Lastline Defender and Analyst Hosted Release Notes

Version 2019.8

New Features

  • Add fail open configuration options under sensor mail configuration
  • Display 'Processing' and 'Delivery' information in the Mail Message Details view
  • Create suppression rules based on incident and host in UI
  • New contextual WHOIS modal
  • New threats tab in host profile
  • Restrict incidents to a single threat

ADD FAIL OPEN CONFIGURATION OPTIONS UNDER SENSOR MAIL CONFIGURATION

It is now possible to configure, from the sensor configuration UI, the behavior of the mail analysis component in case of unexpected issues. This includes:

  • Ability to specify the maximum amount of time that the sensor is allowed to hold an email message for analysis.
  • Ability to specify the behavior of the sensor in case of a full analysis queue: whether to reject new incoming messages, or to still accept them and forward them without analysis.
  • Ability to specify the behavior of the in-depth analysis in case of inability to communicate with the manager.
  • Maximum amount of time the sensor is allowed to wait for the completion of a backend analysis of a URL or file.
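To illustrate how these four settings interact, here is an added Python model of the decision logic (not Lastline's code; the class, field and policy names are hypothetical and the behavior when the hold time expires is assumed to be release). Each decision returns both the action and the reason, so every delivery of unscanned mail is attributable to the specific fail-open setting that caused it:

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple

class QueueFullPolicy(Enum):
    REJECT = "reject"                        # fail closed: refuse new messages
    FORWARD_UNSCANNED = "forward_unscanned"  # fail open: accept, skip analysis

class ManagerDownPolicy(Enum):
    HOLD = "hold"                  # fail closed: keep waiting for the manager
    SKIP_INDEPTH = "skip_indepth"  # fail open: deliver without in-depth analysis

@dataclass(frozen=True)
class FailOpenConfig:  # hypothetical field names; the UI labels differ
    max_hold_seconds: float  # longest a message may be held for analysis
    max_queue_size: int  # analysis queue capacity
    queue_full_policy: QueueFullPolicy
    manager_down_policy: ManagerDownPolicy
    backend_wait_seconds: float  # longest wait for a backend URL/file verdict

Decision = Tuple[str, str]  # (action, reason): keeps fail-open deliveries auditable

def admit(cfg: FailOpenConfig, queue_len: int) -> Decision:
    """Decide what happens to a newly arriving message."""
    if queue_len < cfg.max_queue_size:
        return ("queued", "capacity_available")
    if cfg.queue_full_policy is QueueFullPolicy.REJECT:
        return ("rejected", "queue_full")
    return ("delivered_unscanned", "queue_full")

def dispose(cfg: FailOpenConfig, held_seconds: float, manager_reachable: bool,
            backend_elapsed: float, backend_verdict: Optional[str]) -> Decision:
    """Decide what happens to a message already held for analysis."""
    if backend_verdict is not None:  # analysis finished: act on the verdict
        action = "blocked" if backend_verdict == "malicious" else "delivered_scanned"
        return (action, "backend_verdict")
    if held_seconds >= cfg.max_hold_seconds:  # hold budget exhausted (assumed: release)
        return ("delivered_unscanned", "max_hold_exceeded")
    if not manager_reachable:
        if cfg.manager_down_policy is ManagerDownPolicy.SKIP_INDEPTH:
            return ("delivered_unscanned", "manager_unreachable")
        return ("held", "manager_unreachable")
    if backend_elapsed >= cfg.backend_wait_seconds:  # backend verdict overdue
        return ("delivered_unscanned", "backend_timeout")
    return ("held", "awaiting_backend")
```

Counting decisions whose action is "delivered_unscanned", grouped by reason, is a simple way to see which fail-open path is actually firing in production.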

This new feature was tracked internally as FEAT-4229

DISPLAY 'PROCESSING' AND 'DELIVERY' INFORMATION IN THE MAIL MESSAGE DETAILS VIEW

A user can now see up-to-date processing and delivery information for emails.

This new feature was tracked internally as FEAT-4214

CREATE SUPPRESSION RULES BASED ON INCIDENT AND HOST IN UI

Security Analysts can suppress future events related to a threat that match certain criteria, such as source IP or destination IP. In addition to being accessible from events, the suppress functionality is now available from Incidents and Hosts. When triaging threats on a host, security analysts can choose to suppress future events as an action for each threat.

This new feature was tracked internally as FEAT-4174

NEW CONTEXTUAL WHOIS MODAL

Security Analysts are now provided with key contextual information on external IPs and domains: WHOIS information is shown inline as part of the event data. A new icon has been added next to external IPs and domains which brings up the contextual WHOIS information.

This new feature was tracked internally as FEAT-4040

NEW THREATS TAB IN HOST PROFILE

The enhanced Threats page in the Host Profile delivers a simplified view of all threats seen on a host. Each threat now has a clear threat score based on impact, a timeline of when the threat was observed on the host, and an easy-to-access list of associated evidence for that threat, specifically the network interactions and network IOCs.

This new feature was tracked internally as FEAT-3559

RESTRICT INCIDENTS TO A SINGLE THREAT

Prior to this release, Lastline performed correlation on network events at two levels: incidents (on a single host), and intrusions (that can span multiple hosts). An individual incident could involve multiple different threats.

With this release, correlation will only be performed to create intrusions. Incidents are now a simple aggregation of events involving the same threat on the same host. Correlation of different threats on one or more hosts will instead lead to the creation of an intrusion object.

As a result of this change, security analysts now have a more streamlined threat triage workflow.

This new feature was tracked internally as FEAT-3279

Detection Improvements

  • TRES-657: Improved detection of Ursnif downloaders.
  • TRES-641: Improved detection of OSX/Pirrit malware family.
  • TRES-569: Improved detection of PUA/Softcnap malware family.
  • TRES-468: Reduced false positives on benign binaries signed by Trend Micro.
  • TRES-370: Improved detection of OSX/Komplex malware family.
  • TRES-365: Improved detection of malicious Microsoft Office documents using ActiveX functions.
  • TRES-269: Reduced false positives on benign Microsoft Office documents which contain an Excel worksheet file as a table.

Bug Fixes and Improvements

  • TRES-650: Improved stability of detection scanners.
  • TRES-563: Reduced false positive rate for executables.
  • LLMAIL-499: Mail and URL analysis in the sensor component now recursively inspects the content of any attached email message.

Deprecation of API methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1090

Distribution Upgrade

Sensor 1090, which is being made available as part of this release, is supported only running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1090. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically to prevent unexpected downtime.
