Arbitrary tagging based on log content
You can now specify a tag and choose which field(s) to compare with a regular expression. If a match is found for any field, the tag will be added to the log entry.
Certificates for all logged in users will be reported for the certificate store(s) specified. This includes extensions, key usages, enhanced key usages, user-defined metadata, etc. Periodic checks for changes will report any new certificates based on thumbprint.
The former “WatchDevices” has been split into DeviceMonitor and DriveMonitor. The new DriveMonitor will report drive changes and optionally report file system changes (create, delete, rename) for removable drives.
Port Monitoring with process association
The previous port monitor did not report the process associated, now it does.
The features above were implemented based on user feedback and trends I’ve noticed in recent malicious activity. Does your Windows logging tool provide all the data you need? If you are doing enterprise DFIR, why not have your hosts log the information you need before an incident occurs? If you’d like more information on WLS, use the Contact Me! form.