Lastline Defender and Analyst Hosted Release Notes

Version 2019.11

New Features

  • Extend displayed analysis information for mail messages
  • Kibana Integration in Hosted Portal
  • Added password protection support for analysis artifact download
  • MITRE ATT&CK techniques and details now available in Analysis report
  • Support for analysis of artifacts extracted from HTTP uploads
  • Participating host sidebar
  • Display TLS data records
  • Support querying SMB records in NTA rules
  • Ingest SMB and Kerberos logs

EXTEND DISPLAYED ANALYSIS INFORMATION FOR MAIL MESSAGES

The displayed analysis information for a mail message now includes a "Detections" table, where applicable, that lists the analysis detections associated with the message's native content (excluding attachments and URLs). Email, Generic HTTP, Streaming API, and Syslog notifications for such detections can also be configured in the notification settings.

This new feature was tracked internally as FEAT-3634

KIBANA INTEGRATION IN HOSTED PORTAL

The Kibana visualization tool is now integrated in the portal, giving access to the data records stored on the data nodes (webrequests, passive DNS, and netflow records). This new functionality enables analysts to easily explore data records, for example, as part of an investigation.

The Kibana interface is accessible via the new menu item Investigation -> Network explorer for accounts with the Can Access Kibana permission.

This new feature was tracked internally as FEAT-4305

ADDED PASSWORD PROTECTION SUPPORT FOR ANALYSIS ARTIFACT DOWNLOAD

Users downloading malicious files for further analysis via the Analysis Overview page now have the option of downloading the file inside an encrypted (password-protected) ZIP archive, so that other security products monitoring the traffic do not automatically inspect the sample and block or quarantine the download.
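Why a password-protected archive passes inline inspection, shown as an added example (not Lastline code): a ZipCrypto-protected ZIP is built in pure Python and opened again with the standard library's zipfile module. The file name, password, and payload bytes are constructed for this example; only the SHA-256 of the extracted file is compared, as an analyst would compare it against the hash in the analysis report.

```python
"""ZipCrypto (traditional PKWARE) password-protected ZIP, built and read back.
Added example, not Lastline code. Payload and password are constructed."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

# CRC-32 table; the ZipCrypto key schedule reuses it.
_CRCTAB = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


class _ZipCrypto:
    """Encryption side of the traditional PKWARE stream cipher."""

    def __init__(self, password: bytes):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.k
        k[0] = _CRCTAB[(k[0] ^ c) & 0xFF] ^ (k[0] >> 8)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _CRCTAB[(k[2] ^ (k[1] >> 24)) & 0xFF] ^ (k[2] >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k[2] | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # key state advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: str, payload: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) member, general-purpose flag bit 0 set."""
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC MSB used as
    # the password check byte; it is encrypted with the same key stream.
    enc = _ZipCrypto(password).encrypt(os.urandom(11) + bytes([crc >> 24]) + payload)
    fname = name.encode("ascii")
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(enc), len(payload), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(enc), len(payload), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(enc), 0)
    return local + enc + central + eocd


def extract_artifact(archive: bytes, password: bytes, max_size: int = 64 << 20) -> dict:
    """Open the archive in memory; refuse unsafe names and oversized members.
    A wrong password raises RuntimeError (or BadZipFile on a CRC mismatch)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        (info,) = zf.infolist()
        if info.filename.startswith(("/", "\\")) or ".." in info.filename.split("/"):
            raise ValueError("unsafe member name: %r" % info.filename)
        if info.file_size > max_size:
            raise ValueError("member too large")
        with zf.open(info, pwd=password) as fh:
            data = fh.read()
    return {"name": info.filename, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


def demo() -> dict:
    payload = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for a sample
    password = b"infected"
    archive = build_encrypted_zip("sample.bin", payload, password)
    result = extract_artifact(archive, password)
    try:
        extract_artifact(archive, b"wrong")
        rejected = False
    except (RuntimeError, zipfile.BadZipFile):
        rejected = True
    return {
        "plaintext_visible": payload in archive,  # what an inline scanner sees
        "hash_matches": result["sha256"] == hashlib.sha256(payload).hexdigest(),
        "size": result["size"],
        "wrong_password_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

ZipCrypto is a weak cipher (a known-plaintext attack recovers the keys), so the archive only makes the sample opaque to automated scanning; it is not a confidentiality control. Extract only inside the analysis environment, since an endpoint scanner will still react to the decrypted file, and compare the SHA-256 with the one in the analysis report before doing anything with it.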

This new feature was tracked internally as FEAT-4627

MITRE ATT&CK TECHNIQUES AND DETAILS NOW AVAILABLE IN ANALYSIS REPORT

Users are now able to see the MITRE ATT&CK techniques and details under the Analysis Overview section in the Lastline Analysis report.

This new feature was tracked internally as FEAT-4590

SUPPORT FOR ANALYSIS OF ARTIFACTS EXTRACTED FROM HTTP UPLOADS

The sensor can now extract artifacts uploaded by a client to a target server (e.g., by means of an HTTP POST) and submit them for analysis, as it already does for HTTP downloads and for file transfers on other protocols. In the UI, the "File Downloads" table now indicates when a given transfer was actually an upload.
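What extracting an artifact from an HTTP upload involves, as an added example that is not Lastline code: a small parser pulls the file part out of a constructed multipart/form-data POST, hashes it, and types it from its magic bytes rather than from the client-supplied filename or Content-Type (both of which the uploader controls). The request, boundary, and file bytes are constructed for this example.

```python
"""Extract file artifacts from an HTTP multipart/form-data upload.
Added example, not Lastline code. The request below is constructed."""
import hashlib
import re

# Constructed OLE2 (legacy Office) file: the 8-byte magic plus padding.
SAMPLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

_BOUNDARY = b"----ExampleBoundary7d3a"
_BODY = b"".join([
    b"--" + _BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="comment"\r\n\r\n',
    b"quarterly report\r\n",
    b"--" + _BOUNDARY + b"\r\n",
    b'Content-Disposition: form-data; name="file"; filename="invoice.doc"\r\n',
    b"Content-Type: application/msword\r\n\r\n",
    SAMPLE_DOC + b"\r\n",
    b"--" + _BOUNDARY + b"--\r\n",
])
RAW_REQUEST = b"".join([
    b"POST /upload HTTP/1.1\r\n",
    b"Host: share.example.internal\r\n",
    b"Content-Type: multipart/form-data; boundary=" + _BOUNDARY + b"\r\n",
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n",
    b"\r\n",
    _BODY,
])

# Content-based type detection: declared names and types are untrusted input.
_MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # .doc/.xls/.ppt, also MSI
    (b"PK\x03\x04", "zip"),                         # also .docx/.jar/.apk
    (b"%PDF", "pdf"),
    (b"MZ", "pe"),
]


def sniff_type(data: bytes) -> str:
    for magic, label in _MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _parse_headers(block: bytes) -> dict:
    headers = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            k, v = line.split(b":", 1)
            headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    return headers


def parse_multipart(body: bytes, boundary: bytes) -> list:
    """Split a multipart body into (headers, content) parts."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter; epilogue follows
            break
        chunk = chunk[2:] if chunk.startswith(b"\r\n") else chunk
        if chunk.endswith(b"\r\n"):  # CRLF belongs to the next delimiter
            chunk = chunk[:-2]
        head, _, content = chunk.partition(b"\r\n\r\n")
        parts.append((_parse_headers(head), content))
    return parts


def extract_uploads(raw_request: bytes) -> list:
    """Return metadata for each file part of a POST; [] when there is none."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    if not request_line.startswith(b"POST "):
        return []
    headers = _parse_headers(header_block)
    m = re.match(r'multipart/form-data;.*boundary="?([^";]+)"?',
                 headers.get("content-type", ""), re.I)
    if not m:
        return []
    uploads = []
    for part_headers, content in parse_multipart(body, m.group(1).encode("latin-1")):
        fn = re.search(r'filename="([^"]*)"', part_headers.get("content-disposition", ""))
        if not fn:
            continue  # ordinary form field, not a file artifact
        uploads.append({
            "filename": fn.group(1),
            "declared_type": part_headers.get("content-type", ""),
            "sniffed_type": sniff_type(content),
            "size": len(content),
            "sha256": sha256_hex(content),
        })
    return uploads


if __name__ == "__main__":
    for upload in extract_uploads(RAW_REQUEST):
        print(upload)
```

The hash and sniffed type are what get submitted and logged; a mismatch between declared_type and sniffed_type (an "image" that starts with MZ, say) is itself worth an alert. A real sensor also has to reassemble the TCP stream, handle chunked transfer encoding and non-multipart uploads (PUT bodies, base64 JSON fields), none of which this parser does.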

This new feature was tracked internally as FEAT-4541

PARTICIPATING HOST SIDEBAR

In the Host Profile page threats view, clicking on the domain or IP of a host identified as participating in a given threat now opens a sidebar that displays contextual information about that host, including WHOIS information and the in-network hosts with which the participating host communicated.

This new feature was tracked internally as FEAT-4405

DISPLAY TLS DATA RECORDS

The portal now displays the TLS records collected by the sensor in the monitored network. More precisely, TLS records are shown:

  • In the Network Analysis page, after selecting a node corresponding to a host
  • In the Events page, if the event has been generated based on the analysis of TLS data

This new feature was tracked internally as FEAT-4357

SUPPORT QUERYING SMB RECORDS IN NTA RULES

It is now possible to write NTA rules that query SMB records.

This new feature was tracked internally as FEAT-4016

INGEST SMB AND KERBEROS LOGS

The sensor now generates records for SMB and Kerberos messages, which summarize key features of the SMB/Kerberos communication. These records are stored and made available for searching, similarly to the other NTA records (netflow, pdns, webrequest, and TLS).

This new feature was tracked internally as FEAT-4007

Detection Improvements

  • SENT-2545: Ensure that the email analysis component selects for analysis URLs known to belong to file sharing services.
  • TRES-928: Improved detection of evasive Microsoft Office documents that use country-specific checks.
  • TRES-876: Reduced false positives on benign Office documents that reference a remote image on an unreachable server.
  • TRES-749: Improved detection of the Dridex banking trojan.
  • TRES-691: Improved detection of phishing PDF files.

Bug Fixes and Improvements

  • FEAT-4538: The Threats view of the Host Profile lists the evidence associated with each threat. This release extends the information presented there, providing more specific insight into each piece of evidence, such as the filenames of suspicious downloads.
  • USER-3726: Fixed a bug where, under certain conditions, attempting to set a 'host label' via the UI would fail with an API error.
  • USER-3721: Fixed a bug where the 'Appliance Status Configuration' page could cause the user's browser to stall.
  • USER-3626: Fixed a bug where users could not delete a 'host label' in the Host Profile or Host Sidebar views.
  • TRES-918: Improved scanner logic based on parent/child process relations.
  • TRES-834: Reduced false positive rate for script-based automation tools.
  • TRES-722: Reduced false positive rate for benign installers.
  • SENT-2544: Fixed an issue in sensors using Silicom NICs for bypass, where the appliance would not disable bypass mode after a reboot on Xenial-based appliances.
  • SENT-2535: Fixed a bug where the sniffing tests triggered by a manual run of lastline_test_appliance could fail due to an unexpected error.
  • PLTF-888: Intrusion notifications now include the impact of the intrusion that triggered the notification.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1120

Distribution Upgrade

Sensor 1120, which is being made available as part of this release, is supported only on Ubuntu Xenial (16.04) as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1120. For detailed instructions on how to perform a distribution upgrade, see the separate distribution upgrade instructions. This update is not done automatically, to prevent unexpected downtime.
