1. NEW AND IMPROVED
1.1. Improved Alerts representation
One of the biggest changes of this release is the way we operate with Alerts. The scope includes the following:
1.1.1. Alerts list refactoring
We are introducing a fresh, modernized design to the Alerts List, enhancing visual clarity, and making it easier for users to quickly grasp critical information. The new UI maintains a clean and organized appearance, ensuring a seamless and aesthetically pleasing user experience.
Clicking on one of the Alerts expands it, uncovering more detailed information organized in three tabs:
In addition to that, a user can easily filter the Alerts by clicking on the filter icon and choosing the fields:
There is also the functionality to set the time range for displaying the Alerts by simply clicking on the calendar icon:
1.1.2. Severity instead of Alerts Score
In response to evolving industry standards and to provide users with a more intuitive experience, we have transitioned from the use of "Alerts Score" to the more universally recognized term, "Severity."
Implemented Severity levels are:
This update affects multiple parts of the interface. Firstly, the Alerts list, as presented in 1.1.1 above.
Secondly, the Alerts sidebar:
Finally, integrations, including the SIEM integration (Syslog Forwarder), where the value is transferred in numerical form. Basic log format (CEF):
Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Device Event ClassID|Name|Severity|[Extension]
The other affected integrations are Slack Notifications, Microsoft Teams Notifications, SMTP Notification and Webhook.
1.1.3. Extended MITRE mapping
Added mapping for the "Fake credential usage detected" alert, which occurs when the two-way integration detects usage of the fake credentials.
1.2. Services health monitoring
Starting from this release, system service statuses can be checked right from the web interface.
To do this, navigate to Nodes, choose the node you are interested in, and click on the three dots to see the results:
The services include:
1. For Management Console (AdminVM):
2. For Worker Node(s):
1.3. Extended Alerts info in Public API
Starting from the current release, when retrieving a specific alert via the Public API you get extended information about it:
This includes data about the attacked Point, which is:
A detailed description of the REST API is accessible via your Labyrinth appliance:
https://
1.4. New integration: Energy LogServer
As a result of the Labyrinth and Energy Logserver technology partnership, the Labyrinth Deception Platform is now officially supported by Logserver. This integration allows for easy delivery of deception data into Logserver, where data analysis, correlation, and visualization take place.
An advanced dashboard in Logserver shows all trapped attacks that have been detected by Points (network decoys which act as autonomous hosts in the network, running different services to attract an attacker) in the Labyrinth Deception Platform.
Energy Logserver is a modular platform which provides Log Management, SIEM and SOAR technologies.
More information about Energy Logserver and their latest release is available on their official website.
1.5. New integration: webhooks
The purpose of the integration is to send alerts via HTTP(S) to the URL specified in the form.
For input you need:
Here is an example of the payload sent to the webhook URL:
{
"alert": {
"reason": "Port scan detected (TCP SYN, e.g. nmap -sS -T4)",
"timestamp": "2023-09-06T13:04:03Z",
"destination_ip": "172.16.71.143",
"id": "167015ad-3d6d-4295-a2e1-b188c99333a7",
"source_ip": "172.16.254.2",
"honeynet": "208vlan",
"location": "labdev",
"hostname": "candlewood",
"point_id": "1c-5c3bba4e",
"point_ip": "172.16.71.143",
"point_type": "1c",
"mitre_te": "T1595",
"mitre_ta": "TA0043"
}
}
1.6. Updated Wordlists view
The Settings -> Wordlists view was updated to show the wordlists in a single table, similar to the tables in the rest of the interface (e.g. Points, Point types, Honeynets):
Displayed information includes:
Field | Description |
---|---|
Name/ID | Name of the wordlist, chosen by the user |
Type | Wordlist type. Can be any of the following: Hostnames, Usernames, Passwords. |
Words count | The number of words in the dictionary |
In Use | Indicates if the wordlist is in use in the Honeynet/Point type configuration. |
Description | Brief description |
By clicking on the three dots, the following actions are available:
Only unused wordlists can be deleted.
In addition to that, the form to add new wordlists was updated as well:
1.7. Logo update
The Labyrinth redesign is reflected in the interface as well.
As of this release, you can see the new logo on:
1. The login page
2. Top bar
2. FIXES
2.1. Fixed ICS MITRE mapping for "Attempt to manipulate on CPU state (s7comm request)"
We used to classify "Attempt to manipulate on CPU state (s7comm request)" as TA0108 : T0866 (Initial Access : Exploitation of Remote Services).
After examining this event in more detail, it was confirmed that the classification had to be changed to TA0104 : T0858 (Execution : Change Operating Mode).
Updated alert mapping:
2.2. CEF message missing correct Labyrinth version and Severity level
The alert message sent to the SIEM via syslog did not include the correct Labyrinth version and Severity level. Now the current Labyrinth version is provided in the Common Event Format (CEF) header, and Severity is provided both as a numeric value in the CEF header field and as its string representation in a CEF extension field (e.g. severity=Low):
CEF:v2.0.54-3|Labyrinth Technologies|Point|0|LAB_ALERT|Connection to SMB resource detected|4|src=172.16.254.2 dst=172.16.66.104 pointType=samba-users honeynetID=honeynet01 location=labdev dvc=172.16.66.104 dvchost=thalassa deviceExternalId=samba-579df1d1 severity=Medium cs3=TA0007 cs3Label=Tactic cs4=T1135 cs4Label=Technique cs1=Connection to file share has been detected cs1Label=Description cs2=Identify the host of the source IP. Identify the owner of this host. Recommendation: Verify previous activity from Source IP. Continue monitoring Source IP activity. cs2Label=Playbook
Here the Labyrinth version is v2.0.54-3 and the severity is Medium (numeric representation: 4).
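As an added example (not Labyrinth's own code) covering both the webhook payload in 1.5 and the CEF syslog line in 2.2: a small Python parser that reads each encoding and maps both onto one set of alert fields, so a collector or SIEM can correlate alerts arriving over either channel. The sample payload and CEF line are constructed copies of the ones shown in these notes, and the names in `CEF_HEADER` are my own labels for the header positions.

```python
import json
import re
# Constructed sample inputs, shaped like the two alert encodings in these notes:
# the webhook JSON payload (section 1.5) and the CEF syslog line (section 2.2).
WEBHOOK_BODY = b'''{"alert": {"reason": "Port scan detected (TCP SYN, e.g. nmap -sS -T4)",
 "timestamp": "2023-09-06T13:04:03Z", "id": "167015ad-3d6d-4295-a2e1-b188c99333a7",
 "source_ip": "172.16.254.2", "destination_ip": "172.16.71.143", "honeynet": "208vlan",
 "location": "labdev", "hostname": "candlewood", "point_id": "1c-5c3bba4e",
 "point_ip": "172.16.71.143", "point_type": "1c", "mitre_te": "T1595", "mitre_ta": "TA0043"}}'''
CEF_LINE = ("CEF:v2.0.54-3|Labyrinth Technologies|Point|0|LAB_ALERT|"
            "Connection to SMB resource detected|4|src=172.16.254.2 dst=172.16.66.104 "
            "pointType=samba-users honeynetID=honeynet01 location=labdev severity=Medium "
            "cs3=TA0007 cs3Label=Tactic cs4=T1135 cs4Label=Technique "
            "cs1=Connection to file share has been detected cs1Label=Description")

# Header layout as used on this page: the first field carries the Labyrinth version.
CEF_HEADER = ("version", "vendor", "product", "device_version",
              "event_class_id", "name", "severity_num")
# Extension values may contain spaces (cs1, cs2), so locate each `key=` instead of splitting on whitespace.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_cef(line: str) -> dict:
    # Seven pipes delimit the header; everything after them is the extension.
    if not line.startswith("CEF:") or len(parts := line[4:].split("|", 7)) != 8:
        raise ValueError("malformed CEF message")
    msg = dict(zip(CEF_HEADER, parts[:7]))
    msg["severity_num"] = int(msg["severity_num"])
    ext_text, ext = parts[7], {}
    keys = list(_EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    msg["extensions"] = ext
    return msg

def normalize_cef(line: str) -> dict:
    # Project the CEF message onto the field names the webhook payload uses.
    ext = (msg := parse_cef(line))["extensions"]
    return {"reason": msg["name"], "source_ip": ext.get("src"), "destination_ip": ext.get("dst"),
            "point_type": ext.get("pointType"), "mitre_ta": ext.get("cs3"), "mitre_te": ext.get("cs4"),
            "severity": ext.get("severity"), "severity_num": msg["severity_num"]}

def normalize_webhook(body: bytes) -> dict:
    # Reject a POST body that lacks the fields a correlation rule relies on.
    required = ("reason", "source_ip", "destination_ip", "point_type", "mitre_ta", "mitre_te")
    alert = json.loads(body)["alert"]
    if missing := [k for k in required if k not in alert]:
        raise ValueError(f"webhook payload missing fields: {missing}")
    return {k: alert[k] for k in required}
```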
2.3. Insufficient TLS certificate validation may lead to unpredictable results
When a TLS certificate and key were uploaded in Settings -> General -> SSL/TLS Certificate, you might get unpredictable results under the following conditions:
According to RFC 5246 Section 7.4.2, the certificate chain has a strict order: the server's certificate first, then the intermediates, then the Certificate Authority / Root CA; otherwise it is invalid. Validation of the chain order has been added to avoid such mistakes.
2.4. Generation may hang under some circumstances
Under unpredictable conditions the Generation process of seeder tasks could hang for a long period of time. This case appeared rarely but required Labyrinth support involvement. The underlying race condition has been fixed in the current version.