Lastline Defender and Analyst Hosted Release Notes

Version 2020.3

COVID-19 Announcement

For more information on Lastline preparedness and response during the COVID-19 outbreak visit this page.

New Features

  • New Network Analysis Rules UI
  • Added support for NTA rules matching on host properties
  • Display MAC Address and Hostname in Event Details
  • LLKB UI - Filtering by Industries no longer supported
  • Social Engineering attempt detection in malicious MS Office documents
  • New appliance swap in/out metric graphs

NEW NETWORK ANALYSIS RULES UI

Security Analysts can now create custom detections and receive alerts for them. These custom detections are expressed as network rules, written in a rule language similar to the Elasticsearch query language and typically expressed as metadata matches on network protocol data. The user interface provides a guide to help create simple rules, and the rule language details are available for expressing more complex scenarios. Note again that these detections operate only on network metadata.

This new feature was tracked internally as FEAT-5499.

ADDED SUPPORT FOR NTA RULES MATCHING ON HOST PROPERTIES

It is now possible to add network analysis rules that match on properties of the source/destination host. These new properties allow matching on the host's category and on the applications, operating system, and services detected on the host.

This new feature was tracked internally as FEAT-4934.

DISPLAY MAC ADDRESS AND HOSTNAME IN EVENT DETAILS

Lastline has enhanced device identification to include additional metadata. The MAC address of the machine is now used as a key identifier in addition to the IP address and other metadata. With this release, Lastline includes the MAC address in the event lists as an additional attribute alongside the host IP and host name.

This new feature was tracked internally as FEAT-5596.

SOCIAL ENGINEERING ATTEMPT DETECTION IN MALICIOUS MS OFFICE DOCUMENTS

The Lastline document analysis system now detects attempts at social engineering. The system uses Optical Character Recognition (OCR) to recognize the text in images embedded in MS Office documents, and detects whether the user is asked to perform certain actions, such as enabling macros or clicking on an icon.

This new feature was tracked internally as FEAT-4328.

NEW APPLIANCE SWAP IN/OUT METRIC GRAPHS

To provide more visibility into the load of an appliance, a set of new graphs, swap memory in and swap memory out, has been added to the Admin > Appliances > Metrics > Load view.

This new feature was tracked internally as USER-4058.

Detection Improvements

  • FEAT-5003: Added correlation rule that correlates exfiltration activity with other indications of compromise into intrusions.
  • TRES-1341: Ursnif Gen13 now properly detected.
  • TRES-1362: Improved detection of phishing PDF files.
  • TRES-1321: Improved detection of Sytro malware family.
  • TRES-1308: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
  • TRES-1273: Improved detection of Service and Driver components of Turla malware.
  • TRES-1102: Improved detection of Nemucod malware family.
  • TRES-1096: Improved detection of ransomware using a stealth technique to move files.
  • TRES-1483: Improved detection of CMSTP (MITRE ATT&CK ID T1191).
  • TRES-1396: Improved detection of Ursnif.
  • TRES-1293: Identify QEMU detection by Visual Basic 6 malware.
  • TRES-1161: Improved detection of binaries built using AutoIt.

Bug Fixes and Improvements

  • LLANTA-986: Fixed a bug in the API that returns the data used to display the intrusion blueprint graph, which in some conditions resulted in an incorrect graph layout.
  • CINF-389: Fixed the upload of appliance-monitoring data when using an HTTPS proxy.
  • SENT-2713: Fixed a problem in the Suricata reassembler that would prevent the extraction of files in certain corner cases.
  • USER-4247: To streamline the appliance management workflow in the portal, the default landing page for the main menu Admin button has been updated to point to the Appliances Overview page.
  • SENT-1149: Fixed an issue in the way Suricata computes protocol statistics that caused the amount of UDP traffic processed by the appliance to be reported incorrectly.
  • MALS-3019: The Lastline Analyst API will no longer support mmh3 hashing. As a result, calling query_file_hash with a mmh3 hash will no longer return any results.

Knowledgebase Feature Deprecation

The following KnowledgeBase feature is being deprecated with this release:

  • Industries information remains available and is displayed under the summary returned by searches in the Intelligence page. However, this information can no longer be used as a filter to refine your search. Filtering by detection severity, antivirus label or file type remains available.

REMOVAL OF LASTLINE TANIUM INTEGRATION

This release deprecates support for the legacy Tanium API integration for threat hunting.

Deprecation of API Methods

The Lastline Analyst API will no longer support mmh3 hashing. As a result, calling query_file_hash with a mmh3 hash will no longer return any results.

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

Lastline Sensor version 1170

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 on June 30, 2020. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.
