Merge Main into V3

administration/agent.rst

@@ -3,8 +3,17 @@
 ASGARD Agent Deployment
 -----------------------
 
-In order to register a new endpoint to the ASGARD Management Center,
-download and install the ASGARD Agent on the system you want to register. 
+There are currently two modes of operation for the ASGARD Agent:
+
+- **Normal** - This is the default mode and allows usage of all ASGARD features.
+- **Essential** - This is a lightweight mode which only allows THOR scanning
+  and Aurora deployment.
+
+Please note that the Agent in Essential Mode is a separate installer and
+needs to be created in the :ref:`advanced/custom-agent:creating custom agent installers`.
+
+In order to connect a new endpoint to the ASGARD Management Center,
+download and install the ASGARD Agent on the system you want to onboard.
 
 The ASGARD Agent can be directly downloaded from the Management Center
 login screen through the button ``Download Agent Installers``. A list
@@ -43,12 +52,6 @@ endpoint shows up in the assets overview and is now ready to be managed and scan
 
    Accepting ASGARD Agent Requests
 
-A registered agent will poll the Management Center at a given
-interval between 10 seconds and 10 Minutes – depending on the number of
-connected endpoints (see :ref:`advanced/performance:performance tuning` for
-details). If your Management Center has scheduled a task for the endpoint (for example:
-run THOR scan) it will be executed directly after the poll.
-
 Windows Agent Deployment
 ^^^^^^^^^^^^^^^^^^^^^^^^
 

administration/assets.rst

@@ -34,37 +34,18 @@ individual ASGARD ID, their IP addresses and host names.
    Asset View
 
 By clicking the control buttons in the Actions column, you can start
-a new scan, run a response playbook, open a command line or switch
-the endpoints ping rate to a few seconds instead of a maximum of 10 minutes. 
-
-.. figure:: ../images/mc_asset-actions.png
-   :alt: Asset Actions
-
-   Available Actions (left to right): Run Scan, Run Task,
-   Connect To Remote Console, Show Timeline, Enable/Disable Fast Poll Mode
+a new scan, run a response playbook, open a command line or browse the
+remote file system.
 
 .. note::
 
-    * The internal ping between the ASGARD agent and ASGARD is based on HTTPS not ICMP
-    * Depending on the user's role some of the control buttons may be disabled
+    * Depending on the user's role, some of the control buttons may be disabled
     * The ``Run Scan`` button might be greyed out in new installations - this is
-      because ASGARD did not download the THOR packages yet. You can either wait for a
-      few minutes, or see the chapter :ref:`administration/updates:updates of thor and thor signatures`,
+      because the ASGARD Management Center did not download the THOR packages yet.
+      You can either wait for a few minutes, or see the chapter
+      :ref:`administration/updates:updates of thor and thor signatures`,
       to trigger a download manually.
 
-Column Visibility
-^^^^^^^^^^^^^^^^^
-
-Users can select various columns and adjust their view according to their
-needs by clicking the gear wheel in the top right corner of any table.
-You can toggle visibility of columns by clicking the icon next to the name.
-You can also drag and drop the columns to change the order in the table view.
-
-.. figure:: ../images/mc_asset-columns.png
-   :alt: Asset Columns
-
-   Available columns in Asset Management
-
 Asset Labels
 ^^^^^^^^^^^^
 

administration/aurora.rst

@@ -5,15 +5,15 @@ Aurora
 
 - Aurora is a lightweight endpoint agent that applies Sigma rules and IOCs on local event streams.
 - It uses Event Tracing for Windows (ETW) to subscribe to certain event channels.
-- It extends the Sigma standard with so-called "response actions" that can get executed after a rule match
-- It supports multiple output channels: the Windows Eventlog, a log file and remote UDP targets
+- It extends the Sigma standard with so-called "response actions" that can get executed after a rule matches
+- It supports multiple output channels: the Windows Eventlog, a log file and remote syslog.
 
 Its documentation can be found `here <https://aurora-agent-manual.nextron-systems.com/en/latest/index.html>`_.
 
 Aurora Overview
 ~~~~~~~~~~~~~~~
 Under ``Service Control`` > ``Aurora`` > ``Asset View (Deployed)`` the overview
-of all assets with installed Aurora is shown. Clicking on the entry opens a
+of all assets with Aurora installed can be seen here. Clicking on the entry opens a
 drop-down menu with details and additional information.
 
 .. figure:: ../images/mc_aurora-view-deployed.png
@@ -113,7 +113,6 @@ Best Practices for Managing Aurora
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 1. Install the ASGARD agent on the asset (see :ref:`administration/agent:asgard agent deployment`)
-2. Install the ASGARD service controller on the asset (see :ref:`administration/service-control:service controller installation`)
 3. Deploy the Aurora Service on the asset using the ``[Default] Standard configuration with critical and high Sigma rules``
 4. configuration (see :ref:`administration/aurora:deploy aurora on asset`)
 

administration/download.rst

@@ -20,8 +20,6 @@ the download token by disabling and then re-enabling it using ``New Download Tok
 .. figure:: ../images/mc_download-thor-package.png
    :alt: Generate THOR Package Download Link
 
-   Download THOR package and license workstation named 'WIN-CLI-DE-1234'
-
 While selecting different options in the form, the download link changes.
 
 After you have generated a download token and have selected the
@@ -41,15 +39,15 @@ anybody can download THOR from this ASGARD or can generate licenses.
    Incident Response license, you must provide it separately.
 
 
-Use Case 1 - Share th URL without Hostname
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Use Case 1 - Share the URL without Hostname
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 You can generate download links without an included license by
 leaving the `hostname` field empty. A valid license (e.g. "Incident Response")
 must be  placed in the program folder after the download and extraction. 
 
-Use Case 2 - Share th URL with Hostname
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Use Case 2 - Share the URL with Hostname
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 By including the hostname in the form, a license will be generated
 and included in the download package You can copy the final download
@@ -83,4 +81,6 @@ scans on systems without an installed ASGARD agent.
 .. code-block:: powershell 
 
    $Type = "server"
+   $Hostname = "server1"
+   $Token = "my-unique-token"
    $Download_Url = "https://asgard2.nextron:8443/api/v1/downloads/thor?os=windows&type=$($Type)&scanner=thor10%4010.6&signatures=signatures&hostname=$($Hostname)&token=$($Token)"

administration/evidence.rst

@@ -3,9 +3,6 @@
 Evidence Collection 
 ===================
 
-Collected Evidences
-^^^^^^^^^^^^^^^^^^^
-
 ASGARD provides two forms of collected evidence: 
 
 1. Playbook output (file or memory collection, command output)

administration/index.rst

@@ -19,11 +19,11 @@ installing agents and performing routine tasks in the Web UI.
     scheduled-scan
     syslog
     response-control
-    service-control
     aurora
     sigma
     iocs
     evidence
+    thunderstorm
     download
     license
     updates

administration/iocs.rst

@@ -3,69 +3,45 @@
 IOC Management
 ==============
 
-Integrating Custom IOCs
-^^^^^^^^^^^^^^^^^^^^^^^
-
-The menu ``IOC Management`` gives you the opportunity to easily integrate custom signatures into your scans. 
-
-In order to create your own custom IOC Group, navigate to ``IOC Management`` > ``IOCs``
-and click ``Add IOC Group`` in the upper right corner. Select a name and optionally a description for your IOC Group.
-
-.. figure:: ../images/mc_add-ioc-group.png
-   :alt: Add IOC Group
-
-   Add IOC Group
-
-To add IOCs to this group, use the ``Show and edit IOCs in this IOC group``
-action. A side pane opens where you can click the ``Import IOCs`` button
-to import your own signatures in any of THOR's IOC formats as files (e.g.
-files for keyword IOCs, YARA files and SIGMA files). Refer to the  
-`THOR manual (custom signatures) <https://thor-manual.nextron-systems.com/en/latest/usage/custom-signatures.html>`_
-for a complete list and file formats. Browse to the file you want
-to add and click upload. This adds your IOC file to the default ruleset. 
+The ASGARD Management Center allows you to create and manage your own IOCs.
+Those IOCs can be used with THOR and Aurora.
 
-.. figure:: ../images/mc_import-iocs.png
-   :alt: Imported IOCs Overview
+What's the difference between IOCs, IOC Groups, IOC Rulesets, and IOC Files?
 
-   Imported IOCs Overview
+- IOCs: Define specific indicators that represent potential threats. Supports different
+  types of IOC detection, such as filenames like “some_malware.exe”, hashes like "4fef5e34…”,
+  YARA and Sigma rules, etc.
 
-However, you can also click the ``Add IOC(s)`` button to add some IOCs
-interactively. Select the type, score and description, enter some values
-and click the ``Add IOC`` button.
+- IOC Groups: Organise related individual IOCs into easily manageable groups. For example,
+  you can group various individual IOCs related to a "Mimikatz" attack (such as an IOC
+  that detects the presence of a file called “mm64c.exe”) under a single category.
 
-.. figure:: ../images/mc_add-iocs.png
-   :alt: Add IOCs
+- IOC Rulesets: IOC Rulesets combines multiple IOC Groups into a comprehensive set of rules.
+  With this, you can assemble a set of indicator groups to represent a specific threat
+  scenario. You can also apply your changes to your rulesets for streamlined and efficient threat detection.
 
-   Add IOCs
+- IOC Files: Upload files containing your own IOCs that you can later use to add them
+  onto your own IOC Rulesets.
 
-You can add those IOC Groups to IOC Rulesets which can be created in
-the ``IOC Management`` > ``IOC Rulesets`` tab by clicking the  ``Add Ruleset``
-button in the upper right corner. Select name and description and click the 
-``Add Ruleset`` button.
-
-.. figure:: ../images/mc_add-ioc-ruleset.png
-   :alt: Add Ruleset
-
-   Add Ruleset
-
-After that, click on an entry in the table to expand it. There you
-get information about all IOC Groups which have been added to this
-ruleset. Additionally you can add or remove selected IOC Groups in
-``IOC Management: IOCs`` by clicking one of the three buttons shown below.
-
-.. figure:: ../images/mc_add-remove-ioc-group.png
-   :alt: Buttons to Add/Remove IOC Groups
+Integrating Custom IOCs
+^^^^^^^^^^^^^^^^^^^^^^^
 
-   Buttons to Add/Remove IOC Groups
+The menu ``IOC Management`` gives you the opportunity to easily integrate custom signatures into your scans. 
 
-You can now add your IOC Group to the newly created IOC Ruleset.
+In order to create your own custom IOC Group, navigate to ``IOC Management`` > ``IOCs``
+and click ``Add IOC`` in the upper right corner. Select a name and optionally a description for your IOC Group.
+This will open a dialog which guides you through the creation of IOCs.
 
-.. figure:: ../images/mc_add-ioc-group-to-ruleset.png
-   :alt: Add IOC Group to Ruleset
+Every IOC has to belong to one IOC Group. One IOC Group can contain multiple IOCs. And finally,
+one IOC Ruleset can contain many IOC Groups.
 
-   Add IOC Group to Ruleset
+After you are finished with the creation of your IOCs, you will have to apply the
+changes to the IOC Ruleset. You can do so by checking the box towards the end
+of the dialog ("Apply changes on all affected rulesets immediately"), or by
+setting the IOC Ruleset to "autocompile" (this can also be done during the dialog,
+if you create a new IOC Ruleset).
 
-This Ruleset can now be used in THOR scans.
+Once you created a IOC Ruleset which contains IOCs, it can be used for scanning with THOR.
 
 .. figure:: ../images/mc_ioc-ruleset-thor-scan.png
    :alt: IOC Ruleset in THOR Scan
@@ -74,7 +50,8 @@ This Ruleset can now be used in THOR scans.
 
 Anytime you add, remove or change IOCs within one of your IOC Groups,
 you have to recompile the IOC Ruleset. To do this, navigate to the
-``IOC Rulesets`` page and click the "geard" icon in the Ruleset's row
+``IOC Rulesets`` page and click the "gear" icon in the Ruleset's row.
+You can optionally set IOS Rulesets to "Autocompile".
 
 .. figure:: ../images/mc_compile-ioc-ruleset.png
    :alt: Compile IOC Ruleset

administration/license.rst

@@ -13,7 +13,7 @@ particular system during its initial THOR scan.
 
 The screenshot below shows the licensing section of an ASGARD.
 
-.. figure:: ../images/mc_asgard-licensing.png
+.. figure:: ../images/mc_licensing.png
    :alt: ASGARD licensing
 
    ASGARD licensing
@@ -39,4 +39,11 @@ The following systems require a server license in order to be scanned:
 
 The licenses are hostname based except for asset licenses. Asset
 licenses are issued for each accepted asset as soon as a response
-action is performed (playbook or remote console access).
+action is performed (playbook or remote console access).
+
+Thunderstorm
+^^^^^^^^^^^^
+
+You can upload your THOR Thunderstorm license lower box of the
+``Licenses`` view. Please note that the Thunderstorm license
+needs to have the same hostname as the ASGARD system.

administration/response-control.rst

@@ -16,6 +16,16 @@ tasks can be:
   - Configure the asset's proxy
   - Move asset to another ASGARD
 
+There are several other tasks which will appear in the Response Control
+section, those include:
+
+* Directory Listing (Browse the file system)
+* Log (view the ASGARD Agent Log)
+* System Stats (view the system load)
+
+Those tasks can only be started from the Details view of an asset,
+but appear here for audit purposes.
+
 Opening a Remote Console on an endpoint
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
@@ -27,10 +37,8 @@ Management section and click the "command line" button in the Actions column.
 
    Opening a Remote Console from the Asset View
 
-Depending on your configuration it may take between 10 seconds and 10
-minutes for the remote console to open. Please note that all actions
-within the remote console are recorded and can be audited. All consoles
-open with root or system privileges.
+Please note that all actions within the remote console are recorded and
+can be audited. All consoles open with root or system privileges.
 
 .. figure:: ../images/mc_open-remote-console.png
    :alt: Remote Shell

administration/sigma.rst

@@ -3,7 +3,7 @@
 Sigma
 =====
 
-Aurora is using Sigma in order to define detections.
+THOR and Aurora are using Sigma in order to improve detections.
 
 What is Sigma
 ~~~~~~~~~~~~~

administration/status.rst

@@ -73,10 +73,10 @@ Available logs and their content:
      - Overall status of the Management Center, general errors and warnings
    * - Audit
      - Containing user login/logout and changes done over the UI
-   * - ASGARD Agent and Service Controller
+   * - ASGARD Agent
      - Status of the agents deployed on assets
-   * - ASGARD Agent and Service Controller Access Log
-     - Logs of agents and service controllers communicating with the Management Center
+   * - ASGARD Agent Access Log
+     - Logs of agents communicating with the Management Center
    * - THOR via Syslog
      - Received syslog events of THOR scans. Partial results if a scan did not complete
    * - THOR via Syslog (Scan Start, Licensing, Completion only)
@@ -90,4 +90,8 @@ Available logs and their content:
    * - Aurora Simulated Response Actions
      - Only simulated response action events of Aurora
    * - Diagnostic Pack
-     - Button for generating and downloading a diagnostic pack that may be asked for by support
+     - Button for generating and downloading a diagnostic pack that may be asked for by support
+   * - Backup & Restore
+     - Logs related to Backup & Restore activities
+   * - Thunderstorm
+     - Full Log output of the Thunderstorm service, including matches