Feature Ideas

Trending
  1. Editing filter criteria of cases

    After creating a case it would be helpful to edit the filtering criteria:

    • Add Conditions
    • Refine Conditions
    • Toggle "Assign newly incoming events based on ..."

    Philipp W

    1

  2. Start ASGARD Playbooks e.g. collect file/directory from within the Analysis Cockpit

    Today the analysts need to jump a lot between the two servers if an event leads to the download of a file or directory. It would be beneficial if this could be accomplished by just clicking an icon next to the file/directory that triggers the download of that file/directory via ASGARD API on the affected asset. Also it would be nice if the analyst could trigger a playbook like CyLR from within the Cockpit.

    Michael Sepp // BETTA Security G

    1

  3. Setting to Force 2FA for all accounts

    Please provide a setting on all ASGARD family servers to force users to use/register 2FA.

    Michael Sepp // BETTA Security G

    1

  4. Multiple Changes to the Statistics Overview

    I would like to propose several improvements/feature requests to the "Statistics Overview" in the Analysis Cockpit. With the "Statistics Overview" I'm referring to the 8 graphs above the Baseline events in the Analysis Cockpit.

    • Make the values copyable, e.g. by right-click
    • Make the width/height customizable, as some events have more text and are currently cut
    • Make the number of graphs and the number of values per graph customizable
    • Give the ability to "flip" the values, i.e. show the least frequent values instead of most frequent
    • Make the x-axis scale dynamically instead of a fixed logarithmic x-axis
    • Make the position and number of the graphs customizable, i.e. maybe I want two small graphs at the top and one wide graph at the bottom

    Evgen Blohm // S

    0

  5. Reporting: Option to cancel a Reporting Process and Progress Bar

    Tested with Asgard Analysis Cockpit V3.7.4

    Issue: Unfortunately there currently is no option to cancel the creation of a report and the only status update given during the creation is "Running".

    Possible Use-cases: Cancel reports with a wrong configuration or ones that take too long.

    Proposed Improvement: Similar to scan tasks in the Management Center it would be helpful if reporting tasks in the AC had a "Stop" button and ideally a progress bar showing how far along the report creation is.

    Thanks in advance :)

    Marius Genheimer // S

    0

  6. Drag&Drop in ASGARD AC Filters

    It would be great to have a drag and drop ability in the dialogue of the case creation. My personal workflow is like this: I go through the events and have a finding to create a case of. I partially negate the filter to find more events but from different sourceimage (just an example). In the end I have the same finding from various sourceimages. When creating a case of the whole query, I have to copy&paste from the "logical and" to "logical or". With drag&drop it would be much more convenient.

    Philipp W

    1

  7. Modern authentication

    If you could implement modern authentication methods like SAML or MFA, that would be great.

    Philipp W

    1

  8. Move Events from Case A to Case B

    Often you need to move certain Events from Case A to Case B. Right now the workflow is to delete those Events from Case A and then re-add them to Case B. I would suggest adding a button to each case that moves the selected Events to another desired Case.

    Evgen Blohm // S

    0

  9. Filter prioritization process in Cockpit

    The full prioritization process doesn't work. The priority (low, medium, high, very high) does not have an effect on the assignment of events. For example: In ASGARD all incident cases get notified. In ASGARD we have an incident case for log4shell rules. The vulnerability scanner does active checks (exploitation) for log4shell. The destination server writes the request to the log files. Thor detects the pattern and reports it as Incident. We developed a new case with higher priority which detects the exploitation pattern from the vulnerability scanner. This case does not get all events. Our Notification workflow does not work correctly.

    Philipp W

    2

  10. Sorting Events from the Eventlog Module by Event_Time

    Each Event from the module Eventlog contains a field called Event_Time. An example of such values is the following:

    EVENT_TIME: Sun Oct 24 00:58:13 2021

    As the value of the field begins with the name of the day, it is not possible to sort these Events by Event_Time, as they will be sorted alphabetically. By sorting I refer to adding the field Event_Time to the columns in the Analysis Cockpit and sorting there. Please change the format of these Events so that you can sort them chronologically.

    Evgen Blohm // S

    1

  11. Ability to create accounts using API for both MC and AC

    Zachi N

    0

  12. API Improvements REST API Support (Feedback, formatted and fact-checked via rune)

    Dear Nextron Development Team,

    I would like to submit a feature request to improve the usability of the ASGARD Management Center API. While ASGARD provides powerful central management capabilities, the current API implementation—especially its reliance on gRPC without reflection—creates significant barriers to integration for security analysts and automation engineers.

    Current Challenges

    gRPC Without Reflection
    • The ASGARD API does not support reflection, making service discovery impossible.
    • Users must have prior knowledge of service and method names, making API integration difficult.

    Lack of REST API Support
    • Many security teams use Python, PowerShell, and automation tools that work better with REST APIs (JSON over HTTP).
    • gRPC requires additional setup and tooling, limiting accessibility for less experienced users.

    No Public API Documentation
    • There is no official API documentation listing available endpoints, request formats, or authentication details.
    • Without .proto files or API schemas, even experienced users struggle to construct correct API requests.

    Proposed Improvements

    To enhance API usability and broaden adoption, I propose the following enhancements:

    Enable gRPC Reflection (Short-Term Improvement)
    • This would allow tools like grpcurl to list available services and methods dynamically.
    • Reflection is a standard feature in gRPC and should be relatively simple to enable.

    Provide .proto Files for API Consumers
    • Publish the .proto files in ASGARD’s web UI or API documentation.
    • This would allow users to generate their own client stubs instead of guessing service names.

    Introduce a REST API Alternative (Long-Term Improvement)
    • Add a RESTful API (e.g., /api/v1/systems, /api/v1/users) that returns JSON responses.
    • Provide standard authentication (e.g., API keys or OAuth).
    • This would make ASGARD’s API accessible to a much wider audience.

    Publish API Documentation
    • A simple OpenAPI (Swagger) spec or static documentation (Markdown, PDF) would greatly improve usability.
    • Even a list of available services, request formats, and example responses would be beneficial.

    Expected Benefits

    ✅ Broader adoption: Security teams can integrate ASGARD more easily into their workflows.
    ✅ Faster automation: JSON-based REST APIs allow quick integration with SIEMs, SOAR platforms, and custom scripts.
    ✅ Lower support burden: Users would no longer need to guess service names, reducing API-related support tickets.
    ✅ Competitive advantage: Many enterprise security tools offer REST APIs; adding one would make ASGARD more appealing to modern security teams.

    I appreciate your consideration of this request and would be happy to provide further details or participate in any discussions to refine these proposals.

    Best regards,
    Björn Köhl
    Nextron Systems GmbH

    Björn K

    1

  13. LDAP improvements (2FA, User whitelisting)

    We would like to be able to use 2FA for LDAP users. The setup of 2FA should also be enforceable. Furthermore, it would be useful if we could activate individual LDAP users at the Management Centre instead of always going via the group. This way, we could also assign individual rights and use LDAP only as password management.

    Philipp K

    0

  14. Baselining counts for all Scanners

    At the moment in the Analysis Cockpit 3.5.6, the count shown after "Baselining" is only for THOR Events, this is kind of misleading. An indicator that there are more events, so Aurora and LogWatcher events, to analyze would be great. An idea would be to show 3 counts, e.g. THOR Events (in that cool THOR green-blue color), Aurora in green and LogWatcher for example in a yellow-ish color, maybe separated by a pipe character.

    Christoph L

    1

  15. Remove filtering criteria on Baselining on double-click

    As mentioned in the data dependency request, sometimes the explorative manner of investigation results in many try-revert situations. By try-revert it is meant that one selects a bar, changes their mind, and wants to rollback the selection. Currently, user has to leave the visualization section to remove a selected filter and revert to the previous state. As a user, I would like to remove a filter by clicking again on a selected bar, in order to keep exploring the data from the visualization section.

    Current behavior
    • leave the visualization area and click "x" on

    There is an option to use alt/ctrl+click. However, if one of those is performed, a filter is added. In the above scenario, it would result in and being active as filters, leading to no results (understandably). The desired behavior is different from due to the total set of results displayed. Presumably, the total set of results with is less than with neither nor present in filters.

    Desired behavior
    • add filter by clicking a bar in baselining
    • click again on that same bar in the visualization
    • removed from applied filters
    • set of presented events+filters+bars goes back to what it was before was applied

    Albina // BETTA Security G

    0