access from portal

The intelligence search interface opens up the access to the Lastline Knowledge Base (LLKB) — a massive repository of malware behaviors. LLKB enables security professionals to quickly dig deep into historical breaches, related domains or IP addresses, associated indicators of compromise (IOCs) as well as strings and other artifacts generated in memory for forensics. LLKB can be used by Incident Response (IR) and Security Operations Center (SOC) teams to drastically improve escalation accuracy, rapid containment, effective countermeasures and future protections.

For a given search, the system provides:

  • Analytical results split into multiple facets for a better threat assesment (e.g. Lastline classification, Anti-virus labels, threat vector type, visibility across market sectors).

  • Pointers to related analysis reports offering a rich set of details, allowing the user to proceed with a deeper analysis.

The system can be accessed from the dedicated intelligence tab and navigation is also supported from the analysis reports by simply clicking the intelligence icons attached to the report elements. Usage of the system is described in the Portal Guide. Note that users will gain access to the public reports analyzed in the Lastline cloud, as well as analysis reports for samples shared by the user and uploaded to the Lastline backend.

Improved analysis via Intel VT-x hypervisor support

The analysis engine now makes use of more features provided the Intel VT-x hypervisor technology. The system leverages a hybrid model, combining the performance of virtualization with deep analysis capabilities provided by Full-System Emulation, to allow even more advanced and flexible detections.

Support for the Intel VT-x technology is a requirement for upgrading appliances that are running the Lastline analysis sandbox, such as

  • Lastline Engine, and
  • Lastline All-in-one (pinbox)

appliances. Intel VT-x is available on all systems that meet the Lastline hardware requirements. Appliances running on an unsupported platform will not be able to upgrade to this release.

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • add_submission_to_history

Furthermore, the following deprecated methods of the legacy API are being removed in this version:

  • query_account_details
  • query_accounts
  • delete_account
  • update_account
  • query_event_labels
  • query_incident_labels
  • query_incident_label_description

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On Premise:

  • Lastline Manager version 706
  • Lastline Engine version 706
  • Lastline Sensor version 707.2
  • Lastline All-in-one (pinbox) version 706
7.4 7.5.1