Merge pull request #25 from NextronSystems/v4

V4

administration/amc.rst

@@ -1,12 +1,11 @@
-.. Index:: Management Center Integration
+.. Index:: Link Management Center
 
-Connect to ASGARD Management Center
------------------------------------
+Link ASGARD Management Center
+-----------------------------
 
-In order to receive log data from ASGARD Management Center systems, add
-them in the corresponding section in the system settings.
-
-``Settings`` > ``Link Products`` > ``Management Center``
+In order to receive log data from ASGARD Management Center(s), add
+them in the corresponding section in the system settings. You can find the
+settings in ``Settings`` > ``Connected Systems`` > ``Management Center``.
 
 .. figure:: ../images/cockpit_link_asgard_mc.png
    :alt: Link ASGARD Management Center
@@ -44,6 +43,10 @@ By using the "Asset View" you can e.g., easily answer questions like:
 -  Which systems with IP addresses starting "192.168." appear in
    "Incident" cases?
 
+You can also set a time when an asset was compromised. This is useful
+for example when you want to see which systems were compromised in the
+last 30 days.
+
 In combination with the ``ASGARD Query`` and ``Labels``, which are identical
 to your ASGARD, you can even narrow down the events by system group
 (e.g., Domain Controllers, or certain locations).

administration/log-file.rst

@@ -37,7 +37,7 @@ automatically show up.
 
 To see how to connect an ASGARD Management Center with your Analysis
 Cockpit, follow the instructions in the chapter
-:ref:`administration/amc:connect to asgard management center`.
+:ref:`administration/amc:link asgard management center`.
 
 You can retrieve old scans performed by ASGARD Management Center before
 you connected it to Analysis Cockpit using the ``Request Events`` button in

administration/sandbox.rst

@@ -21,9 +21,9 @@ your own connector, for a different sandbox, if you need to:
 Analysis Cockpit Sandbox Configuration
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-In the web view of your Analysis Cockpit, navigate to ``Sandbox`` > ``Sandboxes``.
-Click ``Add Sandbox`` in the top right corner. Keep the ``Name`` short and add a
-proper ``Description``.
+In the web view of your Analysis Cockpit, navigate to ``Settings`` > ``Connected
+Systems`` > ``Sandboxes``. Click ``Add Sandbox`` in the top right corner. Keep the
+``Name`` short and add a proper ``Description``.
 
 .. figure:: ../images/cockpit_add_sandbox.png
    :alt: Adding a new Sandbox
@@ -206,23 +206,20 @@ The connection to your sandbox should work now. You can see the ``capev2.log`` f
 Analysis Cockpit Sandbox Usage
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Once your sandbox is set up and running, you can see the status of it in the sandbox view (Last Seen):
+Once your sandbox is set up and running, you can see the status of it in the
+sandbox view (Last Seen):
 
 .. figure:: ../images/cockpit_sandbox_view.png
    :alt: Sandbox View in the Analysis Cockpit
 
-In the ``Files`` view you can see previously analyzed files or upload files for analysis by yourself:
+In the ``Collected Evidences`` view you can see previously analyzed files or
+upload files for analysis by yourself:
 
-.. figure:: ../images/cockpit_sandbox_file_upload.png
+.. figure:: ../images/cockpit_evidence-file-upload.png
    :alt: File View in the Analysis Cockpit
 
-.. note:: 
-   If you did not enable ``auto mode`` of your configured sandbox, you have
-   to manually add the file for scanning in here. You can do this by pressing
-   the ``Scan file with sandbox`` button to the right of your file.
-
 After your file has been uploaded, you have to wait until your sandbox
-is finished with analyzing the file. Change to the ``Reports`` view
+is finished with analyzing the file. Change to the ``Sandbox Reports`` view
 to see the status of the files.
 
 .. figure:: ../images/cockpit_sandbox_reports.png

baselining/case-creation1.rst

@@ -16,7 +16,6 @@ Case Creation Basics
 Create a new case following these steps: 
 
 1. Select on which conditions the case should be built. ``Search Result``
-
    will take your filters from the baselining view into consideration, and 
    build a case with the condition of your search.
 
@@ -35,7 +34,8 @@ Create a new case following these steps:
 6. Choose one or more **recommendations**
 7. Select a **case type** (see the :ref:`glossary/case-glossary:case types` for a detailed description of every case type)
 8. Select a **case status** (usually used to mark it as 'work in progress' or to forward it to the next team)
-9. Submit case by clicking the **Create Case** button
+9. Select a **case priority** (usually used to mark the importance of the case)
+10. Submit case by clicking the **Create Case** button
 
 .. figure:: ../images/cockpit_case_creation3.png
 
@@ -183,3 +183,102 @@ removed from the log management view.
 .. warning:: 
    It is recommended to use regular expressions only rarely and with
    caution. This feature can severely impact the performance of the system.
+
+ChatGPT Integration
+^^^^^^^^^^^^^^^^^^^
+
+You can use our ChatGPT integration to help with case creation. To do this
+you need to have a ChatGPT API key. Navigate to ``Settings`` > ``Advanced`` >
+``ChatGPT Integration``. Here you can enter your API key. You can test the
+ChatGPT integration in the prompt at the bottom, to make sure everything is
+working.
+
+.. figure:: ../images/cockpit_chatgpt-integration.png
+   :alt: ChatGPT Integration
+
+   ChatGPT Integration
+
+.. hint::
+   If you wish to interact with ChatGPT while safeguarding sensitive information,
+   consider using the :ref:`baselining/case-creation1:event anonymization` feature.
+
+ChatGPT Case Creation Insights
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+After you configured the ChatGPT integration, you can use it in the case creation
+dialog. Click on the ChatGPT icon in the case creation dialog to gain more insights
+regarding the events you are working with.
+
+.. figure:: ../images/cockpit_chatgpt-case-creation.png
+   :alt: ChatGPT Case Creation
+
+   ChatGPT Case Creation
+
+Once you clicked the button, a new dialog will open. Here you can see which information
+will be send to ChatGPT. Once you are confident with the information, click on the
+``Approve`` button. The Analysis Cockpit will now send the information to ChatGPT and
+display the results after a short moment.
+
+.. figure:: ../images/cockpit_chatgpt-case-confirmation.png
+   :alt: ChatGPT Case Confirmation
+
+   ChatGPT Case Confirmation
+
+Once the analysis is done, you will see the results in the dialog. You can now use the
+information to create a case.
+
+.. figure:: ../images/cockpit_chatgpt-case-results.png
+   :alt: ChatGPT Case Results
+
+   ChatGPT Case Results
+
+.. hint::
+   Please note that ChatGPT will give you a summary and recommendations based on the
+   information you provided. It is always recommended to review the information and
+   adjust it if necessary.
+
+ChatGPT Event Explanation
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can use ChatGPT in your Baselining or All Events view to get more insights
+regarding the events you are working with. To do this you can either:
+
+- Mark the selected information within your event (for example ``MATCHED_1``) and
+  right click on it. You will see an option in the context menu called ``Chat with ChatGPT``
+- Just right click an event and select ``Chat with ChatGPT (whole event)`` from the context
+  menu
+
+You will see a sidebar which has alreay the information you selected or the whole event
+filled in. You can now click on the ``Send`` button to send the information to ChatGPT.
+If you need further information you can interact with ChatGPT in the sidebar.
+
+.. figure:: ../images/cockpit_chat-with-chatgpt.png
+   :alt: Chat with ChatGPT
+
+   Chat with ChatGPT
+
+The results will look something like this:
+
+.. figure:: ../images/cockpit_chat-with-chatgpt-results.png
+   :alt: ChatGPT Event Explanation
+
+   ChatGPT Event Explanation
+
+Please make sure to either review the information before sending it to ChatGPT or
+use the :ref:`baselining/case-creation1:event anonymization` feature to safeguard
+sensitive information.
+
+Event Anonymization
+~~~~~~~~~~~~~~~~~~~
+
+Event Anonymization Rules can be used to replace any text in your events when
+sending a request to ChatGPT. This is useful when you want to interact with
+ChatGPT while safeguarding sensitive information. You can create a new rule by
+clicking on the ``Create Rule`` button in ``Settings`` > ``Advanced`` > ``Event
+Anonymization``. You can add multiple rules and test them in the prompt at the
+bottom.
+
+.. figure:: ../images/cockpit_event-anon-rule.png
+   :alt: Event Anonymization Rule
+
+   Event Anonymization Rule

baselining/view.rst

@@ -3,6 +3,12 @@
 Customize Your View
 -------------------
 
+.. hint:: 
+   All views are personalized and changes will only affect your user.
+   Please see :ref:`basic-concepts/baselining:dashboards`
+   if you want to share your Baselining view with other users, or if you
+   want to have multiple views for different scenarios.
+
 By default, the Analysis Cockpit ``Baselining`` view ships with multiple bar
 charts and a table with the most relevant columns in order to help you find
 meaningful groups of logs. You can add additional bar charts by clicking on
@@ -40,6 +46,3 @@ Click the ``Columns`` button to manage which columns are shown.
 Since the column preferences have an overvelming amount of
 fields you can choose from, we made looking for specific
 columns easier by integrating a search into the top right corner.
-
-.. hint:: 
-   All views are personalized and changes will only affect your user.

basic-concepts/baselining.rst

@@ -10,7 +10,6 @@ will suggest cases based on predefined :ref:`basic-concepts/cases:case templates
 
 - THOR Events
 - Aurora Events
-- Log Watcher Events (deprecated)
 - Suggested Cases
 
 .. figure:: ../images/cockpit_baselining_overview.png
@@ -52,21 +51,45 @@ In an ideal organization, the Baselining section should always be empty
 at the end of a day, as these logs represent suspicious elements that
 have not yet been looked at.
 
-Baselining Views
+Baselining Modes
 ~~~~~~~~~~~~~~~~
 
-In the ``Baselining`` section there are two main views, the ``Compromise Assessment Mode``
-and the ``Deep Inspection Mode``. Additionally, you can find the ``Custom Signatures
-Only Mode``, which will only show events found by custom signatures. This can
-be helpful if you scanned your environment with customer signatures, for example
-during or after an incident.
-
-By default, the Analysis Cockpit Baselining Mode is set to ``Compromise Assessment``.
+The ``Baselining`` section contains three predefined modes, the ``Compromise Assessment``
+mode, the ``Deep Inspection`` mode, and the ``Custom Signatures Only`` mode. By default,
+the Analysis Cockpit Baselining Mode is set to ``Compromise Assessment``.
 
 .. figure:: ../images/cockpit_baselining_view.png
    :alt: Select your view
 
-   Select your view
+   Select your Baselining Mode
+
+The three modes are used for different scenarios, which depend on how
+you are using your Analysis Cockpit. The **Compromise Assessment** mode
+filters out "background noise" and only shows you the most relevant
+events - this is a good mode of operation for day to day tasks. The
+**Deep Inspection** mode shows you all events which might be relevant -
+this mode is often used in Incident Response scenarios. The **Custom
+Signatures Only** mode shows you only events that were found by your custom
+signatures. This mode is helpful if you want to see only those
+events and nothing else.
+
+Dashboards
+~~~~~~~~~~
+
+Depending on what you are currently looking for in the Baselining (or Events)
+view, you can modify the view by using Dashboards. The default Dashboard is
+the Dashboard of your user. This Dashboard is your personal view in the
+Baselining and Events section. You can create additional Dashboards
+by clicking on the ``Select Dashboard`` button.
+
+.. figure:: ../images/cockpit_baselining-dashboard-button.png
+   :alt: Baselining Dashboards
+
+   Select Dashboard
+
+You can create multiple Dashboards and also share them with other users.
+Dashboards are shared accross the ``Baselining`` view and the ``Events`` view,
+meaning you can use one Dashboard for both views.
 
 Compromise Assessment Mode
 ~~~~~~~~~~~~~~~~~~~~~~~~~~

basic-concepts/cases.rst

@@ -11,7 +11,6 @@ The Cases Section is split into the different sources of your Cases:
 
 - THOR Cases
 - Aurora Cases
-- Log Watcher Cases (deprecated)
 
 Additionally, you can find more information regarding:
 

basic-concepts/events.rst

@@ -11,9 +11,20 @@ Section is split into the different sources of your Events:
 
 - THOR Events
 - Aurora Events
-- Log Watcher Events (deprecated)
 
 .. figure:: ../images/cockpit_events_overview.png
    :alt: Events Section 
 
    Events Section
+
+Matched Signatures
+~~~~~~~~~~~~~~~~~~
+
+The ``Matched Signatures`` section shows all signatures that have been
+matched by the events in your Analysis Cockpit. The section provides
+swift identification of new issues.
+
+.. figure:: ../images/cockpit_matched-signatures.png
+   :alt: Matched Signatures Section
+
+   Matched Signatures Section

case-management/workflow.rst

@@ -57,3 +57,26 @@ status is changed to ``closed`` and the case gets updated.
 .. note::
   The Analysis Cockpit provides interfacing to action-request and
   external ticketing systems using the API.
+
+Grouping Criteria
+-----------------
+
+The Grouping Criteria of cases are the fields that are used to assign
+events to cases. There are three types of grouping criteria:
+
+- Auto Case IDs
+- Conditions
+- Regex
+
+One Case can have multiple grouping criteria. Auto Case IDs are the most
+performant way to group events into cases. Conditions are used to group
+events into cases based on the values of the fields in the event - Conditions
+are slower and should only be used if Auto Case IDs are too broad. Regex
+should be your last resort and used only if the other two options are not
+possible, as this is the most performance intensive way to group events into
+cases.
+
+.. figure:: ../images/cockpit_grouping-criteria.png
+   :alt: Grouping Criteria
+
+   Grouping Criteria

changelog/index.rst

@@ -10,4 +10,5 @@ Cockpit version 4.
 .. toctree::
     :caption: Contents
 
-    log
+    log1
+    log0

changelog/log.rst → changelog/log0.rst

@@ -1,7 +1,7 @@
 .. Index:: AC4 Changes
 
-Analysis Cockpit v4
--------------------
+Analysis Cockpit v4.0
+---------------------
 
 Analysis Cockpit 4.0.13
 #######################