L A B Y R I N T H

Loading

Gartner Peer Insights Labyrinth the First Finalists for the ECSO CISO Choice Award 2025

1. NEW AND IMPROVED 

1.1. Improved Alerts representation 

One of the biggest changes of this release is the way we operate with Alerts. The scope includes the following: 

1.1.1. Alerts list refactoring 

We are introducing a fresh, modernized design to the Alerts List, enhancing visual clarity, and making it easier for users to quickly grasp critical information. The new UI maintains a clean and organized appearance, ensuring a seamless and aesthetically pleasing user experience. 

Clicking on one of the Alerts will expand it uncovering more detailed information, which includes three tabs: 

  • Details – more detailed description of the Alert, which includes MITRE mapping, Point info, and Additional info, which can be different for different Alert Reasons; 
  • Events – shows events that are related to the Alert; 
  • Activity – indicates the changes to the Alert status made by a user. 

In addition to that, a user can easily filter the Alerts, by clicking on the filter icon and choosing the fields: 

There is also the functionality to set the time range for displaying the Alerts by simply clicking on the calendar icon: 

1.1.2. Severity instead of Alerts Score 

In response to evolving industry standards and to provide users with a more intuitive experience, we have transitioned from the use of "Alerts Score" to the more universally recognized term, "Severity." 

Implemented Severity levels are: 

  • Low 
  • Medium 
  • High 
  • Critical 
  • Unknown

This update affects multiple parts of the interface. Firstly, it is Alert list as presented previously on page 2. 

Secondly, Alerts sidebar: 

Finally, integrations, including SIEM Integration (Syslog Forwarder). The value is being transferred in numerical form. Basic log format (CEF): 

Jan 18 11:07:53 host CEF:Version|Device Vendor|Device Product|Device Version|Device Event ClassID|Name|Severity|[Extension] 

The rest of the integrations includes Slack Notifications, Microsoft Teams Notifications, SMTP Notification, Webbook. 

 

1.1.3. Extended MITRE mapping 

Added mapping for Fake credential usage detected – alert that occurs when two-way integration detects usage of the fake credentials. 


1.2. Services health monitoring 

Starting from this release, we added functionality to check system service statuses right from the web interface.  

For this you should navigate to the Nodes and choose the node that you are interested in. After that, click on three dots to get the results: 

The services include: 

1. For Management Console (AdminVM): 

  • API – backend 
  • Celery 
  • Consul Server 
  • Curator 
  • Elasticsearch 
  • Elastalert 
  • MongoDB 
  • PostgreSQL 
  • RabbitMQ 
  • Redis 
  • Nginx 
  • NTP server 
  • Xch server (wireguard / vpn keys exchange) 
  • Docker

2. For Worker Node(s): 

  • Consul Agent 
  • Honeycontainers  
  • Honeynetman 
  • IPtables logger 
  • Seeder-proxy-svc 
  • net-dhcp  
  • NTP client 
  • Docker 


1.3. Extended Alerts info in Public API 

While acquiring more information about specific alert via Public API, starting from the current release you get extended information about it: 

This includes data about the attacked Point, which is: 

  • Point type 
  • Point ID 
  • Point IP 
  • Point Hostname 
  • Honeynet ID 

A detailed description of the REST API is accessible via your Labyrinth appliance:  

                         https:///api/v1/documentation 


1.4. New integration: Energy LogServer 

As a result of the Labyrinth and Energy Logserver technology partnership, the Labyrinth Deception Platform is now officially supported by Logserver. This integration allows for easily delivery of deception data into Logserver, where data analysis, correlation, and visualization occur. 

Advanced dashboard in Logserver shows all trapped attacks which has been detected by Points (network decoys which act as autonomous hosts in the network with different services to attract an attacker) in Labyrinth Deception Platform. 

Energy Logserver is a modular platform which provide LogManagement, SIEM and SOAR technologies. 

A green and blue triangle with a exclamation markDescription automatically generatedMore information about Energy Logserver and their latest release is available on their official website

 

1.5. New integration: webhooks  

The purpose of the integration is to send alerts via HTTP(S) to the URL specified in the form.

For input you need: 

  • Enable - on/off; 
  • Webhook  URL - a field where the client can specify the URL of the webhook; 
  • Verify TLS - check the server certificate in case of HTTPS or ignore it. 

Here is example of payload which is sent to webhook URL: 

  "alert": { 

    "reason": "Port scan detected (TCP SYN, e.g. nmap -sS -T4)", 

    "timestamp": "2023-09-06T13:04:03Z", 

    "destination_ip": "172.16.71.143", 

    "id": "167015ad-3d6d-4295-a2e1-b188c99333a7", 

    "source_ip": "172.16.254.2", 

    "honeynet": "208vlan", 

    "location": "labdev", 

    "hostname": "candlewood", 

    "point_id": "1c-5c3bba4e", 

    "point_ip": "172.16.71.143", 

    "point_type": "1c", 

    "mitre_te": "T1595", 

    "mitre_ta": "TA0043" 

  } 

 

1.6. Updated Wordlists view 

The view of the Settings->Wordlists was updated with a view of the Wordlist in a single table similarly to the tables that are present in the rest of the interface (e.g. Points, Point types, Honeynets, etc.): 


 

Displayed information includes: 

Field  Description
Name/ID  Name of the wordlist, chosen by the user
Type Wordlist type. Can be any of the following: Hostnames, Usernames, Passwords. 
Words count
The number of words in the dictionary 
In Use  Indicates if the wordlist is in use in the Honeynet/Point type configuration.
Description Brief description 

By clicking on three dots, the following actions are available: 

  • Edit; 
  • Download; 
  • Delete. 

A green and blue triangle with a exclamation markDescription automatically generated

Only unused wordlists can be deleted. 

 

In addition to that, the form to add new wordlists was updated as well: 

1.7. Logo update 

Redesign of the Labyrinth found its implementation in the interface as well.  

As for this release, you can witness new logo on: 

1. The login page 

2. Top bar 


2. FIXES 

2.1. Fixed ICS MITRE mapping for “Attempt to manipulate on CPU state (s7comm request)" 

We used to classify Attempt to manipulate on CPU state (s7comm request) as TA0108 : T08066 ( Initial Access : Exploitation of Remote Services ).  

After examining this event in more detail, it was confirmed that it was necessary to change the classification to TA0104 : T0858 ( Execution : Change Operating Mode ). 

Updated alert mapping: 

2.2. CEF message missing correct Labyrinth version and Severity level 

Alert message which was sent to SIEM via syslog did not include the correct Labyrinth version and Severity level. Now the current version of Labyrinth is provided in Common Event Format (CEF) fields. Also Severity is provided in CEF field as a numeric value and it’s string representation in CEF extension field (e.g. severity=Low): 

CEF:v2.0.54-3|Labyrinth Technologies|Point|0|LAB_ALERT|Connection to SMB resource detected|4|src=172.16.254.2 dst=172.16.66.104 pointType=samba-users honeynetID=honeynet01 location=labdev dvc=172.16.66.104 dvchost=thalassa deviceExternalId=samba-579df1d1 severity=Medium cs3=TA0007 cs3Label=Tactic cs4=T1135 cs4Label=Technique cs1=Connection to file share has been detected cs1Label=Description cs2=Identify the host of the source IP. Identify the owner of this host. Recommendation: Verify previous activity from Source IP. Continue monitoring Source IP activity. cs2Label=Playbook 

Here version of Labyrinth is v2.0.54-3, severity=Medium (numeric representation – 4). 

2.3. Insufficient TLS certificate validation may lead to unpredictable results 

When TLS certificate and key was uploaded in Settings -> General -> SSL/TLS Certificate you may got unpredictable results due the following conditions: 

  1. TLS certificate and key are of correct PEM format 
  2. TLS key corresponds to provided TLS certificate 
  3. TLS certificate includes full chain of certificates (server, intermediate, CA) in wrong order 

According to RFC 5246 Section 7.4.2 certificates chain has strict order: server’s certificate, intermediates, Certificate Authority / Root CA. Otherwise it is invalid. Validation of this case has been added to avoid such mistakes. 

2.4. Generation may hang due some circumstances 

Due unpredictable conditions Generation process of seeder tasks may hang up for a long period of time. This case rarely appears but needs Labyrinth support involvement. This race condition has been fixed in the current version. 

Subscribe to our Newsletter

You successfully subscribed!