New WLS features

Arbitrary tagging based on log content

You can now specify a tag and choose which field(s) to compare with a regular expression. If a match is found for any field, the tag will be added to the log entry.


Name                 Type    Data
AlternateDataStream  REG_SZ  BaseFileName;(:)
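
The matching logic described above, as an added Python sketch (not WLS code) that also shows why the field choice matters: the same regular expression applied to a full path matches the drive-letter colon on every entry. The comma separator for multiple fields, the FullPath field name and the sample entries are assumptions constructed for illustration; only the AlternateDataStream rule comes from the page.

```python
import re

# Rule as shown on the page: value name = tag, data = "field;regex".
PAGE_RULE = {"AlternateDataStream": "BaseFileName;(:)"}
# Assumption: a hypothetical rule aimed at a full-path field instead.
BROAD_RULE = {"AlternateDataStream": "FullPath;(:)"}

def parse_rules(raw):
    """Turn {tag: 'fields;regex'} into {tag: (field names, compiled regex)}."""
    parsed = {}
    for tag, data in raw.items():
        # Split on the first ';' only, so the regex itself may contain ';'.
        fields, sep, pattern = data.partition(";")
        # Assumption: several fields are comma-separated before the ';'.
        names = [f.strip() for f in fields.split(",") if f.strip()]
        if not sep or not pattern or not names:
            raise ValueError(f"rule {tag!r} must look like 'field;regex'")
        parsed[tag] = (names, re.compile(pattern))
    return parsed

def tag_entry(entry, rules):
    """Return every tag whose regex matches ANY of the rule's fields."""
    tags = []
    for tag, (names, rx) in rules.items():
        if any(rx.search(str(entry[n])) for n in names if n in entry):
            tags.append(tag)
    return tags

# Constructed sample log entries (not real WLS output).
SAMPLES = [
    {"BaseFileName": "invoice.pdf",
     "FullPath": r"C:\Users\a\invoice.pdf"},
    {"BaseFileName": "notes.txt:hidden.bin",
     "FullPath": r"C:\Users\a\notes.txt:hidden.bin"},
]

def tagged_names(raw_rules):
    """BaseFileName of each sample that receives at least one tag."""
    rules = parse_rules(raw_rules)
    return [e["BaseFileName"] for e in SAMPLES if tag_entry(e, rules)]

if __name__ == "__main__":
    print("page rule :", tagged_names(PAGE_RULE))   # only the stream name
    print("broad rule:", tagged_names(BROAD_RULE))  # every entry (drive colon)
```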

Certificate Monitoring

Certificates for all logged-in users will be reported for the certificate store(s) specified. This includes extensions, key usages, enhanced key usages, user-defined metadata, etc. Periodic checks for changes will report any new certificates based on thumbprint.

Drive Monitoring

The former “WatchDevices” has been split into DeviceMonitor and DriveMonitor. The new DriveMonitor will report drive changes and optionally report file system changes (create, delete, rename) for removable drives.

Port Monitoring with process association

The previous port monitor did not report the associated process; now it does.

The features above were implemented based on user feedback and trends I’ve noticed in recent malicious activity. Does your Windows logging tool provide all the data you need? If you are doing enterprise DFIR, why not have your hosts log the information you need before an incident occurs? If you’d like more information on WLS, use the Contact Me! form.

