Lastline Defender and Analyst Hosted Release Notes

Version 7.18

New features

  • Multiple built-in dashboards
  • Support for multiple pairs of interfaces in the inline Sensor
  • Email analysis improvements and bugfixes

Multiple built-in dashboards

The dashboard view, which gives Lastline Enterprise customers an overview of their network, has been extended to provide multiple built-in dashboards, each focusing on a different aspect and accessible from a dropdown menu.

  • The overview dashboard is the default view in this tab and is similar to the dashboard displayed in previous versions.

  • The network dashboard focuses on network events, infections and the network traffic processed.

  • The mail dashboard focuses on mail processing and detection.

  • The files dashboard focuses on analyzed files, whether they were captured on the network or found in mail attachments.

Support for multiple pairs of interfaces in the inline Sensor

The Sensor now supports inline deployment using multiple pairs of interfaces. To configure this, use the inline_interfaces option of lastline_setup and specify a comma-separated list of dash-paired interface names, e.g. "eth2-eth3, eth4-eth5". The old syntax ("eth2, eth3") continues to work when a single interface pair is used.
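Because an inline Sensor sits in the forwarding path, a malformed interface list is something you want to catch before the setup tool applies it. The following Python validator is an added example, not Lastline code: it accepts both the dash-paired syntax and the legacy single-pair syntax described above and rejects ambiguous input (a legacy list with more or fewer than two interfaces, mixed syntaxes, an interface used in two pairs, or a malformed pair). The interface-name pattern is an assumption chosen so that "-" is free to act as the pair delimiter.

```python
import re

# Assumed interface-name shape (eth2, ens1f0, bond0.100, eth0:1). A dash is
# deliberately excluded because it is the pair delimiter in the new syntax.
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.:]*$")


def parse_inline_interfaces(value):
    """Return a list of (a, b) interface pairs from an inline_interfaces value.

    Accepts the dash-paired syntax ("eth2-eth3, eth4-eth5") and the legacy
    two-interface syntax ("eth2, eth3"). Raises ValueError on anything that
    is malformed or ambiguous rather than guessing.
    """
    items = [s.strip() for s in value.split(",") if s.strip()]
    if not items:
        raise ValueError("inline_interfaces is empty")

    dashed = [("-" in s) for s in items]
    if all(dashed):
        pairs = []
        for item in items:
            parts = item.split("-")
            if len(parts) != 2:
                raise ValueError("malformed interface pair: %r" % item)
            pairs.append((parts[0], parts[1]))
    elif not any(dashed):
        # Legacy syntax only ever described one pair: exactly two names.
        if len(items) != 2:
            raise ValueError(
                "legacy syntax takes exactly two interfaces; "
                "use dash-paired syntax for multiple pairs")
        pairs = [(items[0], items[1])]
    else:
        raise ValueError("mixed legacy and dash-paired syntax")

    seen = set()
    for a, b in pairs:
        for name in (a, b):
            if not IFACE_RE.match(name):
                raise ValueError("invalid interface name: %r" % name)
            if name in seen:
                # Also catches a pair whose two sides are the same interface.
                raise ValueError("interface %r used more than once" % name)
            seen.add(name)
    return pairs


def is_valid_inline_interfaces(value):
    """True if parse_inline_interfaces() accepts the value, else False."""
    try:
        parse_inline_interfaces(value)
    except ValueError:
        return False
    return True


def format_inline_interfaces(pairs):
    """Render pairs back into the canonical dash-paired syntax."""
    return ", ".join("%s-%s" % (a, b) for a, b in pairs)


if __name__ == "__main__":
    for sample in ("eth2-eth3, eth4-eth5", "eth2, eth3", "eth2, eth3, eth4"):
        print(sample, "->", is_valid_inline_interfaces(sample))
```

Run the validator over the intended option value before invoking lastline_setup; the canonical form returned by format_inline_interfaces() is what you would hand to the tool once the legacy syntax has been confirmed to mean a single pair.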

Email analysis improvements and bugfixes

  • In email in-line mode, if the analysis of an artifact is skipped, this is now indicated in the X-Lastline header. The new values that can be added to this header are:
    • analysis-disabled: the analysis has been explicitly disabled.
    • analysis-incomplete=backend-unreachable: the full analysis was not performed because the Lastline backend was not reachable.
    • analysis-skipped=REASON-whitelisted: the email or artifact was not analyzed because a whitelisted element matched. REASON is one of sender, recipient, subject, attachment-filename, attachment-md5 or url.
  • In email in-line mode, it is now possible to configure the sensor to start rejecting incoming emails if the nexthop rejection ratio is too high.
  • A bug in sender-whitelist matching in SMTP sniffing mode has been fixed: angle brackets are now stripped from email addresses before matching.
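Messages carrying one of these X-Lastline values were delivered without the full analysis, so a mail-side check that finds them is worth having for triage. The following Python sketch is an added example, not Lastline code: it parses the header values listed above into a status and a detail, flags the messages that bypassed analysis, and shows the angle-bracket normalization that the SMTP-sniffing whitelist fix applies before matching a sender. The sample messages are constructed, and the assumption that several values may appear comma-separated in one header is this example's, not documented behaviour.

```python
import email

# Skip reasons the release notes list for analysis-skipped=REASON-whitelisted.
SKIP_REASONS = {"sender", "recipient", "subject",
                "attachment-filename", "attachment-md5", "url"}

# Constructed sample messages for this example; not real Lastline output.
SAMPLE_MESSAGES = [
    "From: <alice@example.com>\nTo: bob@example.net\nSubject: invoice\n"
    "Message-ID: <m1@example.com>\n"
    "X-Lastline: analysis-skipped=sender-whitelisted\n\nbody\n",
    "From: carol@example.org\nTo: bob@example.net\nSubject: report\n"
    "Message-ID: <m2@example.com>\n"
    "X-Lastline: analysis-incomplete=backend-unreachable\n\nbody\n",
    "From: dave@example.org\nTo: bob@example.net\nSubject: hello\n"
    "Message-ID: <m3@example.com>\n\nbody\n",
    "From: erin@example.org\nTo: bob@example.net\nSubject: test\n"
    "Message-ID: <m4@example.com>\n"
    "X-Lastline: analysis-disabled\n\nbody\n",
]


def parse_x_lastline(value):
    """Parse one X-Lastline header value into (status, detail) tuples.

    status is 'disabled', 'incomplete', 'skipped' or 'unknown'. Comma
    separation of several values is an assumption made for this example.
    """
    findings = []
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        name, _, detail = token.partition("=")
        if name == "analysis-disabled" and not detail:
            findings.append(("disabled", None))
        elif name == "analysis-incomplete" and detail:
            findings.append(("incomplete", detail))  # e.g. backend-unreachable
        elif name == "analysis-skipped":
            # "attachment-filename-whitelisted" -> reason "attachment-filename"
            reason, _, suffix = detail.rpartition("-")
            if suffix == "whitelisted" and reason in SKIP_REASONS:
                findings.append(("skipped", reason))
            else:
                findings.append(("unknown", token))
        else:
            findings.append(("unknown", token))
    return findings


def unanalyzed_deliveries(raw_messages):
    """Return [(message_id, findings)] for messages that bypassed full analysis.

    A message without any X-Lastline skip marker is treated as analyzed.
    """
    flagged = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        findings = []
        for value in msg.get_all("X-Lastline", []):
            findings.extend(parse_x_lastline(value))
        if findings:
            flagged.append((msg["Message-ID"], findings))
    return flagged


def normalize_address(addr):
    """Strip surrounding angle brackets and whitespace, lower-case the result.

    Before the fix, "<alice@example.com>" sniffed from SMTP did not match a
    whitelist entry "alice@example.com"; normalizing both sides avoids that.
    """
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    return addr.lower()


def sender_whitelisted(sender, whitelist):
    """Match a sender against whitelist entries after normalizing both sides."""
    normalized = {normalize_address(entry) for entry in whitelist}
    return normalize_address(sender) in normalized


if __name__ == "__main__":
    for message_id, findings in unanalyzed_deliveries(SAMPLE_MESSAGES):
        print(message_id, findings)
```

In practice you would run unanalyzed_deliveries() over a mailbox export or a journaling feed and route anything flagged as incomplete or disabled for manual inspection; skipped-because-whitelisted entries are expected but still worth sampling, since a whitelist hit is a deliberate gap in coverage.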

Bug fixes and improvements

  • Also display the SHA256 hash of the analyzed file in the analysis report overview.
  • Fix an issue where the "additional artifacts" link in the analysis report did not work.
  • Fix an issue where, in some corner cases, the email notification for a detected URL could contain the un-escaped malicious URL.
  • Fix a bug in Sensor statistics collection that could break the "Concurrent flows" networking metrics plot in the web UI.
  • Increased robustness when downloading threat intelligence to the Sensor over very slow links.
  • Fix a bug in the filetype classifier that could cause some obfuscated WSF files to be skipped by the Sensor's prefilter.

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • query_license_details
  • update_license_details
  • update_sensor_details

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Furthermore, with this release we are deprecating the legacy Malscape API (/malscape). Replacement functionality is available in the analysis module of the Lastline API; analysis functionality can also be accessed directly through the Lastline Analyst API.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 715