Lastline Defender and Analyst Hosted Release Notes

Version 7.21

New features

  • Knowledge Base new interface and workflows
  • Improved Analyst API Authentication
  • Email analysis improvements

Knowledge Base new interface and workflows

Users with a Knowledge Base license now have access to a new version of the Knowledge Base interface through the Intelligence page of the Lastline Enterprise Portal. With this version, licensed users can, in a few steps, validate Indicators of Compromise (IoCs), enrich them for greater coverage, triage them, and export them for use within their environment.

The Intelligence page results have been enriched and reorganized to support flexible workflows. Knowledge Base search results are now divided into tabs, for easier navigation and direct access to the information needed:

  • A "Summary" tab providing statistical charts about the results, for fast IoC validation
  • A "Reports" tab providing example analysis reports, to support exploration and drill-downs
  • A "Threat Profile" tab providing the related malicious activities, for a quick assessment of the IoC's severity
  • A "Network IoCs" tab providing enriched lists of related IPs and domains; these lists are completed with reputation information for quick triage and can be exported directly (plain text and STIX formats are supported) for faster reaction
  • A "DNS" tab providing DNS information around the query
  • A "Clustering" tab pointing to similar analysis reports, based on code or dynamic-execution similarities, for additional exploration and further enrichment of the original set of IoCs

All these new features, as well as the rich set of information returned by the interface, are described in detail in the Lastline Portal Guide.

Improved Analyst API Authentication

This release enables users of the Analyst API to use session IDs as an alternative to embedding the API key and token in every request. There is no plan to deprecate the existing behavior (the new mechanism is designed to be fully backward compatible), but clients should consider switching to it.

The Analyst API documentation contains a detailed description of this change.
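The practical difference between the two modes is how often the long-lived API key and token cross the wire: once per session instead of once per request. The following is an added example, not Lastline code and not taken from the Analyst API documentation: the method name "login", the parameter names "api_token" and "session_id", and the 600-second session lifetime are assumptions chosen to show the mechanism. Both sides of the exchange are modelled as an in-process fake server and a client that passes plain dict requests, so it runs offline.

```python
"""Session-ID versus per-request key/token authentication, modelled end to end.

Added example, not Lastline code. The Analyst API's actual endpoints, parameter
names and session lifetime are described in the Analyst API documentation; none
of them are reproduced here. "login", "session_id", "api_token" and the 600 s
TTL are assumptions. Requests are plain dicts handed to an in-process fake
server so both sides of the exchange run offline.
"""
import hmac
import secrets


class AuthError(Exception):
    """Credentials rejected."""


class SessionExpired(AuthError):
    """Session ID unknown or past its expiry; the client must log in again."""


class FakeAnalystServer:
    """Hypothetical server side: accepts key+token on any request (the legacy,
    still supported path) and also issues short-lived session IDs that stand in
    for the key/token on subsequent requests."""

    def __init__(self, credentials, session_ttl=600, now=lambda: 0):
        self._credentials = credentials      # api key -> api token
        self._sessions = {}                  # session id -> (api key, expiry)
        self._ttl = session_ttl
        self._now = now                      # injectable clock, in seconds
        self.credential_presentations = 0    # times the long-lived secret was sent

    def _check_credentials(self, key, token):
        self.credential_presentations += 1
        expected = self._credentials.get(key)
        # constant-time token comparison so timing does not leak the token
        if expected is None or not hmac.compare_digest(expected.encode(), token.encode()):
            raise AuthError("invalid API key or token")

    def handle(self, request):
        method = request["method"]
        if method == "login":
            self._check_credentials(request["key"], request["api_token"])
            sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
            self._sessions[sid] = (request["key"], self._now() + self._ttl)
            return {"success": 1, "data": {"session_id": sid}}
        if "key" in request and "api_token" in request:
            self._check_credentials(request["key"], request["api_token"])  # legacy path
        else:
            sid = request.get("session_id")
            entry = self._sessions.get(sid)
            if entry is None or entry[1] <= self._now():
                self._sessions.pop(sid, None)  # an expired session is never reusable
                raise SessionExpired("session missing or expired")
        return {"success": 1, "data": {"method": method, "params": request.get("params", {})}}


class AnalystClient:
    """Client that logs in once, reuses the session ID, and transparently
    re-authenticates when the server reports the session as expired."""

    def __init__(self, server, key, token, use_sessions=True):
        self._server, self._key, self._token = server, key, token
        self._use_sessions = use_sessions
        self._session_id = None

    def _login(self):
        resp = self._server.handle({"method": "login", "key": self._key, "api_token": self._token})
        self._session_id = resp["data"]["session_id"]

    def call(self, method, **params):
        if not self._use_sessions:           # legacy: the secret rides on every request
            return self._server.handle({"method": method, "key": self._key,
                                        "api_token": self._token, "params": params})
        if self._session_id is None:
            self._login()
        req = {"method": method, "session_id": self._session_id, "params": params}
        try:
            return self._server.handle(req)
        except SessionExpired:
            self._login()                    # exactly one retry with a fresh session
            req["session_id"] = self._session_id
            return self._server.handle(req)


def demo(calls=5, ttl=600):
    """Count how often the key/token crosses the wire in each mode.
    Returns (legacy_count, session_count); with the defaults that is (5, 2):
    five per-request presentations versus one login plus one re-login after
    the clock is moved past the TTL."""
    clock = {"t": 0}
    creds = {"key-constructed": "token-constructed"}  # constructed credentials
    server = FakeAnalystServer(creds, session_ttl=ttl, now=lambda: clock["t"])
    legacy = AnalystClient(server, "key-constructed", "token-constructed", use_sessions=False)
    for _ in range(calls):
        legacy.call("query", limit=10)
    legacy_count = server.credential_presentations
    server.credential_presentations = 0
    modern = AnalystClient(server, "key-constructed", "token-constructed")
    for _ in range(calls):
        modern.call("query", limit=10)
    clock["t"] = ttl + 1                     # let the session lapse
    modern.call("query", limit=10)           # triggers the transparent re-login
    return legacy_count, server.credential_presentations
```

The retry-once-on-expiry logic in `AnalystClient.call` is what makes the switch transparent to existing callers: code written for the per-request style keeps working, while the key and token are presented only at login. Treat the session ID itself as a bearer secret for its lifetime: keep it out of logs and URLs, and expect it to be invalidated on the server side rather than reused indefinitely.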

Email analysis improvements

  • Allow selection of the email headers (or SMTP envelope values) used to report the sender and recipients of analyzed emails. The default is the message's To/From headers in MTA-without-delivery mode, and the SMTP envelope values in full MTA mode.
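The choice matters because the From/To headers are written by whoever composed the message, while the envelope sender and recipients come from the SMTP transaction the receiving MTA actually saw. The following is an added example, not Lastline code, that models the two reporting modes over a constructed message. Assumption: since the envelope (MAIL FROM / RCPT TO) is not part of the message itself, the example reads it from the Return-Path and Delivered-To trace headers that a receiving MTA records; an appliance in full MTA mode would take the values straight from the SMTP transaction instead. The mode names and field mapping are this example's own.

```python
"""Pick the fields that identify an analyzed email's sender and recipients.

Added example, not Lastline code. It models the 7.21 choice between the
message's own From/To headers and the SMTP envelope. Assumption: the envelope
values are read from the Return-Path and Delivered-To trace headers a receiving
MTA records, since MAIL FROM / RCPT TO are not part of the message body.
"""
from email import message_from_bytes
from email.utils import getaddresses, parseaddr

# Constructed sample: the displayed From/To look internal while the envelope,
# as recorded by the receiving MTA, points at an external mailer.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce-7@mailer.attacker.example>
Delivered-To: finance@corp.example
Received: from mailer.attacker.example (mailer.attacker.example [203.0.113.7])
    by mx.corp.example with ESMTP id abc123
    for <finance@corp.example>; Mon, 1 Jan 2018 09:00:00 +0000
From: "CEO" <ceo@corp.example>
To: "Board" <board@corp.example>
Subject: Urgent wire transfer
Content-Type: text/plain

Please process the attached invoice today.
"""

# Which fields each reporting mode consults (assumed mapping, see docstring).
MODES = {
    "headers":  {"sender": ["From"],        "recipients": ["To", "Cc"]},
    "envelope": {"sender": ["Return-Path"], "recipients": ["Delivered-To"]},
}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def reporting_parties(raw: bytes, mode: str) -> dict:
    """Return {"sender": addr, "recipients": [addr, ...]} for the chosen mode.

    "headers"  -> From/To/Cc message headers (the page's default for MTA without delivery)
    "envelope" -> envelope sender/recipients   (the page's default for full MTA mode)
    """
    if mode not in MODES:
        raise ValueError(f"unknown mode {mode!r}")
    msg = message_from_bytes(raw)
    fields = MODES[mode]
    sender_values = [v for name in fields["sender"] for v in msg.get_all(name, [])]
    rcpt_values = [v for name in fields["recipients"] for v in msg.get_all(name, [])]
    sender = parseaddr(sender_values[0])[1] if sender_values else ""
    recipients = [addr for _, addr in getaddresses(rcpt_values) if addr]
    return {"sender": sender, "recipients": recipients}


def sender_mismatch(raw: bytes) -> bool:
    """True when the displayed From domain differs from the envelope sender
    domain. SPF authorizes the envelope sender, not the From header, so this
    is the classic header-spoofing shape that DMARC alignment exists to catch."""
    shown = reporting_parties(raw, "headers")["sender"]
    actual = reporting_parties(raw, "envelope")["sender"]
    return bool(shown and actual) and _domain(shown) != _domain(actual)
```

When choosing the reporting mode for an MTA-without-delivery deployment, keep in mind that the header values are attacker-controlled; the envelope values are what the upstream MTA accepted and are the better key for correlating an analysis report with mail logs.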

Bug fixes and improvements

  • Fix bugs in the File Downloads tab of the Lastline Portal: filtering on "Contacted IP" and on "File Type" was not working correctly
  • Add a get_pending function for retrieving pending submissions via the Analyst API
  • More robust handling of Unicode in filenames on the Sensor
  • Upgrade the Sensor's IDS codebase to libhtp 0.5.23, improving HTTP parsing robustness
  • Improve the analysis of URLs fetched by PDF files via the app.launchURL API
  • Improve the analysis of JavaScript files that use the Blob API to drop additional artifacts; in particular, the file type of the dropped file is now determined more reliably, leading to potentially more precise analysis results
  • Improve the export of analysis reports to PDF/RTF for Flash files submitted for analysis
  • Fix missing screenshots in the export of analysis reports to PDF/RTF
  • Fix truncation of Authenticode signer information in the analysis overview
  • Fix export of analysis report activities (strip and suppress internal data)
  • Fix download of analysis report artifacts
  • Fix missing analysis subject metadata in analysis reports
  • Allow configuration of multiple NTP servers in lastline_setup

Deprecation of API methods

The following API methods of the legacy API (/ll_api/ll_api) are being deprecated in this version:

  • query_ip_range_whitelist
  • set_ip_range_whitelist
  • delete_ip_range_whitelist
  • query_stats_notifications
  • add_stats_notification
  • update_stats_notification
  • delete_stats_notification

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 718