Feature Ideas

  1. SIGMA Ruleset Automatic Rules

    Hello, when creating a ruleset you can select the option to automatically add rules with a specific level (critical, high, etc.). With rule updates, these levels change sometimes. Maybe the automatic removal would be a great addition to this feature. Kind regards, Philipp

    Philipp W
    #Improvement 👍 #ASGARD Management Center

    0

  2. Editing filter criteria of cases

    After creating a case it would be helpful to edit the filtering criteria:
    - Add Conditions
    - Refine Conditions
    - Toggle "Assign newly incoming events based on ..."

    Philipp W
    #Improvement 👍 #ASGARD Analysis Cockpit

    1

  3. Setting to Force 2FA for all accounts

    Please provide a setting on all ASGARD family servers to force users to use/register 2FA.

    Michael Sepp // BETTA Security G
    #Improvement 👍 #ASGARD Analysis Cockpit #ASGARD Management Center

    1

  4. Start ASGARD Playbooks, e.g. collect file/directory, from within the Analysis Cockpit

    Today the analysts need to jump a lot between the two servers if an event leads to the download of a file or directory. It would be beneficial if this could be accomplished by just clicking an icon next to the file/directory that triggers the download of that file/directory via the ASGARD API on the affected asset. Also it would be nice if the analyst could trigger playbooks like CyLR from within the Cockpit.

    Michael Sepp // BETTA Security G
    #ASGARD Analysis Cockpit #Deal Breaker 💔 #Integrations 🔗

    2

  5. Multiple Changes to the Statistics Overview

    I would like to propose several improvements/feature requests to the "Statistics Overview" in the Analysis Cockpit. With the "Statistics Overview" I'm referring to the 8 graphs above the Baseline events in the Analysis Cockpit.
    - Make the values copyable, e.g. by right-click.
    - Make the width/height customizable, as some events have more text and are currently cut.
    - Make the number of graphs and the number of values per graph customizable.
    - Give the ability to "flip" the values, i.e. show the least frequent values instead of the most frequent.
    - Make the x-axis scale dynamically instead of a fixed logarithmic x-axis.
    - Make the position and number of the graphs customizable, i.e. maybe I want two small graphs at the top and one wide graph at the bottom.

    Evgen Blohm // S
    #Improvement 👍 #ASGARD Analysis Cockpit

    0

  6. Let THOR scan forensic images directly

    It would be awesome if we could scan forensic images (like E01 or AFF4) directly with the THOR scanner and the --lab command switch. Currently, we mount the image with Arsenal or FTK, but the performance is not so great. Reading the image format natively would make scanning a lot easier (pipelining, error-proof, reduced dependencies, etc.). Love to hear your comments!

    Matthias T
    #Improvement 👍 #THOR Scanner #Integrations 🔗

    4

  7. Execution path of asgard2_agent

    The installation of the asgard-agent is contrary to the CIS Benchmark (Red Hat Enterprise Linux 8): The execution path of the agent is /var/lib/asgard2-agent/asgard2-agent. The CIS Benchmark advises setting the -noexec flag for the separate /var partition. Result: the agent is not able to start. Please change the execution path for the agent.

    Philipp W
    #Improvement 👍 #Misc 🤷

    0
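    The failure mode in the request above (an agent binary under a noexec /var mount refusing to start) can be checked before installation rather than discovered afterwards. The following is an added example, not part of the request or of the vendor's agent: it parses /proc/mounts-style lines (a constructed sample is embedded; the hostnames, device names and mount layout are assumptions) and resolves the longest-prefix mount point for a candidate path, which is how the kernel decides which mount's options apply.

```python
"""Check whether an executable path lies on a filesystem mounted with noexec.

Added example; not part of the feature request or the vendor's code.
Parses /proc/mounts-format lines and resolves the longest matching mount point.
"""
from pathlib import PurePosixPath

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS = """\
/dev/mapper/rhel-root / xfs rw,relatime,seclabel 0 0
/dev/mapper/rhel-var /var xfs rw,nosuid,nodev,noexec,relatime,seclabel 0 0
/dev/mapper/rhel-var_tmp /var/tmp xfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/rhel-opt /opt xfs rw,relatime 0 0
"""


def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        mountpoint = fields[1]
        options = set(fields[3].split(","))
        mounts.append((mountpoint, options))
    return mounts


def mount_for(path, mounts):
    """Pick the mount whose mountpoint is the longest path prefix of `path`."""
    p = PurePosixPath(path)
    best = None
    for mountpoint, options in mounts:
        mp = PurePosixPath(mountpoint)
        if p == mp or mp in p.parents:
            # Deeper mount points (more path components) win, e.g. /var/tmp over /var
            if best is None or len(mp.parts) > len(PurePosixPath(best[0]).parts):
                best = (mountpoint, options)
    return best


def is_noexec(path, mounts_text=SAMPLE_MOUNTS):
    """True if `path` resolves to a mount carrying the noexec option."""
    mount = mount_for(path, parse_mounts(mounts_text))
    return mount is not None and "noexec" in mount[1]


if __name__ == "__main__":
    # On a live host, replace SAMPLE_MOUNTS with open("/proc/mounts").read()
    for candidate in ("/var/lib/asgard2-agent/asgard2-agent",
                      "/opt/asgard2-agent/asgard2-agent"):
        verdict = "blocked by noexec" if is_noexec(candidate) else "executable"
        print(f"{candidate}: {verdict}")
```

    Run against a real host by passing the contents of /proc/mounts as `mounts_text`; the same longest-prefix logic tells you which partition a relocated agent path would land on, so a proposed install directory can be validated against the benchmark's mount options up front.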

  8. Modern authentication

    If you could implement modern authentication methods like SAML or MFA, that would be great.

    Philipp W
    #ASGARD Analysis Cockpit #ASGARD Management Center #Integrations 🔗

    1

  9. Filter prioritization process in Cockpit

    The full prioritization process doesn't work. The priority (low, medium, high, very high) does not have an effect on the assignment of events. For example: In ASGARD all incident cases get notified. In ASGARD we have an incident case for log4shell rules. The vulnerability scanner does active checks (exploitation) for log4shell. The destination server writes the request to the log files. THOR detects the pattern and reports it as an Incident. We developed a new case with higher priority which detects the exploitation pattern from the vulnerability scanner. This case does not get all events. Our notification workflow does not work correctly.

    Philipp W
    #ASGARD Analysis Cockpit #Deal Breaker 💔 #Bug 🐛

    2

  10. Sorting Events from the Eventlog Module by Event_Time

    Each event from the module Eventlog contains a field called Event_Time. An example of such a value is the following:
    EVENT_TIME: Sun Oct 24 00:58:13 2021
    As the value of the field begins with the name of the day, it is not possible to sort these events by Event_Time, as they will be sorted alphabetically. By sorting I refer to adding the field Event_Time to the columns in the Analysis Cockpit and sorting there. Please change the format of these events so that you can sort them chronologically.

    Evgen Blohm // S
    #ASGARD Analysis Cockpit #Bug 🐛

    2
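    The sorting problem described above is a property of the ctime-style string format, and it can be demonstrated (and worked around on the consumer side) by parsing the string into a real timestamp. The following is an added example, not code from the request or from the product: it uses a handful of constructed events (hostnames and times are assumptions) in the exact format quoted, shows that string sorting puts them in the wrong order, and converts them to ISO 8601 so that lexicographic and chronological order agree.

```python
"""Parse ctime-style Event_Time values and sort chronologically.

Added example; not part of the feature request or the product.
"""
from datetime import datetime

# Constructed sample events in the format the request quotes (day name first,
# single-digit days padded with a space as ctime(3) prints them).
SAMPLE_EVENTS = [
    {"hostname": "ws01", "EVENT_TIME": "Sun Oct 24 00:58:13 2021"},
    {"hostname": "ws02", "EVENT_TIME": "Fri Oct  1 23:10:02 2021"},
    {"hostname": "ws03", "EVENT_TIME": "Mon Nov  8 07:41:55 2021"},
    {"hostname": "ws04", "EVENT_TIME": "Wed Oct 20 12:00:00 2021"},
]

# %a consumes the weekday name, which carries no ordering information and is
# discarded; the remaining fields give the actual timestamp.
CTIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_event_time(value):
    """Turn 'Sun Oct 24 00:58:13 2021' into a naive datetime.

    The source string carries no time zone, so none is assumed here; a
    consumer that knows the sensor's zone should attach it explicitly.
    """
    return datetime.strptime(value.strip(), CTIME_FORMAT)


def to_sortable(value):
    """ISO 8601 form whose string order equals chronological order."""
    return parse_event_time(value).strftime("%Y-%m-%dT%H:%M:%S")


def sort_alphabetically(events):
    """What the UI does today: order by the raw string."""
    return [e["hostname"] for e in sorted(events, key=lambda e: e["EVENT_TIME"])]


def sort_chronologically(events):
    """Order by the parsed timestamp."""
    return [e["hostname"] for e in sorted(events, key=lambda e: parse_event_time(e["EVENT_TIME"]))]


def normalize_events(events):
    """Return copies of the events with Event_Time rewritten as ISO 8601."""
    return [dict(e, EVENT_TIME=to_sortable(e["EVENT_TIME"])) for e in events]


if __name__ == "__main__":
    print("alphabetical :", sort_alphabetically(SAMPLE_EVENTS))
    print("chronological:", sort_chronologically(SAMPLE_EVENTS))
    for e in normalize_events(SAMPLE_EVENTS):
        print(e["hostname"], e["EVENT_TIME"])
```

    With the normalized field, a plain column sort in any viewer yields the chronological order, which is the behaviour the request asks the product to provide natively.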

  11. Remote Console Window cannot be resized since ASGARD 2.11.11

    Since version 2.11.11 the buttons to resize the remote console cannot be extended by adding additional rows or columns. This leads to a very tiny viewport to work in. Please add the "Add row" and "Add columns" buttons back to the UI.

    Michael Sepp // BETTA Security G
    #ASGARD Management Center #Bug 🐛

    0

  12. Add "AND NOT" or "AND" Label aggregation options for THOR Group Scans

    Add "AND NOT" or "AND" label aggregation options for THOR Group Scans via ASGARD instead of the implicit "OR" that is automatically applied.

    AND
    This would ease up label management by a large factor because one could control scans without the need for having tons of labels. Example: if you would like to scan the Windows ("WIN") 2016 ("SRV_2016") servers in France ("COUNTRY_FR"), you would need to create an additional label like "COUNTRY_FR_WIN_SERVER_2016". Using existing labels would not work, because using the existing labels WIN, SRV_2016, COUNTRY_FR would lead to a scan of all assets that have label "COUNTRY_FR" and all assets that have label "SRV_2016" and all assets that have label "WIN" applied.

    AND NOT
    Also it would be helpful to use labels in a scan like "SERVER" AND "WIN" AND NOT "CAR_FACTORY_CONTROL" to exclude groups of assets with certain labels quickly from a scan.

    Michael Sepp // BETTA Security G
    #Improvement 👍 #ASGARD Management Center #Deal Breaker 💔

    0
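    The difference between the implicit OR and the requested AND / AND NOT semantics is easy to see when the three selection rules are run over the same inventory. The following is an added example, not part of the request or of the product's scan scheduler: it builds a small constructed asset inventory (the hostnames and their label sets are assumptions) using the labels named in the request and implements the three selection modes as set operations, which generalizes the two concrete cases in the text to any combination of required and excluded labels.

```python
"""Label-based asset selection: implicit OR versus AND / AND NOT.

Added example; not part of the feature request or the product.
"""

# Constructed inventory: hostname -> set of labels (all names are assumptions)
ASSETS = {
    "fr-srv-01": {"WIN", "SRV_2016", "COUNTRY_FR", "SERVER"},
    "fr-srv-02": {"WIN", "SRV_2019", "COUNTRY_FR", "SERVER"},
    "de-srv-01": {"WIN", "SRV_2016", "COUNTRY_DE", "SERVER"},
    "fr-ws-01":  {"WIN", "COUNTRY_FR", "WORKSTATION"},
    "fr-plc-01": {"WIN", "SRV_2016", "COUNTRY_FR", "SERVER", "CAR_FACTORY_CONTROL"},
    "fr-lnx-01": {"LINUX", "COUNTRY_FR", "SERVER"},
}


def select_any(assets, labels):
    """Implicit OR: an asset matches if it carries at least one of the labels."""
    wanted = set(labels)
    return sorted(host for host, tags in assets.items() if tags & wanted)


def select_all(assets, labels):
    """AND: an asset matches only if it carries every one of the labels."""
    wanted = set(labels)
    return sorted(host for host, tags in assets.items() if wanted <= tags)


def select(assets, require=(), exclude=()):
    """General form: every `require` label present AND NOT any `exclude` label."""
    req, exc = set(require), set(exclude)
    return sorted(
        host for host, tags in assets.items()
        if req <= tags and not (exc & tags)
    )


if __name__ == "__main__":
    scope = ["WIN", "SRV_2016", "COUNTRY_FR"]
    # Implicit OR: every French asset, every Windows asset, every 2016 server
    print("OR :", select_any(ASSETS, scope))
    # AND: only French Windows 2016 servers, no synthetic combined label needed
    print("AND:", select_all(ASSETS, scope))
    # AND NOT: servers on Windows, minus the factory control group
    print("AND NOT:", select(ASSETS, require=["SERVER", "WIN"],
                             exclude=["CAR_FACTORY_CONTROL"]))
```

    With the OR rule the scope of the example scan balloons to every asset that matches any single label, which is exactly why the request resorts to a combined label today; the set-based `select` covers both requested operators and keeps the exclusion of sensitive groups (the factory control hosts) explicit in the scan definition rather than buried in label bookkeeping.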

  13. Different Themes in ASGARD, e.g. "Light", "High Contrast"

    The idea is to add different CSS themes in ASGARD Management Center apart from the default dark theme, e.g. "Light", "High Contrast"

    Florian Roth
    #Improvement 👍 #ASGARD Management Center #Styling 🎨

    1

  14. Aurora Detection Message

    When the Aurora agent blocks an activity on a client via a response action, the user should receive a message, even if Aurora is connected to an ASGARD. User notifications are also provided by similar products such as Defender (P2). In a larger organization, this allows the service desk to better respond to user requests, whether they are false positives or the user is vehemently trying to fall for a phishing scheme. Without notification, users and the service desk have no clue which application is affecting the system and need 2nd level support directly.

    Philipp K. // D
    #Deal Breaker 💔 #Aurora Agent

    1

  15. Baselining counts for all Scanners

    At the moment in the Analysis Cockpit 3.5.6, the count shown after "Baselining" is only for THOR events, which is kind of misleading. An indicator that there are more events to analyze, i.e. Aurora and LogWatcher events, would be great. An idea would be to show 3 counts, e.g. THOR events (in that cool THOR green-blue color), Aurora in green and LogWatcher for example in a yellow-ish color, maybe separated by a pipe character.

    Christoph L
    #Improvement 👍 #ASGARD Analysis Cockpit

    1