V4

administration/additional.rst

@@ -67,10 +67,6 @@ Subsequently, this TLS Certificate can be uploaded in the ``Settings`` > ``TLS``
 
    Upload a TLS Certificate
 
-.. note:: 
-   Please see :ref:`appendix/tls:install tls certificates on asgard and master asgard`
-   for a guide on how to sign the CSR and install it in your ASGARD.
-
 Manage Services
 ^^^^^^^^^^^^^^^
 
@@ -98,40 +94,6 @@ You can add or delete NTP servers by adding/changing the values
 in the text fields. After you are done with your changes, click
 ``Save and Restart NTP`` to save your changes.
 
-Settings for Bifrost
-^^^^^^^^^^^^^^^^^^^^
-
-Bifrost allows you to automatically upload suspicious files to your
-ASGARD during a THOR scan. If an Analysis Cockpit is connected,
-these files get automatically forwarded to the Analysis Cockpit
-in order to drop them into a connected Sandbox system. However,
-the collected files will stay on ASGARD for the amount of time
-specified in ``Retention time`` (0 days represent an indefinite amount of time). 
-
-.. figure:: ../images/mc_bifrost-settings.png
-   :alt: Settings for Bifrost
-
-   Settings for Bifrost
-
-The collected files can be downloaded in the ``Evidence Collection``
-section. All files are zip archived and password protected with the password ``infected``.
-
-In order to automatically collect suspicious files, you have to
-create a scan with Bifrost enabled. Check the ``Send Suspicious Files to ASGARD``
-option to send samples to the system set as ``bifrost2Server``. Use the placeholder 
-``%asgard-host%`` to use the hostname of you ASGARD instance as the Bifrost server.
-
-.. figure:: ../images/mc_thor-bifrost-flag.png
-   :alt: Bifrost Options
-
-   Scan option for Bifrost 
-
-This will collect all files with a score of 60 or higher and make
-them available for download in ASGARDs ``Collected Files`` section.
-
-For Details on how to automatically forward to a sandbox system please
-refer to the `Analysis Cockpit Manual <https://analysis-cockpit-manual.nextron-systems.com/>`_ .
-
 Link Analysis Cockpit
 ^^^^^^^^^^^^^^^^^^^^^
 

administration/advanced.rst

@@ -17,30 +17,32 @@ by setting a suitable threshold for ``Hide inactive Assets``.
 
    Advanced Settings
 
-SigDev Signatures
------------------
+Preview Signatures
+------------------
 
-We offer a "preview" of our newest signatures, which contains our newest
-rules. Those signatures have been processed by our automated pipeline and
-passed the quality check - however our manual testing of those new rules
-did not take place yet.
+We offer a "preview" (formerly known as ``SigDev``) of our newest
+signatures, which contains our newest rules. Those signatures have
+been processed by our automated pipeline and passed the quality
+check - however our manual testing of those new rules did not take place yet.
 
 We have those signatures to offer the newest rules to our customers in time
 critical engagements. You have to carefully consider if the potential higher
 rate of false positive warrants the usage of those rules. We generally recommend
 to only use those rules if the currently available signatures are a few days old.
 
-To enable the ``SigDev`` / ``Preview`` Signatures, simply activate the checkbox
-``Show Signature SigDev Option`` and submit your changes.
+To enable the ``Preview`` Channel for THOR Signatures in the ``Version Pinning``
+section, simply activate the checkbox ``Show Signature Preview Channel`` and
+submit your changes.
 
-.. figure:: ../images/mc_sigdev-signatures.png
-   :alt: Sigdev / Preview Signatures
+.. figure:: ../images/mc_preview-signatures.png
+   :alt: Preview Signatures
 
-   Sigdev / Preview Signatures
+   Preview Signatures
 
-Once you enabled the signatures, you can select them when creating a new (Group) Scan:
+Once you enabled the option, you can create a version constraint in the
+Version Pinning section:
 
-.. figure:: ../images/mc_sigdev-thor.png
-   :alt: Sigdev / Preview Signatures Scanning
+.. figure:: ../images/mc_preview-constraint.png
+   :alt: Preview Signatures Scanning
 
-   Sigdev / Preview Signatures Scanning
+   Preview Signatures Scanning

administration/agent.rst

@@ -97,7 +97,7 @@ To install the agent on macOS, you can just run the PKG file or execute the foll
 Starting with macOS Big Sur (v11.0), Apple requires software developers
 to notarize applications. Our ``asgard2-agent`` installer is notarized.
 
-You can test it, by executing the following command in Terminal:
+You can test it by executing the following command in Terminal:
 
 .. code-block:: console
 
@@ -131,9 +131,6 @@ following tasks.
 If you need to grant Full Disk Access via MDM, please have a look at the chapter
 :ref:`appendix/mdm-fulldiskaccess:Full Disk Access for macOS asgard2-agent-service via MDM`.
 
-Prior to macos Tahoe 26
-"""""""""""""""""""""""
-
 To do this, navigate on your Mac to ``System Settings`` > ``Privacy &
 Security`` > ``Full Disk Access``:
 
@@ -147,70 +144,6 @@ You need to enable the ``asgard2-agent-service`` slider:
    :scale: 40
    :alt: macOS 13 Full Disk Access
 
-Starting with macOS Tahoe 26
-""""""""""""""""""""""""""""
-Starting with version 26, we noticed that macOS no longer displays the entry ``asgard2-agent-service`` in the Full Disk Access UI.
-
-.. figure:: ../images/macos_missing_asgard2-agent_service.png
-   :scale: 50
-   :alt: Missing asgard2-agent.service
-
-If you have updated from macOS 15 Sequoia you should check in ASGARD the THOR scan protocol for a warning about Full Disk Access or query your operating system's ``TCC.db`` database.
-
-To query the database, open the Terminal App and perform the following SQL command:
-
-.. code-block:: console
-   :emphasize-lines: 2
-
-   MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard
-   kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0
-   MacBook-Pro:~ nextron$
-
-This value section must match:
-
-.. code-block:: console
-   :emphasize-lines: 1
-
-   |1|2|4|1|
-
-If the values do NOT match at this point, or if you originally installed our agent on macOS 26, please proceed with the following instructions.
-
-Temporarily adjust the permissions for the directory /private/var/lib/asgard2-agent via Terminal:
-
-.. code-block:: console
-
-   MacBook-Pro:~ nextron$ sudo chmod 777 -R /private/var/lib/asgard2-agent/
-   MacBook-Pro:~ nextron$
-
-Open the Full Disk Access UI (``System Settings`` > ``Privacy &
-Security`` > ``Full Disk Access``) and click on the ``+ Symbol`` bottom left. Enter the admin credentials.
-
-Open the search window by clicking on ``Command + SHIFT + G`` and enter the path to the service binary, ``/private/var/lib/asgard2-agent``.
-
-.. figure:: ../images/macos_path_asgard2-agent_service.png
-   :scale: 45
-   :alt: Path to asgard2-agent-service
-
-Choose the ``asgard2-agent-service`` and click ``Open``.
-
-.. figure:: ../images/macos_choose_asgard2-agent_service.png
-   :scale: 45
-   :alt: Path to asgard2-agent-service
-
-Check that the permissions have now been granted correctly by reopening the Terminal App and executing the following SQL command:
-
-.. code-block:: console
-   :emphasize-lines: 2
-
-   MacBook-Pro:~ nextron$ sudo sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'select * from access' | grep asgard
-   kTCCServiceSystemPolicyAllFiles|/private/var/lib/asgard2-agent/asgard2-agent-service|1|2|4|1|??||0|UNUSED|0|176962327|||UNUSED|0
-   MacBook-Pro:~ nextron$
-
-Please note that ``asgard2-agent-service`` is still not displayed in the UI.
-
-Finally adjust the permissions again:
-
-.. code-block:: console
-
-   MacBook-Pro:~ nextron$ sudo chmod 700 -R /private/var/lib/asgard2-agent/
-   MacBook-Pro:~ nextron$
+.. note:: 
+   Starting with version Tahoe 26, we noticed that macOS no longer displays the entry ``asgard2-agent-service`` in the Full Disk Access UI.
+   This has been fixed with version Tahoe 26.3.

administration/assets.rst

@@ -43,7 +43,7 @@ remote file system.
     * The ``Run Scan`` button might be greyed out in new installations - this is
       because the ASGARD Management Center did not download the THOR packages yet.
       You can either wait for a few minutes, or see the chapter
-      :ref:`administration/updates:updates of thor and thor signatures`,
+      :ref:`administration/updates:version pinning`,
       to trigger a download manually.
 
 Asset Labels

administration/evidence.rst

@@ -3,28 +3,12 @@
 Evidence Collection 
 ===================
 
-ASGARD provides two forms of collected evidence: 
+The ``Evidence Collection`` section contains Playbook output such as
+collected files or command output (stdout).
 
-1. Playbook output (file or memory collection, command output)
-2. Sample quarantine (sent by THOR via Bifrost protocol during the scan)
-
-All collected evidence can be downloaded in the ``Collected Evidence`` section.
+All collected evidence can be downloaded.
 
 .. figure:: ../images/mc_evidences-table.png
    :alt: Collected Evidence List
 
-   Collected Evidence List
-
-Bifrost Quarantine
-^^^^^^^^^^^^^^^^^^
-
-If Bifrost is used with your THOR scans, all collected samples show up here.
-You will need the "ResponseControl" permission in order to view or download
-the samples. See section :ref:`administration/users:roles` and
-:ref:`administration/users:rights` for details.
-
-
-.. figure:: ../images/mc_bifrost-quarantine.png
-   :alt: Bifrost Collections
-
-   Bifrost Collections
+   Collected Evidence List

administration/updates.rst

@@ -19,36 +19,42 @@ re-login. Generally update MASTER ASGARD before the connected ASGARDs.
 
    Updating ASGARD
 
-Updates of THOR and THOR Signatures
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Version Pinning
+^^^^^^^^^^^^^^^
 
-By default, ASGARD will search for signature updates and THOR
-updates on an hourly basis. These updates will be set to active
-automatically. Therefore, a triggered scan will always employ the
-current THOR version and current signature version. You may disable
-or modify the automatic THOR and Signature updates by deleting or
-modifying the entries in this section.
+The ``Version Pinning`` section allows you to create constraints
+to "pin" a specific version of THOR, Aurora, or any signatures.
+This allows you to stick with certain major or minor versions
+of our products.
 
-.. figure:: ../images/mc_update-thor-and-sigs.png
-   :alt: Automatic Scanner and Signature Updates
+By default, ASGARD will search for signature updates every hour
+and for THOR/Aurora updates every day. You can change the update
+interval if needed, though the default values are usually sufficient
+for most cases.
 
-   Automatic Scanner and Signature Updates
+If you want to manually check if a new update is available, you can
+do so by clicking ``Check for Updates``. This will not download new
+versions, but only check if new versions - according to your pinning
+constraints - are available.
 
-It is possible to intentionally scan with an old scanner version by
-clicking on the pencil icon and selecting the respective version
-from the drop-down menu. 
+If new updates are available, you can manually download them via the
+``Update Products now`` button.
 
-Please be aware, that this is a global setting and will affect all scans!
+.. figure:: ../images/mc_version-pinning.png
+   :alt: Version Pinning
 
-.. figure:: ../images/mc_update-thor-manually.png
-   :alt: Selecting a Scanner Version manually
+   Version Pinning
 
-   Selecting a Scanner Version manually
+Setting a new version pinning configuration is straight forward:
 
-.. hint:: 
-   You can trigger a Manual Check and download new THOR packages by clicking
-   ``Manually Check for Updates``. This can also be used in new ASGARD 
-   installations, as sometimes it takes a while until ASGARD does this automatically.
+- Select your Product
+- Select the Channel
+- Select a Constraint
+
+.. figure:: ../images/mc_version-constraint.png
+   :alt: Version Constraint
+
+   Version Constraint
 
 Agent Updates
 ^^^^^^^^^^^^^

administration/user-settings.rst

@@ -59,9 +59,12 @@ and click ``Deactivate Two Factor Authentication``.
 .. figure:: ../images/mc_deactivate-2fa.png
    :alt: Deactivate 2FA
 
-.. note:: 
-   If a user is unable to log into ASGARD to disable their own 2FA,
-   follow the instructions at :ref:`troubleshooting/2fa:resetting two factor authentication`
+If you have admin permissions and want to disable 2FA for another user, navigate to
+``Settings`` > ``Authentication`` > ``Users`` and click "Edit" on the user
+you want to disable 2FA for. Untick ``2FA Active`` and click "Edit User"
+
+.. figure:: ../images/mc_admin-deactivate-2fa.png
+   :alt: Deactivate 2FA as administrative user
 
 API Key
 ^^^^^^^

administration/users.rst

@@ -9,6 +9,12 @@ allows administrators to add or edit user accounts.
 The field ``2FA`` in the overview indicates if a
 user has ``Two Factor Authentication`` enabled or not.
 
+When creating a user, you can enforce a password change
+and the usage of 2FA. If those options are selected, the
+user can only use the Management Center with very limited
+functionality as long as the password was not changed and/or
+2FA was enabled.
+
 .. figure:: ../images/mc_add-user.png
    :alt: Add User Account
 
@@ -22,6 +28,19 @@ Access the user roles in ``Settings`` > ``Roles``.
 
 You can download a list of all users in CSV format.
 
+User Defaults
+^^^^^^^^^^^^^
+
+You can set user defaults to pre-select certain options when
+a new user is created. Those are not strict enforcements, but
+rather are options which set the default value when the User
+Creation modal is opened.
+
+.. figure:: ../images/mc_user-defaults.png
+   :alt: User Defaults
+
+   User Defaults
+
 Roles
 ^^^^^
 

appendix/index.rst

@@ -15,6 +15,5 @@ modify them accordingly to your needs.
     scripts
     permissions
     golden-image
-    tls
     gatekeeper
     mdm-fulldiskaccess