Lastline Defender and Analyst Hosted Release Notes

Version 2021.4

New Features

  • Home network to default to RFC-1918 private IP ranges if not configured.
  • Report source of flows in collector mode

Home network to default to RFC-1918 private IP ranges if not configured.

The home network setting has become increasingly important to Defender functionality. Home network information is taken into account throughout the detection and correlation pipeline, and is important to ensure accurate detection, classification and correlation of relevant threats.

For this reason, if a user has not configured a home network setting for a sensor group, we now default its home network to the standard RFC-1918 private IP ranges:

  • 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

For users who have already configured a home network for their sensor groups, nothing is changing, but we encourage all users to verify that their home network setting is appropriate for their environment.
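To illustrate the fallback described above and why the setting matters for detection, here is an added example (not Lastline's code) that resolves a sensor group's effective home network and uses it to classify the direction of a flow; the function names and the sample configuration are assumptions for the illustration.

```python
import ipaddress

# Fallback home network: the RFC-1918 private ranges listed in the release notes.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def effective_home_network(configured):
    """Return the home network for a sensor group as a list of networks.

    An explicitly configured list of CIDR strings wins; an empty or missing
    setting falls back to the RFC-1918 ranges.
    """
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in configured]
    return nets if nets else list(RFC1918_RANGES)


def is_home(ip, home):
    """True if the address falls inside any home network range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home)


def classify_flow(src, dst, home):
    """Classify a flow relative to the home network.

    This is the kind of decision a detection/correlation pipeline makes with
    the setting: the same packet is 'outbound' under one home network and
    'inbound' under another, which is why a wrong setting skews results.
    """
    src_home, dst_home = is_home(src, home), is_home(dst, home)
    if src_home and dst_home:
        return "internal"
    if src_home:
        return "outbound"
    if dst_home:
        return "inbound"
    return "external"


if __name__ == "__main__":
    # Constructed sample: no home network configured, so the fallback applies.
    home = effective_home_network([])
    print(classify_flow("10.1.2.3", "198.51.100.7", home))      # outbound
    # Constructed sample: a public prefix configured as the home network.
    custom = effective_home_network(["203.0.113.0/24"])
    print(classify_flow("10.1.2.3", "203.0.113.9", custom))     # inbound
```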

Report source of flows in collector mode

A new feature is being added to the sensor collector mode, which is used to ingest NetFlow data generated by external appliances such as routers. The goal is to let an investigator looking at NetFlow records in Kibana see which appliance generated them. For every collector instance defined in the "Flow Collection" section of the UI, the NetFlow record will now include the associated collector name. Additionally, if the collector instance explicitly lists the IP addresses of the appliances that generate the data, the sensor will also report the generator's IP address in the record, along with its reverse DNS resolution.

Detection Improvements

  • LLAM-7154: Improved detection of the Faceliker JavaScript clickbot.
  • LLAM-7057: Improved detection of XLSB documents that make use of malicious formulas.
  • LLAM-7335: Improved detection of malware that detects the presence of known hypervisors via the CPUID instruction.
  • LLAM-7313: Improved detection of samples that override SEH with a custom handler.
  • LLAM-7293: Improved detection of samples that make use of the CRC-32 checksum function.
  • LLAM-7289: Improved detection of samples that try to evade different analysis tools by checking for characteristic filenames.

Bug Fixes and Improvements

  • USER-5214: Fix the broken export link under the analysis report, caused by a redundant 'papi'. The export link is hidden in NSX mode.
  • USER-5336: The download link (ISO link) for Pinbox will only be displayed to Lastline users.
  • PLTF-2455: Fix an issue that could prevent Active Directory login events from being processed correctly. This would result in information about user logins being missing from "Active Directory login events" in the UI.
  • PLTF-2424: Fix a bug that could lead to incorrect data being displayed in the "Daily Infected Hosts by Impact" graph in generated reports.
  • USER-5356: Fix an issue that could cause a global search query for IP addresses to return data unrelated to the queried addresses.
  • FEAT-6954: In the previous release, a race condition in the collection of analyst task results occasionally caused an analyst task to be marked completed, with its results available and an error attached, only after a four-hour timeout. This release fixes the race condition: analyst tasks now complete, and their full results become available, as soon as the analysis is done.

Deprecation of API Methods

The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:

  • Lastline Sensor version 1270