Lastline Defender and Analyst Hosted Release Notes

Version 6.9

New features

  • Lastline Knowledge Base
  • Analysis report timeline
  • Additional network and analysis graphs
  • Metric graphs improvements

Lastline Knowledge Base

The intelligence search interface opens up the access to the Lastline Knowledge Base (LLKB) — a massive repository of malware behaviors enabling security professionals to quickly dig deep into historical breaches, related domains or IP addresses, associated indicators of compromise (IOCs) as well as strings and other artifacts generated in memory for forensics. LLKB can be used by Incident Response (IR) and Security Operations Center (SOC) teams to drastically improve escalation accuracy, rapid containment, effective countermeasures and future protections.

For a given search, the system provides analytical results to help the user understand the severity and the prevalence of the associated threats. To help in the decision making, the results are presented along multiple facets, e.g. Lastline classification, anti-virus classification, vector type, and visibility across market sectors. To support reaction, the system provides quick access to attributes shared across related threats, such as contacted IPs or domains. To proceed with a deeper analysis, the system also provides pointers to related analysis reports offering a rich set of details.

The system can be accessed from the dedicated intelligence tab and navigation is also supported from the analysis reports by simply clicking the intelligence icons attached to the report elements.

Analysis report timeline

Analysis reports for Windows executables as well as Office documents can now be displayed in different formats. In addition to the already existing report format, which displays high level operations performed during analysis grouped by the analysis subject (process) that performed them, a timeline view is now available.

The timeline shows the actions performed by individual threads under analysis, in the order they were performed. The view can be filtered by zooming in using the view finder below the graph, or by selecting specific classes of actions to display (such as File, Registry or Process actions).

Additional network and analysis graphs

This version adds additional metric graphs to the Network metrics and Analysis metrics pages.

New network metrics graphs:

  • Monitored traffic by application layer protocol
  • Monitored traffic by transport layer protocol

New analysis metric graphs:

  • Overall analysis load
  • Task completion by Engine

Metric graphs improvements

This version makes some improvements and fixes some minor display issues in the metric graphs that were introduced in version 6.8:

  • When no data is returned for a graph, provide a message listing which appliance types and configurations should have data for that graph.
  • Fix incorrect x-axis range.
  • Fix stacked area chart display when data is missing.