Nextron Systems - Analysis Cockpit v4

Welcome to Nextron System's Manual for the ASGARD Analysis Cockpit v4.

Note

If you are still using an older version of the Analysis Cockpit, please click here to see the older version of the documentation.

Analysis Cockpit is the central platform for analyzing THOR events and SIGMA matches generated by ASGARDs real time agents.

It can be used in an environment where scans results can be automatically collected from ASGARD Management Centers or environments in which THOR is executed by scripts or any other 3rd party solution.

In the following chapters we will describe how the Analysis Cockpit works, how to install the system, and how to use it. Additional information regarding troubleshooting, known issues, or general administrative tasks can also be found.

Contents

• 1. Requirements
  • 1.1. Introduction
  • 1.2. Hardware Requirements
  • 1.3. Network Requirements
  • 1.4. Verify the Downloaded ISO (Optional)
  • 1.5. Other Optional Requirements
• 2. Setup Guide
  • 2.1. Create a New ESX VM and Mount the ISO
  • 2.2. Navigate through the Installer
  • 2.3. Network Configuration
  • 2.4. Choosing a password
  • 2.5. Partitioning of the Hard Disk
  • 2.6. Proxy Configuration
  • 2.7. Changing the IP-Address
  • 2.8. Install the ASGARD Analysis Cockpit Service
• 3. Administration
  • 3.1. Link ASGARD Management Center
  • 3.2. Asset View
  • 3.3. Configure Canned Recommendations
  • 3.4. Syslog Forwarding
  • 3.5. TLS Certificate Installation
  • 3.6. Configure LDAP
  • 3.7. Configure Notifications
  • 3.8. Log File Import
  • 3.9. Sandbox Integration
  • 3.10. API
• 4. Basic Concepts
  • 4.1. Events
  • 4.2. Baselining
  • 4.3. Cases and Log Processing
  • 4.4. Understanding Users, Roles, Rights and Case Status
• 5. Baselining
  • 5.1. Customize Your View
  • 5.2. Manual Case Creation
  • 5.3. Automated Case Creation
  • 5.4. Add to Case
  • 5.5. Customizing the Detailed View of Log Lines
  • 5.6. Usage of the Context Menu
• 6. Case Management Best Practices
  • 6.1. Open a Case for Editing
  • 6.2. Case Dispatching
  • 6.3. Closing a Case
  • 6.4. Grouping Criteria
  • 6.5. Generate and Review auto_case_ids
  • 6.6. More Information about Cases
  • 6.7. Bulk Edit / Bulk Delete
• 7. Maintenance
  • 7.1. Diagnostics
  • 7.2. Data Retention
  • 7.3. Configuration Backup & Restore
  • 7.4. Extending Disk Space
  • 7.5. Regain Disk Space
  • 7.6. Increasing ElasticSearch's Heap Space
  • 7.7. Elasticsearch Cluster Update
• 8. Typical Pitfalls
  • 8.1. Log File Import of Previous Years
  • 8.2. Disk Watermark
  • 8.3. Recover from a Full Disk
  • 8.4. Debug Failed File Imports
  • 8.5. Fixing a Broken Proxy Configuration
• 9. FAQs
  • 9.1. Disabling Assignment Logs
  • 9.2. No Events visible
  • 9.3. No new Events in Case
  • 9.4. Location of Scan Logs
  • 9.5. Default password for file downloads
  • 9.6. Disk Space filling up quickly
  • 9.7. Reverse Proxy to access the Analysis Cockpit
  • 9.8. Internet Explorer
  • 9.9. Admin Password reset
  • 9.10. Multi Factor Authentication reset
  • 9.11. Resetting TLS/SSL Certificates
• 10. Known Issues
  • 10.1. AAC#004: Could not check for updates
  • 10.2. AAC#003: [WAR] could not create case
  • 10.3. AAC#002: Scan stuck at Status "Unknown"
  • 10.4. AAC#001: Could not get table data: Data too large
• 11. Upgrade from Cockpit v3.10.4 to Cockpit v4.x
  • 11.1. Cluster Upgrade
  • 11.2. Standalone Upgrade
• 12. Glossary
  • 12.1. Baselining
  • 12.2. Cases
  • 12.3. Invisible (Backend)
  • 12.4. Additional Resources
• 13. Changelog
  • 13.1. Analysis Cockpit v4.2
  • 13.2. Analysis Cockpit v4.1
  • 13.3. Analysis Cockpit v4.0

Index

• Index