Frequently Asked Questions #
Argus FAQ’s #
- What is Argus?
Argus is a SaaS security management platform that combines extended detection, response, and remediation in a single service.
- How good is Argus?
Argus is generally well-regarded in the cybersecurity community for several reasons:
- Comprehensive Security Monitoring: Argus offers a robust set of tools for threat detection, compliance monitoring, incident response, and more. It integrates well with various other security tools and platforms, making it a versatile option.
- Compliance and Reporting: Argus supports compliance with various regulations and standards, such as GDPR, PCI DSS, HIPAA, and NIST. This makes it a good choice for organizations that need to adhere to strict regulatory requirements.
- Scalability: Argus is designed to scale efficiently, making it suitable for both small businesses and large enterprises. It can manage thousands of agents across different environments.
- Integration Capabilities: Argus integrates with various third-party tools, including SIEMs like Splunk and Elastic Stack, which enhances its capabilities in security monitoring and analytics.
- Active Development: Argus is actively maintained and updated, with regular releases that add new features, improvements, and security patches.
- What is Argus used for?
Argus is a security platform used for a variety of cybersecurity tasks, including:
1. Threat Detection and Response: Argus helps detect threats in real-time by monitoring system activity, log files, network traffic, and other sources. It can alert security teams to suspicious activities, enabling quick responses to potential threats.
2. Security Information and Event Management (SIEM): Argus can be integrated with SIEM systems like the Elastic Stack, where it collects, aggregates, and analyzes security-related data from multiple sources. This helps in identifying security incidents and patterns of attacks.
3. Compliance Monitoring: Argus assists organizations in meeting regulatory compliance requirements (e.g., GDPR, PCI DSS, HIPAA). It provides continuous monitoring and reporting capabilities to ensure systems and processes adhere to specific security standards.
4. Vulnerability Detection: Argus can scan systems for vulnerabilities by analyzing software versions, configurations, and other factors. It helps organizations identify and remediate vulnerabilities before they can be exploited.
5. File Integrity Monitoring (FIM): Argus tracks changes to critical system files and directories, alerting administrators to unauthorized modifications that could indicate a security breach.
6. Configuration Assessment: Argus evaluates system configurations against best practices and security benchmarks, identifying misconfigurations that could lead to security vulnerabilities.
7. Incident Response: In case of a security incident, Argus provides tools for incident investigation, allowing security teams to analyze logs, correlate events, and determine the root cause of the issue.
8. Log Data Analysis: Argus collects and analyzes log data from various sources, helping organizations gain insights into their security posture and detect anomalies or suspicious activities.
9. Endpoint Security: Argus agents can be deployed on endpoints (e.g., servers, workstations) to monitor and secure them against threats. This includes detecting malware, unauthorized access, and other endpoint-specific risks.
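File integrity monitoring (item 5 above) comes down to taking a baseline of the files you care about and comparing later snapshots against it. The following is an added example written for this page, not Argus's own Syscheck implementation: it hashes a constructed directory tree, tampers with it the way an intruder might, and classifies the differences. A permission-only change is reported on its own, since a world-readable shadow file with unchanged contents is still an alert.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, dict]:
    """Walk `root` and record, for every regular file, the attributes a FIM engine
    compares: content hash, size and permission bits. Keys are paths relative to root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():
                continue  # a symlink's target, if inside root, is hashed on its own
            st = path.stat()
            rel = str(path.relative_to(root))
            state[rel] = {"sha256": sha256_file(path), "size": st.st_size, "mode": st.st_mode & 0o777}
    return state


def diff_states(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify changes between two snapshots. A permission change on an otherwise
    unchanged file is reported separately: it is a signal in its own right."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified, perm_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            perm_changed.append(rel)
    return {"added": added, "deleted": deleted, "modified": modified, "perm_changed": perm_changed}


def demo() -> Dict[str, List[str]]:
    """Build a constructed tree (sample data for this example), take a baseline,
    tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        os.chmod(etc / "shadow", 0o600)
        baseline = snapshot(root)

        # Simulated tampering: UID-0 account appended, shadow made world-readable,
        # hosts removed, and an ld.so.preload dropped (a classic user-land rootkit hook).
        with open(etc / "passwd", "a") as fh:
            fh.write("backdoor:x:0:0::/root:/bin/bash\n")
        os.chmod(etc / "shadow", 0o644)
        (etc / "hosts").unlink()
        (Path(root) / "ld.so.preload").write_text("/lib/evil.so\n")
        return diff_states(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In a real deployment the baseline is stored off-host (an attacker who can rewrite /etc/passwd can also rewrite a local baseline), and the comparison runs on a schedule or on inotify events rather than on demand.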
- What are the system requirements for deploying Argus on-premises?
The minimum system requirements for deploying Argus on-premises include:
• CPU: At least 4 cores (more depending on the volume of data).
• Memory: At least 8 GB RAM (more recommended for large environments).
• Storage: Sufficient disk space to store logs and data (this varies based on retention and log volume).
• Operating System: Argus is compatible with various Linux distributions, including Ubuntu, CentOS, and Debian.
- How do I access the Argus web application?
The Argus web application is accessed via a web browser using the URL provided during the installation.
- How do I install Argus on-premises?
To install Argus on-premises, follow these general steps:
1. Install the Argus Manager: the core component that receives agent data and runs the analysis rules.
2. Install the Argus Indexer: stores and searches the resulting alerts and events.
3. Install Filebeat: forwards the manager's alert output to the indexer (Elasticsearch).
4. Install the Argus Dashboard: the web interface for monitoring and managing your Argus deployment.
Once the manager and dashboard are running, deploy and register agents on the endpoints you want to monitor (see the agent questions below).
- What are the available regions?
Available regions:
- North Virginia: us-east-1
- Ohio: us-east-2
- London: eu-west-2
- Frankfurt: eu-central-1
- Mumbai: ap-south-1
- Singapore: ap-southeast-1
- Sydney: ap-southeast-2
- Canada: ca-central-1
When selecting a region to host your environment, if you are not sure which one is the best option for you, select one that is the closest to your location since this typically reduces latency for indexing and search requests.
- Is my environment shared with other customers?
No, your environment is isolated from other customers. That means your account is the only one with access to your environment.
- Can I integrate Argus with Active Directory (AD) for user authentication?
Yes, Argus can be integrated with Active Directory for user authentication using LDAP. This allows centralized management of user access and permissions within the Argus web application.
- How do you get your zero-day covered? How do real-time updates occur for zero days? Where do you pull your data from, what’s your engine? How long does it take to detect the zero-day attack in your platform and begin monitoring and remediation?
Zero-day threats are a major focus for us. Argus integrates threat intelligence from multiple sources, including open-source knowledge bases (MITRE ATT&CK technique mappings), commercial sources (VirusTotal), and government databases (NIST), to identify new vulnerabilities and threat patterns. These feeds are updated frequently, in near real time, so the platform can recognize new indicators of compromise (IOCs) as soon as they are published. When a known indicator or suspicious behavior is detected, Argus generates an alert immediately through pre-defined rules and machine-learning models for anomaly detection. The limit of this approach should be stated plainly: a true zero-day has, by definition, no published signature or IOC yet, so no tool can guarantee its detection. What Argus's integrations and near-real-time feeds ensure is that known behaviors and patterns are monitored and flagged quickly, while the behavioral and anomaly rules give a chance of catching exploitation activity before an IOC exists.
- How do you deploy an agent? How do you push an agent to a machine, especially in cases where Windows machines require administrator privileges to install?
Direct Installation: Administrators can install the Argus agent manually on each endpoint by downloading the agent package from the Argus server and running the installer with administrative privileges (on Windows, from an elevated prompt). For larger fleets, the same installer can be pushed with automated deployment tools such as Group Policy or your endpoint management suite, which run it under an account that already has the required privileges.
- How are assets discovered before installing the agent?
Argus relies on its agents for host visibility, so before the rollout the environment is mapped from sources you already have. Argus SOAR workflows can automate these preliminary scans, pulling data from existing network management systems or vulnerability scanners to build an inventory of the environment before agents are deployed.
- How do we look for a rootkit in Argus?
Argus has specific capabilities for rootkit detection. The Argus agent includes modules that look for the artifacts rootkits try to conceal: hidden files, hidden processes, and hidden network connections. Two techniques underpin this. File integrity monitoring (FIM) compares the current system state against a known-good baseline and reports changes to critical files. Cross-verification gathers the same information from independent sources (for example, the process list one interface reports against what the kernel reports through another) and flags discrepancies, since a rootkit typically hides itself from one view but not from all of them. Argus also applies allow- and deny-listing, permitting only trusted applications to run and flagging known malicious files, which helps its Rootcheck and Syscheck modules detect unauthorized changes or hidden processes that may signal a rootkit. Additionally, Context-Based Detection (CBD) monitors behavior patterns and system context to identify suspicious activity even when a rootkit evades signature checks. Together these methods provide a layered defense. Keep in mind that an agent running on a compromised kernel is itself subject to subversion, which is why the cross-checks use independent sources and why rootkit alerts should be treated as high priority.
Alerts generated by these scans can feed Argus SOAR workflows to open an investigation, isolate the machine, or take additional security measures appropriate to the detected risk.
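The cross-verification idea above is easiest to see in code. The following is an added example written for this page, not Argus's Rootcheck module: it compares the PIDs visible through readdir() on /proc with the PIDs the kernel confirms through kill(pid, 0). A rootkit that filters /proc directory listings rarely also patches kill(), so a PID that answers the probe but is missing from the listing is suspicious. Two practical caveats are handled: thread IDs also answer kill() and must be counted as known, and processes that start or exit during the sweep must not be reported.

```python
import os
from typing import Callable, List, Optional, Set


def proc_visible() -> Set[int]:
    """Source 1: every PID listed by readdir() on /proc, plus every thread ID under
    /proc/<pid>/task. Thread IDs answer kill() as well, so they must be in the known
    set or every multithreaded process would produce a false positive."""
    known: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        known.add(pid)
        try:
            known.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited while we were walking
    return known


def kill_probe(pid: int) -> bool:
    """Source 2: ask the kernel directly. kill(pid, 0) delivers no signal; EPERM still
    means the PID exists, ESRCH means it does not."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True
    except ProcessLookupError:
        return False
    return True


def hidden_pids(known: Set[int], probe: Callable[[int], bool], max_pid: int) -> List[int]:
    """Pure comparison: PIDs the probe confirms but the listing lacks. Kept free of
    I/O so it can be exercised with constructed data."""
    return [pid for pid in range(1, max_pid + 1) if pid not in known and probe(pid)]


def scan_live(max_pid: Optional[int] = None) -> List[int]:
    """Run the check on this host. Candidates are re-checked against a second /proc
    listing and a second probe so short-lived processes that appear or vanish during
    the sweep are not reported as hidden."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    candidates = hidden_pids(proc_visible(), kill_probe, max_pid)
    still_known = proc_visible()
    return [pid for pid in candidates if pid not in still_known and kill_probe(pid)]


if __name__ == "__main__":
    hidden = scan_live()
    print("hidden PIDs:", hidden or "none")
```

The same pattern applies to the other artifacts named above: compare bind() results against the listening sockets netstat reports to find hidden ports, and compare a directory's link count or stat() probes against its readdir() output to find hidden files.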
- How do we get Argus on a Windows machine, and once it is there, how do we update it, manage it, and maintain it?
Argus can be deployed on Windows systems using the Argus agent, which can be installed manually or via automated deployment tools. Once installed, the agent is managed from the manager side: the Argus RESTful API lets you query an agent's current version, check for available updates, and push a new version to it remotely, with the API instructing the Argus manager to carry out the upgrade. The Argus dashboard shows the version of every agent, so administrators can verify that the fleet is consistent and up to date.
- How can we track Gmail using Argus? How do we integrate email with Google (Gmail)?
Argus can monitor Gmail activity indirectly by analyzing logs and integrating with Google Workspace. Google Workspace provides audit logs and security alerts that can be ingested into Argus through APIs, giving insights into email activity, login events, and potential phishing attempts within Gmail.
Through Argus's integration with Google Workspace, Argus can monitor suspicious login attempts, unusual email forwarding rules, and unauthorized access. Additionally, Argus SOAR workflows can be configured to respond to specific Gmail-related security events, such as alerting on suspicious access, locking accounts, or enforcing multi-factor authentication for high-risk users.
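What the two Gmail use cases above look like as detection logic, as an added example written for this page rather than Argus's own Google Workspace integration: a burst of login failures followed by a success from the same source, and a forwarding rule that sends mail to an outside domain. The records follow the general shape of a Google Reports API activity entry (id.time, id.applicationName, actor.email, ipAddress, events[].name, events[].parameters), but the sample events, the tenant domain, and the forwarding event and parameter names are constructed for the example and are not copied from Google's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains
FAILURE_THRESHOLD = 5                 # failures per actor within WINDOW before a success
WINDOW = timedelta(minutes=10)

# Constructed sample: six failures then a success for alice from one IP, and bob
# creating a forwarding rule to an external mailbox.
SAMPLE_EVENTS = [
    *[{"id": {"time": f"2024-05-01T10:0{i}:00.000Z", "applicationName": "login"},
       "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
       "events": [{"type": "login", "name": "login_failure", "parameters": []}]}
      for i in range(6)],
    {"id": {"time": "2024-05-01T10:07:00.000Z", "applicationName": "login"},
     "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.7",
     "events": [{"type": "login", "name": "login_success", "parameters": []}]},
    {"id": {"time": "2024-05-01T11:00:00.000Z", "applicationName": "gmail"},
     "actor": {"email": "bob@example.com"}, "ipAddress": "203.0.113.9",
     "events": [{"type": "user_settings", "name": "forwarding_rule_created",   # assumed name
                 "parameters": [{"name": "forward_to", "value": "attacker@evil-mail.test"}]}]},
]


def parse_time(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(records: List[dict]) -> List[Dict[str, str]]:
    """Replay audit records in time order and emit alerts for the two rules."""
    alerts: List[Dict[str, str]] = []
    failures: Dict[str, deque] = defaultdict(deque)  # actor -> recent failure times
    for rec in sorted(records, key=lambda r: r["id"]["time"]):
        when = parse_time(rec["id"]["time"])
        actor = rec["actor"]["email"]
        ip = rec.get("ipAddress", "")
        for ev in rec["events"]:
            params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
            q = failures[actor]
            while q and when - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if ev["name"] == "login_failure":
                q.append(when)
            elif ev["name"] == "login_success":
                if len(q) >= FAILURE_THRESHOLD:
                    alerts.append({"rule": "success_after_failure_burst", "actor": actor, "ip": ip,
                                   "detail": f"{len(q)} failures within {WINDOW} before success"})
                    q.clear()
            elif ev["name"] == "forwarding_rule_created":
                dest = params.get("forward_to", "")
                domain = dest.rsplit("@", 1)[-1].lower()
                if domain not in INTERNAL_DOMAINS:
                    alerts.append({"rule": "external_forwarding_rule", "actor": actor, "ip": ip,
                                   "detail": f"mail forwarded to {dest}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Each alert carries the actor and source IP so a SOAR playbook can act on it directly (sign the user out, require MFA re-enrollment, or remove the forwarding rule).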
Technical FAQ’s #
- How can I forward my logs to another solution or SOC?
You can download your archived data and then push it to another solution or to your Security Operations Center (SOC).
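The archive is JSON, and most SOC tooling expects syslog or CEF, so a conversion step usually sits between the download and the push. The following is an added example written for this page, not Argus's export tooling: it turns archived alerts (one JSON object per line) into CEF events with the header and extension escaping that receivers require. The alert field names (rule.id, rule.level, rule.description, agent, data.srcip, syscheck.path) are assumed, since the page does not document the archive schema, and the sample records are constructed.

```python
import json
from typing import Dict, List

# Constructed sample archive: two alerts, the second with characters that need escaping.
SAMPLE_ARCHIVE = "\n".join([
    json.dumps({"timestamp": "2024-05-01T10:07:00.000Z",
                "rule": {"id": "1001", "level": 10,
                         "description": "sshd: brute force trying to get access to the system."},
                "agent": {"name": "web-01", "ip": "10.0.0.12"},
                "data": {"srcip": "198.51.100.7", "srcuser": "root"}}),
    json.dumps({"timestamp": "2024-05-01T10:09:30.000Z",
                "rule": {"id": "1002", "level": 7,
                         "description": "Integrity checksum changed | file modified"},
                "agent": {"name": "db-01", "ip": "10.0.0.20"},
                "syscheck": {"path": "/etc/profile.d/proxy=on.sh", "event": "modified"}}),
])


def _esc_header(value) -> str:
    """CEF header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value) -> str:
    """CEF extension values: escape backslash, '=', and line breaks (pipes are literal here)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def alert_to_cef(alert: dict) -> str:
    """Map one archived alert to a CEF:0 line. Severity scales the 0-15 rule level
    onto CEF's 0-10 range (an assumption; adjust to your receiver's conventions)."""
    rule = alert.get("rule", {})
    severity = min(10, round(int(rule.get("level", 0)) * 10 / 15))
    ext = {
        "rt": alert.get("timestamp", ""),   # ISO-8601; convert to epoch ms if required
        "dvchost": alert.get("agent", {}).get("name", ""),
        "dvc": alert.get("agent", {}).get("ip", ""),
        "src": alert.get("data", {}).get("srcip", ""),
        "suser": alert.get("data", {}).get("srcuser", ""),
        "fname": alert.get("syscheck", {}).get("path", ""),
        "act": alert.get("syscheck", {}).get("event", ""),
    }
    header = "|".join(["CEF:0", "Argus", "Argus Manager", "1.0",
                       _esc_header(rule.get("id", "")),
                       _esc_header(rule.get("description", "")), str(severity)])
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items() if v != "")
    return f"{header}|{extension}"


def convert_archive(text: str) -> List[str]:
    """Convert a JSON-lines archive to a list of CEF lines, skipping blank lines."""
    return [alert_to_cef(json.loads(line)) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for cef in convert_archive(SAMPLE_ARCHIVE):
        print(cef)
```

Send the resulting lines over TLS syslog (RFC 5425) rather than plain UDP: archived alerts contain usernames, internal IPs and file paths.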
- Do I have access to Argus indexer API?
The Argus indexer API is not accessible by default. If you want to access it, contact the Argus team through the Help section of your Argus Cloud Console to authorize the connection from a specific IP address. After authorization is granted, you have access to the GET methods of the Argus indexer API.
- Do I have access to Argus API?
You have access to the Dev Tools in your Argus dashboard, where you can issue API requests. The Argus API itself is not exposed externally; to call it directly, contact the Argus team through the Help section of your Argus Cloud Console to allow access from a specific source IP address.
- Can I integrate with my Single Sign-On (SSO) method (LDAP, Okta, Active Directories)?
Yes, you can access the Argus WUI of your environment through your SSO tool. To perform this action, you need to contact the Argus Support team through the Help section of your Argus Cloud Console.
- Can I send data directly to the Argus indexer of my environment?
No, all the communications are performed through Argus agents.
- Can I send syslog data directly to the environment?
No, all communications are performed through Argus agents once they are registered in the environment. There are, however, alternative options; see the documentation on how to forward syslog events to your environment for details.
- How can I update my environment?
Argus takes care of the updates, so your environment gets the latest version of Argus with no downtime.
- How do I get SSH access to my environment?
SSH access is not allowed for security reasons. Environments are managed from the Argus Cloud Console and Argus WUI.
- What should I do if I encounter an issue with Argus?
If you encounter an issue with Argus:
• Check the Logs: Review the Argus, Elasticsearch, and Filebeat logs for error messages or warnings.
• Consult the Documentation: The Argus documentation is a comprehensive resource for troubleshooting common issues.
• Seek Community Support: You can ask questions and find solutions in the Argus community forums or GitHub.
• Professional Support: If needed, Argus offers professional support services for more complex issues.