Lastline Defender and Analyst Hosted Release Notes

Version 2019.12

New Features

  • New incident captured traffic profile
  • Access host overview sidebar from intrusion profile
  • Display network event verification outcome in portal
  • Docker IP Address Configuration
  • Display Lastline IDS signatures for detectors

NEW INCIDENT CAPTURED TRAFFIC PROFILE

A new incident-based captured traffic profile view can be accessed through contextual links added to the threat details (expansion) view of the host profile threats tab. Where available, a "captured traffic" link is now shown.

This new feature was tracked internally as FEAT-4540

ACCESS HOST OVERVIEW SIDEBAR FROM INTRUSION PROFILE

The host overview sidebar is now accessible from the Intrusion profile hosts tab. A click on a host IP opens a sidebar with summary information about the selected host and a link to the host profile.

This new feature was tracked internally as FEAT-4897

DISPLAY NETWORK EVENT VERIFICATION OUTCOME IN PORTAL

Lastline appliances can now infer whether the activity observed within a network event was successful. This is done by analyzing the interactions that follow a given detection and assigning a verification outcome to the corresponding event. The following outcomes are supported:

  • SUCCEEDED: we have evidence that the detected interaction succeeded in its intent (e.g. a C&C communication interacted successfully with its server)
  • FAILED: we have evidence that the detected interaction did not succeed (e.g. the C&C server was not active)
  • BLOCKED: we have detected some form of security tool that prevented the interaction from being successful

The network events list now includes a new column that displays network event verification outcomes. Additionally, outcomes are displayed as tags under the threats tab of the host profile view.

This new feature was tracked internally as FEAT-4743
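The outcome taxonomy above can be illustrated with a small classifier over the flows seen after a detection. This is an added example with constructed flow records and illustrative rules, not Lastline's own representation or inference logic; the Flow fields and the "inline_device" / "block_page" markers are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified view of the flows observed after a detection; this is an
# illustration of the outcome taxonomy, not Lastline's own representation or logic.
@dataclass
class Flow:
    src: str                        # internal host
    dst: str                        # peer the detection pointed at
    dport: int
    client_bytes: int               # payload bytes sent by the internal host
    server_bytes: int               # payload bytes returned by the peer
    reset_by: Optional[str] = None  # "peer", "inline_device" or None
    block_page: bool = False        # response recognised as a proxy/filter block page

SUCCEEDED, FAILED, BLOCKED = "SUCCEEDED", "FAILED", "BLOCKED"

def verify_outcome(client: str, server: str, dport: int, flows: List[Flow]) -> Optional[str]:
    """Assign SUCCEEDED / FAILED / BLOCKED (or None when unverifiable) to a detection."""
    related = [f for f in flows if (f.src, f.dst, f.dport) == (client, server, dport)]
    if not related:
        return None                 # no follow-up interaction seen: cannot verify
    # Evidence of a security control wins: an inline reset or a block page means the
    # interaction was stopped, rather than failing on its own.
    if any(f.reset_by == "inline_device" or f.block_page for f in related):
        return BLOCKED
    # Payload coming back from the peer is evidence the interaction achieved its intent.
    if any(f.server_bytes > 0 for f in related):
        return SUCCEEDED
    # The host tried but got nothing back (refused, reset by the peer, or timed out).
    return FAILED

def demo() -> dict:
    """Constructed scenarios: one per outcome plus an unverifiable one."""
    c, s = "10.1.2.3", "203.0.113.9"
    return {
        "succeeded": verify_outcome(c, s, 443, [Flow(c, s, 443, 1200, 4800)]),
        "failed": verify_outcome(c, s, 443, [Flow(c, s, 443, 0, 0, reset_by="peer")]),
        "blocked": verify_outcome(c, s, 80, [Flow(c, s, 80, 300, 900, block_page=True)]),
        "unverified": verify_outcome(c, s, 8080, [Flow(c, "198.51.100.4", 8080, 10, 10)]),
    }
```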

DOCKER IP ADDRESS CONFIGURATION

The lastline_register utility now prompts the user to provide a network address range to use for internal appliance services. In previous releases, this address range was statically configured on a 172.16.0.0/12 network, which could cause a conflict if the range was already in use in the local network.

For details, please refer to the installation manual.

This new feature was tracked internally as FEAT-4742
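Before answering the lastline_register prompt, it is worth checking that the range you intend to give it does not overlap anything already routed on the appliance's network, which is exactly the conflict the old fixed 172.16.0.0/12 default could cause. The check below is an added example, not part of lastline_register; the `ip -4 route` output and the candidate ranges are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence

DEFAULT_INTERNAL_RANGE = "172.16.0.0/12"   # the range older releases used unconditionally

def routes_from_ip_route(output: str) -> list:
    """Extract the destination prefixes from `ip -4 route` output (default route skipped)."""
    nets = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue                # the default route is not an address allocation
        try:
            nets.append(ipaddress.ip_network(fields[0], strict=False))  # host routes become /32
        except ValueError:
            continue                # not a prefix (e.g. "unreachable" or "blackhole" lines)
    return nets

def conflicting_routes(candidate: str, routes: Iterable) -> List[str]:
    """Return the local prefixes that overlap the proposed internal service range."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return [str(r) for r in routes if r.version == cand.version and r.overlaps(cand)]

def pick_internal_range(routes: Iterable, candidates: Sequence[str]) -> Optional[str]:
    """First candidate range that overlaps nothing in the routing table, or None."""
    routes = list(routes)
    for cand in candidates:
        if not conflicting_routes(cand, routes):
            return cand
    return None

# Constructed `ip -4 route` output for a site whose LAN already uses part of 172.16/12.
SAMPLE_ROUTES = """\
default via 172.20.0.1 dev eth0
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.1.5
10.0.0.0/8 via 172.20.0.1 dev eth0
192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.7
"""
# Candidate ranges are this example's own choices, not values prescribed by lastline_register.
CANDIDATES = (DEFAULT_INTERNAL_RANGE, "10.200.0.0/16", "192.168.240.0/20")

if __name__ == "__main__":
    routes = routes_from_ip_route(SAMPLE_ROUTES)
    print("default range conflicts with:", conflicting_routes(DEFAULT_INTERNAL_RANGE, routes))
    print("usable range:", pick_internal_range(routes, CANDIDATES))
```

On a real appliance, feed the output of `ip -4 route` to routes_from_ip_route instead of the constructed sample.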

DISPLAY LASTLINE IDS SIGNATURES FOR DETECTORS

The recently introduced detector documentation modal has been extended to include a new IDS Rule section. In this new section, a visually parsed representation of the relevant IDS signature is now available.

This new feature was tracked internally as FEAT-4638

Detection Improvements

  • FEAT-4302: Improved detection of phishing URLs. The Lastline URL analysis engine analyzes a rendered web page to recognize whether the page is similar to a known phishing page based on image similarity.
  • TRES-843: Improved detection of malware with the ability to check the current keyboard layout.
  • TRES-824: Improved detection of malware that appends a PowerShell script after the end of an archive to bypass detection.
  • TRES-734: Improved detection of malware that uses a file's extended attributes to hide a malicious payload.
  • TRES-616: Improved detection of malware that abuses Microsoft-signed script proxy execution.
  • TRES-552: Improved detection of Microsoft Office documents that auto-load OLE objects.
  • SENT-2589: Improvement to the heuristics used by mail sensors to flag URLs for analysis based on the file extension of the target.
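The TRES-824 item concerns archives with script text appended after the point where the archive formally ends. A defender can flag such files by locating the genuine end-of-central-directory (EOCD) record and measuring what lies past its declared end, while not counting a legitimate archive comment. This is an added example with constructed sample archives, not Lastline's detector; it handles plain ZIP files only (no ZIP64, no self-extractor stub prepended to the archive).

```python
import io
import struct
import zipfile
from typing import Optional

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDIR_SIG = b"PK\x01\x02"   # central directory file header signature
EOCD_LEN = 22              # fixed size of the EOCD record, before the optional comment

def find_eocd(data: bytes) -> Optional[int]:
    """Offset of the genuine EOCD record, or None. Scans backwards and rejects a signature
    that merely occurs inside appended data by checking that the record sits right after
    the central directory it describes (plain ZIP only: no ZIP64, no prepended stub)."""
    end = len(data)
    while True:
        pos = data.rfind(EOCD_SIG, 0, end)
        if pos < 0:
            return None
        if pos + EOCD_LEN <= len(data):
            cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
            directory_ok = cd_size == 0 or data[cd_offset:cd_offset + 4] == CDIR_SIG
            if cd_offset + cd_size == pos and directory_ok:
                return pos
        end = pos                  # keep searching further back

def trailing_bytes(data: bytes) -> Optional[int]:
    """Bytes present after the archive's declared end (EOCD + comment); None if not a ZIP.
    A legitimate archive comment is part of the archive and is not counted."""
    pos = find_eocd(data)
    if pos is None:
        return None
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return len(data) - (pos + EOCD_LEN + comment_len)

def build_zip(comment: bytes = b"") -> bytes:
    """Constructed sample archive with one harmless entry and an optional comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample archive\n")
        zf.comment = comment
    return buf.getvalue()

CLEAN = build_zip()
WITH_COMMENT = build_zip(b"release build 2019.12")
# Inert text stands in for the appended script; the detector only needs the byte count.
APPENDED = build_zip() + b"\r\n# text appended past the declared end of the archive (constructed)\r\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("comment", WITH_COMMENT), ("appended", APPENDED)):
        print(name, "trailing bytes:", trailing_bytes(blob))
```

A non-zero result is a triage signal, not a verdict: some installers and self-extracting stubs legitimately carry data around the archive, so route hits to analysis rather than blocking on the count alone.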

Bug Fixes and Improvements

  • FEAT-4156: Kibana now includes a dashboard to ease the exploration of network data indexed in an installation. The dashboard presents key facts and visualizations for each of the record types currently indexed (netflow, pdns, webrequest, TLS, SMB, and Kerberos).
  • USER-3833: Within the "Email" section, the tables displaying "All attachments" and "All URLs" now show the Antivirus class and Malware.
  • USER-3222: Addressed certain conditions in which clicking on a link to a hosted URL might trigger an API error.
  • SENT-2592: Fix to a bug in the sensor email logger (generating data in /var/log/llmail/email) where the logger would incorrectly log the intention to upload a URL within the MalscapeUploader section also for URLs that are believed to be prefilter-benign. The bug does not affect functionality, but may lead to confusion in the analysis of the processing data (as some URLs will appear as uploaded but will never receive a score).
  • SENT-2583: Fixed an issue where a mail sensor may fail at processing messages that had been received by a prior version of the software before an update.
  • SENT-2570: Fixed an issue where the sensor SMB file extraction may erroneously submit large amounts of partial file transfers for analysis.
  • SENT-2557: Fix to a problem where it would still be possible to partially enable PF_RING sniffing drivers on xenial appliances (PF_RING has been deprecated in favor of AF_PACKET on xenial appliances).
  • LLADOC-820: Fixed an issue where a mail sensor may fail at processing messages containing certain PDF attachments due to a segfault in the PDF parser.
  • FEAT-4833: Expose file's sha256 hash in Analyst API analysis reports.
  • FEAT-4630: When an INFO mode event in a customer's network is determined to be anomalous and is promoted to REAL mode, we now show only the evidence for the anomalous behaviour and no longer include evidence for the base behaviour.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1130

Distribution Upgrade

Sensor 1130, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1130. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically to prevent unexpected downtime.
