WLS 220.127.116.11 has been released! This release includes many new features, as well as enhanced performance and reduced CPU/memory utilization.
- Bad clock detection
- Bandwidth throttling
- Certificate store monitoring
- File attribute collection as part of FileMetadata
- Device monitoring – partial successor to WatchDevices
- Drive monitoring – partial successor to WatchDevices
- Network can be defined by min-max range (previously CIDR only)
- Performance counter instance re-evaluation
- Port monitoring now includes process id and name
- Removable drive file monitoring
- Tagging of logs by user defined regular expressions
What is WLS?
If you’d like more information on WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.
Arbitrary tagging based on log content
You can now specify a tag and choose which field(s) to compare with a regular expression. If a match is found for any field, the tag will be added to the log entry.
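As an added illustration of the matching semantics just described (a tag, a set of fields, one regular expression, and the tag applied when any field matches), here is example code that is not part of WLS; the rule structure and field names are assumptions, not WLS's own configuration format:

```python
import re
from dataclasses import dataclass

# Constructed illustration of "tag a log entry when a regex matches any of the
# chosen fields". TagRule, the field names and the sample entries are assumptions
# made for this example; none of it is WLS's own configuration or code.

@dataclass(frozen=True)
class TagRule:
    tag: str          # tag added when any listed field matches
    fields: tuple     # field names whose values are compared
    pattern: str      # regular expression applied to each field's value
    flags: int = re.IGNORECASE

def apply_tags(entry: dict, rules) -> dict:
    """Return a copy of the entry with a 'Tags' list added.

    A rule contributes its tag once if the regex matches ANY named field;
    fields absent from the entry are skipped rather than treated as errors.
    Tags are de-duplicated and kept in rule order so output is stable.
    """
    tags = []
    for rule in rules:
        regex = re.compile(rule.pattern, rule.flags)
        if any(regex.search(str(entry[f])) for f in rule.fields if f in entry):
            if rule.tag not in tags:
                tags.append(rule.tag)
    tagged = dict(entry)      # do not mutate the caller's entry
    tagged["Tags"] = tags
    return tagged

# Constructed sample rules: tag script hosts, and tag binaries or arguments
# that reference a Temp directory (a common thing to review in DFIR triage).
RULES = (
    TagRule("script-host", ("ProcessName", "CommandLine"),
            r"\b(powershell|wscript|cscript)(\.exe)?\b"),
    TagRule("temp-path", ("ImagePath", "CommandLine"),
            r"\\(Temp|AppData\\Local\\Temp)\\"),
)

# Constructed sample log entries (field names are assumptions).
SAMPLE_ENTRIES = [
    {"ProcessName": "powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\a\\AppData\\Local\\Temp\\x.ps1"},
    {"ProcessName": "notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"ProcessName": "svchost.exe"},   # CommandLine absent: skipped, not an error
]

def tag_samples():
    return [apply_tags(e, RULES) for e in SAMPLE_ENTRIES]

if __name__ == "__main__":
    for e in tag_samples():
        print(e["ProcessName"], "->", e["Tags"])
```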
Certificate store monitoring
Certificates for all logged in users will be reported for the certificate store(s) specified. This includes extensions, key usages, enhanced key usages, user-defined metadata, etc. Periodic checks for changes will report any new certificates based on thumbprint.
Device and drive monitoring
The former “WatchDevices” has been split into DeviceMonitor and DriveMonitor. The new DriveMonitor will report drive changes and optionally report file system changes (create, delete, rename) for removable drives.
Port Monitoring with process association
The previous port monitor did not report the associated process; it now reports both the process id and name.
The features above were implemented based on user feedback and trends I’ve noticed in recent malicious activity. Does your Windows logging tool provide all the data you need? If you are doing enterprise DFIR, why not have your hosts log the information you need before an incident occurs? If you’d like more information on WLS, use the Contact Me! form.