Nextron Systems - Analysis Cockpit v4

Welcome to Nextron System's Manual for the ASGARD Analysis Cockpit v4. If you are still using older versions, please click here .

Analysis Cockpit is the central platform for analyzing THOR events and SIGMA matches generated by ASGARDs real time agents.

It can be used in an environment where scans results can be automatically collected from ASGARD Management Centers or environments in which THOR is executed by scripts or any other 3rd party solution.

In the following chapters we will describe how the Analysis Cockpit works, how to install the system, and how to use it. Additional information regarding troubleshooting, known issues, or general administrative tasks can also be found.

Contents

• 1. Requirements
  • 1.1. Introduction
  • 1.2. Requirements
  • 1.3. Network Requirements
  • 1.4. Verify the Downloaded ISO (Optional)
  • 1.5. Other Optional Requirements
• 2. Setup Guide
  • 2.1. Create a New ESX VM and Mount the ISO
  • 2.2. Navigate through the Installer
  • 2.3. Network Configuration
  • 2.4. Choosing a password
  • 2.5. Partitioning of the Hard Disk
  • 2.6. Proxy Configuration
  • 2.7. Changing the IP-Address
  • 2.8. Install the Analysis Cockpit Services
• 3. Administration
  • 3.1. Administration
  • 3.2. Configure Canned Recommendations
  • 3.3. Syslog Forwarding
  • 3.4. TLS Certificate Installation
  • 3.5. Configure LDAP
  • 3.6. Configure Notifications
  • 3.7. Log File Import
  • 3.8. Connect to ASGARD Management Center
  • 3.9. Asset View
  • 3.10. Sandbox Integration
  • 3.11. API
• 4. Basic Concepts
  • 4.1. Events
  • 4.2. Baselining
  • 4.3. Cases and Log Processing
  • 4.4. Understanding Users, Roles, Rights and Case Status
• 5. Baselining
  • 5.1. Customize Your View
  • 5.2. Manual Case Creation
  • 5.3. Automated Case Creation
  • 5.4. Add to Case
  • 5.5. Customizing the Detailed View of Log Lines
  • 5.6. Usage of the Context Menu
• 6. Case Management Best Practices
  • 6.1. Open a Case for Editing
  • 6.2. Case Dispatching
  • 6.3. Closing a Case
  • 6.4. Generate and Review auto_case_ids
  • 6.5. More Information about Cases
  • 6.6. Bulk Edit / Bulk Delete
• 7. Maintenance
  • 7.1. Configuration Backup & Restore
  • 7.2. Regain Disk Space
  • 7.3. Increasing ElasticSearch's Heap Space
• 8. Typical Pitfalls
  • 8.1. Certificate Validation Failed
  • 8.2. Log File Import of Previous Years
  • 8.3. Recover from a Full Disk
  • 8.4. ElasticSearch Index Locked Due to Low Free Disk Space
  • 8.5. Debug Failed File Imports
  • 8.6. Fixing a Broken Proxy Configuration
• 9. FAQs
  • 9.1. Disabling Assignment Logs
  • 9.2. No Events visible
  • 9.3. No new Events in Case
  • 9.4. Location of Scan Logs
  • 9.5. Default password for file downloads
  • 9.6. Disk Space filling up quickly
  • 9.7. Reverse Proxy to access the Analysis Cockpit
  • 9.8. Internet Explorer
  • 9.9. Admin Password reset
  • 9.10. Multi Factor Authentication reset
• 10. Known Issues
  • 10.1. AAC#001: Could not get table data: Data too large
• 11. Upgrade from Cockpit v3.10.1 to Cockpit v4.x
  • 11.1. Cluster Upgrade
  • 11.2. Standalone Upgrade
• 12. Glossary
  • 12.1. Baselining
  • 12.2. Cases
  • 12.3. Invisible (Backend)
• 13. Changelog
  • 13.1. Analysis Cockpit v4

Index

• Index