Lastline Defender and Analyst Hosted Release Notes

Version 2020.2

New Features

  • UI Support for filtering on host tags in events
  • Introduce "can search knowledgebase" permission
  • Additional Links to Kibana
  • DNS Tunnel anomaly sidebar
  • New event verification evidence sidebar
  • Installation-specific feed of Network IoCs

UI SUPPORT FOR FILTERING ON HOST TAGS IN EVENTS

Host tags are frequently used for setting context on hosts seen on the network. Security analysts can now use host tags when filtering event lists to quickly identify events for hosts with a certain tag.

This new feature was tracked internally as FEAT-4023.

INTRODUCE "CAN SEARCH KNOWLEDGEBASE" PERMISSION

A new permission "can search knowledgebase" has been introduced that controls access to the intelligence tab of the Lastline Portal and the ability to search using Lastline's knowledgebase API.

Non-administrator accounts will need to be granted this permission by their administrators to maintain access to this functionality.

This new feature was tracked internally as PLTF-1308.

ADDITIONAL LINKS TO KIBANA

Lastline Defender now makes it easier for security analysts to investigate network data related to a specific event or host by providing links that pre-populate the required queries in the Network Explorer (Kibana) interface. These links take the security analyst to the query interface in Kibana with the correct filters and time range already applied.

This new feature was tracked internally as FEAT-5068.

DNS TUNNEL ANOMALY SIDEBAR

Lastline Defender includes a new anomaly detection interface (sidebar) that is available from intrusions flagged for unusual DNS tunneling. This sidebar describes the detector and presents the specific data that served as evidence for the detection.

This new feature was tracked internally as FEAT-4891.

NEW EVENT VERIFICATION EVIDENCE SIDEBAR

Lastline now provides additional information on evidence related to Event Verification. Event Verification is a feature that updates each event with an indication of whether the attack succeeded or failed. The new interface for Event Verification provides information on how this verification was implemented.

This new feature was tracked internally as FEAT-4746.

INSTALLATION-SPECIFIC FEED OF NETWORK IOCS

Lastline can now generate an installation-specific feed of Network Indicators of Compromise (IoCs) that are relevant to a customer's network. The Network IoC feed currently consists of:

  • IP addresses
  • domain names

These are suspicious IPs and domains that have been observed in network detections in the customer network, or that have been observed during detonation of samples captured in the customer network.

This feed of Network IoCs can be exported using the existing notification backends:

  • syslog (in CEF or LEEF formats)
  • email
  • streaming API
  • HTTP post

This new feature was tracked internally as FEAT-4738.
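Because the IoC feed can be delivered over syslog in CEF, a consumer on the SIEM side needs a parser that handles the CEF header escapes (`\|`, `\\`) and extension escapes (`\=`, `\\`) correctly before the indicators are trusted for matching. The following is an added example written for these notes, not Lastline's code; it follows the public ArcSight CEF layout, and the vendor, product and extension-field names (`dhost`, `dst`, `cs1`/`cs1Label`) are constructed placeholders rather than Lastline's actual feed schema. The sample lines are constructed as well.

```python
"""Parse CEF syslog lines and pull out network IoCs (added example, not Lastline code).

Assumptions (constructed for this example, not Lastline's real schema):
  - the indicator type is carried in cs1 (labelled by cs1Label=iocType)
  - domain indicators arrive in dhost, IP indicators in dst
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample lines; vendor/product names are placeholders.
SAMPLE_LINES = [
    r"CEF:0|ExampleVendor|ExampleNTA|1.0|ioc-domain|Network IoC|5|dhost=malicious.example.test cs1Label=iocType cs1=domain",
    r"CEF:0|ExampleVendor|ExampleNTA|1.0|ioc-ip|Network IoC|5|dst=198.51.100.23 cs1Label=iocType cs1=ip",
    r"CEF:0|ExampleVendor|Example\|NTA|1.0|ioc-domain|Network IoC|5|dhost=Evil.Example.Test. msg=path\=C:\\temp cs1Label=iocType cs1=domain",
    r"CEF:0|ExampleVendor|ExampleNTA|1.0|ioc-ip|Network IoC|5|dst=not-an-ip cs1Label=iocType cs1=ip",
    "not a CEF line at all",
]

HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]

# An extension key is a run of word characters followed by '=' at the start of
# the extension or after whitespace; '=' inside values must be escaped as '\='.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")


def split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\ escapes.

    Returns (header_fields, remaining_extension_text)."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])   # escaped pipe or backslash: literal
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if len(fields) < 7:
        raise ValueError("incomplete CEF header")
    return fields, line[i:]


def unescape_ext(value: str) -> str:
    """Resolve CEF extension escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 with spaces' into a dict; values run up to the next key."""
    matches = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = unescape_ext(ext[start:end].strip())
    return out


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into header fields plus an 'extension' dict."""
    header, ext = split_header(line)
    if not header[0].startswith("CEF:"):
        raise ValueError("missing CEF: prefix")
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    rec["version"] = header[0][len("CEF:"):]
    rec["extension"] = parse_extension(ext)
    return rec


def extract_iocs(lines: List[str]) -> List[Dict[str, str]]:
    """Return normalised indicators; malformed lines and invalid values are dropped."""
    iocs: List[Dict[str, str]] = []
    for line in lines:
        try:
            rec = parse_cef(line)
        except ValueError:
            continue                      # not CEF: skip rather than guess
        ext = rec["extension"]            # type: ignore[assignment]
        ioc_type = ext.get("cs1")         # constructed convention, see docstring
        if ioc_type == "domain" and ext.get("dhost"):
            value = ext["dhost"].lower().rstrip(".")   # normalise for matching
        elif ioc_type == "ip" and ext.get("dst"):
            try:
                value = str(ipaddress.ip_address(ext["dst"]))
            except ValueError:
                continue                  # refuse indicators that are not real IPs
        else:
            continue
        iocs.append({"type": ioc_type, "value": value,
                     "signature": str(rec["signature_id"]), "severity": str(rec["severity"])})
    return iocs


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_LINES):
        print(ioc)
```

Normalising domains (lower-case, no trailing dot) and validating IPs before they enter a blocklist avoids both duplicate entries and a feed line with a malformed value silently producing a rule that never matches.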

Detection Improvements

  • TRES-999: Improved detection of batch files spawning Visual Basic Script files.
  • TRES-1214: Improved detection of CVE-2020-0601.
  • TRES-1272: Improved detection of Darkshell rootkit drivers.
  • TRES-1243: Improved detection of Ursnif macro based samples.
  • TRES-1237: Improved detection of malicious MS Office documents that abuse subDocument tags to load an external document.
  • TRES-1171: Improved detection of Mansabo trojan.
  • TRES-1137: Improved detection of XL4 macros in Office documents.
  • TRES-1029: Implemented detection of signed binary proxy execution (MITRE T1218).

Bug Fixes and Improvements

  • FEAT-4941: Analyst API now accepts ELF binaries for analysis. The analysis of ELF binaries will be limited to static detection of internal structure.
  • USER-4175: Fixed an issue related to the alert suppression rule editor where the matching expression parser was unnecessarily appending an "AND()" clause at the end of a rule causing the editor validation to break.
  • USER-4168: The attack stages tooltip under the intrusion profile now shows the relevant threat accurately.
  • SENT-2703: Fixed an issue where performing any action on a quarantined message processed in a previous calendar month would cause the generation of a duplicate event in the UI.
  • TRES-1282: Improved URL extraction during PDF analysis.
  • SENT-2685: Fixed an issue where the sensor could upload conflicting verification information on network events. More specifically, the issue caused correct verification outcomes to be associated with incorrect verifier names.
  • PLTF-1142: The lastline_test_appliance utility can now check syslog for evidence of processes killed by OOM (out of memory).
  • FEAT-5065: NTA records in Kibana are now enriched with the user-selected name of the sensor that generated them, if available.
  • FEAT-4962: Improved annotation of file analysis failures. The report overview exposes more detailed information for cases in which the sandbox failed to analyze a sample (e.g. a file or document).

New Linux kernel: Reboot Recommended

Lastline has upgraded the Linux kernel running on the sensor from 4.4.0 to 4.15.0, which improves support for more recent hardware. A reboot is recommended after performing the Sensor upgrade.

When running the appliance in a VMware virtual machine, you may experience a kernel boot lockup under the following conditions:

  • In the VM settings, hypervisor.cpuid.v0 = FALSE (this is not the default)
  • VMware version 6.5 or 5.5 on Intel Xeon CPU E5-2620 v2/v4

If this issue is encountered while upgrading, steps for a workaround can be found here.

Software Update CDN

The installation and update services of Lastline appliances need to connect to external servers for downloading software and data bundles. With this release, Sensor 1160 supports downloading large files from content distribution network (CDN) servers; this feature is enabled by default.

As CDN hosts are geographically distributed, the contacted hosts may vary from system to system, and hosts outside the documented list may be contacted for downloads. Please be aware that with this setting enabled, firewalls may need to be updated to allow the download traffic.

Detailed steps on how to disable this setting can be found in the Lastline Installation Guide.

Deprecation of API Methods

The following API Method has been deprecated with this release:

  • /papi/blacklist/export

For more details, the Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of this deprecated method with a supported method.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1160.2

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 on June 30, 2020. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.
