MASTER ASGARD – One ASGARD to Rule Them All

We are glad to announce our new product MASTER ASGARD, a central control for a set of ASGARD systems.

MASTER ASGARD is designed to control multiple instances of ASGARD, which itself supports up to 10,000 endpoint agents. Using MASTER ASGARD you are able to control more than 100,000 end points from a single central location. 

This control includes:

  • Run distributed THOR and SPARK scans
  • Schedule distributed THOR and SPARK scans
  • Manage and distribute IOCs
  • Collect files and memory from Windows and Linux end systems

 

 

Here are some screenshots:

Management of multiple ASGARDs

Evidence Collection

Distributed Scans

MASTER ASGARD will be available for BETA program customers at the end of February and to the full customer base in May 2019.  

ASGARD v1.7.2 with File and Memory Collection

Our brand new ASGARD 1.7 comes with a shiny new feature: Evidence Collection

The evidence collection feature allows you to collect files or main memory from connected end systems.

The memory and file collection tasks provide a throttling option to reduce the upload speed of the dump files in order to save bandwidth and avoid higher response times of servers or workstations. 

The file collection feature allows you to get a single file, the contents of a folder with or without its sub directories. You can set size limits for each file and the whole archive.

The “Evidence Collection” tab lists all active and completed tasks. 

A log shows you the details of all the collection tasks.

ASGARD version 1.7.2 has been released today and can be upgraded via the “Updates” section. 

Please note that the memory collection on Linux endpoints is integrated but not fully supported. 

 

ASGARD Management Center Feature: Scanner Package Download Links

ASGARD features a new section since the last upgrade that you may have missed. It’s called “Downloads” and contains a section in which you can configure a download link for scanner packages.

In previous versions, the scanners have been accessible right from the login screen without any authentication, just like the GRR agents, which are still accessible in that way.

We’ve removed these unauthenticated scanner downloads and created that new “Downloads” section, which can be used by authenticated users in different ways.

While selecting different options in the form, the download link changes.

After you have selected the correct scanner, operating system and target hostname (not FQDN), you can copy the download link and use it to retrieve a full scanner package with included license file for that host. These download links can be send to administrators or team members that don’t have access to ASGARD management center. Remember that the recipients of that link still need to be able to reach ASGARD’s web server port 443/tcp. 

If you don’t set a hostname in the “Target Hostname” field, the scanner package will not contain a license file. If you have an unlimited “Enterprise” license, you’ll have to provide it separately.  

Use Case 1 – Provide Download Links

You can generate download links for the different scanner packages without included license for yourself or the administration team. A valid license (e.g. “Enterprise” or “Incident Response”) has to be provided and placed in the program folder. You can also use “thor-util” to retrieve licenses for specific hostnames from an ASGARD server (see the “THOR_Util_Manual.pdf” in each scanners “./docs” folder for details)

Use Case 2 – Administrator Asked to Run a Scan

You can copy the final download link and send it to an administrator, which can use this link on one of the servers to retrieve a full scanner package with license and run a scan. 

Use Case 3 – Use the URL in Script

You can use the URL in Bash or PowerShell scripts to automate scan runs on systems without installed ASGARD agent. Replace the hostname value with the value of the current host on which the script runs to get a URL for scanner download package with a host-specific license. 

Feature: SPARK Sample Quarantine via Bifrost

The new SPARK v1.14.16 supports the sample quarantine protocol named Bifrost.

With Bifrost you’re able to send suspicious samples that THOR or SPARK  detect on endpoints directly to a central server for analysis.

A Bifrost server is shipped in form of a Python script with THOR and SPARK. (./tools sub folder)
You can also activate the Bifrost server on our ASGARD platform.

All samples that have a score higher than the given limit are dropped into a given directory and are available for further post-processing – e.g. drop them into a sandbox or static analysis.

ASGARD IOC Management

The upcoming ASGARD version 1.5 comes with a IOC management section in which you can manage your own set of IOCs in text files, YARA and Sigma rules.

You can then select each of the folders when creating a new scan run with THOR or SPARK. Selecting one of these folders will not include the sub folders.

You can schedule and run scans with different IOC, Sigma and YARA rule sets. You can review the included custom signatures in the scan details. 

The following features are not yet implemented in v1.5 but on the roadmap for ASGARD v1.6:

  • Signature verification
  • Exclude the standard rule set (shipped with THOR and SPARK)

ASGARD Management Center version 1.4

Release notification of the ASGARD Management Center version 1.4

We have release version 1.4 for ASGARD.

This version has major improvements in usability, flexibility, stability and performance.

  • Plan and run THOR and SPARK scans on up to 10.000 endpoints – with a single 1RU appliance
  • Plan and run THOR and SPARK scans on up to 5.000 endpoints – with a virtual appliance
  • Improved the user interface with more information from a single pane
  • Schedule start date/time for single and group scans
  • Define frequency rhythm of scheduled scans (hourly, daily, weekly, etc.)
  • We added our own MySQL database to better track asset data
  • Improved ASGARD logging
  • Improved the ASGARD extension for GRR (added log status and scan duration to ASGARD)
  • You can now download the Scan Log from Scan Control
  • Import / export function to and from your CMDB system
  • Added full macOS support (Darwin) for SPARK scans
If you would like to see the core functions in action, check out our demo video:

https://youtu.be/G1VX9AloJNA

Plan and run THOR and SPARK scans
Set the frequency of your planned scans
Monitor your progress

Scan information