Configure Aurora Endpoint Defense for Arctic Wolf Active Response

With the Active Response service, Arctic Wolf® can perform host-based response actions in your network using Aurora Endpoint Defense® (formerly known as the CylancePROTECT and CylanceOPTICS products).

Aurora Endpoint Defense supports these response actions:
  • Contain a host/Remove from containment
  • Quarantine a file/Remove from quarantine

For more information, see Response action descriptions.

These resources are required:

  • Administrator access to the Aurora Endpoint Defense console
    Note: To configure Aurora Endpoint Defense, you require Aurora Protect and endpoint defense capabilities. This full software package is called Aurora Endpoint Defense. For more information about how to determine which SKUs your organization has, see Accessing the management console and configuring authentication.

These actions are required:

  • Make sure that Aurora Focus is installed on the target devices.
  • Contact your CST to validate the Active Response integration. Have a device or environment ready that Arctic Wolf can use to validate the desired response actions without causing interruptions.

Add an application to Aurora Endpoint Defense

  1. Sign in to the Aurora Endpoint Defense console.
  2. Navigate to Settings > Integrations.
  3. In the Tenant ID field, click Copy and save it to a safe, encrypted location.
    You will provide it to Arctic Wolf later.
  4. Click Add Application.
  5. In the Add Application dialog, enter a name for the application, for example, Arctic Wolf Active Response.
  6. Select the checkboxes for these permissions:
    • Devices > Read
    • Focus Commands > Read
    • Focus Commands > Write
    • Focus Commands > Delete
  7. Click Save.
  8. In the Application Saved dialog, click Copy and save the Application ID and Application Secret values to a safe, encrypted location.
    You will provide them to Arctic Wolf later.

Provide Aurora Endpoint Defense Active Response credentials to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Organization Profile > Integrations.
  3. On the Active Response tab, click New Active Response Integration +.
  4. Click Aurora Endpoint Defense.
  5. On the New Active Response Integration page, configure these settings:
  6. Click Save Integration.