Over the last five months, we’ve been working on a shiny new version of our ASGARD platform that overcomes previous limitations and includes exciting new features.
ASGARD 2 is a completely rewritten management platform, featuring a new interface, load balancing options, a new lightweight agent, custom response playbooks and greatly improved IOC management.
Fundamental Changes
- Easy to use GUI and API for response functions (replaces GRR as underlying framework)
- Rewritten agents consume much less memory
- New dynamic agent load control allows up to 25,000 endpoints to be connected
- Predefined and custom playbooks
- IOC management support for MISP
- Remote consoles
IOC Management
The new IOC management lets you interface with a MISP instance and create rule sets based on filters.
For example, you can search for and select all MISP events containing the keyword “Emotet”, create a new rule set from them and then select this rule set to be used in a new THOR scan.
Playbooks
The so-called playbooks allow you to define a set of steps that the agent executes on an end system.
Each playbook can have up to 16 independent steps of the types “Run Command Line”, “Download File” or “Upload File”.
It is easy to set up new playbooks that, for example, download a certain tool to the endpoints, run it and collect the generated output.
The results of playbook executions can be collected individually or all together via GUI or API. Playbooks can be triggered via API, which allows integration into security orchestration, automation and response (SOAR) solutions.
ASGARD v2 ships with a set of predefined playbooks including:
- Collect system memory
- Collect file or folders
- Quarantine endpoint
- Collect triage package
- Collect process tree
Remote Console
The remote console allows you to open a web-based command line window on any attached end system. This greatly facilitates the analysis of suspicious events. Analysts can browse the remote system, review or change settings and issue commands.
During the session, you can select files for collection or define certain playbooks to be executed after disconnecting the command line session.
Every session gets recorded for complete traceability.
Time Schedule
Beta customers will test drive ASGARD v2 in March and April. We expect a first release in June.
An upgrade guide for ASGARD v1 customers will be provided.