ASGARD ships as a hardened virtual appliance and features agents for Microsoft Windows, Linux and macOS.
Its rich API facilitates interoperation with SOAR frameworks, sandboxes, antivirus systems, SIEM systems, CMDBs, IPS devices – or in other words: with literally any security device you may have in place.
Single System Live Forensics
Evaluating SIEM or EDR events can be a tedious task. Analysts often have to decide whether to check off a warning or order a full forensic analysis. ASGARD allows you to run a live forensics scan on any connected endpoint, providing a deeper analysis, saving analysts time and costs.
Triage
In today’s fast-paced threat landscape, we get numerous indicators of compromise (IOCs) from public reports, official entities, partners or sharing groups. ASGARD allows you to quickly check end systems for a set of custom IOCs. It features MISP integration with a neat interface and supports manual STIX v2 imports.
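The triage workflow above (take a set of IOCs, typically from MISP or a STIX v2 import, and check end systems for them) is illustrated here with an added, self-contained Python example. It is not ASGARD's importer or THOR's matching engine; the STIX 2.1 bundle, the hashes, the domain and the endpoint file inventory are all constructed sample data, and `extract_iocs` / `triage` are hypothetical helper names. The example shows what a STIX indicator pattern looks like, which objects an importer should skip (revoked indicators, non-STIX pattern types, non-indicator objects), and how extracted hash IOCs are matched against a host inventory.

```python
"""Extract host-based IOCs from a STIX 2.1 bundle and triage a file inventory.

Added example (not ASGARD/THOR code). All identifiers, hashes and hosts are
constructed sample values.
"""
import json
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle: one plain hash indicator, one OR-pattern with
# two hash algorithms, one domain, one revoked indicator, one snort pattern
# and one non-indicator object.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "Constructed: dropper SHA-256",
         "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "Constructed: loader, MD5 or SHA-1",
         "pattern": "[file:hashes.MD5 = '" + "b" * 32
                    + "' OR file:hashes.'SHA-1' = '" + "c" * 40 + "']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "Constructed: C2 domain",
         "pattern": "[domain-name:value = 'c2.example.invalid']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "name": "Constructed: withdrawn false positive", "revoked": True,
         "pattern": "[file:hashes.'SHA-256' = '" + "d" * 64 + "']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "snort",
         "id": "indicator--00000000-0000-4000-8000-000000000006",
         "name": "Constructed: network signature, not a host IOC",
         "pattern": "alert tcp any any -> any 80 (msg:\"x\"; sid:1;)",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000007",
         "name": "Constructed malware object", "is_family": False},
    ],
})

# Matches one "object-type:property = 'value'" comparison inside a STIX pattern.
PATTERN_RE = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<value>[^']*)'"
)


def extract_iocs(bundle_json):
    """Return {'file:hashes.sha-256': {...}, 'domain-name:value': {...}, ...}."""
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only live indicators carry actionable IOCs
        if obj.get("pattern_type", "stix") != "stix":
            continue  # snort/yara/sigma patterns are not simple value lookups
        for m in PATTERN_RE.finditer(obj.get("pattern", "")):
            key = f"{m['type']}:{m['path']}".replace("'", "").lower()
            iocs[key].add(m["value"].lower())
    return dict(iocs)


# Constructed endpoint file inventory, as an agent might report it.
INVENTORY = [
    {"host": "WS-01", "path": r"C:\Users\alice\AppData\Local\Temp\inv.exe",
     "hashes": {"SHA-256": "A" * 64}},
    {"host": "WS-02", "path": "/tmp/build.sh", "hashes": {"SHA-256": "e" * 64}},
    {"host": "SRV-01", "path": r"C:\Windows\Temp\ld.dll",
     "hashes": {"MD5": "b" * 32, "SHA-256": "9" * 64}},
]


def triage(inventory, iocs):
    """Return (host, path, ioc_key, digest) for every inventory hash in the IOC set."""
    hits = []
    for entry in inventory:
        for algo, digest in entry.get("hashes", {}).items():
            key = f"file:hashes.{algo.lower()}"
            if digest.lower() in iocs.get(key, set()):
                hits.append((entry["host"], entry["path"], key, digest.lower()))
    return hits


if __name__ == "__main__":
    found = extract_iocs(STIX_BUNDLE)
    for k, v in sorted(found.items()):
        print(k, len(v))
    for hit in triage(INVENTORY, found):
        print("HIT", *hit)
```

Hash values and keys are lower-cased on both sides before comparison, since feeds and agents are inconsistent about case; the revoked indicator and the snort rule never reach the match set, which is the behaviour you want from any importer that feeds a scanner.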
Continuous Compromise Assessment
Compromise assessments provide an in-depth analysis including anomalies, suspicious elements and sometimes malicious activity. But this thorough analysis comes at a price: time and effort. In combination with the baselining features of our Analysis Cockpit, we limit the effort of every subsequent compromise assessment to a minimum.
Scalable
A single ASGARD Management Center can control up to 25,000 endpoints – providing central scan control and response functions with a single click on all connected endpoints.
With Master ASGARD it is possible to control multiple ASGARD Management Centers – thus providing central management for more than one million endpoints in a single console. This also allows for multi-tenant architectures in which individual ASGARDs remain dedicated to one tenant while all ASGARDs share central scan control through Master ASGARD.
Built-in Response Playbooks
The built-in response and information-gathering playbooks are easy to execute and can be run on single systems, on groups of systems, or at scale on all connected endpoints.
The built-in response playbooks include:
- Memory collection
- File collection
- Registry collection
- Quarantine
- Remote console (full cmd / shell)
Custom Response Playbooks
Our custom response playbooks help you orchestrate your specific responses. Prepare your individual response playbook with up to 16 consecutive steps.
A typical response playbook may look like this:
- Step 1: Quarantine endpoint on network level
- Step 2: Upload forensic toolset to endpoint
- Step 3: Execute forensic tools and generate output package
- Step 4: Download output package to ASGARD
- Step 5: Remove toolset and output package from endpoint
Powerful API
The ASGARD API facilitates integration with SOAR frameworks, SIEM systems, IOC feeds/providers (e.g. MISP, …) and literally any piece of security infrastructure you have in place.
Typical use cases may include:
- Trigger a THOR scan on a system that raised alerts in an IPS, SIEM, antivirus console, etc.
- Collect forensic evidence on endpoints
- Synchronize ASGARD assets with CMDB
- Drop suspicious samples into sandbox
Multi-Platform
ASGARD ships as a hardened virtual appliance and features agents for Microsoft Windows, Linux and macOS.
In the example we select all events with the keyword “Emotet”, add them to a new rule set and use that rule set in a new Group Scan with THOR.
“[…] At Infineon we integrated Asgard with many of our technical systems. Asgard ships with a comprehensive amount of detection rules and threat intelligence. Additionally, before a scan is triggered, Asgard imports its indicator set from our MISP-based Threat Intelligence Platform, enabling us to securely scan for host-based indicators from various private and public sources. If files are detected to be suspicious beyond a defined threshold, we use Asgard’s Bifrost Protocol to automatically collect suspicious files for dynamic and static analysis. […]”
Raphael Otto
Head of Cyber Defense Center
Infineon Technologies AG
Optimized Analysis and Baselining
ASGARD Analysis Cockpit gives you full visibility on all your IOC matches, logs and sandbox reports. It allows you to set baselines and points you to security relevant changes in your environment.
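The baselining idea described for the Analysis Cockpit (and in the Continuous Compromise Assessment section above) is shown here as an added Python example. It is not Analysis Cockpit code; the scan matches, rule names, paths and verdicts are constructed sample data, and `fingerprint`, `build_baseline` and `triage_against_baseline` are hypothetical helper names. The example makes one design point concrete: a baseline has to be keyed on a normalised fingerprint of the match (rule, path with user-specific segments collapsed, file hash), otherwise the same benign finding under a different user profile resurfaces on every assessment, while a finding that was reviewed as suspicious is never silently suppressed.

```python
"""Suppress already-reviewed scan matches and surface only what changed.

Added example (not Analysis Cockpit code). All matches, rules, hosts and
hashes are constructed sample values.
"""
import re

# Collapse per-user directory segments so identical findings across user
# profiles share one fingerprint.
WIN_USER_RE = re.compile(r"(?i)^([a-z]:\\users\\)[^\\]+\\")
NIX_HOME_RE = re.compile(r"^/home/[^/]+/")


def fingerprint(match):
    """(rule, normalised path, sha256) identifies a finding independent of host/user."""
    path = WIN_USER_RE.sub(r"\1<user>\\", match["path"])
    path = NIX_HOME_RE.sub("/home/<user>/", path)
    return (match["rule"], path.lower(), match.get("sha256", "").lower())


def build_baseline(reviewed):
    """reviewed: iterable of (match, verdict) where verdict is 'benign' or 'suspicious'."""
    baseline = {}
    for match, verdict in reviewed:
        if verdict not in ("benign", "suspicious"):
            raise ValueError(f"unknown verdict {verdict!r}")
        baseline[fingerprint(match)] = verdict
    return baseline


def triage_against_baseline(current, baseline):
    """Return [{'status': 'new'|'recurring', 'match': m}] for findings an analyst must see.

    'new'       -> fingerprint never reviewed before
    'recurring' -> reviewed before and classified suspicious (never suppressed)
    Matches reviewed as benign are dropped.
    """
    out = []
    for m in current:
        verdict = baseline.get(fingerprint(m))
        if verdict is None:
            out.append({"status": "new", "match": m})
        elif verdict == "suspicious":
            out.append({"status": "recurring", "match": m})
    return out


# Constructed first assessment, already reviewed by an analyst.
REVIEWED = [
    ({"host": "WS-01", "rule": "Suspicious_Packer",
      "path": r"C:\Users\alice\AppData\Local\Temp\tool.exe", "sha256": "1" * 64},
     "benign"),  # in-house packed admin tool
    ({"host": "WS-03", "rule": "Mimikatz_Strings",
      "path": r"C:\Users\carol\Downloads\mk.exe", "sha256": "2" * 64},
     "suspicious"),
    ({"host": "SRV-01", "rule": "Known_Good_Build_Script",
      "path": "/home/deploy/build.sh", "sha256": "3" * 64},
     "benign"),
]

# Constructed follow-up assessment.
CURRENT = [
    {"host": "WS-02", "rule": "Suspicious_Packer",          # same tool, other user
     "path": r"C:\Users\bob\AppData\Local\Temp\tool.exe", "sha256": "1" * 64},
    {"host": "WS-03", "rule": "Mimikatz_Strings",           # still present
     "path": r"C:\Users\carol\Downloads\mk.exe", "sha256": "2" * 64},
    {"host": "SRV-02", "rule": "Webshell_Generic",          # genuinely new
     "path": "/var/www/html/x.php", "sha256": "f" * 64},
    {"host": "SRV-03", "rule": "Known_Good_Build_Script",   # same script, other home
     "path": "/home/ci/build.sh", "sha256": "3" * 64},
]


def summarise(findings):
    """Count findings per status, e.g. {'new': 1, 'recurring': 1}."""
    counts = {}
    for f in findings:
        counts[f["status"]] = counts.get(f["status"], 0) + 1
    return counts


if __name__ == "__main__":
    todo = triage_against_baseline(CURRENT, build_baseline(REVIEWED))
    for f in todo:
        print(f["status"], f["match"]["host"], f["match"]["rule"], f["match"]["path"])
    print(summarise(todo))
```

Including the file hash in the fingerprint is deliberate: a new binary at a previously whitelisted path produces a different fingerprint and is reported as new, so path-based whitelisting alone cannot be abused to hide a replaced file.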