Nextron Systems - Analysis Cockpit v4

Welcome to Nextron System's Manual for the ASGARD Analysis Cockpit v4.

Note

If you are still using an older version of the Analysis Cockpit, please click here to see the older version of the documentation.

Analysis Cockpit is the central platform for analyzing THOR events and SIGMA matches generated by ASGARDs real time agents.

It can be used in an environment where scans results can be automatically collected from ASGARD Management Centers, scan results originating from your THOR Cloud account, or environments in which THOR is executed by scripts or any other 3rd party solution.

In the following chapters we will describe how the Analysis Cockpit works, how to install the system, and how to use it. Additional information regarding troubleshooting, known issues, or general administrative tasks can also be found.

We marked each section (if applicable) with the corresponding path in the UI with the following format: >Section\Sub Section\Another Menu

This will allow you to find specific menus and buttons easier in your Analysis Cockpit.

Contents

• 1. Requirements
  • 1.1. Introduction
  • 1.2. Hardware Requirements
  • 1.3. Network Requirements
  • 1.4. Verify the Downloaded ISO (Optional)
• 2. Setup Guide
  • 2.1. Create a New ESX VM and Mount the ISO
  • 2.2. Navigate through the Installer
  • 2.3. Network Configuration
  • 2.4. Choosing a password
  • 2.5. Partitioning of the Hard Disk
  • 2.6. Proxy Configuration
  • 2.7. Changing the IP-Address
  • 2.8. Install the ASGARD Analysis Cockpit Service
• 3. Administration
  • 3.1. Link ASGARD Management Center
  • 3.2. Asset View
  • 3.3. Case Recommendations
  • 3.4. Syslog Forwarding
  • 3.5. TLS Certificate Installation
  • 3.6. Configure LDAP
  • 3.7. Cockpit Notifications
  • 3.8. Log File Import
  • 3.9. THOR Cloud Integration
  • 3.10. Sandbox Integration
  • 3.11. API
• 4. Basic Concepts
  • 4.1. Events
  • 4.2. Baselining
  • 4.3. Cases and Log Processing
  • 4.4. Understanding Users, Roles, Rights and Case Status
• 5. Baselining
  • 5.1. Customize Your View
  • 5.2. Manual Case Creation
  • 5.3. ChatGPT Integration
  • 5.4. Automated Case Creation
  • 5.5. Add to Case
  • 5.6. Customizing the Detailed View of Log Lines
  • 5.7. Usage of the Context Menu
  • 5.8. Case Intelligence
• 6. Case Management Best Practices
  • 6.1. Open a Case for Editing
  • 6.2. Case Dispatching
  • 6.3. Closing a Case
  • 6.4. Grouping Criteria
  • 6.5. Generate and Review auto_case_ids
  • 6.6. More Information about Cases
  • 6.7. Bulk Edit / Bulk Delete
• 7. Maintenance
  • 7.1. Diagnostics
  • 7.2. Data Retention
  • 7.3. Configuration Backup & Restore
  • 7.4. Auto Optimize
  • 7.5. Increasing ElasticSearch's Heap Space
  • 7.6. Elasticsearch Cluster Update
• 8. Troubleshooting
  • 8.1. Disabling Assignment Logs
  • 8.2. Location of Scan Logs
  • 8.3. Default password for file downloads
  • 8.4. Admin Password reset
  • 8.5. Multi Factor Authentication reset
  • 8.6. Resetting TLS/SSL Certificates
• 9. Known Issues
  • 9.1. AAC#004: Could not check for updates
  • 9.2. AAC#003: [WAR] could not create case
  • 9.3. AAC#002: Scan stuck at Status "Unknown"
  • 9.4. AAC#001: Could not get table data: Data too large
• 10. Upgrade from Cockpit v3.10.4 to Cockpit v4.x
  • 10.1. Cluster Upgrade
  • 10.2. Standalone Upgrade
• 11. Glossary
  • 11.1. Baselining
  • 11.2. Cases
  • 11.3. Invisible (Backend)
  • 11.4. Additional Resources
• 12. Changelog
  • 12.1. Analysis Cockpit v4.4
  • 12.2. Analysis Cockpit v4.3
  • 12.3. Analysis Cockpit v4.2
  • 12.4. Analysis Cockpit v4.1
  • 12.5. Analysis Cockpit v4.0

Index

• Index