Feat/4.3 to main after AAC release

administration/amc.rst

@@ -3,9 +3,10 @@
 Link ASGARD Management Center
 -----------------------------
 
-In order to receive log data from ASGARD Management Center(s), add
-them in the corresponding section in the system settings. You can find the
-settings in ``Settings`` > ``Connected Systems`` > ``Management Center``.
+``>Settings\Connected Systems\Management Center``
+
+In order to receive log data from your ASGARD Management Center(s), add
+them in the corresponding section in the system settings:
 
 .. figure:: ../images/cockpit_link_asgard_mc.png
    :alt: Link ASGARD Management Center
@@ -24,34 +25,37 @@ Cockpit.
 Asset View
 ----------
 
+``>Assets``
+
 In most cases working with the ``Baselining`` section and the ``Cases`` section
 can be seen as the best practice approach for setting baselines and
 dealing with alerts and warnings.
 
 However, in some cases it makes sense to change perspective and rather
 go for a host centric approach. The Analysis Cockpit will calculate
 numbers of lines in different case types (Incident, Suspicious, Anomaly,
-etc.) on a per host basis for a given time frame. Along with information
-from ASGARD on last scan dates, labels, host availability etc. this
-gives an entirely different perspective.
+etc.) on a per host basis for a given time frame. Information from the
+ASGARD, such as last scan dates, labels, host availability, and many more
+can allow for an entirely different perspective.
 
-By using the "Asset View" you can e.g., easily answer questions like:
+By using the "Asset View" you can easily answer questions like:
 
--  Which systems appear most often in “Incident” cases?
+-  Which systems appear most often in **Incident** cases?
 -  Which systems haven't reported a single event for more than a month?
 -  Which Domain Controllers have not been scanned yet?
--  Which systems with IP addresses starting "192.168." appear in
-   "Incident" cases?
+-  Which systems in the subnet "192.168.0.0/16" appear in
+   **Incident** cases?
 
 You can also set a time when an asset was compromised. This is useful
-for example when you want to see which systems were compromised in the
-last 30 days.
+when you want to see which systems were compromised in the last 30 days.
 
-In combination with the ``ASGARD Query`` and ``Labels``, which are identical
-to your ASGARD, you can even narrow down the events by system group
+In combination with the ``ASGARD Query`` and ``Labels``, which are pinned to your assets,
+you can even narrow down the events by system group
 (e.g., Domain Controllers, or certain locations).
 
-.. figure:: ../images/cockpit_asset_query.png
+.. figure:: ../images/cockpit_asgard_query.png
    :alt: Filtering within the Assets View 
 
    Filtering within the Assets view
+
+For more ``ASGARD Query`` examples, please open the Query Help on the right of the query input field (info icon).

administration/api.rst

@@ -10,3 +10,10 @@ You can find it in the top right corner's help menu.
    :alt: API Documentation
 
    API Documentation
+
+To test the API in the web interface, copy the API key from your user settings into the key field.
+
+.. figure:: ../images/cockpit_api_key.png
+   :alt: API Key
+
+   API Key

administration/case-recommendations.rst

@@ -1,9 +1,11 @@
-.. Index:: Canned Recommendations
+.. Index:: Case Recommendations
 
-Configure Canned Recommendations
---------------------------------
+Case Recommendations
+--------------------
 
-Canned recommendations are predefined actions that can be used within a
+``>Settings\Case Management\Recommendations``
+
+Case Recommendations are predefined actions that can be used within a
 case. The recommendations are fully configurable and are aimed to
 facilitate choice making regarding the action that should be applied for
 a specific case. There is no need to set this up, but we suggest doing
@@ -16,4 +18,4 @@ Recommendations can also be added by any user from within a case.
 .. figure:: ../images/cockpit_case_recommendations.png
    :alt: Case Management - Recommendations
 
-   Case Management- Recommendations
+   Case Management - Recommendations

administration/index.rst

@@ -26,5 +26,6 @@ These steps are described in detail in the following sections.
     syslog
     system-settings
     log-file
+    thor-cloud
     sandbox
     api

administration/log-file.rst

@@ -6,22 +6,23 @@ Log File Import
 Basic Concepts
 ^^^^^^^^^^^^^^
 
-In general, all logs show up in the Events section. Additionally, all
-Alerts and Warnings that are not matching a particular case will show up
+All imported THOR logs can be found in the ``Events`` section. All
+Alerts and Warnings that are not matching a particular case will be visible
 in the ``Baselining`` section. Notices and informational events will NOT
 show up in the Baselining Section as they match the predefined default
-cases for these events.
+cases for these events. We strongly advise to **not** delete those
+cases, as those event levels contribute to the majority of THOR events.
 
 All logs are tagged with a specific scan id – regardless of how the log
 was integrated. This enables filtering down to all logs contained in a
 specific scan.
 
-If ASGARD Management Center is connected and the events was generated as
-part of a group scan the event is also tagged with this particular group
-scan id. This allows for filtering down to all logs a particular group
+If an ASGARD Management Center is connected and the events were generated as
+part of a group scan, those events are also tagged with this particular group
+scan id. This allows for filtering down to all logs of particular group
 scan.
 
-Assets are identified through the asset ID that was issued by ASGARD
+Assets are identified through the asset ID that was issued by the ASGARD
 Management Center during the setup of the ASGARD Agent. If this ID is
 not available to the Analysis Cockpit (e.g. log has been uploaded
 manually or sent through syslog) the hostname (NOT the FQDN) will be
@@ -30,63 +31,55 @@ used instead.
 Direct Integration with ASGARD Management Center
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
+``>Scans\Scans``
+
 If the Analysis Cockpit is linked to one or more ASGARD Management
-Centers, all THOR logs get integrated automatically and will show up in
-the Baselining and/or the Events section. Aurora Events will also
-automatically show up.
+Center, all THOR logs get integrated automatically and can be found
+in your Baselining and Events section. The same is true for Aurora
+events.
 
 To see how to connect an ASGARD Management Center with your Analysis
 Cockpit, follow the instructions in the chapter
 :ref:`administration/amc:link asgard management center`.
 
-You can retrieve old scans performed by ASGARD Management Center before
-you connected it to Analysis Cockpit using the ``Request Events`` button in
-the ``Scans`` section.
-
-.. figure:: ../images/cockpit_scan_request_events.png
-   :alt: Request Events from Scan
-
-   Request Events from Scan
-
 Syslog Input
 ^^^^^^^^^^^^
 
-Another way to import log data is by using SYSLOG messages.
-
-The ANALYSIS COCKPIT listens on port 514/udp and 514/tcp for incoming
-log data and all logs will show up in the Baselining and/or the Events
-section.
+Another way to import log data is by using SYSLOG.
 
-Incoming syslog messages get assigned to single scan using the "ScanID"
-value that's unique in each scan.
+The Analysis Cockpit listens on port 514/udp and 514/tcp for incoming
+log data. Incoming syslog messages get assigned to a single scan using
+the "ScanID" value, which is unique per default.
 
 File Import Through Web-Based GUI
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Alternatively, logs can be uploaded through the web-based interface by
-selecting the particular log file (must be the .txt format, html import
-is not supported) and clicking the ``Upload Scans`` button within the
-Scans section.
+``>Scans\Scans``
+
+THOR logs can be uploaded through the web-based interface. You can upload
+a particular log file (**.txt**) or multiple log files compressed into
+a gzip archive (**.gz**). Clicking the ``Upload Scans`` button will open
+the upload dialog and show you the available file formats.
 
 .. note::
    You can upload one or more THOR scans in one or more text files.
    The Analysis Cockpit will automatically generate scans in the database,
-   based on the scanned assets and the SCAN_IDs in the events. Only .txt,
-   .log, .txt.gz and .log.gz files are supported.
+   based on the scanned assets and the SCAN_IDs in the events.
 
 .. figure:: ../images/cockpit_upload_scan_logs.png
    :alt: Upload logs using the web-based interface 
 
    Upload logs using the web-based interface
 
-After a successful upload, the scans should appear in the list below.
+After a successful upload, the scans should appear in **Scans** table.
 
 .. important::
-   If you can not see events in the ``Events`` or ``Baselining`` views,
+   If you can not see events in the ``Events`` or ``Baselining`` view,
    please make sure that you've selected the correct time frame as filter.
    Often times manually uploaded scans happened days or weeks before the
    upload. The log data gets indexed with the timestamp of their creation
-   and not the import, and can therefore be hidden in the default view.
+   and not the import time, and can therefore be outside of your defined
+   time range of your table.
 
 After the upload, you're able to link the recently uploaded scans with
 an existing or new group scan. You can also unlink scans from a group scan.
@@ -95,42 +88,3 @@ an existing or new group scan. You can also unlink scans from a group scan.
    :alt: Link/Unlink scans with an existing or new group scan
 
    Link/Unlink scans with an existing or new group scan
-
-File Import Using the Command Line
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-This option can be helpful in an environment where you scan without
-ASGARD Management Center but want to automate analysis by dropping the
-log data into that import directory.
-
-Log files can be imported by placing the files in the following
-directory:
-
-``/var/lib/asgard-analysis-cockpit/events``
-
-Make sure that user and group of these files is set to ``cockpit``.
-
-You can change the owner and group manually by using:
-
-.. code:: console
-
-   nextron@asgard-ac:~$ sudo chown analysiscockpit:analysiscockpit <file>
-
-Successfully imported files get a new extension named ``.ok``.
-
-When the file is moved to that folder with the wrong permissions,
-Analysis Cockpit tries to handle these situations in the appropriate way.
-If the Analysis cockpit had read access but no rights to
-write/delete/rotate/rename the file, the file gets blacklisted in memory
-and will not be imported as long as the service doesn't get restarted. A
-restart of the service would cause the service to re-index the log data
-placed in that folder.
-
-.. important::
-   We highly recommend not to directly copy (scp, rsync) files
-   into that folder, but use a staging folder in which you set the right
-   permissions and then copy the files to the import folder.
-
-Copying files directly to that folder has many problematic side effects,
-e.g. files partly composed of binary zeros because the file transfer is
-still in progress.

administration/sandbox.rst

@@ -4,8 +4,7 @@ Sandbox Integration
 -------------------
 
 You can configure your Analysis Cockpit to upload files to a local sandbox.
-Currently you can use `CAPEv2 <https://github.com/kevoreilly/CAPEv2>`_
-(recommended) or `Cuckoo <https://github.com/cuckoosandbox/cuckoo>`_.
+Currently you can use `CAPEv2 <https://github.com/kevoreilly/CAPEv2>`_ only.
 
 Additionally, you can look at the following ``python`` file and write
 your own connector, for a different sandbox, if you need to:
@@ -21,8 +20,9 @@ your own connector, for a different sandbox, if you need to:
 Analysis Cockpit Sandbox Configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In the web view of your Analysis Cockpit, navigate to ``Settings`` > ``Connected
-Systems`` > ``Sandboxes``. Click ``Add Sandbox`` in the top right corner. Keep the
+``>Settings\Connected Systems\Sandboxes``
+
+Click ``Add Sandbox`` in the top right corner to add a new sandbox. Keep the 
 ``Name`` short and add a proper ``Description``.
 
 .. figure:: ../images/cockpit_add_sandbox.png
@@ -34,7 +34,7 @@ If you wish to enable automatic scanning for uploaded files
 (`Bifrost <https://asgard-manual.nextron-systems.com/en/latest/administration/evidence.html>`_),
 you can do so by checking the ``Automatic Mode``.
 
-Once you click ``Add`` the page will display an API token. Copy this token, we will need it later.
+Once you click ``Add`` the page will display an API token. Copy this token, you will need it later.
 
 .. figure:: ../images/cockpit_sandbox_token.png
    :alt: Sandbox API Token
@@ -206,16 +206,13 @@ The connection to your sandbox should work now. You can see the ``capev2.log`` f
 Analysis Cockpit Sandbox Usage
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Once your sandbox is set up and running, you can see the status of it in the
-sandbox view (Last Seen):
-
-.. figure:: ../images/cockpit_sandbox_view.png
-   :alt: Sandbox View in the Analysis Cockpit
+| ``>Evidence Collection\Collected Evidences``
+| ``>Evidence Collection\Sandbox Reports``
 
 In the ``Collected Evidences`` view you can see previously analyzed files or
 upload files for analysis by yourself:
 
-.. figure:: ../images/cockpit_evidence-file-upload.png
+.. figure:: ../images/cockpit_evidence_file_upload.png
    :alt: File View in the Analysis Cockpit
 
 After your file has been uploaded, you have to wait until your sandbox

administration/syslog.rst

@@ -1,15 +1,16 @@
 Syslog Forwarding
 -----------------
 
-The ``Rsyslog`` tab in the ``Settings`` menu allows forwarding of all
-incoming THOR events, along with all audit logs and all other Cockpit
-related logs.
+``>Settings\System\Rsyslog``
 
-Please note, that forwarding THOR Logs through syslog might lead to a
-certain loss of information as THOR events might exceed syslog length
-restrictions.
+The Analysis Cockpit allows forwarding of all incoming THOR events,
+along with all audit logs and all other Cockpit related logs.
 
 .. figure:: ../images/cockpit_rsyslog_forwarding.png
-   :alt: Add Rsyslog Forwarding II 
+   :alt: Add Rsyslog Forwarding
 
-   Add Rsyslog Forwarding II
+   Add Rsyslog Forwarding
+
+.. note::
+   Forwarding THOR logs via syslog might lead to a loss of information,
+   since THOR events could exceed syslog length restrictions.