Build IDs: 6-2-rc-1, master-2021

Witfoo precinct personas

WitFoo Incident Responder 
Enhancements in Precinct 6.2 allow Incident Responders to quickly comprehend and respond to ongoing threats and coordinate with law enforcement when appropriate.  
WitFoo Incident Responder Workflows

WitFoo Assessor  
Assessor workflows transform machine data into reports on compliance, readiness and business effectiveness to enable architects, auditors, insurers, solution developers and executives to do their part to secure the world together. 
WitFoo Assessor Workflows 

WitFoo Threat Researcher  
Precinct 6.2 introduces new features that allow incident responders to coordinate evidence with Threat Researchers across law enforcement and national security to thwart cybercrime and make the world secure together. 
WitFoo Threat Researcher Workflows 


  • Build custom lead rules. See : 
  • Support for DataStax Astra Cassandra Cluster. See: 
  • Support for RFC6587 framed syslog on port 7514/tcp. 
  • Asset Search 
  • Threat Intel Search Interface.
  • Threat Actor Creation, Detection and Sharing 
  • Machine Learning on internal Asset Categorization 
  • Modus Operandi Support for Network/IT OPS, Financial Crimes and SCADA attacks 
  • Interface for toggling Modus Operandi 
  • User Session and Network Activity Machine Learned Baselines and Alerting (UEBA/NBAD) 
  • TAXII 2.0 Support 
  • Multi-tiered Multi-tenancy reporting 
  • API for manual Verification of Control 
  • Incorporate Human annotations into Reports 
  • Load incident when URL has querystring for ID and partition 
  • Right bar for Actor Node Type 
  • Create Agent Editor 
  • Okta User inventory collected via integration 
  • okta `asset_inventory` job 
  • UI support Actor facet on Incident listing & query 
  • cylance `asset_inventory` job 
  • office 365 user inventory collected via integration 
  • UI under Admin -> Settings -> Modus Operandi to enable/disable MO’s 
  • Superintendent – Support for artifact and incident independent retention values 
  • Intel: render cyto as Incident linkboard on “Relations” tab 
  • Time snapshot/histogram of compliance API


  • Okta Integration
  • Add Crowdstrike Vulnerability artifact creation to Asset scan


  • Faster loading of Incident Lists 
  • Improved Resource management in vertical scale 
  • Faster Artifact Indexing for Searching 
  • Apache Cassandra upgrade to 4.0.1  
  • Apache HTTP Server (httpd) upgrade to 2.4.51 
  • Apache Kafka upgrade to 2.8.1 
  • Faster Data disk clean up 
  • Remove Logstash container from stack (utilize custom listeners) 
  • Remove Metricbeats container from stack (utilize custom metrics) 
  • Retool Tenant/Agg key change daily to prevent bruteforce & allow editor 
  • Retro processing of new hit intel 
  • Asset Columns 
  • add vulns to crowdstrike `asset_inventory` job 
  • Node API: Add cyto and caching 
  • Move Logstash Features to Streamer (Remove Logstash) 
  • Configure cassandra and streamer datacenter 
  • Change disk stats log tail to use /kafka and /docker instead of /data/kafka and /data/docker 
  • Account for cassandra commit log mount in SUP diagnostics 
  • Intel: Zoom map out to global level 
  • Datacenter awareness 
  • Remove MetricBeats container and add CPU count, CPU utilization, RAM util to Superintendent_Main_CycleSummaryEvent 
  • Asset Improvements 
  • Intel Improvements 
  • Allow multiple criteria of the same type on artifact searches 


  • Incident Lists may not load 
  • Compliance calculations are inaccurate in some situations 
  • Casebooks may not load 
  • Federated Data may not synchronize 
  • Artifact Search results may be missing results 
  • Taxii name can be missing 
  • Missing name on Assets
  • Country code not in Artifact search results 
  • Nessus integration not working 
  • Actor edit needs visible scroll bar 
  • Clicking Search doesn’t give immediate indication that submission was received (leading to multiple submissions from user) 
  • Global IOC data on right bar should wrap (currently truncating) 
  • Support Request buttons not rendering properly
  • Okta events and Assets not paginating 
  • Dispatcher dying 
  • TAXII incoming feed 
  • Some ThreatFeed submissions do not contain ‘hit’ 
  • Crowdstrike Asset job not working 
  • Sophos integration not working 
  • Org switching on Aggregator 
  • Asset query is slow for some users 

NOTE: How to take control of when your deployment of Precinct upgrades.

NOTE: Clear Chrome cache using the instructions linked here.

RSS Feed for release notes is:

Email notifications for WitFoo Release Notes can be subscribed to here: