Version 12.2

Version: 12.2.1

Date: 2023-11-29

Copyright © 2007 - 2023 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

This package can be used for new installations or upgrades of the Flowmon Anomaly Detection System (ADS) on the Flowmon appliance.

Support information

If you need any help, contact our Support team at the Flowmon Support and Learning Hub.

Compatibility

• This package is compatible with Flowmon OS 12.3.0 or higher.
• This package is compatible with Flowmon Packet Investigator 12.2.0 or higher.

Dependencies

The following table summarizes the minimum required versions of Flowmon OS and Flowmon ADS for various versions of the package.

The table only lists versions with dependency changes.

---

ADS pkg version	Minimum required version of Flowmon OS	Minimum required version of ADS upg / standard package	Notes
12.2.0	12.3.0	11.1.1*	*ADS 12.0.4+ is needed when upgrading FM to 12.3.0
12.1.0	12.2.0	11.1.1*	*ADS 12.0.4+ is needed when upgrading FM to 12.2.0
12.1.0	12.2.0	11.1.1*	*ADS 12.0.4+ is needed when upgrading FM to 12.2.0
12.0.0	12.0.0	11.1.1*	*ADS 11.2.4+ is needed when upgrading FM to 12.0.0
11.4.1	11.1.9	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.9
11.3.2	11.1.7	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.7
11.3.0	11.1.6	10.0.0*	*ADS 11.1.1+ is needed when upgrading to 11.1.6
11.2.0	11.1.0	10.0.0*	*ADS 11.1.1+ is needed when upgrading FM to 11.1.0
11.0.4	11.0.1	10.0.0

Installation

The installation requires a Flowmon ADS license.

To upgrade from previous major versions, a license with Gold or Platinum support is required.

The installation and uninstallation process of Flowmon ADS 11 restarts the flow collector for a short period of time, during which the flow data is not collected.

This will affect traffic charts in the Flowmon Monitoring Center and the event chart in Flowmon ADS.

1. Download the package from the Support portal. Do NOT unpack it.
2. Log in to the Flowmon Configuration Center on your Flowmon appliance.
3. Open the Versions page.
4. Click Import package and select the installation package.
5. Wait until a notification is displayed informing that the update was successful.

After upgrading from a previous major version, the web UI may display incorrectly with visual artifacts like missing text. If this happens, clear the browser cache.

To clean the local storage in the Firefox/Chrome browser:

1. Press F12 to open developer tools
2. Select the Console tab.
3. Type the following command: localStorage.clear();
4. Press Enter to confirm the command.

Notes

The Czech and Japanese translations (user guide and texts added or changed in the UI) might not be available with beta releases. The translations will be available with the stable release at the latest.

Changes in version 12.2.1 (2023-11-29)

FIXED ISSUES:

• Columns of MITRE ATT&CK matrix chapter now always fit the PDF page size and do not overflow.

• Fixed 3rd party Curl library CVE-2023-38545 vulnerability.

• Attached flows in Event Evidence now show server time instead of local time.

• The increase of Threat Score must now be at least +20% compared to previous value to show the hosts in the Analysis Summary.

• Start time of triggered traffic record is now explained better in the user guide.

Previous releases

Version 12.2.0 (2023-10-05)

WHAT’S NEW:

• IDS (Intrusion Detection System) events analysis on the Analysis page.

  • To streamline investigation of IDS events, we have introduced a new IDS event analysis with the same visuals and workflows. You can drill-down to IDS events level in the same way as for ADS events. The IDS event detail also contains related IDS events and related flows with a link to the FMC (Flowmon Monitoring Center) Analysis for a quick analysis on a flow level. Related flows in Event Evidence are available for events detected after the upgrade to version 12.2.0.

  • Dashboards can be populated with IDS-related widgets and reports can be populated with IDS related chapters.

  • This feature can be enabled by installing the Flowmon IDS Probe package on the Flowmon Probe and enabling IDS Collector in the Flowmon ADS. For Flowmon IDS Probe package download and more information about installation, configuration, and tuning refer to the Support portal (Knowledge Base > Flowmon Integrations).

• Analysis summary and threat score.

  • The Analysis page now contains an automated summary of the most important findings and notable events in the selected time interval. It also includes a brand-new Threat Score that helps you to prioritize and focus on important threat actors or hosts of interest.

    • Analysis Summary considers the selected time interval and compares it with the previous interval of the same length.

    • Analysis Summary highlights:

      • Hosts with the highest number or increase of events.

      • Hosts with the highest number or increase of threat score.

      • Methods with a significant increase of events or methods not present in the previous interval.

      • Increase or decrease of average flows per second. Number of flows not processed due to license limit (if any).

  • Calculation of the Threat Score considers various aspects, such as the count of detected events for a particular host, their priority, the number of targets in these events, and tactics from the MITRE ATT&CK framework that are assigned to the events.

  • ‘By hosts’ view on the Events page is now sorted using the Threat Score instead of the IP addresses.

• Application to IP mapping.

  • Flowmon ADS now provides additional network intelligence to map IP addresses to corresponding SaaS (Software as a Service) applications and platforms. This simplifies and streamlines the process of event analysis and investigation.

  • The information about the application or platform of a particular IP address is now available everywhere where you can see the external IP address (if the mapping exists) with the exception of Event Evidence.

    • Icons next to the IP address were redesigned for better visual clarity. Each icon is in its own frame. There are up to three possible icons:

      • Country icon (already available),

      • Application icon (added in this version),

      • Blacklisted IP icon (redesigned in this version).

  • 'General IP information' now contains the Application tab with the application name and logo, category, homepage and description.

  • The 'Targets' window and tab in Event Detail now contains a 'By application' view that aggregates events targetted by mapped application.

  • Event tables can be extended with an optional 'Application' column. It shows applications with source or target IP addresses of the detected event. This column is hidden by default.

• Application blacklists.

  • New application blacklists are available to alert on communications with undesired applications and shadow IT.

  • Application blacklist can be added as a new local blacklist in Settings > Processing > Blacklists. Users can select from more than 1,500 applications and 30 application categories when creating an application blacklist.

  • Communication with a blacklisted application is detected as a standard event by the BLACKLIST method.

• Flows not processed due to the license limit are now shown.

  • Flows that exceed the license limit and are not processed are now shown in the Flows chart on the Analysis page in addition to the Analysis Summary.

• DICTATTACK method was improved.

  • The false positives rate that was caused by long-lasting connections is now lowered.

  • Detection is now more precise for services such as HTTP & HTTPS, and other services that use multiple ports.

• SCANS method was improved.

  • Legitimate connection attempts no longer cause false positives.

• There is a new documentation platform for the user guide.

  • The user guide is now available online using the standard Progress platform https://docs.progress.com/. The online user guide is available in English, Czech, and Japanese. The language is selected based on the browser language (with English as a fallback).

  • The PDF version is available from the Flowmon appliance directly when the online version is not reachable.

• REST API User guide now contains changelog.

• VirusTotal added to default external services.

  • External IP queries are available from the context menu of an IP address.

• MITRE ATT&CK mapping updated to version 13.

• The severity of SYSCHECK warning messages about disabled methods has been increased to trigger syslog reporting.

• PHP upgraded to version 8.1, compatibility with Flowmon 12.3 and Flowmon Packet Investigator 12.2.

FIXED ISSUES:

• 187203: CSV files exported from Flowmon ADS now include UTF-8 BOM (Byte Order Mark). The absence caused a problem when opening the CSV files with the Japanese language in Excel.

• 192365: Fixed translation of "Delete events marked as false positives" in Czech version of user guide to better explain the functionality.

• 192655: Content changes of Filters are now correctly propagated to corresponding False Positive rules.