Lastline Defender and Analyst Hosted Release Notes

Version 2020.0

New Features

  • Additional host listing details and filters
  • Email Quarantine Support
  • Support for URL reputation in sniffing sensors
  • Index DHCP logs

ADDITIONAL HOST LISTING DETAILS AND FILTERS

Security analysts can now drill down into the details and access the list of hosts that are presented as summary numbers in the Host Monitoring widget on the Network Dashboard. Additionally, new filters have been added to the host listing functionality in the portal that allow security analysts to filter by application, device type, operating system, etc.

This new feature was tracked internally as FEAT-4901

EMAIL QUARANTINE SUPPORT

Lastline now supports displaying detailed information related to emails quarantined on Lastline Sensors. Security teams can now easily inspect emails and see which emails have been quarantined from the email triage functionality in the portal. Security teams can also release or delete blocked emails from the email page in the portal. Configuration options are also available for administrators to specify the number of days emails should be held in quarantine before they are automatically released.

This new feature was tracked internally as FEAT-4974

SUPPORT FOR URL REPUTATION IN SNIFFING SENSORS

This release enables support for a new type of reputation event, URL reputation. On top of inspecting DNS resolutions and connections to known malicious hosts, sensors will now inspect HTTP activity and flag HTTP transactions towards low-reputation URIs. The ability to evaluate URL locations in addition to hosts is particularly important when dealing with threats that leverage benign or compromised infrastructure for their distribution (e.g. phishing pages hosted on otherwise benign domains that have been compromised).

This new feature was tracked internally as FEAT-4611

INDEX DHCP LOGS

The sensor now generates records for DHCP messages, which summarize key features of DHCP transactions. These records are stored and made available for searching in the Network Explorer page, similarly to the other NTA records (Kerberos, netflow, pdns, SMB, TLS, and webrequest).

This new feature was tracked internally as FEAT-4948
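As an added example that is not Lastline's sensor code, the block below parses raw DHCP messages (BOOTP header, magic cookie, TLV options) and folds a REQUEST/ACK pair into one transaction summary of the kind a network-traffic record would carry: client MAC, hostname, requested and assigned address, server identifier and lease time. The packets are constructed inline with a small builder so the example runs offline; the record field names are this example's own choice.

```python
# Added example (not Lastline's implementation): summarize DHCP transactions
# from raw DHCP message bytes (RFC 2131 header + RFC 2132 options).
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0"):
    """Builder used only to construct sample input; htype=1 (Ethernet), hlen=6."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + b"\xff"


def parse_dhcp(pkt: bytes) -> dict:
    """Parse one DHCP message into a flat record; rejects truncated input."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    _ciaddr, yiaddr, _siaddr, _giaddr = (socket.inet_ntoa(pkt[i:i + 4]) for i in range(12, 28, 4))
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option")
        length = pkt[i + 1]
        val = pkt[i + 2:i + 2 + length]
        if len(val) != length:
            raise ValueError("truncated option")
        opts[code] = val
        i += 2 + length
    return {
        "xid": xid,
        "op": op,  # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "message_type": MSG_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "UNKNOWN",
        "yiaddr": yiaddr,
        "requested_ip": socket.inet_ntoa(opts[50]) if 50 in opts else None,
        "server_id": socket.inet_ntoa(opts[54]) if 54 in opts else None,
        "hostname": opts[12].decode("ascii", "replace") if 12 in opts else None,
        "lease_seconds": struct.unpack("!I", opts[51])[0] if 51 in opts else None,
    }


def summarize_transactions(packets) -> dict:
    """Group messages by transaction id; client messages contribute identity,
    server replies contribute the assignment."""
    txns = {}
    for pkt in packets:
        rec = parse_dhcp(pkt)
        t = txns.setdefault(rec["xid"], {"xid": rec["xid"], "messages": []})
        t["messages"].append(rec["message_type"])
        if rec["op"] == 1:
            t.update(client_mac=rec["client_mac"], hostname=rec["hostname"],
                     requested_ip=rec["requested_ip"])
        else:
            t.update(server_id=rec["server_id"], assigned_ip=rec["yiaddr"],
                     lease_seconds=rec["lease_seconds"])
    return txns


# Constructed sample exchange: one REQUEST and the matching ACK (documentation-range addresses).
CLIENT_MAC = bytes.fromhex("0011223344aa")
SAMPLE_PACKETS = [
    build_dhcp(1, 0x3903F326, CLIENT_MAC, [(53, b"\x03"), (50, socket.inet_aton("192.0.2.77")),
                                           (12, b"workstation-17"), (54, socket.inet_aton("192.0.2.1"))]),
    build_dhcp(2, 0x3903F326, CLIENT_MAC, [(53, b"\x05"), (54, socket.inet_aton("192.0.2.1")),
                                           (51, struct.pack("!I", 86400))], yiaddr="192.0.2.77"),
]

if __name__ == "__main__":
    for txn in summarize_transactions(SAMPLE_PACKETS).values():
        print(txn)
```

Keying on the transaction id is what ties the client's identity (MAC, hostname) to the address the server actually assigned, which is the mapping an analyst later needs when pivoting from an IP in a netflow or webrequest record back to a device.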

Detection Improvements

  • TRES-975: Improved detection of Turla malware family.
  • TRES-1103: Improved detection of CVE-2015-1701.
  • TRES-1023: Improved detection of Padodor malware family.

Bug Fixes and Improvements

  • TRES-927: Improved detection of malicious JAR files.
  • PLTF-1220: Fixed issue that under some rare circumstances could lead to significant delays in correlation of network events.
  • MALS-3091: Fixed a bug in the Analyst API utilities "submit_files.exe" and "submit_files.py" that would truncate files when uploaded from a Microsoft Windows system.
  • USER-3993: Fixed an issue in the Alert Suppression wizard where the outcome Action needed to be capitalized.
  • TRES-1105: Improved PE authenticode certificate blacklisting capabilities.
  • FEAT-4829: Suppression rules for network events can now include constraints on what host tags are defined for the affected hosts.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

KnowledgeBase features deprecation schedule

The following KnowledgeBase features will be deprecated with this release:

  • To improve performance, the KnowledgeBase clustering service will be discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings will remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you cannot search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase will no longer provide the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

Deprecation of Lastline Checkpoint Integration

Lastline's integration with the Check Point firewall will be removed in the next release of Lastline Defender and Analyst Hosted, 2020.1. The Check Point VPN-1 firewall product the Lastline integration supports is no longer supported by Check Point.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1141

Lastline Supported Browsers

With this release, we will support the current versions of Google Chrome, Apple Safari, Mozilla Firefox and Microsoft Edge for Windows. Support for issues identified with versions of Internet Explorer, as well as any other unlisted browsers, will be on a best-effort basis; identified bugs will only be addressed in currently supported browsers.

Distribution Upgrade

Sensor 1141, which is being made available as part of this release, is supported only when running on Ubuntu Xenial as the underlying operating system distribution.

Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", you will need to upgrade to Sensor 1051.4, then upgrade the running distribution to Ubuntu Xenial before upgrading to Sensor 1141. For detailed instructions on how to perform a distribution upgrade please see the following instructions. This update is not done automatically, to prevent unexpected downtime.
