ARGUS
Argus is a security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments.
Argus helps organizations and individuals protect their data assets against security threats. It is widely used by thousands of organizations worldwide, from small businesses to large enterprises.
HOME OVERVIEW
The home page acts as a central hub for monitoring and managing various aspects of security and compliance. It presents an overview of Argus.
AGENTS SUMMARY: The Agents Summary section offers an overview of the status of Argus agents deployed throughout the infrastructure.
- Total Agents: The total number of agents configured or registered within the system, i.e. how many agents are being managed.
- Active Agents: The number of agents currently reporting to the Argus manager. Active agents continuously monitor and analyze security data, providing real-time visibility into the security status of your endpoints.
- Disconnected Agents: The number of agents that are not currently communicating with the Argus manager. Agents may be disconnected because of network issues, because the agent process was stopped, or for other reasons. Identifying and troubleshooting disconnected agents is essential for maintaining comprehensive security monitoring.
- Pending Agents: Agents that have been added but are waiting for approval or configuration before they become active. The number shown is 0, indicating that no agents are in a pending state.
- Never Connected Agents: The number of agents that were added to the system but have never successfully connected to the server. A value of 0 means that there are no agents that have been configured but never connected.
ALERT SUMMARY or ALERT DASHBOARD: Provides a categorized breakdown of alerts by severity level for the selected time period.
Severity Levels Overview
In Argus, incidents are categorized based on severity levels, which help in determining the urgency of response. These severity levels are mapped to rule levels that measure the potential impact and threat level of an event. Here, we break down incidents into Critical, High, Medium, and Low severities based on rule levels.
1. Critical Severity (Rule Level 15 and Above)
- Definition: Critical severity refers to incidents with a rule level of 15 or more. These incidents pose the highest risk to the organization and demand immediate attention due to their potential to cause significant damage.
- Examples:
  - Zero-Day Exploits: Attacks that exploit vulnerabilities unknown to the vendor.
  - Data Breaches: Unauthorized access to sensitive information.
  - Critical System Compromise: Compromise of vital infrastructure, such as domain controllers or database servers.
2. High Severity (Rule Level 12 to 14)
- Definition: High severity incidents range from rule levels 12 to 14. These events represent significant risks but may not have an immediate impact on critical systems.
- Examples:
  - Malware Infections: Detected malware that hasn’t yet fully executed or spread across the network.
  - Failed Login Attempts: Multiple login failures, indicating potential brute force attacks.
  - Unusual Privilege Changes: Unexplained or unauthorized changes in user privileges.
  - Network Scans: Scanning activities that may indicate early reconnaissance from an attacker.
3. Medium Severity (Rule Level 7 to 11)
- Definition: Medium severity events are associated with rule levels 7 to 11. These incidents pose moderate risk but typically do not represent an immediate threat.
- Examples:
  - Suspicious File Downloads: Downloading executable files from unknown or risky sources.
  - Outbound Connections: Connections to questionable IP addresses or domains.
  - Policy Violations: Actions taken that violate internal security policies but do not immediately compromise security.
  - Phishing Attempts: Detection of phishing emails that have not yet resulted in compromise.
4. Low Severity (Rule Level 0 to 6)
- Definition: Low severity incidents have rule levels between 0 and 6. These events are minor and typically pose little to no risk to the organization.
- Examples:
  - Single Failed Login Attempt: One-off login failures without repeated attempts.
  - Benign Software Downloads: Authorized software downloads that may trigger an alert but do not pose a risk.
  - Minor Policy Violations: Non-critical deviations from security policies, such as unauthorized use of certain applications.
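As an added example (not part of the Argus documentation), the following Python maps rule levels to the four severity bands defined above and builds the Alert Summary breakdown from a constructed batch of JSON alert records. The `rule.level` field layout of the records is an assumption, not something the page specifies.

```python
import json
from collections import Counter

# Severity bands exactly as the Severity Levels Overview defines them:
# (label, lowest rule level, highest rule level or None for open-ended).
SEVERITY_BANDS = (
    ("Critical", 15, None),
    ("High", 12, 14),
    ("Medium", 7, 11),
    ("Low", 0, 6),
)


def classify_severity(rule_level):
    """Map a numeric rule level to the dashboard's severity label."""
    if not isinstance(rule_level, int) or rule_level < 0:
        raise ValueError(f"invalid rule level: {rule_level!r}")
    for name, low, high in SEVERITY_BANDS:
        if rule_level >= low and (high is None or rule_level <= high):
            return name
    raise AssertionError("unreachable: bands cover every level >= 0")


def summarize_alerts(alert_lines):
    """Count alerts per severity from newline-delimited JSON alert records.

    Assumes each record stores its level at rule.level (assumption, not from
    the page). Records that cannot be parsed or lack a valid level are counted
    under 'Unparsed' so a broken feed is visible instead of silently dropped.
    """
    counts = Counter({name: 0 for name, _, _ in SEVERITY_BANDS})
    counts["Unparsed"] = 0
    for line in alert_lines:
        line = line.strip()
        if not line:
            continue
        try:
            level = json.loads(line)["rule"]["level"]
            counts[classify_severity(level)] += 1
        except (ValueError, KeyError, TypeError):
            counts["Unparsed"] += 1
    return dict(counts)


# Constructed sample records (not real alerts) hitting every band boundary.
SAMPLE_ALERTS = [
    '{"rule": {"level": 15, "description": "Critical system compromise"}}',
    '{"rule": {"level": 14, "description": "Unusual privilege change"}}',
    '{"rule": {"level": 12, "description": "Multiple failed logins"}}',
    '{"rule": {"level": 11, "description": "Suspicious file download"}}',
    '{"rule": {"level": 7, "description": "Policy violation"}}',
    '{"rule": {"level": 6, "description": "Single failed login"}}',
    '{"rule": {"level": 0, "description": "Benign software download"}}',
    'not a json record',
]

if __name__ == "__main__":
    print(summarize_alerts(SAMPLE_ALERTS))
```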
The use cases consist of:
ENDPOINT SECURITY: Protects and secures endpoints such as computers, mobile devices, and servers from threats and vulnerabilities through monitoring, detection, and response measures.
- Configuration Assessment: Performs scans of your assets as part of a configuration assessment audit. It ensures that systems are configured following best practices and security policies.
- Malware Detection: Ensures your systems are configured according to your security policy baseline. It detects and alerts on the presence of malware within your systems.
- File Integrity Monitoring: Notifies you of file changes, including modifications to permissions, content, ownership, and attributes. Its purpose is to monitor critical files for unauthorized changes that may indicate a security breach.
THREAT INTELLIGENCE: It collects, analyzes, and applies data regarding current and emerging threats to enhance security measures and defenses. The purpose is to identify and respond to potential threats more effectively by leveraging up-to-date threat information.
- Threat Hunting: Examines your security alerts to identify issues and threats in your environment. It proactively searches for threats and indicators of compromise within the network.
- Vulnerability Detection: Identifies applications in your environment affected by well-known vulnerabilities. It detects and reports vulnerabilities within applications to support remediation efforts.
- MITRE ATT&CK: Security events from the knowledge base of adversary tactics and techniques based on real-world observations. It maps security events to the MITRE ATT&CK framework to understand the tactics and techniques used by adversaries.
- VirusTotal: It generates alerts based on VirusTotal’s analysis of suspicious files through API integration. It uses VirusTotal’s extensive database to analyze and classify files as safe or malicious using collective threat intelligence.
COMPLIANCE MONITORING: Manages and coordinates all aspects of an organization’s security initiatives, including threat detection, incident response, and risk management, to safeguard assets and uphold security posture.
- PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is a comprehensive set of security standards designed to ensure that all companies processing, storing, or transmitting credit card information maintain a secure environment. It was created to enhance controls around cardholder data and reduce credit card fraud.
- General Data Protection Regulation (GDPR): The GDPR is a regulation that establishes guidelines for processing personal data of individuals within the European Union (EU).
- HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets data privacy and security standards for protecting medical information. It ensures the protection of medical data by maintaining the confidentiality, integrity, and availability of health information.
- NIST 800-53: Also known as “Security and Privacy Controls for Information Systems and Organizations,” this is a publication from the National Institute of Standards and Technology (NIST). It offers a detailed set of guidelines and best practices for safeguarding information systems used by federal agencies and organizations that interact with the U.S. government.
- Trust Services Criteria (TSC): The TSC includes criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. It ensures that systems and data are protected and accessible, fostering trust in the services provided by organizations.
CLOUD SECURITY: Cloud security encompasses a wide range of policies, technologies, and controls designed to protect the data, applications, and infrastructure associated with cloud computing. It addresses both physical and logical security concerns across various service models (IaaS, PaaS, SaaS) and deployment models (public, private, hybrid, community).
- Docker: Monitors and collects activity from Docker containers, such as creation, running, starting, stopping, or pausing events.
- Amazon Web Services (AWS): Security events related to your Amazon AWS services, collected directly via AWS API.
- Google Cloud: Security events related to your Google Cloud Platform services, collected directly via GCP API.
- GitHub: Monitors events from audit logs of your GitHub organizations.
- Office 365: Security events related to your Office 365 services.