Lastline Defender and Analyst Hosted Release Notes

Version 7.10

New features

  • Streaming notification API
  • Support for including PCAPs in Syslog and HTTP notifications
  • Bug fixes and improvements

Streaming notification API

This release introduces a new way to receive a stream of notifications from a Lastline installation. Users can now create a streaming notification configuration. As a result, they will receive a URL that they can visit to obtain a stream of notifications in JSON format identical to the messages sent out in Lastline's generic HTTP notifications.

Usage of this API is described in the integration guide, and a sample client for consuming the notification stream is available as part of the sample PAPI client distribution in file scripts/streaming_api_client.py.

Support for including PCAPs in Syslog and HTTP notifications

Lastline notifications for detected network events have been extended to support including the raw traffic captured on the network (PCAPs) as part of the notification message. This functionality is available for notifications in the following formats:

  • Syslog notification in SIEM LEEF format (but not in CEF format)
  • Generic HTTP notification
  • Streaming API notification

In all three cases, the traffic captures are included in PCAP format, and are truncated to a maximum length (currently 8k) and then base64-encoded before being included in the notification. In addition to the raw pcap body, metadata about the traffic is also included. Each notification message will include information about a single traffic capture. If multiple traffic captures are included in a network event, multiple notifications will be sent.

The inclusion of PCAPs in notification messages is controlled by a new option in the notification configuration, which is disabled by default. Therefore, existing notification configurations are unaffected by this change, and users will need to explicitly enable this option to make use of it for their existing notification configurations. Because a new notification message is sent for each PCAP, enabling this option may lead to a significant increase in the number of notifications that are sent out.

Bug fixes and improvements

  • Robustness improvements when configuring the Sensor into inline mode.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 707
7.9 7.11