🆕 Key Improvements

• Computer-assisted report generated from all information available in a case

• Case history can be downloaded in Markdown format

• Multiple improvements to Dockerfile and Docker Compose

• Fixed pagination issues when large amounts of data are present in the database

• Expanded and improved documentation for ELSA workflows, providing clear guidance and reference material on using FlowIntel’s ELSA integration and related workflows.

Important

A new migration script is available for the computer-assisted report. Don’t forget to apply it to your database.

📦 Release Notes – 2.3.0 (2025-12-15)

New

• [feature] download history as markdown. [David Cruciani]
• [feature] computer assistate report for cases. [David Cruciani]
• [api] create a from with a misp event in json format. [David Cruciani]

Changes

• [version] 2.3.0. [David Cruciani]
• [misp] update flowintel object to misp with new field. [David
  Cruciani]
• [docker] move bin. [David Cruciani]
• [docker] entrypoint and ubuntu 24.04 + python 3.12. [David Cruciani]
• [docker] compose with postgres and valkey. [David Cruciani]
• [templating] description handling for add_task_case. [David Cruciani]
• [template] markdown editor for description in add_task_case. [David
  Cruciani]
• [module] add galaxies and tags on event. [David Cruciani]
• [launch] kill tail and killscript different. [David Cruciani]
• [description] markdown editor for creation and edition. [David
  Cruciani]
• [case] button for open/finished, new filter for cases. [David
  Cruciani]

Fix

• [pagination] limit number of element. [David Cruciani]
• [launch] config file missing. [David Cruciani]
• [test] org and user. [David Cruciani]
• [admin] org and user creation. [David Cruciani]
• [connector] case from misp with global_api and uuid usage. [David
  Cruciani]

Other

• Merge pull request #60 from vx3r/fix/task-creation-from-template.
  [David Cruciani]

  Fix Task creation from template

• Add notes and urls_tools from template to the task, default history
  directory, remove obsolete attribute. [antomer]

• Merge pull request #58 from flowintel/docker-dev. [David Cruciani]

  Docker fix and working

• Merge remote-tracking branch 'origin/main' into docker-dev. [David
  Cruciani]

• Merge pull request #56 from cudeso/new/vulnerability-disclosure-
  policy. [Alexandre Dulaunoy]

  Add SECURITY.md with vulnerability disclosure policy

• Add SECURITY.md with vulnerability disclosure policy. [Koen Van Impe]

  SECURITY.md file for reporting security vulnerabilities, responsible disclosure guidelines, and contact information.

• Merge pull request #55 from cudeso/new/ELSA. [Alexandre Dulaunoy]

  Add ELSA compliance and governance documentation - R-NF-ELSA-0001

• Fix minor typos. [Koen Van Impe]

• Add ELSA compliance and governance documentation - R-NF-ELSA-0001.
  [Koen Van Impe]

  Introduced a set of documentation templates and guidance for Flowintel deployments, including DPIA screening (controller and developer), GDPR guidance, NIS2 compliance considerations, ROPA templates, retention and purpose limitation mapping, law enforcement annex, and a security breach response procedure.

  These documents support controllers in meeting legal, regulatory, and operational requirements for data protection and incident management.

Contributions

Special thanks to @cudeso for his valuable contributions to this release.

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

🆕 Key Improvements

• Markdown support in descriptions for cases, tasks, and templates
• API key now blurred on the profile page
• New button to view finished tasks
• Added a safe installer version
• Multiple bug fixes and improvements

📦 Release Notes – 2.2.1 (2025-11-10)

Changes

• [case] button for open and finished tasks. [David Cruciani]
• [sidebar] avoid redirect. [David Cruciani]
• [account] password edition and creation. [David Cruciani]
• [account] bur api key. [David Cruciani]
• [import] remove unused import. [David Cruciani]
• [case history] remove 'Modif' [David Cruciani]
• [my_assignment] description in md. [David Cruciani]
• [description] support markdown. [David Cruciani]

Fix

• [launch] config file for test. [David Cruciani]

• [user] delete from task assignment. [David Cruciani]

• [task] collapse and description button. [David Cruciani]

• [case_connectors] see only connectors of current_user of global ones.
  [David Cruciani]

• [case_from_misp] error caused by is_updated_from_misp. [David
  Cruciani]

  hack_lu

Other

• Merge pull request #49 from cudeso/improvement/db-documentation.
  [David Cruciani]

  Improvement/db documentation

• Database documentation. [Koen Van Impe]

• Stop tracking config.py. [Koen Van Impe]

• Update README. [Koen Van Impe]

• Pandoc release+version; correct venv in install. [Koen Van Impe]

• Update doc for default config files. [Koen Van Impe]

• Have launch script take into account different venv options. [Koen Van
  Impe]

• Safer installer script and default config files. [Koen Van Impe]

Contributions

Special thanks to @cudeso for his valuable contributions to this release.

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

🆕 Key Improvements

• Case Management

  • Update a case directly from a MISP event
  • Merge cases together

• UI & Usability

  • New calendar option with case/task checkbox
  • Drag-and-drop support for task templates

• Integrations & API

  • Improved MISP integration (import and download cases with MISP-Objects)
  • Extended API with connector and case management improvements

• Stability

  • More robust, DB-agnostic migration scripts
  • Numerous fixes for clusters, connectors, and modules

📦 Release Notes – 2.1.0 (2025-10-16)

New

• [feature] update a case from a MISP event. [David Cruciani]
• [feature] merge case. [David Cruciani]

Changes

• [version] 2.1.0. [David Cruciani]
• [global] add modal to delete something. [David Cruciani]
• [footer] add api link. [David Cruciani]
• [calendar] checkbox for case and task. [David Cruciani]
• [tools] search attr. [David Cruciani]
• [templating] api for connectors. [David Cruciani]
• [connectors] display global instance and modify only by creator.
  [David Cruciani]
• [case_api] remove connectors from case creation and edition. [David
  Cruciani]
• [templating] connectors. [David Cruciani]
• [ui] minor. [David Cruciani]
• [modules] add description. [David Cruciani]
• [users] display orgs. [David Cruciani]
• [api] namespace to centralize api doc. [David Cruciani]
• [flask session] use of valkey. [David Cruciani]
• [case/importer] download and import case with misp-objects. [David
  Cruciani]
• [api.case] append note to existing ones. [David Cruciani]
• [case_template] drag and drop for task template. [David Cruciani]
• [navbar] empty activepage when navigating into navbar. [David
  Cruciani]
• [workflow] test for all branch. [David Cruciani]

Fix

• [orgs] deleting a default_orgs didn't delete org in case. [David
  Cruciani]

• [admin] user creation with new org. [David Cruciani]

• [case] module instance error. [David Cruciani]

• [case] misp_object_event. [David Cruciani]

• [home] globe for public case. [David Cruciani]

• [launch] move source into a function to avoid having error in test.
  [David Cruciani]

• [case] global_api_key in modules. [David Cruciani]

• [test] move tasks. [David Cruciani]

• [test] return error of pytest. [David Cruciani]

• [migration] use op.batch_alter_table for sqlite db. [David Cruciani]

• [migration] add some more test. [David Cruciani]

• [doc] Update funding section in README. [Alexandre Dulaunoy]

  Added funding information and updated logos.

• [flowintel-modules] function instead of var. [David Cruciani]

• [case] update clusters. [David Cruciani]

• [global] multiple error with clusters. [David Cruciani]

• [connector] global api key visible by anyone. [David Cruciani]

• [template.connector] remove admin only. [David Cruciani]

• [misp_object_event] attribute update. [David Cruciani]

• [case] fork. [David Cruciani]

• [case/task] notifications. [David Cruciani]

• [case] select type of misp-attr. [David Cruciani]

• [misp-object] creation from misp + select sender. [David Cruciani]

Other

• Merge pull request #43 from sebdraven/main. [David Cruciani]

  Enhances database migration robustness

• Enhances database migration robustness. [Sebastien Larinier]

  Improves the reliability of database migrations by adding checks for existing tables and columns before attempting to create or modify them.
  This prevents errors during migration rollouts, especially in environments where migrations might have been partially applied.

  Specifically, changes include:

  • Using SQLAlchemy's inspect module to check for table and column existence.
  • Replacing try...except OperationalError blocks with conditional checks using the inspector.
  • Dropping indexes before dropping columns to avoid errors.
  • Updating column types safely using the inspector to fetch the column type.

• Merge pull request #40 from Jeremy-
  Bussy/connector_identifier_based_on_uuid. [David Cruciani]

  Use event uuid instead of event id for connector identifiers

• Use event uuid instead of event id for connector identifiers.
  [Era'Zon]

• Merge pull request #41 from Jeremy-Bussy/connector_in_case_template.
  [David Cruciani]

  Add connectors in case template

• Add connector in case template && Add global attribute to connectors
  && Fix "Sortable: el must be an HTMLElement, not [Object null]" in
  case_template_view that appeared sometimes on mounted. [Era'Zon]

Contributions

Special thanks to @sebdraven and @Jeremy-Bussy for their valuable contributions to this release.

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

🚀 Flowintel 2.0 – A New UI for Analysts

Flowintel is an open-source platform designed to help analysts and incident responders manage, investigate, and collaborate on cases efficiently.

It brings together case management, task tracking, timelines, and collaboration tools into a single analyst-friendly environment.

Flowintel also provides deep integration with MISP: you can publish cases as MISP events, create MISP object observables directly from cases, and import MISP events back into Flowintel for investigation and tracking.

In addition, Flowintel includes an easy-to-use templating system that helps standardize and reproduce intelligence or DFIR workflows. This makes it easier to share consistent processes and best practices across teams.

With version 2.0, Flowintel introduces a major redesign of the user interface, making workflows smoother, faster, and more intuitive.

✨ Highlights of the New UI

🆕 Key Improvements

• Updated sidebar with persistent state (local storage support)
• New drag-and-drop (SortableJS) to reorder tasks effortlessly
• Revamped calendar, now powered by FullCalendar.js with month picker
• Cleaner layout with relocated buttons for less clutter
• Added a footer for better navigation and status info
• Moved filters from collapsible panels to a dedicated modal
• Case UI refinements: tags editing inline, note editor, orgs/links visibility, improved timeline

📦 Release Notes – 2.0.0 (2025-09-02)

New

• [ui] Added footer. [David Cruciani]

Changes

• [version] Bumped to 2.0.0. [David Cruciani]
• [sidebar] New design with active page + toggled state stored in localStorage. [David Cruciani]
• [case.ui] Major refactor: title, actions, tags editing, org links, connectors tab, improved tasks view. [David Cruciani]
• [task] Introduced drag-and-drop (SortableJS) for task reordering. [David Cruciani]
• [calendar] FullCalendar integration with month picker. [David Cruciani]
• [timeline.ui] Styling improvements and background tweaks. [David Cruciani]
• [account] Updated UI and API key change support. [David Cruciani]
• [misp-objects] Object relation support. [David Cruciani]
• [search_attr] Improved visibility – show only relevant or public cases. [David Cruciani]
• [template.ui] Unified interface with case views. [David Cruciani]

Fixes

• [ui] Adjusted main height and word wrapping. [David Cruciani]
• [base] Added "scroll to top" button. [David Cruciani]
• [app] Fixed sidebar link error. [David Cruciani]
• [task] Fixed issues with reordering finished tasks, tag filtering, and template note deletion. [David Cruciani]

Other

• Merge pull request #38 from sebdraven/main – Feature: User-aware case search. [Sebastien Lariner]
• Merge pull request #39 from flowintel/feature/ui-changes. [David Cruciani]

👉 This release represents a big step forward in usability and lays the groundwork for more powerful analyst-centric features in upcoming versions.

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

New Features

• Search for attribute values to find previous cases containing the same MISP-Objects
• Added a guide for using Flowintel with PostgreSQL in production environments

Bug Fixes

• Fixed issues when exporting cases, tasks, and MISP-Objects to MISP
• Fixed migration scripts
• Improved pagination on the case index page to correctly display the number of cases specific to your organisation
• Fixed an error in the importer

Video

There is a recorded training available on YouTube

1.6.2 (2025-07-30)

New

• [feature] search for attributes value. [David Cruciani]
• [workflow] python 3.9. [David Cruciani]

Changes

• [version] 1.6.2. [David Cruciani]
• [doc] case example + readme. [David Cruciani]
• [misp-modules] table and case creation. [David Cruciani]
• [common] for module misp fix. [David Cruciani]
• [sidebar] reorganization of links. [David Cruciani]
• [config] production config. [David Cruciani]
• [db] forgot db file for last commit. [David Cruciani]
• [case.misp-object] disable correlation. [David Cruciani]
• [login] flash for invalid email. [David Cruciani]

Fix

• [db.py] issue with custom tags and notifications field size.
  [mehdi.safla]

• [migration] url_tool as NULL. [David Cruciani]

• [case_connector] var name. [David Cruciani]

• [migration] old script. [David Cruciani]

• [misp-module] task url/tool. [David Cruciani]

  new object, multiple identifier for same instance

• [task] filter. [David Cruciani]

• [case_api] doc. [David Cruciani]

• [case] pagination. [David Cruciani]

• [templating] edit. [David Cruciani]

• [importer] ref import. [David Cruciani]

Other

• Merge pull request #33 from MehdiSafla/main. [David Cruciani]

  Production deployment: doc, .env, db schema fix

• Add: [.env, doc] production deployment and directives. [mehdi.safla]

• Merge pull request #34 from Rileyy-2/main. [David Cruciani]

  Update misp_modules_result.html

• Update misp_modules_result.html. [Rileyy-2]

  Changing the "null" attribution to three attributes which overwrites potential previous set values. Instead, it attributes the "null" value only if the key is not set in the object.

• Fix invalid escape sequences. [David Cruciani]

  fix invalid escape sequences

• Fix invalid escape sequences. [LukeVader]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

This release introduces a new feature:

• Correlation for attribute value between cases

Bug Fixes

• Fixed issues related to dockerfile
• Resolved task template error

1.6.1 (2025-07-01)

New

• [feature] correlation for attribute value between cases. [David
  Cruciani]

Fix

• [error] syntax for 3.9 and url form for task template. [David
  Cruciani]
• [tool] bad quote. [David Cruciani]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

This release introduces several new features, including:

• Templates for notes that can be reused across cases
• Importing a Flowintel template into a case
• Creating a case from a MISP event
• A timeline view based on MISP-Objects included in a case
• Full API support for these features

Improvements

• Enhanced analyzer section with the ability to manage MISP-Objects directly from the results page
• Improved dashboard with new graphics and visual enhancements

Contributions

• Fixed the Docker installation script
• Added a macOS installer script
• Added compatibility fixes for Rocky Linux
• Corrected various minor typos

Bug Fixes

• Fixed issues related to case notes
• Resolved problems with exporting
• Various fixes on the dashboard

Don't forget to do a git pull before executing update.sh

1.6.0 (2025-06-11)

New

• [api] note template. [David Cruciani]

• [feature] note template. [David Cruciani]

• [api] import case template. [David Cruciani]

• [importer] case template. [David Cruciani]

• [feature] create a case from a misp event. [David Cruciani]

  Need some more verification

• [timeline] history and misp-objects. [David Cruciani]

Changes

• [version] 1.6.0. [David Cruciani]

• [case ui] tab name. [David Cruciani]

• [case] remove unused route. [David Cruciani]

• [case_note_template] exporting and content modif. [David Cruciani]

  Modify a template but just for the case

• [case] include note from template. [David Cruciani]

• [api] create case from misp event. [David Cruciani]

• [case from misp] Check different parameters. [David Cruciani]

• [404.html] use base.html. [David Cruciani]

• [ui] got top button. [David Cruciani]

• [install] version pandoc, nvm, node. [David Cruciani]

• [analyzer] copy result object to create misp object directly. [David
  Cruciani]

• [timeline] color. [David Cruciani]

• [history] ui. [David Cruciani]

• [stat] task per tags. [David Cruciani]

• [stats] case per tags. [David Cruciani]

• [case] remove unnecessary duplicate import. [Jeroen Pinoy]

• [export] improve sanitizer. [David Cruciani]

• [workflow] put two tag for when the latest is changed. [David
  Cruciani]

• [dashboard] include graph. [David Cruciani]

• [workflows] docker image on new tags. [David Cruciani]

• [analyzer] selection from misp-object of a case. [David Cruciani]

• [analyzer] misp-object with more than type and value fields. [David
  Cruciani]

• [misp-object] add comment, first/last seen, ids. [David Cruciani]

• [subtask] reorder. [David Cruciani]

Fix

• [tools_api] remove useless print. [David Cruciani]
• [stats] error when changing tabs. [David Cruciani]
• [case.history] object creation date. [David Cruciani]
• [misp-object] update attr list when changing object template. [David
  Cruciani]
• [case.note] empty note. [David Cruciani]
• [common_core] history + sanitizer. [David Cruciani]
• [case.note] multiple editors on tab activation. [David Cruciani]
• [export] escaping for note export. [David Cruciani]
• [case/task] finished date. [David Cruciani]
• [case.misp-object] add, edit. [David Cruciani]
• [admin] fix some typos in error messages. [Jeroen Pinoy]
• [doc] correct broken link in readme. [Jeroen Pinoy]
• [misp-modules] error handling. [David Cruciani]

Other

• Merge pull request #18 from LukeVader-IV/main. [David Cruciani]

  add support for dnf package manager

• Merge branch 'main' into main. [David Cruciani]

• Merge pull request #19 from flowintel/feature/note_template. [David
  Cruciani]

  Feature/note template

• Add install screen. [LukeVader]

• Add support for RockyLinux install. [LukeVader]

  check for package manager.
  If apt is detected, use current installation method
  if dnf is detected, use new install

• Merge pull request #15 from Wachizungu/Wachizungu-patch-3. [David
  Cruciani]

  chg: [case] remove unnecessary duplicate import

• Merge pull request #13 from Wachizungu/Wachizungu-patch-2. [David
  Cruciani]

  fix: [admin] fix some typos in error messages

• Merge pull request #12 from Wachizungu/Wachizungu-patch-1. [David
  Cruciani]

  fix: [doc] correct broken link in readme

• Merge pull request #11 from samuelmonsempessenthorus/main. [David
  Cruciani]

• Update docker-compose.yml. [samuelmonsempessenthorus]

• Update launch.sh. [samuelmonsempessenthorus]

• Merge pull request #2 from flowintel/main. [samuelmonsempessenthorus]

  merge from main

• Merge pull request #10 from samuelmonsempessenthorus/main. [David
  Cruciani]

  Fix Dockerfile & Add Docker Compose Configuration

• Update Dockerfile. [samuelmonsempessenthorus]

• Merge pull request #1 from flowintel/main. [samuelmonsempessenthorus]

  chg: [subtask] reorder

• Create docker-compose.yml. [samuelmonsempessenthorus]

• Update Dockerfile. [samuelmonsempessenthorus]

• Merge pull request #9 from lSorimoutou/feat/macos-installer-and-
  launcher. [David Cruciani]

  Add macOS installation and launch scripts for Flowintel

• Feat(macos): add launch_macos.sh to run Flowintel with screen
  sessions. [Lenaick]

• Feat(macos): add install_macos.sh script to install Flowintel
  dependencies on macOS. [Lenaick]

• Chore: update .gitignore to exclude env folders and IDE configs.
  [Lenaick]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

This release introduces console logging to a file and adds ticket ID support in cases. A major enhancement is the revamped url_tool, which now supports multiple entries and is decoupled from task creation for greater flexibility. Another key improvement is the direct integration of misp-modules into the analyzer, enabling smoother and more powerful threat intelligence enrichment. Additional updates include various bug fixes addressing user creation, matrix ID errors, and task URL handling. Taxonomy management now supports versioning and UUIDs, with automatic tag updates when new versions are detected.

ticket id

Urls/Tools

Instructions

Be sure to make a git pull before running update.sh, the script have modifications.

1.5.0 (2025-04-07)

New

• [app] logging console into file. [David Cruciani]
• [case] ticket id. [David Cruciani]

Changes

• [login] border-radius. [David Cruciani]
  For sami's claims

• [importer] task urls_tools. [David Cruciani]

• [front] move go top into base.html. [David Cruciani]

• [app] add favicon route. [David Cruciani]

• [readme] point directly to doc website. [David Cruciani]

• [script] new option. [David Cruciani]

• [dependencies] pytaxonomies. [David Cruciani]

• [analyzer] direct integration of misp-modules. [David Cruciani]

• [task.url_tool] multiple entry and move out of task creation. [David
  Cruciani]

Fix

• [account] matrix_id error. [David Cruciani]

• [task] remove url. [David Cruciani]

• [migration] null column. [David Cruciani]
  Needed when apply all migration script on a new db

• [taxonomies] creation and update. [David Cruciani]
  add version and uuid. Update tags when new version is found

• [analyzer] loading page. [David Cruciani]

• [case_ui] ticket and description. [David Cruciani]

• [migration] simple quote for str args. [David Cruciani]

• [user] creation. [David Cruciani]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

This release includes minor UI improvements in cases, fewer buttons for read-only users within a case, and various fixes related to case creation from a template and the task connector. Additionally, color issues in taxonomies have been corrected, but this applies only to newly created databases.
A method to update existing databases will be released soon.

1.4.1 (2025-03-12)

Changes

• [ui] improvement. [David Cruciani]
• [case] ui for read only. [David Cruciani]

Fix

• [init taxo] colour. [David Cruciani]
• [error] case and task. [David Cruciani]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.

flowintel release version 1.4.1 with private cases, refactoring

flowintel is a flexible case management software written in python.

Main changes

• Creation of private case, not visible in the case list
• Big refactoring of filter
• Multiple fixes

1.4.0 (2025-03-03)

New

• [feature] private case. [David Cruciani]

  Create a case private that only people added in can see and access

Changes

• [home] version. [David Cruciani]

• [case_view] action button to a dropdown. [David Cruciani]

• [template] add cluster class. [David Cruciani]

• [refactor] CommonAbstract, FilteringAbstract. [David Cruciani]

• [refactor] case, case_template. [David Cruciani]

  Create an abstract class to regroup common code from case and case_template

• [sidebar] icon + 5px. [David Cruciani]

• [edit] template. [David Cruciani]

• [edit] case and task. [David Cruciani]

• [edit_task] different tag. [David Cruciani]

• [edit_case] taxonomies, galaxies. [David Cruciani]

Fix

• [admin_api] create users. [David Cruciani]
• [ui] small error and visual. [David Cruciani]
• [creation] taxonomies selection. [David Cruciani]
• [subtask] template + importer. [David Cruciani]
• [app] csrf expiration message. [David Cruciani]
• [importer] case privacy and task clusters. [David Cruciani]
• [case] sort_tasks call. [David Cruciani]
• [docker] eisvogel. [David Cruciani]
• [launch] reload db. [David Cruciani]
• [install] eisvogel, default case. [David Cruciani]
• [edit] cluster name error. [David Cruciani]

Funding

Flowintel is co-funded by CIRCL and by the European Union under FETTA (Federated European Team for Threat Analysis) project.