Update README.md

README.md

@@ -2,33 +2,39 @@
   <img src="https://github.com/0xrawsec/whids/blob/master/doc/img/logo.png?s=200" alt="logo">
 </p>
 
-Very flexible Host IDS designed for Windows. We are making
-use of a previously developped rule engine [Gene](https://github.com/0xrawsec/gene)
-designed to match Windows events according to custom rules. The
-rules are simple to write and easy to understand so that everyone can
-identify why a rule has triggered.
-
-With the democratisation of Sysmon, this tools is perfect to quickly build
-hunting rules or simply monitoring rules to screen things of interest happening on your
-machine(s). With WHIDS you don't have to bother with an over
-complicated Sysmon configuration which often turns to the nightmare when you want
-to be very specific.The simplest thing is just to enable all the logging
-capabilites of Sysmon and let WHIDS do his job, grab a coffee and wait
-for the juicy stuff to happen. The tool has a low overhead for the system,
-according to our current benchmarks.
-
-This tool can be used on any Windows machine so you might install it either on
-regular workstations or on Windows Event Collectors where you are receiving
-all the logs of your infrastructure. The output format is nothing else than
-JSON so it is very easy to handle the alerts generated by the HIDS in whatever
-tool you want to use for this purpose like ELK, Splunk or simply your favourite
-SIEM.
+## What
+
+This is an hybrid solution combining a flexible **Host IDS** with detection based **Incident Response 
+capabilities**. The detection engine is built on top of a previously developped rule engine 
+[Gene](https://github.com/0xrawsec/gene) specially designed to match Windows events against 
+user defined rules.
+
+## Why
+* Provide an **Open Source EDR** like tool
+* Flexible detection
+* Easy integration with other open-source tools (MISP, The Hive ...)
+
+## How
+### Detection
+* On host real time detection
+* Listens to Windows event log channels and apply detection rules
+* User defined rules (we know why we detect something)
+* Designed to be used with MS [Sysmon](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)
+* Enriches Windows events in order to build powerfull detection primitives
+* Central agent to distributes rules and collect alerts
+
+### Incident Response
+* Reacts on detection (when an event above a given criticality is detected, artifacts are collected)
+* Real time evidence collection (files, process memory and registries)
+* Central agent to collect evidences
 
 <p align="center">
   <img src="https://github.com/0xrawsec/whids/blob/master/doc/img/workflow.png" alt="workflow">
 </p>
 
-# Example
+# Demo
+
+## Rule Example
 
 Here is an example of a rule designed to catch suspicious access to *lsass.exe*
 as it is done by the well known Mimikatz credential dump tool.
@@ -56,8 +62,7 @@ as it is done by the well known Mimikatz credential dump tool.
 You can find a bunch of other rules as well as a quick introduction to the
 syntax of the rules on the [Gene repository](https://github.com/0xrawsec/gene-rules).
 
-# Demo
-
+## In Action
 Running WHIDS with an already running Powershell Empire agent which invokes
 Mimikatz module.
 
@@ -99,7 +104,7 @@ which matched the event.
 
 ## WHIDS
 1. Download and extract the latest WHIDS release https://github.com/0xrawsec/whids/releases
-2. Run `install.bat` as administrator
+2. Run `install.bat` as **administrator**
 3. Verify that files have been created at the **installation directory**
 4. With a text editor **opened as administrator** (to prevent changing rights of WHIDs installation directory) open `config.json` and modify it as you wish
 5. Skip this if running with a connection to a manager. If there is nothing in the **rules directory** the tool will be useless, so make sure there are some **gene** rules in there. You can get some compiled rules [here](https://raw.githubusercontent.com/0xrawsec/gene-rules/master/compiled.gen)
@@ -223,7 +228,7 @@ To know how to write rules for the engine please visit: https://rawsec.lu/doc/ge
 
 * Does not work properly when ran from a network share **mapped as a network drive** (this case prevent whids to identify itself and thus generate some noise). Example: if `\\vbox\test` is mounted as `Z:` drive, running `Z:\whids.exe` **won't work** while running `\\vbox\test\whids.exe` actually would.
 
-# Recommandations
+# Recommendations
 
 In order to get the most of WHIDS you need to activate specific features