Version 7.6
New features
- Notifications for audit events
- Improved notification configuration UI
- Improved account management page
- Include account actions in audit log
- Email analysis improvements
- URL analysis report improvements
- Sensor installation/registration improvements
- Bug fixes and improvements
Notifications for audit events
Our syslog (SIEM) notifications, generic HTTP notifications and email notifications now also support notification of audit events.
Actions performed by a user on the portal, such as configuring an appliance or adding a user, will now also result in a notification being sent, if configured. Note that existing notification configurations are not automatically updated to include this new type of message, so customers with existing notification configurations will have to enable audit event triggers in those configurations to start receiving these messages.
The syslog notification format version that includes these new messages is version 7.3. The formats of audit event syslog and HTTP messages are described in the integration guides available on the manuals page.
Improved notification configuration UI
The user interface for configuring notification integrations has been improved to better support the increased complexity of this functionality. The different types of triggers that can lead to notifications are now displayed in separate tables, and can now be enabled or disabled in bulk:
- network triggers (for detections in network traffic)
- mail triggers (for detections in mail messages)
- appliance triggers (for appliance status)
- audit triggers (for audit events)
The portal guide has also been updated to describe the new configuration UI.
Improved account management page
The [account management page](/settings#/account/) has been improved.
- Added functionality to block or unblock an account. Blocking an account is now the recommended way of disabling an end user's access to the system.
- Certain sensitive operations on accounts, such as changing the password or email address of an account, now require the user to provide their password again for verification.
- Fixed a bug that prevented adding some permissions again after they had been removed.
Include account actions in audit log
Audit log now includes additional events related to account management:
- account created
- account deleted
- account blocked
- account unblocked
- account edited
- account password changed
- account email changed
- password reset was requested
- password reset was performed
Email analysis improvements
General improvements:
- Improved logging for tracing emails as they are analyzed by the Sensor (the MD5 for all attachments is now logged)
- When brute-forcing encrypted archives, also try password "infected" and passwords from a user-defined list
- More relaxed MIME header parsing, so that some malformed emails are still analyzed
MTA in-line mode improvements:
- Support for customizable warning/block messages in the email body
- An X-Lastline header is added to all emails analyzed by a Sensor
- Ability to silently drop malicious emails
- The Received header now records whether an email was received over SSL/TLS
- Support client-side SSL/TLS certificates for SMTP
- Retry delivering an email when the SMTP next hop returns a 4XX error in response to the RCPT TO or MAIL FROM command
- In case of a non-permanent error delivering an email to the next hop, the default time interval during which redelivery of the email is attempted is now increased to 2 hrs (and to 15 minutes for already installed Sensors)
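The last two items describe the retry behaviour of the in-line MTA towards the next hop. The following is an added example, not Lastline code: it classifies the next hop's reply to MAIL FROM and RCPT TO as success (2xx), temporary failure (4xx) or permanent failure (5xx), and keeps retrying temporary failures only within a retry window (2 hours and 15 minutes, the defaults stated above). The SMTP reply lines are constructed samples and the function names are assumptions of this example.

```python
# Added example (not Lastline code): next-hop reply classification and a
# bounded retry window for an in-line MTA relay. Reply lines are constructed
# samples; window sizes are the defaults quoted in the release notes.
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

DEFAULT_RETRY_WINDOW = timedelta(hours=2)             # default for new installs
UPGRADED_SENSOR_RETRY_WINDOW = timedelta(minutes=15)  # already installed Sensors

# An SMTP reply is a 3-digit code, a space (final line) or '-' (continuation), then text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def classify_reply(line: str) -> str:
    """Return 'ok' for 2xx, 'temporary' for 4xx and 'permanent' for 5xx.

    RFC 5321 defines 4xx as a transient negative completion (the client may
    retry later) and 5xx as a permanent negative completion (do not retry).
    """
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    code = int(m.group(1))
    if 200 <= code < 300:
        return "ok"
    if 400 <= code < 500:
        return "temporary"
    if 500 <= code < 600:
        return "permanent"
    raise ValueError(f"unexpected SMTP reply code {code}")


@dataclass
class DeliveryState:
    first_attempt: datetime
    window: timedelta
    attempts: int = 0
    status: str = "queued"  # queued | delivered | bounced


def attempt_delivery(state: DeliveryState, now: datetime, replies: dict) -> str:
    """One delivery attempt. `replies` maps 'MAIL FROM' and 'RCPT TO' to the
    reply line the next hop returned. Returns the new queue status."""
    state.attempts += 1
    for command in ("MAIL FROM", "RCPT TO"):
        outcome = classify_reply(replies[command])
        if outcome == "ok":
            continue
        if outcome == "permanent":
            state.status = "bounced"  # 5xx: give up immediately
            return state.status
        # 4xx: retry later, but only while still inside the retry window
        if now - state.first_attempt < state.window:
            state.status = "queued"
        else:
            state.status = "bounced"  # window exhausted: bounce
        return state.status
    state.status = "delivered"
    return state.status


def simulate(reply_sequence, window: timedelta,
             interval: timedelta = timedelta(minutes=10)):
    """Replay one set of next-hop replies per attempt, `interval` apart.
    Returns (final_status, number_of_attempts)."""
    start = datetime(2024, 1, 1, 0, 0, 0)  # constructed clock origin
    state = DeliveryState(first_attempt=start, window=window)
    now = start
    for replies in reply_sequence:
        if attempt_delivery(state, now, replies) != "queued":
            break
        now += interval
    return state.status, state.attempts


if __name__ == "__main__":
    ok = {"MAIL FROM": "250 2.1.0 Ok", "RCPT TO": "250 2.1.5 Ok"}
    greylisted = {"MAIL FROM": "250 2.1.0 Ok",
                  "RCPT TO": "451 4.7.1 Greylisted, please try again later"}
    print(simulate([greylisted, ok], DEFAULT_RETRY_WINDOW))           # ('delivered', 2)
    print(simulate([greylisted] * 20, UPGRADED_SENSOR_RETRY_WINDOW))  # ('bounced', 3)
```

With a 10-minute retry interval, a next hop that keeps greylisting is bounced on the third attempt under the 15-minute window and on the thirteenth under the 2-hour one, while a 5xx reply bounces the message on the first attempt without consuming the window.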
URL analysis report improvements
- Improved the detection of malicious code
- Improved the display of interesting scripts
- Improved the identification of malicious URLs among the list of those that were visited
Sensor installation/registration improvements
- Completely rewritten lastline_test_appliance, improving the number and effectiveness of the health checks performed on a Sensor
- Stricter NTP requirements: an NTP server needs to be reachable to complete installation, whether it is update.lastline.com or a user-provided one
- Allow blank gateway and DNS server setting in lastline_setup
Bug fixes and improvements
- Improved packet capture performance on 10G Sensor appliances
- Improved file classification accuracy and performance for text files as well as prefix-obfuscated MIME archives and MS Word documents
- Improved document analysis and filtering to increase analysis throughput for benign documents
- Additional table sorting options in file downloads, mail attachments and network event tables
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 704
Deprecation of API methods
The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:
- query_account_details
- query_accounts
- delete_account
- update_account
Furthermore, the following deprecated methods of the legacy API are being removed in this version:
- query_default_key
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.