Key takeaways:
- False-positive rule processing now works from a more accurate baseline, which improves the reliability of the information in event details and boosts system performance.
- Method instances can be configured as part of perspective definition to provide a more granular event reporting configuration.
- Syslog messages have been extended to provide more detail when fed into 3rd-party tools.
- The event chart colors are friendlier to the eye and match the colors in the legend for quick navigation.
Accurate event details
False-positive rules are now applied on the backend before detection methods process the flows.
This principal architectural change gives detection methods more accurate baselines and prevents inaccuracies in event details, such as volumes of traffic that are not attributed to any source.
False-positive rules are now applied immediately after the filters: if no rule matches, the data goes on to the detection methods; if a rule matches, the flows are dropped before any detection method sees them.
Figure 1 – Charts of false positive usage over the past 24 hours and 7 days
This means that event details will always be accurate as far as false-positive rules are concerned, and the system load is greatly reduced.
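To illustrate the ordering change described above, here is an added toy model (not Flowmon code) of a flow pipeline. It assumes a hypothetical "detect first, suppress later" ordering for the earlier behaviour, a false-positive rule expressed as a set of ignored source IPs, and a detection method that is a plain per-destination volume threshold; the flows are constructed.

```python
"""Added illustration: why applying false-positive rules before detection
methods keeps event details consistent. Toy model, not Flowmon code."""
from collections import defaultdict

# Constructed sample flows (src, dst, bytes); no real traffic.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", 900),   # 10.0.0.5 is a known backup server
    ("10.0.0.7", "192.0.2.10", 150),
    ("10.0.0.8", "192.0.2.10", 100),
    ("10.0.0.7", "192.0.2.20", 50),
]
FP_RULE_SOURCES = {"10.0.0.5"}   # false-positive rule: ignore the backup server
THRESHOLD = 200                  # detection method: flag destinations above this


def apply_filters(flows):
    """Stage 1: generic filters (here: drop zero-byte flows)."""
    return [f for f in flows if f[2] > 0]


def apply_fp_rules(flows):
    """False-positive rules: drop flows whose source matches a rule."""
    return [f for f in flows if f[0] not in FP_RULE_SOURCES]


def detect(flows):
    """Detection method: per-destination volume plus contributing sources."""
    volume, sources = defaultdict(int), defaultdict(dict)
    for src, dst, nbytes in flows:
        volume[dst] += nbytes
        sources[dst][src] = sources[dst].get(src, 0) + nbytes
    return {dst: {"volume": v, "sources": sources[dst]}
            for dst, v in volume.items() if v > THRESHOLD}


def old_pipeline(flows):
    """Assumed earlier ordering: detect first, then hide matching sources in
    the event details. The event volume still contains the hidden bytes."""
    events = detect(apply_filters(flows))
    for ev in events.values():
        ev["sources"] = {s: b for s, b in ev["sources"].items()
                         if s not in FP_RULE_SOURCES}
    return events


def new_pipeline(flows):
    """11.4 ordering: filters -> false-positive rules -> detection methods."""
    return detect(apply_fp_rules(apply_filters(flows)))


def unattributed_bytes(event):
    """Bytes in the event volume that no listed source accounts for."""
    return event["volume"] - sum(event["sources"].values())
```

With the constructed flows, the old ordering reports an event on 192.0.2.10 with 1150 bytes of which 900 belong to no listed source, while the new ordering reports 250 bytes fully attributed to the two remaining sources.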
Granular event reporting
In a highly requested feature, Flowmon ADS 11.4 now allows you to configure the instances of methods, in addition to the methods themselves, when configuring perspectives. For instance, you can now assign different priorities to different instances of the same method, allowing a more granular configuration of event reporting.
Figure 2 – An UPLOAD method defined with a different priority in different perspectives
This functionality is highly practical for users who curate ADS-delivered security for other customers, as it enables them to manage their own instances as well as the method instances of their customers, making reporting clearer.
Detailed feeds for 3rd-party tools
Flowmon ADS feeding a 3rd-party tool via syslog now provides more granular detail.
We have extended the syslog messages with the method instance name and the blacklist name. This lets you sort detected events in a 3rd-party tool (e.g. a SIEM) by method instance or by the blacklist to which the reported IP/domain/URL belongs, and use that information further.
Thus, for example, a security provider using a blacklist will be able to discern and filter detected events in their SIEM from events detected by their customers using their own blacklists.
Event chart refresh
SOC operators will welcome changes to the event chart, which now comes in more pleasant colors that correspond to the method legend. The new visuals improve user comfort especially for users who spend long hours watching the chart.
Figure 3 – Improved event chart
You can also swap the axes of the chart or enable a contrast setting without gradients.
Figure 4 – Improved event chart in a contrast setting
Other improvements
Flowmon ADS 11.4 expands on the system’s built-in intelligence by providing its own categories for events that the MITRE ATT&CK matrix does not cover.
In this way, you get the same amount of context and additional explanation even in the case of events like WEBSHARE (potentially hazardous applications) or DNSANOMALY (potential DNS server misconfiguration or reconfiguration).
Figure 5 – A DNS traffic anomaly assigned to a Flowmon category of configuration issues
Lastly, much like the Monitoring Center and Packet Investigator, ADS now reports on the usage habits of users and provides us with insights to optimize the product.
Thank you for your feedback
This latest release of Flowmon ADS is all about your feedback. We always value your input and are hungry for more.
If you have any thoughts or impressions to share, please, let us know.