Later this month the new version 2.2 of ASGARD Analysis Cockpit will be released. These are the most important new features.
The Optimize Button
The new “Optimize” button allows you to add all unassigned log lines to existing cases with matching filters. It is possible that you miss some events when creating a new case, either by the wrong selection or due to the fact that new log lines can arrive at any time via SYSLOG or log file import in the background.
Now it is possible to add all unassigned log lines to previously created cases by using the “Optimize” button.
It will not remove previously assigned log lines from existing cases. It just helps you to clear up the base lining section by removing events that are related to existing cases but haven’t been assigned to these cases yet.
You can later review all automatic assignments in the “Automatic Event Assignment” protocol.
The new “notification” settings allow you to create notification rules for the following type of events:
- Log lines that are automatically assigned to an existing case
- Status changes of cases
The current supported actions are:
- Syslog Forwarding
- Email Notification
This allows you to define flexible rules for many different events. You may e.g. create a rule that sends an email notification whenever a new “Incident” case is opened.
You could also forward all incoming log lines that are automatically assigned to a case of type “Incident” to your remote SIEM system. (each syslog message will be extended by two new fields: case_type and case_id)
An email for a opened “Incident” case will then look like this:
The attachments of these emails contain the included log lines (text) and a JSON with all case information in machine readable form.
The File Importer status view has been improved so that it shows the number of total files in queue and the number of processed files.
The new improved reporting allows you to generate reports not only for a given period of time (e.g. last month) but custom queries on the ElasticSearch database. E.g. you can generate report for the scans on your SuSE linux systems only.
The reports contain more panels and information on the data set.
The data from all reports can be downloaded as JSON file.
Upgrade to 2.2
The upgrade will be visible in the “Updates” section of your Analysis Cockpit once it is released. See the change.log notes for a full list of changes.