
Flowmon Anomaly Detection System (ADS) Release Notes

Version 12.3

  • Last Updated: May 1, 2026

Introduction

We are excited to announce the features and enhancements implemented in version 12.3 of Flowmon ADS. This release:

  • Significantly improves the insights that the dashboards provide into the security situation
  • Streamlines your analysis workflows
  • Adds a new layer for per-tenant user/role management and access to data
  • Improves detection accuracy and tuning options of the DNS traffic detection methods

Flowmon ADS 12.3.3 release date: 17th July 2024

Let us know your feedback

Customers helped to choose and validate some of the features that went into this release. We want to hear from you to continue to improve Flowmon ADS. You can request to join and participate in pre-release activities on the Flowmon Customer Validation Program (CVP) and vote on and submit your product ideas on our ideas portal. Thank you for helping to make Flowmon ADS better!

Note

This is a new format of release notes. You can find the release information (installation, requirements, and so on) at the bottom of this page.

The fixed and known issues for 12.3.x bug fix versions are available below the What's New in Flowmon ADS 12.3? section.

If you are using tenants (in the Configuration Center) or want to start using tenants in Flowmon ADS, review the Installation section.

What's New in Flowmon ADS 12.3?

Analysis Summary and Threat Score widgets in Dashboard & Reports

Dashboard & Reports are extended with two new widgets that help you quickly assess the security situation and focus on the most severe threat actors and hosts of interest. You can use these new widgets both in dashboards and reports.

You can now add Analysis summary (which was introduced in Flowmon ADS Analysis in the previous version) as a widget or a report chapter. The widget contains summary information that provides actionable insights. It compares the selected period with the previous one of the same length, allowing you to see what has changed, what the most important threat actors or hosts of interest are, and overall, how the security situation is evolving.

Analysis summary widget on the dashboard

Note

When editing the Analysis Summary widget, you can select what sections (flows/s, events, threat score, and methods) will be displayed. Sections cannot be selected if they were previously disabled in ADS settings (disabling sections is now possible - refer to the Other Changes section for more details). You can also switch method codes to full names (for example, from "DOHDET" to "Communication with DoH servers").

Threat Score was also introduced in the previous Flowmon ADS version as a way to help pinpoint the most important threat actors or hosts of interest and help you prioritize your investigation work. It takes into account various aspects, such as the count of detected events, their priority, the number of targets, variety of tactics from the MITRE ATT&CK framework, and others. New widgets will show you the top 10 hosts sorted by the highest threat score.

Threat Score widget on the dashboard

Warning

The new widgets are not currently automatically added to your dashboards and reports or the predefined SecOps dashboard. If you want to use the new widgets you must add them manually.

How to enable new widgets

The new widgets are located in Flowmon Dashboards and Reports. You can add them to your dashboard by using the New widget button at the bottom of your dashboard or by clicking Add chapter when creating or editing a report.

Adding new widgets to a dashboard

Adding new widgets (chapters) to a report

Streamlined event analysis workflow

The security dashboard provides a comprehensive overview of the security situation. It helps you prioritize your next step of investigation, which almost always requires getting additional insights directly from Flowmon ADS. To make the transition from the dashboard or report to Flowmon ADS as smooth as possible, we extended the context menu for IP addresses and methods in Flowmon ADS widgets. Now you can go from a dashboard or report directly to Flowmon ADS by clicking the IP address or method of interest and selecting the option from the new context menu.

New context menu for IP addresses and methods

Selecting the option from the menu opens a prefiltered view in Flowmon ADS with the relevant events or hosts so that you can quickly continue with your analysis.

Relevant view in Flowmon ADS with prefilled filters

This feature is enabled by default (for Flowmon ADS widgets only). You can use it once your dashboard is populated with Flowmon ADS widgets or from chapters in Reports.

Multi-tenancy

Flowmon ADS introduces MSP-level multi-tenancy to allow separate data spaces and isolated configuration for individual tenants on a single Flowmon appliance. Flowmon ADS now respects tenants defined in the Flowmon Configuration Center. Thanks to this feature, multiple tenants can use the system simultaneously without any awareness of each other.

New admin layer of Tenant Admin to address per tenant user/role management.

Note

You can still use Flowmon in single-tenant mode after the upgrade. You are not required to create any new subtenants or change any configuration if you are not using (and do not want to use) tenants.

In the Flowmon Configuration Center, you can set which flow sources or profiles a tenant has access to. You can then assign profiles to a particular data feed in the Flowmon ADS. Users can only see data (configuration, reported events, and so on) from the tenant they are members of.

Warning

Using a multi-tenant environment in Flowmon ADS has certain specifics that are described in the user guide in the Introduction → Tenants chapter.

Check the specifics, especially if you are using Syslog and SNMP reporting, want to enforce an FPS (flows per second) limit to tenants, are unable to upgrade to version 12.3, or in general want to learn more about how multi-tenancy works in Flowmon ADS.

The applicable REST API endpoints now include the tenantId field, providing information about the associated tenant.

How to enable multi-tenancy

If you have not used multi-tenancy yet and would like to start, go to Flowmon Configuration Center → System → User Settings → Tenants and follow the steps described on the Tenants page.

Create tenants in the Flowmon Configuration Center

Assign sources and/or profiles to a tenant

Note

If you only want to assign a specific interface of a flow source, you need to create a profile with a channel just for that interface.

Then, use the profile in the tenant definition (just the profile, do not assign the flow source). To define the channel, use the sourceport filter:

sourceport "<sourcename>":"<interfacename>" - filters flows exported from network interface <interfacename> on source <sourcename>. Use the autocomplete function to enter the name of the source and interface. Only names shown in the Sources page are supported.

Also, remember to create new roles and users in each tenant after creating the desired tenants. You must first switch to a specific tenant and then create new roles and users.

Switching to a different tenant using the user menu in the top-right corner

While in the respective tenant, create a new role

While in the respective tenant, create a new user

Then, you can switch to the Anomaly Detection System and configure individual tenants according to your needs without worrying that changing the configuration in one tenant will affect other tenants. You can find more details about Tenants in the Flowmon and Flowmon ADS user guides.

Data feed based on flow source assigned to a tenant

Improved detection for DNS traffic

Based on customer feedback and increased usage of TCP for DNS in today's networks, we reviewed and improved our methods for detecting DNS traffic anomalies.

The TCPDNS submethod in DNSANOMALY was extended with the IgnoreInternal parameter. When it is enabled, an additional check ensures that the destination IP is external. Use this parameter to remove detections of large DNS transfers using the TCP protocol that do not leave the monitored network. We also increased the upper limit (range) of the TCPTransferLimit parameter to 104 857 600 (that is, up to 100MB of TCP traffic in 5 minutes) to allow you to better tune the submethod sensitivity.

New parameter in TCPDNS submethod

The UnusualServer submethod in DNSANOMALY was extended with the ClientsToExclude parameter. This parameter lets you specify DNS servers that might sometimes have the role of a DNS client (for example, a recursive DNS server that tries to resolve a domain for a client if they do not have the translation) using a filter.

New parameter in UnusualServer submethod

The DNSQUERY method now provides better results for DNS requests sent over TCP. We adjusted the method to count one request as one flow for TCP traffic, instead of one request as one packet, which is valid for the UDP protocol. This change lowers the number of false positive detections on DNS requests sent using the TCP protocol.
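
The effect of IgnoreInternal, TCPTransferLimit and the DNSQUERY counting change can be seen in a simplified model. This is an added example, not Flowmon's detection code: the flow records, the 10.0.0.0/8 monitored range, the per-source aggregation and all function names are assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

WINDOW_S = 300                     # the limit applies per 5 minutes
MAX_TRANSFER_LIMIT = 104_857_600   # new upper bound of TCPTransferLimit (bytes)

# Constructed sample flows: (start_ts, src, dst, proto, dst_port, packets, bytes)
FLOWS = [
    (0,   "10.0.0.5", "10.0.0.53",    "TCP", 53, 9000, 60_000_000),  # stays internal
    (30,  "10.0.0.7", "203.0.113.9",  "TCP", 53, 5000, 30_000_000),  # leaves the network
    (200, "10.0.0.7", "203.0.113.9",  "TCP", 53, 4000, 25_000_000),  # same window and source
    (60,  "10.0.0.8", "198.51.100.2", "TCP", 53, 12,   1_800),       # ordinary TCP lookup
    (90,  "10.0.0.8", "198.51.100.2", "UDP", 53, 3,    240),         # three UDP queries
]
MONITORED = [ip_network("10.0.0.0/8")]  # assumed monitored (internal) range


def is_internal(ip, monitored=MONITORED):
    """True when the address lies inside the monitored network."""
    return any(ip_address(ip) in net for net in monitored)


def tcpdns_detections(flows, transfer_limit, ignore_internal):
    """Sources whose DNS-over-TCP volume in one 5-minute window exceeds the limit."""
    if transfer_limit > MAX_TRANSFER_LIMIT:
        raise ValueError("transfer_limit above the configurable range")
    totals = defaultdict(int)
    for ts, src, dst, proto, port, _pkts, nbytes in flows:
        if proto != "TCP" or port != 53:
            continue
        if ignore_internal and is_internal(dst):
            continue  # the transfer never leaves the monitored network
        totals[(ts // WINDOW_S, src)] += nbytes
    return sorted((w, s, b) for (w, s), b in totals.items() if b > transfer_limit)


def dns_request_counts(flows, tcp_per_flow):
    """Requests per source: UDP counts packets; TCP counts flows when tcp_per_flow."""
    counts = defaultdict(int)
    for _ts, src, _dst, proto, port, pkts, _nbytes in flows:
        if port != 53:
            continue
        counts[src] += 1 if (proto == "TCP" and tcp_per_flow) else pkts
    return dict(counts)


if __name__ == "__main__":
    limit = 50_000_000  # constructed tuning value, in bytes per window
    print("IgnoreInternal off:", tcpdns_detections(FLOWS, limit, False))
    print("IgnoreInternal on: ", tcpdns_detections(FLOWS, limit, True))
    print("per-packet counting:", dns_request_counts(FLOWS, tcp_per_flow=False))
    print("per-flow counting:  ", dns_request_counts(FLOWS, tcp_per_flow=True))
```

With IgnoreInternal on, only the transfer to the external address is still reported, and per-flow counting reduces the TCP sources from thousands of apparent requests to one per flow.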

How to adjust method parameters

You can configure the new parameter in method instance settings. Go to Flowmon ADS → Settings → Processing → Methods. Click the DNSANOMALY method, then the three-dot menu of the method instance and Edit instance. Then, go to the Parameters tab and after configuring the parameters click Save.

No settings changes are required for the DNSQUERY method.

Submethods can be disabled in the method instance configuration

Method instance settings now allow you to disable selected submethods. This can be especially useful when some of the submethods do not provide good results or are not important to you. You can also use it to temporarily disable the detection when encountering a high number of false positives.

Deactivated Peers, ActiveDevices, and PercentUnpaired submethods

Note

Previously, some submethods could have been disabled using the explicit parameter. With this change, the deactivation of submethods is unified for all detection methods.

How to disable submethods

You can disable submethods in the method instance configuration. Go to Flowmon ADS → Settings → Processing → Methods. Click the method you want to configure, then the three-dot menu of the method instance and Edit instance. Then, go to the Parameters tab, select the submethods to deactivate, and click Save.

Method instance configuration

Top targets added to event attributes

Attributes in Event Detail now contain the top 20 most relevant targets. The relevance differs across detection methods. For example, for the methods BITTORENT, COUNTRY, DIRINET, HIGHTRANSF, PEERS, and WEBSHARE, the considered targets are the ones with the most data transferred. For other detection methods, the targets are the ones with the highest number of flows. The top 20 targets can change as the event updates.

Top 20 targets in Event Detail

This feature is enabled by default.

Other changes

  • You can disable the Analysis Summary sections in Flowmon ADS → Settings → System Settings → General Settings. The setting is global and affects the displayed data in the Analysis Summary widget in Dashboard & Reports. Use the settings if you are not interested in particular sections or are experiencing a decreased loading speed of the Analysis page (in this case we recommend disabling "Threat Score" sections because they are the most resource intensive).
Analysis summary sections can be enabled/disabled in the General settings

Disabled sections cannot be displayed in Analysis Summary widget

  • As of Flowmon ADS 12.3, the Distributed Architecture (DA) configured in Flowmon ADS cannot work without equivalent Flowmon DA configured in Flowmon Configuration Center. Set up DA in Flowmon Configuration Center or disable DA in Flowmon ADS.

  • Connection to a MISP server now respects the Flowmon Proxy settings.

  • The following REST API endpoints were added:

    • /rest/ads/false-positives/{id}/activate
    • /rest/ads/false-positives/{id}/deactivate

Fixed issues

Issues fixed in Flowmon ADS 12.3.3

| Ticket number | Issue topic | Issue details | Resolution details |
|---|---|---|---|
| - | Event deletion | After upgrading from a version older than 12.3.0, events are not deleted according to the Storage settings → Delete events after parameter. | The events are now deleted correctly based on the settings. |
| - | Blacklists | Flowmon Origin blacklists available without standard or extended support are not being updated. | The blacklists are now correctly updated for customers without standard or extended support. |

Issues fixed in Flowmon ADS 12.3.2

| Ticket number | Issue topic | Issue details | Resolution details |
|---|---|---|---|
| 205218 | Event Detail | Event detail does not load. | Event details now open properly on installations with imported configurations from versions older than 12.3. |
| 205737 | Config Import | Importing configurations in subtenants fails while importing filters. | Fixed an issue that created inconsistent filters during the configuration import and caused the import to fail. |
| 205737 | Config Import | Importing configurations in subtenants fails while switched to the Czech or Japanese language. | Fixed an issue that might occasionally cause an error in translation methods and lead to import failure. |

Issues fixed in Flowmon ADS 12.3.1

| Ticket number | Issue topic | Issue details | Resolution details |
|---|---|---|---|
| - | Storage Settings | The "Delete events after" parameter does not work properly for events detected on versions lower than 12.3.0. | The parameter now works correctly. Undeleted events due to this issue are deleted after updating to this version. |

Issues fixed in Flowmon ADS 12.3.0

| Ticket number | Issue topic | Issue details | Resolution details |
|---|---|---|---|
| 197657 | IP details | Imported IP information (using the "IP details" feature) is shown only when the Application or WHOIS tabs are shown. | Imported IP information is shown regardless of other tabs in General IP Information. |
| 198036 | REST API | False-positive endpoints do not return the rule status (active/deactivated). | The relevant endpoints now return the active field containing a binary value (0 - deactivated, 1 - active). |
| - | Distributed architecture | Blacklists and BPATTERNs are sent from the Master Unit to the Slave Units every 5 minutes. | The Master Unit only pushes blacklists and BPATTERNs if there is some change after the update from the services portal (which occurs every 6 hours). |
| - | Filters | Filters with an "x" character on the third position in the name ("Zyxel", "_External DNS", and so on) are immediately deleted after creation or when renamed. | Filters with an "x" character in the third position in the name are no longer deleted. |
| - | Detection methods | SRVNA incorrectly evaluates unsuccessful requests from a client to a server, resulting in incorrect detection. | The SRVNA method implementation has been adjusted to count flows with only the TCP SYN flag as unsuccessful requests. |
| - | Detection methods | The behavior pattern SuspiciousExtService does not work properly when a customer uses public IP addresses in their local range. | SuspiciousExtService now works correctly even for public IP addresses in the local range (when added to a LAN filter). |
| - | Permissions | The "Source IP Filters" column in the method detail on the Analysis page showed all filter names regardless of the User Permissions settings. | The column now only shows filter names that are assigned to the user in the User Permissions settings. |

Known issues

  • The REST API calls only work in the tenant that the user was created in. Currently, there is no API call to switch tenant. This means that the base tenant admin cannot switch to the subtenant to adjust the configuration using the REST API.
  • When working in multiple browser tabs and switching to a different tenant in one tab, you should refresh the other tabs to prevent unexpected issues when making changes in tabs where the tenant was not manually switched.
  • Reports imported from configuration files generated in Flowmon ADS 12.3.0 or older do not contain report chapters created in Flowmon ADS → Report Chapters. The faulty imports are accompanied by the error message, for example: "Cannot display widget 'Events by type for all - Critical'. Please contact your administrator to grant you access to this chapter.". The affected reports need to be re-created.
  • Beta participants: If you have installed the Flowmon ADS 12.3.0 Beta and are using method instances in false-positive rules definitions, review the false-positive rules after the update. In some rare cases, the method instances in the false-positive rule configuration might change during the update to version 12.3.3.

Release Information and Installation

Flowmon Anomaly Detection System (ADS)

Version: 12.3.3

Date: 2024-07-17

This package can be used for new installations or to upgrade Flowmon ADS on a Flowmon appliance.

Copyright © 2007 - 2024 Progress Software Corporation and/or its subsidiaries or affiliates. All Rights Reserved.

Support information

For help, contact our Support team at the Flowmon Support and Learning Hub.

Compatibility

  • This package is compatible with Flowmon 12.3.5 or higher.

  • This package is compatible with Flowmon Packet Investigator 12.2.0 or higher.

Dependencies

The following table summarizes the minimum required versions of Flowmon and Flowmon ADS for various versions of the package.

The table only lists versions with dependency changes.

| Flowmon ADS version | Minimum required version of Flowmon | Minimum required version of ADS | Notes |
|---|---|---|---|
| 12.3.0 | 12.3.5 | 12.2.0 | |
| 12.2.0 | 12.3.0 | 11.1.1* | *ADS 12.0.4+ is needed when upgrading FM to 12.3.0 |
| 12.1.0 | 12.2.0 | 11.1.1* | *ADS 12.0.4+ is needed when upgrading FM to 12.2.0 |
| 12.0.0 | 12.0.0 | 11.1.1* | *ADS 11.2.4+ is needed when upgrading FM to 12.0.0 |
| 11.4.1 | 11.1.9 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.9 |
| 11.3.2 | 11.1.7 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.7 |
| 11.3.0 | 11.1.6 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading to 11.1.6 |
| 11.2.0 | 11.1.0 | 10.0.0* | *ADS 11.1.1+ is needed when upgrading FM to 11.1.0 |
| 11.0.4 | 11.0.1 | 10.0.0 | |

Installation

The installation requires a Flowmon ADS license. To upgrade from previous major versions, a license with the Standard or Extended support is required.

The first installation and uninstallation of Flowmon ADS restarts the flow collector for a short period of time, during which flow data is not collected. This affects traffic charts in the Flowmon Monitoring Center and the event chart in Flowmon ADS.

When upgrading to Flowmon ADS 12.3:
If you are using tenants (in the Configuration Center) or want to start using tenants, review the Migration to a multi-tenant environment section of the ADS User Guide prior to the update.

  1. Download the package from the Support portal. Do NOT unpack it.
  2. Log in to Flowmon Configuration Center on your Flowmon appliance.
  3. Open the Version page.
  4. Click Import package and choose the installation package.
  5. Wait until a notification is displayed informing that the update was successful.

After upgrading from a previous major version, the web User Interface (UI) may display incorrectly with visual issues like missing text. If that happens, try to clear the browser cache.

Cleaning local storage in Firefox/Chrome browser:

  1. Press F12 on your keyboard to open developer tools.
  2. Select the Console tab.
  3. Type the following command: localStorage.clear();
  4. Press enter to confirm the command.

Notes

The Czech and Japanese translations (user guide and texts added or changed in the UI) might not be available with beta releases. The translations will be available with the stable release at the latest.
