Lastline Defender and Analyst Hosted Release Notes

Version 6.10

New features

  • Notifications for appliance status
  • Improved Flash analysis
  • Document structure display
  • Notification extensions
  • Whitelist support in downloads view
  • IDS and email analysis improvements

Notifications for appliance status

Users can now configure their Lastline installation to deliver notifications of appliance status by email, syslog/SIEM or generic HTTP POST. For this, the existing email notification, syslog/SIEM integration and generic HTTP integrations have been extended to support new notification types. Depending on configuration, users may receive notifications:

  • Whenever an information message, warning or error is logged, as displayed in the appliance monitoring logs
  • Whenever an appliance's status is reporting a warning or error
  • Whenever an appliance checks in, or fails to check in and is therefore considered to have gone offline
  • Whenever a configuration action on an appliance fails, as displayed in the appliance action logs

This allows users to receive a notification in any situation where the Lastline Portal reports a warning or error for an appliance.

Note that existing notification configurations will not be automatically modified to enable appliance status notifications. Users with existing notification configuration will need to extend them by adding the new triggers for appliance status notifications to the existing configurations.

Improved Flash analysis

We now support sending Flash files for in-depth analysis in our analysis engine via both the UI and the analysis API. The results of the analysis include dynamic properties, such as the call graph obtained by running the sample and the strings found during the analysis, as well as structural, static properties such as the file's tags.

Document structure display

The UI for displaying document analysis results now includes a "Structure" tab that displays structural properties of a file, such as its data streams, macros and its textual content.

Notification extensions

Syslog/SIEM notifications have been extended to include additional information about the file involved in a suspicious file download or mail attachment detection:

  • The specific file type (magic string) and higher-level category (e.g. Executable, Document, etc., as displayed in the Lastline Portal)
  • SHA1 hash (in addition to MD5)

Furthermore, email notifications for suspicious mail attachments have been extended with additional information:

  • email message identifier
  • email message subject
  • email message send time

Finally, syslog/SIEM notifications have been extended to include an impact field (0-100) as displayed in the Lastline Portal.

In addition, two issues affecting the subject line of email notifications have been fixed:

  • excessively long sender or receiver fields are now truncated
  • the subject is now correctly encoded when it contains non-ASCII characters

Whitelist support in downloads view

The downloads tab of the Lastline Portal now takes into account a user's whitelist settings for ignoring hosts within the monitored network that are not of interest. This whitelist behavior is consistent with the existing whitelist functionality in the Console and Events tabs, and can be configured in "display settings".

IDS and email analysis improvements

  • Robustness fixes for file processing

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • query_download_stats

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances:

  • Lastline Sensor version 610.2