Version 2019.6
New Features
- UI to display log of all email messages
- Network and security summary widget
- Updated host profile - new summary and tabs
- Display documentation for detectors
- Display the state of processed mail messages
- Integrate Antimalware Scan Interface (AMSI) for MS Office document analysis in Lastline sandbox
- Monitored network hosts widget
- Ingest TLS logs
- Detection of URL link chains
UI TO DISPLAY LOG OF ALL EMAIL MESSAGES
Lastline mail sensors now provide a status update of each message during processing.
A new section has been added to the Email tab, called Messages log. The new section displays a table with all mail messages processed. Details about each message are available with a single click. Additionally, several new filters have been introduced, including mail message log id, message action, and content action.
Additionally, while previously only messages containing suspicious artifacts were surfaced in the Email tab, the new Messages log section reports the full log of all messages processed by the sensor, including messages with no URLs or attachments and messages whose artifacts were considered benign during analysis.
This new feature was tracked internally as FEAT-4091.
NETWORK AND SECURITY SUMMARY WIDGET
A new visualization widget has been introduced to show how network traffic is processed and analyzed by the product.
This new feature was tracked internally as FEAT-4072.
UPDATED HOST PROFILE - NEW SUMMARY AND TABS
Security teams can now investigate threats on hosts more efficiently. A newly designed Summary section for hosts lists common attributes that enable security teams to identify a host and provide actionable context. The new design also clearly identifies all incidents and events for the host. Additionally, the host profile provides context on the applications observed on the host, based on network data, which helps when investigating threats on that host.
This new feature was tracked internally as FEAT-4027.
DISPLAY DOCUMENTATION FOR DETECTORS
A user can now click on a detector in the User portal to learn about the detector's goal, a high-level overview of how the detection works, and well-known causes of false and true positives.
This new feature was tracked internally as FEAT-3709.
DISPLAY THE STATE OF PROCESSED MAIL MESSAGES
A user can now see up-to-date information for both emails that have fully resolved and emails that are still being processed. Additionally, a user can filter emails based on this state information.
This new feature was tracked internally as FEAT-3677.
INTEGRATE ANTIMALWARE SCAN INTERFACE (AMSI) FOR MS OFFICE DOCUMENT ANALYSIS IN LASTLINE SANDBOX
The Windows Antimalware Scan Interface (AMSI) was integrated into the Lastline Sandbox for MS Office document analysis. AMSI increases visibility into the execution of VBA code, which allows the sandbox to observe not only system-level events but also VBA-code-specific events.
This new feature was tracked internally as FEAT-4043.
MONITORED NETWORK HOSTS WIDGET
A new widget has been introduced on the Network dashboard that displays an overview of the number of hosts on a network, and information about the devices, OSs, services, and applications running on each host.
This new feature was tracked internally as FEAT-4025.
INGEST TLS LOGS
Defender now supports ingesting TLS records generated by the Lastline sensor. The records are stored and can be queried together with the other existing NTA records (passive DNS, netflow, web requests).
The Defender rules language has been extended to support creating rules that match on TLS records (including SNI and JA3 values).
This new feature was tracked internally as FEAT-4008.
DETECTION OF URL LINK CHAINS
Lastline's URL analysis engine now extracts and analyzes URLs found in Google Docs submitted for analysis. This allows the engine to follow a URL link chain and detect a malicious payload or phishing page at the end of the chain when a URL is manually submitted for analysis.
This new feature was tracked internally as FEAT-3578.
Detection Improvements
- TRES-534: Improved detection of evasive Microsoft Office documents which use country-specific checks to bypass analysis systems.
- TRES-462: Improved detection of EvilOsx malware family.
- TRES-456: Improved detection of PPminer malware family.
- TRES-422: Improved detection of XMRig malware family.
- TRES-367: Improved detection of Microsoft Office document exploits that use scriptlets to execute a payload.
- TRES-324: Improved detection of ASLR bypass in Microsoft Office documents.
- TRES-215: Improved detection of CVE-2017-0199 MS Office exploits.
- LLMAIL-498: Support for detection of a new redirection attack observed in recent spam waves, where the URLs leverage benign third-party redirection services such as google.dm.
- LLMAIL-489: Added support for processing URLs in emails that have been analyzed by Zix.
Bug Fixes and Improvements
- USER-3394: The link from Admin / Appliances / Configuration / Integrations / Active Directory to Admin / Data Sources / Active Directory now works as expected.
- USER-3297: Fixed incorrect URLs linking to the AWS documentation.
- TRES-451: Fixed a false positive on DLL files signed by Qihu.
- SENT-1162: Added monitoring of the file processing pipeline used by the sensor to process artifacts in sniffing and ICAP mode. Queue utilisation for the file processing pipeline is now reported in the monitoring logs and the appliance status will warn in case of anomalous increases in the backlog.
- LLMAIL-491: Fixed a bug that could cause llmail to crash while performing message reputation analysis.
- FEAT-3871: Improved performance of Microsoft Office document analysis in the Lastline Sandbox. Analysis of a document now executes faster, allowing more behavior to be observed.
Deprecation of API methods
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1070
Distribution Upgrade
Sensor 1070, which is being made available as part of this release, is supported only when running on Ubuntu Xenial as the underlying operating system distribution.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1070. For detailed instructions on how to perform a distribution upgrade, please see the following instructions. This update is not performed automatically, to prevent unexpected downtime.