Version 7.9
New features
- Improved display of evidence for detections in portal
- Global search tab in portal
- View detection data for all licenses in portal
- Improved mail tab showing suspicious URLs found in emails
- Improved syslog, HTTP and email notifications for suspicious emails
- Notification format updated for Syslog, HTTP and email notifications
- Display TLS exchanges in captured traffic
- Email analysis improvements
- Bug fixes and improvements
Improved display of evidence for detections in portal
All of the evidence collected by Lastline for an incident detected on a protected network is now presented together, to allow end users to immediately view this evidence and have more information to evaluate the impact of the incident.
This information is available in three places in the Lastline Portal:
- In the "Infected host" view that shows all information about a host on the network. This is in the "Evidence" section near the top of this page. Each piece of evidence will provide a link to a specific network event that includes that evidence, so the user can immediately find a concrete example of what was detected, even for hosts that have many network events. This link is found in the "Reference" column of the table.
- In the "Incident" page showing details about a single Incident. This is in the "Evidence" section near the top of this page. Each piece of evidence will provide a link to a specific network event that includes that evidence, so the user can immediately find a concrete example of what was detected, even for incidents that have many network events. This link is found in the "Reference" column of the table.
- In the Event page showing details about a single event on the network. This is in the "Event Evidence" section of this page. This replaces the "Malicious Activity" section of the interface, and presents all different types of evidence for a network event in a consistent way.
For detections performed before the release of this version, only a subset of the above information may be available.
Global search tab in portal
A new top-level "Search" tab has been added to the Lastline Portal for Lastline Enterprise hosted customers.
This new tab provides a unified way to search for specific features such as IP addresses or file hashes across all detection data for a customer's monitored networks. Specifically, search can currently be used to find:
- IP addresses
- Domain names
- File hashes (MD5)
- Lastline Analyst UUIDs
Search results are returned for these features across different types of data collected by Lastline. For instance, a file hash may be found in an HTTP file download or in a mail attachment detected by a Lastline Sensor.
The types of features that may be searched for as well as the scope of search results will be extended over time to provide more comprehensive search capabilities.
View detection data for all licenses in portal
When viewing detection data, users can now view data across licenses in a single view. This can be done by selecting "All Licenses" and "All Sensors" in the License and Sensor drop-down menus, respectively.
This new capability applies to all the relevant tabs of the Lastline Portal:
- Dashboard
- Console
- Events
- Downloads
- Search
Improved mail tab showing suspicious URLs found in emails
The Mail tab of the Lastline Portal has undergone a major redesign to display additional information. Specifically, it now includes information on URLs found in emails analyzed on the sensor.
To present this, the Mail tab is now divided into several views:
- Messages: shows individual mail messages that were analyzed, whether because of attachments or URLs that they contain.
- Unique attachments: shows unique analyzed files that have been found attached to emails.
- All attachments: shows all instances of analyzed files attached to emails.
- Unique URLs: shows unique analyzed URLs that have been found in emails.
- All URLs: shows all instances of analyzed URLs found in emails.
Mail URL information will be available in the portal only after upgrading sensors to the version made available in this release.
Improved syslog, HTTP and email notifications for suspicious emails
Notifications sent when a suspicious or malicious email is detected have been extended in two significant ways.
- Notifications for URLs found in emails: In addition to notifying for suspicious attachments, notifications can now also be sent for suspicious URLs found in an email. Note however that existing notification configurations are not being modified. Users who want to add this type of notification to existing configurations will need to edit the notification configuration for their syslog, HTTP or email notifications to enable the new "Malicious Mail URLs" trigger type.
- Notifications for suspicious attachments now include a link to a page on the portal providing information about the specific email that raised the alert.
Notification format updated for Syslog, HTTP and email notifications
With this release, the Syslog notification format is updated to 7.5. Details about the contents of our Syslog notifications in CEF and LEEF formats can be found in the updated integration guide.
Likewise, the generic HTTP notification format is updated to 7.5. Details about the contents of our HTTP notifications can be found in the updated integration guide.
Changes in version 7.5 include:
- Add new email-url notification type, for URLs detected in analyzed emails.
- Add EventDetailLink/event_detail_link field for the email-attachment notification type, providing a link to the details of this specific email in the Lastline Portal.
- Improve the format of notifications for audit events. All notifications for audit events are now of type audit-event. The specific type of action is now contained in a new "audit action type" field.
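As an added example (not part of these release notes or of Lastline's own code), the following parser extracts the new EventDetailLink field from a CEF-formatted syslog notification so a SIEM pipeline can attach the portal link to an alert. The sample line is constructed; the header values, which header field carries the notification type, and all extension keys other than EventDetailLink are assumptions, so check them against the integration guide.

```python
import re

# Constructed sample (not real Lastline output): header fields and the
# extension keys apart from EventDetailLink are assumptions for illustration.
SAMPLE_CEF = (
    "CEF:0|Lastline|Enterprise|7.9|email-attachment|Malicious Mail Attachment|8|"
    "src=10.0.0.5 suser=alice@example.test "
    "EventDetailLink=https://portal.example.test/mail/message/1234 "
    "msg=Subject contains \\= and \\| characters"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def _unescape(value):
    # CEF escapes: '\=' '\|' '\\' are the literal character, '\n' '\r' newlines.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_cef(line):
    """Return {'header': {...}, 'extension': {...}} for one CEF record."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header: seven pipe-delimited fields; an escaped pipe ('\|') is literal.
    fields, buf, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    # Extension: 'key=value' pairs; values may contain spaces, so split only
    # before a token that looks like a new key followed by an unescaped '='.
    extension = {}
    for token in filter(None, re.split(r" (?=[A-Za-z0-9_.]+=)", line[i:])):
        key, _, value = token.partition("=")
        extension[key] = _unescape(value)
    return {"header": dict(zip(HEADER_FIELDS, fields)), "extension": extension}


def detail_link(line):
    """Portal link carried by the notification, or None if the field is absent."""
    return parse_cef(line)["extension"].get("EventDetailLink")
```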
Display TLS exchanges in captured traffic
When viewing the details of a traffic capture of TLS traffic (such as HTTPS), the portal now displays parsed information about the TLS exchange, such as the TLS protocol version and the certificate used. This UI feature complements our ability to detect malware that uses the HTTPS protocol based on characteristics of the certificates used in malicious network infrastructure.
Email analysis improvements
With this release, the email analysis module on the Sensor will start to upload for analysis all URLs pointing to executables.
The email analysis module also received the following improvements:
- Improved email attachment filetype logging of the Sensor.
- Fixed delayed inbox refresh issues when fetching emails from an IMAP server.
- When configured to drop whole emails, only drop emails with malicious content (and not if they only have suspicious content).
- In in-line mode, ensure multi-line template text terminates with a newline.
- In in-line mode, do not hold email for more than 30 minutes if analysis results are delayed.
Bug fixes and improvements
- Improved support for JScript files intended for scripting in Windows Script Host.
- URL analysis performance improvements.
Deprecation of API methods
The following deprecated methods of the legacy API are being removed in this version:
- query_event_labels
- query_incident_labels
- query_incident_label_description
The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
- Lastline Sensor version 706