
Flowmon Anomaly Detection System (ADS) Release Notes

Version 11.4

  • Last Updated: May 1, 2026

Version 11.4.2

Date: 2021-11-22

Fixed issues:

  • A comma in the filter name no longer causes issues when the filter is used in False Positive rules.

  • Fixed an issue that caused email notifications with weekly summaries to not be aligned with the calendar week.

  • When the MITRE ATT&CK chapter is exported as CSV in Dashboard & Reports, it now respects the 'Tactics only' option.

Known issues:

  • Some of the method-specific attributes in Event Detail are presented twice and are formatted differently. This issue is valid for several methods (submethods). For example:

    • DHCPANOM:ServerOverloadNetwork - Average=2500 and AvarageTraffic=2.44 KiB

    • DICTATTACK:FTPProtocol - Average=3600 and AverageDuration=3s 600ms

    • IPV6TUNNEL:TeredoTunnel - Description=[teredo.managemydedi.com] and Descriptions=teredo.managemydedi.com

  • When exporting a report as CSV, the 'Flow Overview' chapter does not contain data unless the 'All series' check box in chapter settings is checked out (Edit chapter > Widget > Time series chart > All series).

Version 11.4.1

Date: 2021-10-26

What's new:

  • Added user guide for Czech and Japanese languages.

Fixed issues:

  • 157474: Fixed an issue that caused high memory consumption on slave collectors in DA (Distributed Architecture) installations.

  • 157208: MISP blacklists are now updated correctly.

  • The update of false-positive rule usage statistics was optimized for installations with a large number of false-positive rules. A slow update could lead to peaks in the flow chart.

Known issues:

  • Some of the method-specific attributes in Event Detail are presented twice and are formatted differently. This issue is valid for several methods (submethods). For example:

    • DHCPANOM:ServerOverloadNetwork - Average=2500 and AvarageTraffic=2.44 KiB

    • DICTATTACK:FTPProtocol - Average=3600 and AverageDuration=3s 600ms

    • IPV6TUNNEL:TeredoTunnel - Description=[teredo.managemydedi.com] and Descriptions=teredo.managemydedi.com

  • When exporting a report as CSV, the 'Flow Overview' chapter does not contain data unless the 'All series' check box in chapter settings is checked out (Edit chapter > Widget > Time series chart > All series).

Version 11.4.0

Date: 2021-09-30

What's new:

  • False-positive rule processing was reimplemented, and rules are now applied directly to the flow data instead of to detected events. This change results in a more accurate baseline, which improves the reliability of the information provided by event details and boosts system performance.

    • False-positive rules are now applied on the backend before detection methods process the flow data.

      • Flow data that match the false-positive rule definition are dropped before processing.

      • The 'Time Validity' parameter (previously 'Detection Time') can restrict when the false-positive rules are evaluated. Only flow data that match the rule and have a start time inside the 'Time Validity' interval are dropped.

    • A new false-positive usage chart was added and replaces the false-positive usage count. It indicates the rule usage within ten-minute intervals for the last day and one-hour intervals for the last week.

    • Evaluation of false-positive rules now has a much lower impact on the system performance.

  • Method instances can be configured as part of the perspective definition to provide a more granular event reporting configuration.

    • The advanced form in Perspectives allows configuring different method instances to different priorities.

  • The event chart now comes with more pleasant colors that are less tiring and help users navigate between the chart and the legend.

    • Event chart is now available in two modes - Modern and Contrast.

      • Modern:

        • This mode is the same chart with an adjusted gradient to improve readability.

        • Method legend now corresponds with the colors in the chart to improve navigation.

      • Contrast:

        • This mode uses no gradient in either the event chart or the method legend, to achieve the best readability and navigation.

  • You can select the chart mode by clicking on the settings icon in the Events chart. The settings in the dialog are only temporary. The permanent settings can be changed on the User Settings page.

  • Syslog messages are extended with the method instance name (for all methods) and the blacklist name (for method BLACKLIST) to help users filter and process Syslog messages in third-party tools such as a SIEM.

  • Flowmon categories are mapped to events without MITRE ATT&CK to help explain detected events to the users.

  • MITRE ATT&CK mapping was updated to the latest version 9.

  • Improved content and formatting of the TXT file that can be exported from Event Evidence.

    • The file contains all information from Event Detail including event attributes.

  • In an effort to improve the product, a feature that collects solely non-personally identifiable data about the appliance configuration - including usage statistics, enabled features, and general configuration - has been introduced. It does NOT collect customer data stored on or processed by Flowmon appliances. You can review the collected data in Configuration Center / System / System Settings / Maintenance / Product usage data collection. When enabled, it sends collected data to external servers through a secure communication channel. It is enabled by default and can be disabled in Configuration Center / System / System Settings / Maintenance / Product usage data collection.

Fixed issues:

  • 7636411: ANOMALY now shows the correct number of the source's communication peers in Event Detail.

Known issues:

  • Some of the method-specific attributes in Event Detail are presented twice and are formatted differently. This issue is valid for several methods (submethods). For example:

    • DHCPANOM:ServerOverloadNetwork - Average=2500 and AvarageTraffic=2.44 KiB

    • DICTATTACK:FTPProtocol - Average=3600 and AverageDuration=3s 600ms

    • IPV6TUNNEL:TeredoTunnel - Description=[teredo.managemydedi.com] and Descriptions=teredo.managemydedi.com

  • The user guide for Czech and Japanese languages is currently unavailable and will be available in the upcoming 11.4.x releases (prior to the stable version).
