Version 7.16
New features
- Capture and analyze web content on the wire
- File downloads log in Portal
- Network events map
- New Sensor registration
- Support for sending syslog notifications over TCP
- Display parsed network traffic in analysis reports
- Broader hardware support for the inline Sensor
- Configurable blocking interval for inline Sensor
- Support SHA256 in submissions and queries to Analyst API
- Beta Release: Analysis on Microsoft Windows 10
- Email Analysis improvements
- Support for installing a Sensor without sniffing interfaces
Capture and analyze web content on the wire
The Lastline Sensor is now able to capture web content transiting the protected network and submit it for in-depth analysis. This functionality is currently off by default on Sensors and can be enabled by toggling the "Enable on-the-wire webpage inspection" setting in the appliance configuration. We will enable the feature by default in a future release.
Information on analyzed web content is available in the URLs view of the Portal. If this analysis detects suspicious content, a network event is generated. These network events also trigger notifications if notifications are configured for the network trigger type "Suspicious URL". The notification format for syslog, Streaming and Generic HTTP notifications has been extended to include this new detection type, and the integration guides for these notification formats have been updated to document the new message type. With this release, the notification format version is increased to 7.10.
File downloads log in Portal
The Lastline Portal now includes information on all files of supported file types extracted from traffic in the protected network. This information is available in the new Downloads/Logs view.
As in previous versions, only files that were submitted for in-depth analysis to the Lastline API are included in the Downloads/All view of the Lastline Portal.
Network events map
The network events view of the Lastline Portal now includes a world map with the geolocated positions of potentially malicious servers involved in the loaded events.
Dots on this map are colored according to the maximum impact of the events at that location, and scaled by the number of hosts involved in events at that location. Clicking a dot shows further details and filters the events shown on the map and in the network events table below.
New Sensor registration
With Sensor version 713, the way Sensor appliances are registered with our backend is being improved. This will prevent Sensors from being misconfigured to use incorrect Sensor licenses or Sensor licenses that are already in use. The Sensor installation manual has been updated to reflect this change.
When re-installing or replacing a Sensor, end users will now need to first deregister the old Sensor so the Sensor license is available for re-use in the new installation. For this, an option to deregister a Sensor is now available in the appliance status page of a registered Sensor.
Support for sending syslog notifications over TCP
When creating a syslog (SIEM) notification configuration, users can now select TCP or UDP as the transport protocol.
Display parsed network traffic in analysis reports
The network traffic captured during the analysis of an artifact is now displayed in parsed and browsable form when viewing the analysis report in the Lastline Portal.
Broader hardware support for the inline Sensor
The Sensor no longer requires NIC hardware with accelerated packet capture support in order to be deployed in inline mode, which simplifies, for example, VM-based inline deployments.
Configurable blocking interval for inline Sensor
The appliance configuration UI for inline Sensors now supports configuring how long a block lasts. This is controlled by the "block interval" setting, which is only available for Sensors in "inline deployment".
Support SHA256 in submissions and queries to Analyst API
The Lastline Analyst API now supports using the SHA256 hash of a file when submitting files for analysis or querying for existing analysis results. Furthermore, functions returning submission metadata will include the SHA256 of the submitted file (if this information is available).
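As an added illustration (not Lastline's own client code) of a hash-first workflow against the Analyst API: hash the file locally, query by SHA256 before uploading anything, and cross-check the SHA256 reported in the returned submission metadata against the local digest. The hostname, endpoint path and parameter/field names below are assumptions; take the real ones from the Analyst API documentation.

```python
import hashlib
import json
from urllib import parse, request

# Assumption: hostname, endpoint path and parameter/field names are placeholders
# modelled on a hash-based analysis API, not the documented Analyst API values.
BASE_URL = "https://lastline-manager.example"
QUERY_PATH = "/analysis/query/file_hash"  # placeholder endpoint name

def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash in chunks so large samples are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def is_sha256_hex(value):
    """A SHA256 digest is exactly 64 hex characters; MD5/SHA1 lengths are rejected."""
    return len(value) == 64 and all(c in "0123456789abcdefABCDEF" for c in value)

def build_hash_query(sha256_hex, key, api_token):
    """Request parameters for a query by SHA256; no file upload is needed."""
    if not is_sha256_hex(sha256_hex):
        raise ValueError("expected a 64-character SHA256 hex digest")
    return {"key": key, "api_token": api_token, "sha256": sha256_hex.lower()}

def metadata_matches(submission_metadata, expected_sha256):
    """Compare the SHA256 reported by the backend with the local digest.
    Returns None when the backend did not report one (the field is optional)."""
    reported = submission_metadata.get("sha256")
    if reported is None:
        return None
    return reported.lower() == expected_sha256.lower()

def query_by_hash(params, opener=request.urlopen):
    """Perform the hash query; `opener` is injectable so it can be stubbed offline."""
    url = BASE_URL + QUERY_PATH + "?" + parse.urlencode(params)
    with opener(url, timeout=30) as resp:
        return json.load(resp)
```

Querying by hash first avoids uploading a file the backend has already analyzed, and the metadata check confirms that the result belongs to the artifact you hashed locally.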
Beta Release: Analysis on Microsoft Windows 10
With this release, Lastline has begun the beta deployment of analysis on Microsoft Windows 10. This means that some artifacts will have Windows 10 reports in addition to the reports generated on Windows XP and Windows 7. Submission of artifacts for analysis on Windows 10 is currently limited; we will expand that capability and open it to additional users over the next few months.
Email Analysis improvements
The logging of the email analysis component on the sensor has been improved. In particular:
- Log to the on-sensor email log (and optionally to syslog) when an incoming email via SMTP is rejected.
- Log to the on-sensor email log (and optionally to syslog) when an email is forwarded without analysis because of loss of connectivity between the sensor and the manager/backend.
Support for installing a Sensor without sniffing interfaces
It is now possible to install a Sensor without sniffing interfaces, or to select no sniffing interfaces while running lastline_register. In that case, the Sensor can be used for dedicated email analysis.
Bug fixes and improvements
- Fix a bug that could lead to some email notifications not being sent if the customer configured a whitelisted IP while leaving the host name field empty.
- The timestamp of syslog messages now correctly follows the timezone selected in the notification configuration, instead of always being UTC.
- The downloads page now includes the overall release numbers (such as Hosted release 7.16) in addition to the appliance version numbers.
- Fix a visual glitch that would sometimes affect our line and bar graphs.
- Fix a visual glitch in the analysis subjects overview graph.
- Fix a UI performance issue when using the malware filter.
- Fix a logic problem on the Sensor that led to a broken sniffer configuration when operating on appliances with at least 48 cores.
- Fix the monitoring metric "Mail analysis pending", which would always show 0.
Deprecation of API methods
The following deprecated methods of the legacy API are being removed in this version:
- list_threat_classes
- list_threats
- query_entry_info
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 713