Feature Ideas
Editing filter criteria of cases
After creating a case it would be helpful to edit the filtering criteria:
- Add Conditions
- Refine Conditions
- Toggle "Assign newly incoming events based on ..."
Philipp W | #Improvement 👍 | #ASGARD Analysis Cockpit | 1
Setting to Force 2FA for all accounts
Please provide a setting on all ASGARD family servers to force users to use/register 2FA
Michael Sepp // BETTA Security G | #Improvement 👍 | #ASGARD Analysis Cockpit | #ASGARD Management Center | 1
Start ASGARD Playbooks e.g. collect file/directory from within the Analysis Cockpit
Today the analysts need to jump a lot between the two servers if an event leads to the download of a file or directory. It would be beneficial if this could be accomplished by just clicking an icon next to the file/directory that triggers the download of that file/directory via ASGARD API on the affected asset. Also it would be nice if the analyst could trigger a playbook like CyLR from within the Cockpit.
Michael Sepp // BETTA Security G | #ASGARD Analysis Cockpit | #Deal Breaker 💔 | #Integrations 🔗 | 1
Multiple Changes to the Statistics Overview
I would like to propose several improvements/feature requests to the "Statistics Overview" in the Analysis Cockpit. With the "Statistics Overview" I'm referring to the 8 graphs above the Baseline events in the Analysis Cockpit.
- Make the values copyable, e.g. by right-click
- Make the width/height customizable, as some events have more text and are currently cut
- Make the number of graphs and the number of values per graph customizable
- Give the ability to "flip" the values, i.e. show the least frequent values instead of the most frequent
- Make the x-axis scale dynamically instead of a fixed logarithmic x-axis
- Make the position and number of the graphs customizable, i.e. maybe I want two small graphs at the top and one wide graph at the bottom
Evgen Blohm // S | #Improvement 👍 | #ASGARD Analysis Cockpit | 0
Let THOR scan forensic images directly
It would be awesome, if we could scan forensic images (like E01 or AFF4) directly with the THOR scanner and the --lab command switch. Currently, we mount the image with Arsenal or FTK, but the performance is not so great. Reading the image format natively would make scanning a lot easier (pipelining, error proof, reduce dependencies, etc). Love to hear your comments!
Matthias T | #Improvement 👍 | #THOR Scanner | #Integrations 🔗 | 1
Execution path of asgard2_agent
The installation of the asgard-agent is contrary to CIS Benchmark (Red Hat Enterprise Linux 8):
The execution path of the asgard is: /var/lib/asgard2-agent/asgard2-agent
The CIS Benchmark advises to set the -noexec flag for the separate partition of /var.
Result: The agent is not able to start.
Please change the execution path for the agent.
Philipp W | #Improvement 👍 | #Misc 🤷 | 0
Another default asgard playbook - print file content
I keep adding "type $file$" and "cat $file$" playbooks to view the content of txt, ps1, bat and other text files without download. It saves a few clicks compared to the Collect file playbook, speeds up the analysis and reduces the number of LA cases in the security center. Would be nice to have such playbook(s) as part of the default set.
Albina // BETTA Security G | #Improvement 👍 | #ASGARD Management Center | 1
Reporting: Option to cancel a Reporting Process and Progress Bar
Tested with Asgard Analysis Cockpit V3.7.4
Issue: Unfortunately there currently is no option to cancel the creation of a report and the only status update given during the creation is "Running".
Possible Use-cases: Cancel reports with a wrong configuration or ones that take too long.
Proposed Improvement: Similar to scan tasks in the Management Center it would be helpful if reporting tasks in the AC had a "Stop" button and ideally a progress bar showing how far along the report creation is.
Thanks in advance :)
Marius Genheimer // S | #Improvement 👍 | #ASGARD Analysis Cockpit | #Styling 🎨 | 0
ASGARD Agent Installer as .MSI File
To make deployment easier we are seeing more requests from customers for a .msi based ASGENT installer rather than an .exe based installer. Would be nice to have that option.
Michael Sepp // BETTA Security G | #Improvement 👍 | #ASGARD Management Center | #Misc 🤷 | 2
Drag&Drop in ASGARD AC Filters
It would be great to have a drag and drop ability in the dialogue of the case creation. My personal workflow is like this: I go through the events and have a finding to create a case of. I partially negate the filter to find more events but from different sourceimage (just an example). In the end I have the same finding from various sourceimages. When creating a case of the whole query, I have to copy&paste from the "logical and" to "logical or". With drag&drop it would be much more convenient.
Philipp W | #Improvement 👍 | #ASGARD Analysis Cockpit | 1
Modern authentication
If you could implement modern authentication methods like SAML or MFA, that would be great.
Philipp W | #ASGARD Analysis Cockpit | #ASGARD Management Center | #Integrations 🔗 | 1
Move Events from Case A to Case B
Often you need to move certain Events from Case A to Case B. Right now the workflow is to delete those Events from Case A and then re-add them to Case B. I would suggest adding a button to each case that moves the selected Events to another desired Case.
Evgen Blohm // S | #Improvement 👍 | #ASGARD Analysis Cockpit | 0
Filter prioritization process in Cockpit
The full prioritization process doesn't work. The priority (low, medium, high, very high) does not have an effect on the assignment of events. For example: In ASGARD all incident cases get notified. In ASGARD we have an incident case for log4shell rules. The vulnerability scanner does active checks (exploitation) for log4shell. The destination server writes the request to the log files. THOR detects the pattern and reports it as Incident. We developed a new case with higher priority which detects the exploitation pattern from the vulnerability scanner. This case does not get all events. Our Notification workflow does not work correctly.
Philipp W | #ASGARD Analysis Cockpit | #Deal Breaker 💔 | #Bug 🐛 | 2
Sorting Events from the Eventlog Module by Event_Time
Each Event from the module Eventlog contains a field called Event_Time. An example of such values is the following:
EVENT_TIME: Sun Oct 24 00:58:13 2021
As the value of the field begins with the name of the day, it is not possible to sort these Events by Event_Time, as they will be sorted alphabetically. By sorting I refer to adding the field Event_Time to the columns in the Analysis Cockpit and sorting there. Please change the format of these Events so that you can sort them chronologically.
Evgen Blohm // S | #ASGARD Analysis Cockpit | #Bug 🐛 | 1
Remote Console Window cannot be resized since ASGARD 2.11.11
Since version 2.11.11 the buttons to resize the size of the remote console cannot be extended by adding additional rows or columns. This leads to a very tiny view port to work in. Please add the "Add row" and "Add columns" buttons back to the UI.
Michael Sepp // BETTA Security G | #ASGARD Management Center | #Bug 🐛 | 0