Frequently asked Questions

Signing up to ARGOS is done in three simple steps.

• Browse to https://app.argos-security.io/register
  • You'll be asked to log in with your Entra ID / Gmail account first.
• Add your details (no credit card required!)
• Click sign-up

When logging in to ARGOS for the first time using a Microsoft Entra ID account, depending on your company's Entra ID configuration, you might be prompted for admin consent. This is an Entra ID configuration and a normal process when logging in to any SaaS for the first time.

If presented with the option to request for admin consent, an Entra ID administrator can grant users access to log in to ARGOS.

If the option is not available, ask an Entra ID administrator to browse to https://login.microsoftonline.com/{entra-tenant-id}/adminconsent?client_id=2f1d30d4-feb5-4743-879a-f192ef3eeeb4 (ensure they replace "{entra-tenant-id}" with the actual Entra ID Tenant id). Once they granted access, log in to ARGOS will be possible.

The following identities are supported by ARGOS:

• Microsoft Entra ID
• Google / Gmail

The account you log into ARGOS with must have a valid email address.

If you have MFA configured on the user account you are logging in with, then ARGOS will also prompt you based on that configuration.

We highly recommend you enable MFA (ideally with a FIDO key) on the user account you access ARGOS with.

Definitely not!

We will never end up on The SSO Wall of Shame. Promise!

Yes! ARGOS provides its users with two different kinds of cloud diagrams that are available after a successful scan is completed.

1. Unified ARGOS diagram
   1. This diagram is available on the Summary page and can display for example "All Azure VMs with a public IP and all the resources in the environment" or "Show me all Azure Virtual Networks in the environment."
2. Detection diagram
   1. This diagram is created for each specific detection and can be found when browsing to an individual detection. It shows the immediate environment around a misconfigured and vulnerable resource.

ARGOS gives deep insights into a cloud environment (Azure, Entra ID, or AWS) on all diagrams.

These insights include:

• lateral movement paths via network or cloud identities
• security and compliance issues
• relationships between resources usually hidden at scale in cloud-native products

The "ARGOS Cloud Security AI" feature is available on an individual detection's page.

Browse to https://app.argos-security.io/detections , select a detection, wait for the diagram to load and then click the purple button.

ARGOS AI will then analyze the environment for you and offer its interpretation including attack paths and remediation advice.

Yes, ARGOS automatically ignores cloud resources with the following tag:

`argos-ignore = true`

Learn more about how to tag resources:

• Azure
• AWS

Applies to "continuous scanning" feature only.

Yes, individual detections can be ignored by an ARGOS user if they are expected on a resource.

Simply find the rule violation in question and click the "ignore" button.

A user can easily revert this by finding the ignored resource and selecting "unignore" at which point the resource will again be included in graphs and scoring.

This action is logged and visible in the audit logs.

Upon completion of a one-off scan ARGOS will send you an email with access to a Word report with all the results from the scan, including executive summary, compliance overview and individual diagrams for each detection.

You can download sample reports from here.

Yes, absolutely. ARGOS exposes secure APIs to its customers so that day to day actions can be executed using tools like curl, bash, PowerShell or Postman.

Check out https://dev.argos-security.io to access our developer portal and API definitions.

Each ARGOS user will receive their own API key they can use to interact with ARGOS.

APIs available include (amongst others):

• Start one-off scan Azure / AWS / Entra ID
• Get all / single Detections
• Get all / single Inventory
• Add / remove Azure Subscription / Entra ID Tenant / AWS Account for continuous scanning

Awesome. If you already have a SIEM like Azure Sentinel, Splunk, or similar, then you are already doing amazing things and you likely have great insights into what is happening in your environment.

ARGOS won't replace your existing tools. ARGOS complements.

If you get an incident in your SIEM, instead of manually researching what else could be impacted by an issue just have a quick look at ARGOS's diagram for that resource. It includes all the important information like Attack Path Analysis, Lateral Movement Paths, other related cloud resources and even their issues.

Instead of spending hours without context, just spend a minute or two interpreting the ARGOS diagrams.

Awesome. If you already have a CSPM, then you should already have a list of issues in your environment.

ARGOS won't replace your existing tools. ARGOS complements.

In order to prioritise issues you find in your CSPM just have a quick look at ARGOS's diagram for that resource. It includes all the important information like Attack Path Analysis, Lateral Movement Paths, other related cloud resources and even their issues.

Instead of spending hours or days without context, just spend a minute or two interpreting the ARGOS diagrams.

Almost nothing.

Two options:

• Read-only access to Azure / Entra ID / AWS to run a one-off, ad-hoc Scan.
• For continuous scans: You'll only have to add an Azure Service Principal / Entra ID App Registration (for Azure), an AWS IAM role (for AWS) to ARGOS.

That's it. You do not need to deploy any agents or infrastructure into your cloud environment to get the full benefits of running ARGOS. ARGOS does not expect any particular cloud services to be enabled, activated, configured or paid for, like Microsoft Defender for Cloud. 

Besides the subscription cost there is no other cost associated with ARGOS on Azure.

Be aware that the increase in API calls on AWS might have cost implications for your AWS CloudTrail service. Please reach out to support@argos-security.io to discuss this.

Note: Using ARGOS to remediate rule violations may have effects on resource cost.

One-off scan:

• You only need to have Reader access with your user to the Subscription(s) you want to scan. ARGOS will ask you to sign in and ARGOS will use your access to create a temporary connection to Azure.
• If you are a Guest in an Azure tenant or user permissions in a tenant are restricted, then you might need to request access to ARGOS from an Entra ID admin. The process for this is explained in the ARGOS dashboard.

Continuous scans:

• ARGOS requires an Entra ID Application to authenticate to a customer's Azure cloud. You can create one in a few simple steps:
• https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
• Once you created the Application, go to "API Permissions" and apply the "Organization.Read.All" permissions of "Application" type (not "delegated"). This requires you to grant admin consent for that permission. This permission is used to read basic information about the Entra ID tenant. In the end it will look like this:
  
• Once that is created ARGOS requires at least Reader permissions to each Azure subscription you want to monitor.
• Follow these steps to assign Reader permissions to the Entra ID application from above:
• https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment

If you want to use ARGOS's remediation feature, then ARGOS also requires the appropriate "write" permissions to the Azure subscription.

One-off scan:

Follow the instructions in this short video: https://argos-security.io/videos/#aws-one-off

The permissions recommended are:

• ViewOnlyAccess
• SecurityAudit
• AWSLambda_ReadOnlyAccess (recommended in order to check Lambda Function code for secrets)
• A custom "inline policy" is required to query Backup Plans. "backup:GetBackupPlan" is needed.

Continuous Scans:

ARGOS requires an AWS IAM Role to be created in every AWS account you want ARGOS to monitor.

Follow these steps here to create a role:

• https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html#roles-creatingrole-user-console

In your "My Account" page you can find all required information to create the roles, including the ARGOS AWS Account ID and ExternalId for the IAM role's trust policy. The process behind these information is described in this AWS article.

The role requires access to at least the following IAM policies:

• ViewOnlyAccess
• SecurityAudit
• AWSLambda_ReadOnlyAccess (recommended in order to check Lambda Function code for secrets)
• A custom "inline policy" is required to query Backup Plans. "backup:GetBackupPlan" is needed.

If remediation is used from within ARGOS then the IAM role needs access to make required changes. The policies in this case depend on the services being remediated.

In your "My Account" page you can now add an AWS account specifying the following information.

• AWS Account ID(s)
• AWS IAM Role name
• AWS regions to be monitored

Similar to Azure, for Entra ID / M365 one-off scans ARGOS requires an Access Token from Microsoft's Graph API. This token will allow ARGOS to scan the Entra ID tenant with only the minimal permissions required.

The user should have the "Global Reader" role assigned.
For Exchange Online, the user should also have permissions from the "View-Only Organization Management" Exchange Online role.

Using the Graph PowerShell module it's only 3 lines to get the token:

Connect-MgGraph -Scopes "Application.Read.All", "Directory.AccessAsUser.All", "Domain.Read.All", "openid", "profile", "User.Read.All", "Policy.Read.All", "AuditLog.Read.All", "EntitlementManagement.Read.All", "Synchronization.Read.All", "IdentityRiskEvent.Read.All", "OnPremDirectorySynchronization.Read.All", "RoleAssignmentSchedule.Read.Directory", "RoleEligibilitySchedule.Read.Directory", "RoleManagementPolicy.Read.Directory", "SharePointTenantSettings.Read.All", "TeamworkAppSettings.Read.All", "SecurityEvents.Read.All", "DeviceManagementConfiguration.Read.All", "DeviceManagementManagedDevices.Read.All"
$data = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/me" -Method GET -OutputType HttpResponseMessage
$data.RequestMessage.Headers.Authorization.Parameter | Set-Clipboard

When signing up to ARGOS customers have the choice of regions they want to have their data stored.

Currently ARGOS supports the following regions:

• Australia
• Europe (EU)
• more regions by customer demand

ARGOS encrypts sensitive data like the Azure, AWS or Entra ID credentials with AES-256 GCM in our database.

Please refer to our Terms & Conditions and Privacy Policy for more detail.

ARGOS does not store any customer passwords as every customer tenant is automatically enabled for SSO (Single Sign On).

Customer data is automatically marked for deletion 30 days after the end of the subscription.

You are in complete control over the data in your ARGOS tenant.

If you decide to click "remove data" for scanned cloud environments then we will follow that wish right away and delete the data from all systems.

Otherwise, the data will be retained as long as you have an active ARGOS subscription. After which we delete data within 30 days.

ARGOS AI uses a private instance of Azure OpenAI and a mix of multiple large language models (LLMs).

Under no circumstances is any customer data used to train a model.

No. Customer data is never used to train any AI models.

ARGOS can send notifications of new detections into a customer-owned Slack channel.

All we require a webhook to this channel. A Slack incoming webhook can be created by clicking the "Add to Slack" button on https://app.argos-security.io/account/notifications

ARGOS can send notifications of new detections into a customer-owned Teams channel.

All we require is the webhook URI to this channel. A Teams incoming webhook can be created by following this process here.

Add the webhook URI to the "Notifications" tab on https://app.argos-security.io/account/notifications .

ARGOS can easily create Jira tickets in order to assign detections to the right members of your team.

• browse to https://app.argos-security.io/account/jira 
• Add your JIRA user account's email address
• Create a JIRA API token at https://id.atlassian.com/manage-profile/security/api-tokens.
• Provide the URI to your JIRA workspace in the format "https://yourworkspace.atlassian.net/"
• Select the default project to connect ARGOS to
• Select the issue type you want ARGOS to create when exporting

Once configured, a new button will appear when browsing to any detection. Test it out by browsing to https://app.argos-security.io/detections and select any detection. You will now see the "Export to Jira" button.

The export can optionally also be automated. Whenever a new detection is created by ARGOS it is automatically added to Jira.

ARGOS can easily create Service Now tickets in order to assign detections to the right members of your team.

• browse to https://app.argos-security.io/account/service-now 
• Add your Service Now instance name.
• Add a user name and password of a Service Now user with permissions to create incidents in Service Now.

Once configured, a new button will appear when browsing to any detection. Test it out by browsing to https://app.argos-security.io/detections and select any detection. You will now see the "Export to Service Now" button.

ARGOS can send data about detections to your Microsoft Sentinel workspace. 

In order to configure this integration follow these simple steps:

1. Browse to https://app.argos-security.io/account/sentinel
2. Paste the Sentinel Workspace ID and Sentinel Primary Key into the dialogue.

New detections will automatically be sent to Sentinel and can be queried from the "ARGOS_CL" table.