At its core, this version introduces a powerful new query language, complemented by targeted improvements that support the daily workflows of security and incident response teams.
Highlights
AQL – ASGARD Query Language
The central highlight of version 4.4 is the introduction of AQL (ASGARD Query Language).
AQL enables analysts to create complex and combined queries across multiple fields, going far beyond traditional filter mechanisms.
A key benefit is the integration of time-based fields, including THOR time information. This allows queries such as:
- Events from the last two weeks or a defined time range
- Combination with a score threshold (e.g., score ≥ 85)
- Additional criteria to further narrow down relevant findings
Figure: AQL example from the baseline section
Value Completion for Quick Filters
Quick filters now support value completion, enabling faster and more convenient filter creation. Suggested values reduce typing errors and help analysts build precise filters without interrupting their analysis workflow.
Figure: Selector example with MD5 from the baseline section
Improved FilterBar and Consistent UI Across DataTables
The FilterBar has been further refined, and overall UI consistency across all DataTables has been improved. This results in a cleaner, more streamlined interface and a consistent user experience when working with large data sets and complex filters.
Figure: Example from the case section
Enhanced Performance and Reliability of Baselining and Case Intelligence
The Baselining and Case Intelligence modules received further performance and stability optimizations. Analyses run faster and more reliably, especially in environments with high event volumes or extensive historical data.
Improvements
- Email and GUI notifications for unassigned events
- Extended support for time-based fields, including THOR time information
- Export of search results and case templates
- Score slider for improved case prioritization
- Improved error messages for filter queries
- Additional enhancements as listed in the changelog
Bugfixes
ASGARD Analysis Cockpit 4.4 also includes numerous bug fixes and stability improvements. Detailed information can be found in the official changelog.
Conclusion
ASGARD Analysis Cockpit 4.4 is a clear quality and efficiency upgrade. The introduction of AQL significantly enhances search and analysis capabilities, enabling analysts to more effectively identify relevant events, meaningful context, and actionable facts.
What’s next
Alongside this release, we are already working at full speed on the next generation of the Analysis Cockpit. Our goal is a new and further evolved analysis platform with a modernized design, enhanced analytical capabilities, and significantly improved correlation of events, context information, and facts.
FAQs
How long does the update take?
The update process typically completes within a few minutes.
Will the system restart during the update process?
The ASGARD Analysis Cockpit service will be restarted as part of the update, but a full system reboot is not required.
Do I need to update my API integrations or scripts?
No. The API interface remains unchanged in this release, so all existing integrations and scripts will continue to work without modifications.
Are there any changes to user roles or permissions?
No changes have been made to the permission model. All existing roles and access rights remain the same, ensuring seamless continuity in user management.
Further Information
For more details, please refer to our manual or our ASGARD Analysis Cockpit YouTube playlist, which provides comprehensive guidance on all the new features and changes. You can also contact our support for further assistance.
Nextron Threat Research Team
Florian Roth
Marius Benthin