v3.0.0

github-actions released this 22 Apr 13:16

Release Notes

Explore the full changelog here.

New features

Direct/indirect syscall evasion scanners

Evasion scanners are designed to detect attempts by malware to bypass defenses by abusing direct or indirect syscall techniques.

Unprecedented performance and precision

Performance gains and improved precision in many areas spanning the rule engine, event processing and callstack symbolization.

Process token enrichment

Events are enriched with detailed information about process access tokens, such as integrity level and elevation type.

50+ curated detection rules

The release ships an extended set of detection rules covering privilege escalation, defense evasion and execution tactics.

Console output colourization

Terminal output is enhanced with color-coded formatting to make different event types, parameters, or fields easier to distinguish at a glance.

Eventlog alerts in JSON format

Alerts can be emitted to the Windows Event Log in structured JSON format, making them easier to parse, forward, and integrate with external systems such as SIEMs or log pipelines.

Breaking changes

  • The ps.child.* filter fields have been removed. Migrate to the corresponding ps.* fields instead.
  • The LoadImage and UnloadImage events have been renamed to LoadModule and UnloadModule.
  • The semantics of the registry.value field have changed: it now returns the value name. Use registry.data to obtain the value data.