Version 7.11
New features
- Provide information on blocked email content in API, UI and notifications
- New account permissions UI and APIs
- Support for MPLS-encapsulated traffic
- Preserve time range selection across views
- Additional appliance metrics for system load
- Extraction of links from PDF artifacts
- Email analysis improvements
- Bug fixes and improvements
Provide information on blocked email content in API, UI and notifications
When deployed in inline MTA mode, Lastline Sensors can be configured to block malicious email content, or to insert warnings about its contents into such emails. With this version, we provide information on which action was taken on each mail, attachment and URL in the API, the UI and notifications. Specifically:
- The Lastline API methods for accessing mail detection information have been extended to return the additional fields "mail_action" and "message_action". Furthermore, they now provide a "blocked" filter. Refer to the updated API documentation for details.
- The Lastline Portal's mail tab has been extended to display the above information and to support the "blocked" filter, for example to view all malicious attachments that have or have not been blocked by Lastline.
- Notifications sent out about malicious mail attachments or URLs over email, syslog, HTTP POST and the streaming API have been extended to include this new information. For this, the notification format version is updated to 7.6. In the syslog CEF and LEEF formats, the "act" field is now used to convey which action was taken on the mail. For details, refer to the updated integration guides for the syslog, HTTP POST and Streaming API integrations.
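As an added example (not Lastline's own code, and not a reproduction of its notification format), the following Python consumes CEF-formatted syslog lines of the kind described above and tallies them by the "act" extension field, so a SOC can see at a glance how many notified mails were acted on and how. The sample lines, the vendor and product names, and the "act" values "blocked" and "warned" are constructed placeholders; the actual values the Sensor emits are documented in the syslog integration guide.

```python
import re
from collections import Counter

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|
# Signature ID|Name|Severity|Extension
CEF_HEADER_KEYS = ("version", "vendor", "product", "device_version",
                   "signature_id", "name", "severity")
# A pipe inside a header field is escaped as "\|"; split only on unescaped ones.
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension keys are word characters directly followed by "=" and preceded by
# whitespace or the start of the extension. An escaped "\=" inside a value does
# not match because the backslash is not a word character.
_EXT_KEY = re.compile(r"(?:^|\s)(\w+)=")


def split_cef(line):
    """Split a syslog line carrying a CEF payload into (header dict, extension).

    Anything before "CEF:" (syslog priority, timestamp, host) is ignored.
    Raises ValueError for lines without a well-formed CEF header."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _UNESCAPED_PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_KEYS,
                      (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7]


def parse_extension(extension):
    """Parse the CEF extension ("key=value key2=value2 ...") into a dict.

    Values may contain spaces, so each value runs up to the next key token.
    The CEF escapes for "=" and backslash inside values are undone."""
    result = {}
    keys = list(_EXT_KEY.finditer(extension))
    for idx, match in enumerate(keys):
        start = match.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(extension)
        value = extension[start:end].replace("\\=", "=").replace("\\\\", "\\")
        result[match.group(1)] = value
    return result


def summarize_actions(lines):
    """Count notifications by their `act` field.

    Lines without an `act` field are counted as "unknown" and lines that are
    not CEF at all as "unparsable", so a format change shows up in the counts
    instead of being silently dropped."""
    counts = Counter()
    for line in lines:
        try:
            _header, extension = split_cef(line)
        except ValueError:
            counts["unparsable"] += 1
            continue
        counts[parse_extension(extension).get("act", "unknown")] += 1
    return counts


# Constructed sample notifications. Vendor, product and the `act` values are
# placeholders for this example, not the Sensor's real output.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 sensor1 CEF:0|ExampleVendor|ExampleMailSensor|7.11|"
    "mail_attachment|Malicious attachment|9|act=blocked suser=alice@example.test "
    "fname=invoice.pdf",
    "<134>Jan 10 12:00:05 sensor1 CEF:0|ExampleVendor|ExampleMailSensor|7.11|"
    "mail_url|Malicious URL|7|act=warned suser=bob@example.test "
    "request=http://example.test/path",
    "<134>Jan 10 12:00:09 sensor1 CEF:0|ExampleVendor|ExampleMailSensor|7.11|"
    "mail_attachment|Malicious attachment|9|act=blocked suser=carol@example.test "
    "fname=a\\=b.docx",
    "<134>Jan 10 12:00:12 sensor1 CEF:0|ExampleVendor|ExampleMailSensor|7.11|"
    "mail_url|Malicious URL|6|suser=dave@example.test request=http://example.test/x",
    "<134>Jan 10 12:00:15 sensor1 not a cef line",
]

if __name__ == "__main__":
    for action, count in sorted(summarize_actions(SAMPLE_LINES).items()):
        print(f"{action}: {count}")
```

Counting the absent field separately matters in practice: after the notification format version changes to 7.6, any consumer still receiving lines without "act" is either talking to an older Sensor or parsing the wrong field, and a growing "unknown" bucket makes that visible.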
New account permissions UI and APIs
The interface for managing permissions of accounts on the Lastline portal has been completely redesigned. Management of permissions in the portal is accessed by selecting the "edit" option on an account in the accounts management page.
The new interface provides more information on what permissions do and should make it easier for administrators to manage user permissions.
This release also introduces two new permissions that provide finer-grained control of appliance-related functionality.
- can view appliances: Ability to view information about appliances
- can manage appliances: Ability to perform all actions needed to manage an appliance
Support for MPLS-encapsulated traffic
The Sensor now supports processing of MPLS-encapsulated traffic, in addition to the existing VLAN encapsulation support. Only one of the two encapsulation technologies can be active at any given time. Regardless of which encapsulation type is active, the Sensor processes unencapsulated IP traffic at all times.
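To make the behaviour described above concrete, here is an added Python example (not Lastline's implementation) of a decapsulation step that is configured for exactly one encapsulation type, strips 802.1Q VLAN tags or an MPLS label stack to reach the IP packet, and always passes plain IP frames through regardless of the configured mode. The mode names "vlan" and "mpls", the frame builder and the IPv4 header stub are constructed for this example.

```python
import struct

ETH_P_IP = 0x0800       # IPv4
ETH_P_IPV6 = 0x86DD     # IPv6
ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
ETH_P_MPLS_UC = 0x8847  # MPLS unicast
ETH_HDR_LEN = 14


def decapsulate(frame, mode):
    """Return (ip_packet, layers) for a raw Ethernet frame.

    mode is "vlan" or "mpls": the single encapsulation type that is active.
    Plain IP frames are returned in either mode; frames carrying the inactive
    encapsulation (or anything else) yield ip_packet=None. `layers` records
    every header that was stripped, for logging."""
    layers = []
    if len(frame) < ETH_HDR_LEN:
        return None, ["truncated"]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = ETH_HDR_LEN

    # 802.1Q: a 4-byte tag (TCI + inner ethertype); tags may be stacked (QinQ).
    while ethertype == ETH_P_8021Q:
        if mode != "vlan":
            return None, layers + ["vlan (inactive encapsulation)"]
        if len(frame) < offset + 4:
            return None, layers + ["truncated"]
        tci, ethertype = struct.unpack("!HH", frame[offset:offset + 4])
        layers.append("vlan %d" % (tci & 0x0FFF))  # low 12 bits are the VLAN ID
        offset += 4

    # MPLS: 4-byte label entries until the bottom-of-stack (S) bit is set.
    if ethertype == ETH_P_MPLS_UC:
        if mode != "mpls":
            return None, layers + ["mpls (inactive encapsulation)"]
        while True:
            if len(frame) < offset + 4:
                return None, layers + ["truncated"]
            (entry,) = struct.unpack("!I", frame[offset:offset + 4])
            layers.append("mpls %d" % (entry >> 12))  # top 20 bits: label
            offset += 4
            if (entry >> 8) & 1:  # S bit set: last label, payload follows
                break
        # MPLS carries no ethertype, so infer the IP version from the first nibble.
        if len(frame) <= offset:
            return None, layers + ["truncated"]
        ethertype = {4: ETH_P_IP, 6: ETH_P_IPV6}.get(frame[offset] >> 4)
        if ethertype is None:
            return None, layers + ["non-ip mpls payload"]

    if ethertype in (ETH_P_IP, ETH_P_IPV6):
        return frame[offset:], layers
    return None, layers + ["ethertype 0x%04x" % ethertype]


# --- constructed test frames -------------------------------------------------
# 20-byte IPv4 header stub (version 4, IHL 5); not a real, checksummed packet.
IPV4_STUB = bytes.fromhex("4500001400010000400100000a0000010a000002")
MACS = bytes(12)  # zeroed destination and source MACs


def build_frame(encap, ip_packet):
    """Wrap ip_packet in an Ethernet frame with no, VLAN or MPLS encapsulation."""
    if encap == "none":
        return MACS + struct.pack("!H", ETH_P_IP) + ip_packet
    if encap == "vlan":
        return MACS + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + ip_packet
    if encap == "mpls":
        entry = (16000 << 12) | (1 << 8) | 64  # label 16000, S=1, TTL 64
        return MACS + struct.pack("!HI", ETH_P_MPLS_UC, entry) + ip_packet
    raise ValueError("unknown encapsulation %r" % encap)


if __name__ == "__main__":
    for encap in ("none", "vlan", "mpls"):
        for mode in ("vlan", "mpls"):
            packet, layers = decapsulate(build_frame(encap, IPV4_STUB), mode)
            status = "processed" if packet is not None else "skipped"
            print(f"{encap:>4} frame, {mode} mode: {status} {layers}")
```

The operational consequence is the one the release note states: with the Sensor in one mode, traffic arriving in the other encapsulation is not inspected, so a monitoring point that carries both VLAN-tagged and MPLS-labelled traffic needs the mismatched share accounted for when judging coverage.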
Preserve time range selection across views
The portal has been improved to preserve time range selection across views. This means that the relative or absolute time range selected when viewing one page will be preserved when navigating throughout the portal.
Additional appliance metrics for system load
This release adds a new metrics page that displays metrics about system load, and in particular IO load metrics such as IO utilization and disk read and write speeds. The new load metrics page is accessible under the metrics dropdown of the Appliances tab.
Extraction of links from PDF artifacts
Links included in PDF artifacts submitted for analysis are now extracted, included in the generated analysis report, and displayed in the analysis report UI. Please refer to the Analyst API documentation for more details.
Email analysis improvements
- Improve performance and robustness of email parsing
- Support saving the email trace log in JSON format on the Sensor disk
- Support logging all attachments and URLs in the Sensor logs
- Support configuration of hostname used in SMTP communication
Bug fixes and improvements
- Improved document macro analysis
- When the IDS component on the Sensor fails to parse a customer-provided rule, the web UI now indicates the exact reason in the monitoring logs
- Robustness improvements when logging URLs and processing signature hits on the Sensor
- Better support for accelerated packet capture on machines with a lot of memory
- Changes to account permissions are now included in the audit log
Deprecation of API methods
The following deprecated methods of the legacy API are being removed in this version:
- set_account_permission
- query_account_permissions
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 708