Version 2020.6
New Features
- Introduced configurable data retention for network pcaps in UI
- Added capability to block URL reputation events
- Removed the processing of events outside the home network
- Added Lastline-defined host tags to enhance correlation accuracy
- Introduced event list sidebar to replace row expansion
- Added signature evidence sidebar to threat card views
INTRODUCED CONFIGURABLE DATA RETENTION FOR NETWORK PCAPS IN UI
The number of days that network pcaps will be retained is now configurable through the manager UI under the Appliance configuration > data retention tab. The default is set to 183 days.
This new feature was tracked internally as FEAT-5928.
ADDED CAPABILITY TO BLOCK URL REPUTATION EVENTS
The sensor now has the capability to perform blocking on URL reputation events. URL reputation events that are considered suspicious enough to trigger a block event will attempt to do so on sensors where a blocking methodology compatible with the HTTP protocol has been configured. It should be noted that, due to the characteristics of the pipeline, we cannot guarantee blocking of the first interaction with a given URL.
This new feature was tracked internally as SENT-2832.
REMOVED THE PROCESSING OF EVENTS OUTSIDE THE HOME NETWORK
The definition of a home network in the network settings now has an impact on the content being analyzed by the sensor. The sensor will no longer analyze artifacts, produce alerts or attempt blocking for traffic where both endpoints are outside the configured home network.
This new feature was tracked internally as FEAT-5894.
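A small simulation of the home-network rule described above, added here as an example (not Lastline's code): a flow is analyzed, alerted on, or blocked only when at least one endpoint falls inside a configured home network. The CIDR list and sample flows are constructed; the function names are assumptions.

```python
"""Simulate the 2020.6 home-network rule: traffic where both endpoints are
outside the configured home network is skipped. Constructed example, not
Lastline's implementation."""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed stand-in for the home network defined in the manager's network settings.
HOME_NETWORKS = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8:acad::/48"]


def parse_home_networks(cidrs: Iterable[str]):
    """Parse CIDR strings into network objects (strict=False tolerates host bits set)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_home(addr: str, networks) -> bool:
    """True if addr belongs to any home network of the same IP version."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip.version == n.version and ip in n for n in networks)


def should_analyze(src: str, dst: str, networks) -> bool:
    """Skip only when BOTH endpoints are outside the home network."""
    return is_home(src, networks) or is_home(dst, networks)


def triage(flows: List[Tuple[str, str]], cidrs: Iterable[str]):
    """Return [(src, dst, verdict)] with verdict 'analyze', 'skip' or 'invalid'."""
    nets = parse_home_networks(cidrs)
    out = []
    for src, dst in flows:
        try:
            verdict = "analyze" if should_analyze(src, dst, nets) else "skip"
        except ValueError:
            verdict = "invalid"  # surface unparsable endpoints instead of silently dropping them
        out.append((src, dst, verdict))
    return out


SAMPLE_FLOWS = [  # constructed flows covering the cases a deployment will see
    ("192.168.1.20", "203.0.113.7"),         # internal client outbound: analyze
    ("203.0.113.7", "192.168.1.20"),         # inbound to internal host: analyze
    ("198.51.100.5", "203.0.113.9"),         # transit traffic, both external: skip
    ("10.5.5.5", "10.6.6.6"),                # lateral traffic inside home network: analyze
    ("2001:db8:acad::10", "2001:db8:1::1"),  # IPv6 home host outbound: analyze
    ("2001:db8:1::1", "2001:db8:2::2"),      # IPv6 both external: skip
    ("not-an-ip", "203.0.113.7"),            # malformed endpoint: flagged as invalid
]

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_FLOWS, HOME_NETWORKS):
        print(f"{src:>20} -> {dst:<20} {verdict}")
```

Note that a home network that is too narrow silently drops visibility into transit and external-to-external traffic, so the definition should be reviewed whenever address ranges change.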
ADDED LASTLINE-DEFINED HOST TAGS TO ENHANCE CORRELATION ACCURACY
The host tagging feature has been extended with Lastline-defined tags. Assigning these non-editable tags to known hosts in your environment will provide increased accuracy to threat correlations. Further details can be found here.
This new feature was tracked internally as FEAT-5874.
INTRODUCED EVENT LIST SIDEBAR TO REPLACE ROW EXPANSION
The event list UI no longer expands a row entry on click but instead opens a sidebar with a summary of the event. All the summary details are still there with additional information exposed at this top level. Access to the full event details is now made from the sidebar.
This new feature was tracked internally as FEAT-5735.
ADDED SIGNATURE EVIDENCE SIDEBAR TO THREAT CARD VIEWS
A signature evidence details sidebar has been added for threat evidence of type "Signature" and for "Unusual behavior" evidence that is signature-based. This sidebar will appear in the intrusions timeline and the host threats tab.
This new feature was tracked internally as FEAT-5729.
Detection Improvements
- TRES-1572: Improved detection of documents accessing geolocation services.
- TRES-1583: Improved detection of Snake ransomware.
- TRES-1199: Improved detection of malicious encrypted Excel document attachments in email.
- FEAT-5865: Improved the Lastline sensor's ability to perform reputation decisions based on the query arguments of a URL.
- TRES-1627: Improved detection of malicious XL4 weaponized XLS documents.
- TRES-1590: Improved detection of ZLoader.
Bug Fixes and Improvements
- FEAT-5391: The classification of devices from their observed network traffic has been improved by integrating data provided by Fingerbank.
- PLTF-1468: When clicking on the 'Logs' tab of the 'Files downloaded' page, the file download logs are now properly sorted by timestamp.
- MALS-3294: Removed SSDeep hash information extracted during static analysis of applications.
- FEAT-5905: A list of password candidates may be provided when submitting a URL using the analyst API. This list will be used if the URL is for encrypted content (like an encrypted archive).
- FEAT-6211: The version of Kibana has been upgraded to 7.7.1.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:
Lastline Sensor version 1200
End of Support For Dell R320 and Dell R420
Lastline has deprecated support for the Dell R320 and Dell R420 as of June 30, 2020. Our software is no longer certified for use on these platforms. For information on the hardware we continue to support, visit our hardware support page.