3.4. TLS Certificate Installation

Instead of using the pre-installed self-signed TLS Certificate, users should upload their own TLS Certificate for ASGARD. This will avoid browser warnings when navigating to your Analysis Cockpit's web interface.

To achieve the best possible compatibility with the most common browsers, we recommend using the system's FQDN in both the Common Name and the Hostnames fields.

Navigate to the TLS section via the Settings menu. You can click Generate CSR to open the following modal.

Generate a Certificate Signing Request (CSR)

Hint

Please note that generating a CSR on the command line is not supported.

The generated CSR can be used to generate a TLS Certificate. Subsequently, this TLS Certificate can be uploaded in the same section of your Analysis Cockpit.

Upload a TLS Certificate
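
The following script is an added example, not part of the product or its documentation. Run on an administrator workstation before the upload, it checks that the CA-issued certificate carries the FQDN in both the Common Name and subjectAltName, has the same public key as the CSR exported from the TLS section, and has not expired. The function name, file paths and FQDN argument are assumptions supplied by the operator, as is the mapping of the Hostnames field to subjectAltName.

```shell
#!/bin/sh
# Added example: pre-upload check of a CA-issued certificate.
# Usage: sh check_cert.sh <cert.pem> <csr.pem> <fqdn>   (all three are operator-supplied)
# Requires OpenSSL 1.1.1 or later (for "x509 -ext").

check_cockpit_cert() {   # hypothetical helper name, not a product command
    cert=$1 csr=$2 fqdn=$3 failures=0

    # 1. Common Name must equal the FQDN.
    if openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed 's/^subject= *//' | tr ',' '\n' | grep -Fxqi "CN=$fqdn"; then
        echo "OK    Common Name is $fqdn"
    else
        echo "FAIL  Common Name is not $fqdn"; failures=$((failures + 1))
    fi

    # 2. The FQDN must also be a DNS entry in subjectAltName (assumed to be what
    #    the Hostnames field sets); current browsers match the host against SAN, not CN.
    if openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxqi "DNS:$fqdn"; then
        echo "OK    subjectAltName contains DNS:$fqdn"
    else
        echo "FAIL  subjectAltName lacks DNS:$fqdn"; failures=$((failures + 1))
    fi

    # 3. The certificate must carry the same public key as the CSR exported
    #    from the TLS section, otherwise it was issued for a different request.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || csr_pub=""
    crt_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || crt_pub=""
    if [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]; then
        echo "OK    public key matches the CSR"
    else
        echo "FAIL  public key does not match the CSR"; failures=$((failures + 1))
    fi

    # 4. The certificate must not already be expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK    certificate has not expired"
    else
        echo "FAIL  certificate is expired or unreadable"; failures=$((failures + 1))
    fi

    return "$failures"   # number of failed checks; 0 means ready to upload
}

# Run the check only when the script is called with its three arguments.
if [ "$#" -eq 3 ]; then check_cockpit_cert "$@"; fi
```

The exit status is the number of failed checks, so the script can gate a change ticket or a deployment step.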

3.5. Configure LDAP

The LDAP tab in the Users and Roles section lets you configure an LDAP server and define mappings between LDAP groups and roles within the Analysis Cockpit.

Configure LDAP

3.6. Configure Notifications

As described in Cases and Log Processing, the Analysis Cockpit can forward a log line to a SIEM system when that log line was automatically added to a case of the type "Incident".

The Notifications section in the Case Management settings allows you to define custom notifications for event assignments (Event Assignment Notifications). It is recommended to configure at least one Event Assignment Notification for events that get added to existing Incident cases.

Additionally, notifications can be defined for changes to cases (Case Change Notifications), so Level 2 analysts can get notified if a case gets added to their in-queue (e.g., Finished Level 1).

The notification itself can be a syslog message or an email. To use email for notifications, you have to set up an email account in the Mail Account tab. Additionally, webhook support has been added to facilitate interfacing with services like Slack.

Case Management - Notifications

Note

The Analysis Cockpit will collect all triggering events and send only one email every 15 minutes. Syslog and Webhooks are triggered in real time for every single event.

Additionally, you can see and inspect the notifications via the bell icon in the top right corner. You will see all Unread notifications, which can be acknowledged by selecting one or more notifications and clicking Acknowledge. Only Unread notifications will show up in the top right status bar of the Cockpit.

UI Notification Bell

UI Notifications

3.6.1. Configure Event Assignment Notifications

To configure log notifications, click the Add Event Assignment Notification button in the Notifications section of the Case Management menu. This leads you to a form that allows you to set a name for your notification, the notification type (syslog, email, webhook or notification within the Analysis Cockpit) and the condition that will trigger your notification.

Event Assignment Notification

3.6.2. Configure Case Change Notifications

To configure Case Change Notifications, click the Add Case Change Notification button in the Notifications section of the Case Management menu. This leads you to a form that allows setting a name for your notification, the notification type (syslog, email, webhook or notification within the Analysis Cockpit) and the condition that will trigger your notification.

Case Change Notification