Whids Versions

Open Source EDR for Windows

v1.8.0-beta.8

1 year ago

v1.8.0-beta.7

1 year ago

v1.8.0-beta.6

2 years ago

Fixes

  • #90 v1.8.0 beta5 bug
  • #91 Correlate and enrich Microsoft-Windows-Kernel-File ETW logs

v1.8.0.beta.5

2 years ago

Changes

  • Improved EDR event action handler
  • Improved file upload to manager to reduce memory impact of big file upload
  • migration to sod v1.5
  • changed the way users are managed
  • changed logic around user authentication
  • added a way to create users from the manager's CLI
  • auto generating OpenAPI definition from tests
  • OpenAPI definition

Fixes

  • #87: Improve golang unit testing
  • #86: Fix golang unit tests
  • #85: Add API endpoint to manage IOCs spread on endpoints for detection
  • #84: Ability to config default actions on different criticality thresholds
  • #82: Action to produce short reports
  • #81: Change "Api-Key" Authentication header
  • #78: request feature - list closed report on a defined time period
  • #77: Missing query criticality parameter on get /endpoint call
  • #65: Archive reports
  • #66: Implement /endpoint/{UUID}/report/archive
  • #63: Make manager's data persistent

v1.8.0-beta.5

2 years ago

Changes

  • Improved EDR event action handler
  • Improved file upload to manager to reduce memory impact of big file upload
  • migration to sod v1.5
  • changed the way users are managed
  • changed logic around user authentication
  • added a way to create users from the manager's CLI
  • auto generating OpenAPI definition from tests
  • OpenAPI definition

Fixes

  • #87: Improve golang unit testing
  • #86: Fix golang unit tests
  • #85: Add API endpoint to manage IOCs spread on endpoints for detection
  • #84: Ability to config default actions on different criticality thresholds
  • #82: Action to produce short reports
  • #81: Change "Api-Key" Authentication header
  • #78: request feature - list closed report on a defined time period
  • #77: Missing query criticality parameter on get /endpoint call
  • #65: Archive reports
  • #66: Implement /endpoint/{UUID}/report/archive
  • #63: Make manager's data persistent

v1.8.0-beta.2

2 years ago

Changes:

  • new way to store events
  • new way to search for events

Fixed issues:

  • #75 List endpoints by group / status in /endpoints
  • #74 Implement API endpoint to update endpoints fields
  • #73 List of ever loaded modules in report
  • #72 Track list of loaded modules
  • #71 EdrData section in events
  • #70 API endpoint /endpoint/artifacts
  • #69 Implement API endpoint used to stream events
  • #68 showkey parameter in /endpoints
  • #64 Change /alerts to /detections
  • #61 Integrate with ETW
  • #60 Add score /endpoints
  • #58 Date last alert in /endpoints
  • #57 Add group member to manager API endpoint structure
  • #56 Skip parameter in /logs /alerts
  • #55 Limit parameter in /logs /alerts
  • #54 Filter parameter in /rules API endpoint

v1.8.0-beta

2 years ago

v1.7.0

3 years ago

  • New Administrative HTTP API with the following features:
    • Manage endpoints (list, create, delete)
    • Get basic statistics about the manager
    • Execute commands on endpoints and get results
      • Can drop files prior to execution, to execute binaries/scripts not present on the endpoint. Dropped files are deleted after the command has run.
      • Can retrieve files (post command execution), to retrieve results of the command
    • Collect files from endpoints for forensic purposes
    • Contain / Uncontain endpoints by restricting any network traffic except communication to the manager.
    • Query endpoints logs
    • Query endpoints alerts
    • Pivot on a timestamp and retrieve logs/alerts around that time pivot
    • Access endpoint report
      • Scoring (relative to each environment) allowing one to sort endpoints and spot the ones behaving differently from the others.
      • Alerts / TTPs observed on a given time frame
    • Manage rules (list, create, update, save, delete)
  • Integration with Sysmon v12 and v13
    • Integrate ClipboardData events
      • Put the content of the clipboard data inside the event to allow creating rules on the content of the clipboard
    • Integrate ProcessTampering events
      • Enrich event with a diffing score between .text section on disk and in memory
  • Implemented certificate pinning on the client to enhance the security of the communication channel between endpoints and the management server
  • Log filtering capabilities, allowing one to collect contextual events. Log filtering is achieved by creating Gene filtering rules (c.f. Gene Documentation).
  • Configuration files in TOML format for better readability
  • Better protection of the installation directory

v1.6.2

4 years ago

Integration with MISP

Fixed issues:

  • #9 (issue forwarding log from endpoint to manager)
  • #10 (Enrich candidate sysmon event with CurrentDirectory information)

v1.6.1

4 years ago

  • Fixed issue #7
  • Sysmon 10.41 + configuration files