Import undo/redo — roll the whole case (findings, IOCs, timeline, MITRE, attacker path) back to exactly before an import that floods the dashboard, and redo; restores the snapshot verbatim with no AI call. A per-case stack keeps multiple levels (DFIR_IMPORT_UNDO_DEPTH, default 10), surfaced as Undo/Redo buttons next to the Import button (closes #76).
AI-suggested playbook hunts — propose a Velociraptor hunt for each endpoint-related Playbook task; a task tied to one host deploys as a single-endpoint collection (collect_client), otherwise a fleet hunt; suggestions render inline under each task and collapse (closes #70).
Velociraptor client inventory — snapshot the enrolled fleet (host/FQDN ↔ client id) into velociraptor/clients.json at startup, on demand (Settings → Velociraptor → Refresh client list), and when playbook hunts are generated (so a client enrolled mid-investigation is resolvable); single-endpoint collections resolve the host from it (short-name⇄FQDN tolerant), self-healing on a miss (#70).
Collection results in the dashboard — a single-endpoint collection now pulls its rows back inline (Refresh + auto-poll, rendered as a table) like a fleet hunt, instead of only deep-linking to the Velociraptor GUI; POST /velociraptor/collect-results (#70).
Dedicated Velociraptor hunt model — a separate LLM just for generating Velociraptor VQL hunts (DFIR_AI_VELO_PROVIDER/_MODEL/_KEY/_BASE_URL, default openrouter / anthropic/claude-haiku-4.5), since many models botch VQL; editable in Settings → AI (#70).
Persistent + incremental hunt suggestions — generated playbook hunts survive a page refresh (state/playbook-hunts.json); a suggestion is kept while its task is unchanged and dropped once the task is reworded/deleted. Pressing Generate again only sends NEW or CHANGED tasks to the model, never regenerating hunts that already exist (force:true regenerates all) (#70).
Playbook task short IDs — each task gets a stable sequential display ID (T001, T002, …) stored in the task record; shown at the bottom-left of each card in the same blue monospace style as IOC and Finding IDs; existing tasks are back-filled on the next sync.
Telegram notifications — Telegram bot channel for findings/playbook/milestone notifications; configure via bot token + chat ID in Settings → Notifications (closes #75).
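The per-case import undo/redo stack described in the first item above, as an added JavaScript example (not the project's own code): a verbatim snapshot is pushed before each import, at most DFIR_IMPORT_UNDO_DEPTH levels are kept per case, and undo/redo restore copies with no model call. Class, function and case-field names are assumptions.

```javascript
// Added example, not the project's code; names are hypothetical, DFIR_IMPORT_UNDO_DEPTH is the env var above.
function undoDepth(env = process.env) { // stack depth per case, default 10
  const n = parseInt(env.DFIR_IMPORT_UNDO_DEPTH, 10);
  return Number.isInteger(n) && n > 0 ? n : 10;
}
const snapshot = (state) => JSON.parse(JSON.stringify(state)); // verbatim deep copy, no AI involved
class ImportHistory {
  constructor(depth = undoDepth()) { this.depth = depth; this.stacks = new Map(); }
  stack(id) { // per-case { undo: [...], redo: [...] }, created on first use
    if (!this.stacks.has(id)) this.stacks.set(id, { undo: [], redo: [] });
    return this.stacks.get(id);
  }
  push(list, state) { // keep at most `depth` levels, dropping the oldest
    list.push(snapshot(state));
    if (list.length > this.depth) list.shift();
  }
  // Call right before an import mutates the case; a new import clears redo history.
  recordBeforeImport(id, state) {
    const s = this.stack(id);
    this.push(s.undo, state);
    s.redo = [];
  }
  // Return the case exactly as it was before the last import, or null if none.
  undo(id, current) {
    const s = this.stack(id);
    if (s.undo.length === 0) return null;
    this.push(s.redo, current);
    return s.undo.pop();
  }
  redo(id, current) { // re-apply the import last undone, or null if none
    const s = this.stack(id);
    if (s.redo.length === 0) return null;
    this.push(s.undo, current);
    return s.redo.pop();
  }
  canUndo(id) { return this.stack(id).undo.length > 0; } // drives the Undo button
  canRedo(id) { return this.stack(id).redo.length > 0; } // drives the Redo button
}
// Constructed walk-through: an import floods the case with 500 IOCs, then undo and redo.
function floodUndoRedo() {
  const h = new ImportHistory(3);
  let c = { findings: [], iocs: ['10.0.0.5'], timeline: [], mitre: [], attackerPath: [] };
  const before = JSON.stringify(c);
  h.recordBeforeImport('case-1', c);
  c.iocs.push(...Array.from({ length: 500 }, (_, i) => `host-${i}`)); // the flood
  const flooded = JSON.stringify(c);
  c = h.undo('case-1', c);
  const undone = JSON.stringify(c) === before;
  return { undone, redone: JSON.stringify(h.redo('case-1', c)) === flooded };
}
```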
Fixed
Playbook delete button for auto-derived tasks — deleting a next-step or finding task now marks it skipped (persists across re-syncs) instead of silently removing it and having syncPlaybook re-add it immediately (closes #78).
Playbook-hunt VQL grounded in the server's real artifacts — the prompt now lists the Velociraptor server's actual CLIENT artifact names (fetched per generation) and forbids referencing any Artifact.<Name> not in that list, so the model stops inventing artifacts (e.g. Windows.EventLogs.Sysmon) that don't exist and fail to compile. Also: correct plugin args (parse_evtx(filename=…), handles(pid=…)), prefer raw plugins, no SQL JOIN (use foreach), timestamp(string=…) for absolute times; per-call timeline trimmed (DFIR_PBHUNT_MAX_EVENTS/DFIR_PBHUNT_MAX_ARTIFACTS) (#70).
Endpoint-side collection errors surfaced — when a collection launches but its flow ends in ERROR (e.g. a bad plugin arg), the dashboard now shows Velociraptor's error message instead of polling "no results yet" forever; the no-flow-id error for both collections and hunts now points at the VQL (a non-existent artifact/plugin can't compile) rather than blaming the api_client role (#70).