Aurora Focus optional sensors

You can enable any of the following Aurora Focus sensors to collect additional data beyond standard process, file, network, and registry events. Enabling optional sensors can impact performance and resource usage on devices, as well as the amount of data stored in the Aurora Focus database. Arctic Wolf recommends enabling optional sensors on a small number of devices initially to assess the impact.

The optional sensors are supported for Windows 64-bit operating systems only, unless otherwise noted.

Each sensor entry below gives the sensor name, a description, best practices (signal to noise ratio, potential data retention and performance impact, and the device types it is recommended or not recommended for), and notes.

Advanced Portable Executable Parsing

Description: The Aurora Focus agent records data fields associated with portable executable files, such as file version, import functions, and packer types.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • The data gathered by this sensor is passed into the Context Analysis Engine to aid with advanced executable file analysis and is not stored in the Aurora Focus database.
  • Enabling this sensor will have little to no impact on Aurora Focus data retention.
  • If you add and enable a detection rule that analyzes string resources, the Aurora Focus agent might consume significant CPU and memory resources.

Advanced PowerShell Visibility

Description: The Aurora Focus agent records commands, arguments, scripts, and content from JScript, PowerShell (console and integrated scripting environment), VBScript, and VBA macro script execution.

Best practices:
  Signal to noise ratio: High
  Potential data retention and performance impact: Low to moderate
  Recommended for:
    • Desktops
    • Laptops
    • Servers
  Not recommended for Microsoft Exchange and email servers.

Notes:
  • Tools provided by Microsoft or other third-party solutions may rely heavily on PowerShell to conduct operations.
  • To allow for increased data retention, Arctic Wolf recommends that you configure detection exceptions for trusted tools that make heavy use of PowerShell.

Advanced WMI Visibility

Description: The Aurora Focus agent records additional WMI attributes and parameters.

Best practices:
  Signal to noise ratio: High
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • Some Windows background and maintenance processes use WMI to schedule tasks or execute commands, which can result in bursts of high WMI activity.
  • Arctic Wolf recommends analyzing your environment’s WMI usage before you enable this sensor.

API Sensor

Description: The Aurora Focus agent monitors an identified set of Windows API calls.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Enabling this sensor may impact a device's CPU performance.
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • Supported on x86 or x64 Windows operating systems.
  • Requires the Aurora Protect Desktop agent version 3.0.1003 or later.
  • Requires the Aurora Focus agent version 3.2 or later.

COM Object Visibility

Description: The Aurora Focus agent monitors COM interface and API calls to detect malicious behaviors such as scheduled task creation.

Best practices:
  Signal to noise ratio: High
  Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
  Recommended for:
    • Desktops
    • Laptops
  Not recommended for servers.

Notes:
  • Requires the Aurora Protect Desktop agent version 3.2 or later.
  • Requires the Aurora Focus agent version 3.3 or later.

DNS Visibility

Description: The Aurora Focus agent records DNS requests, responses, and associated data fields such as Domain Name, Resolved Addresses, and Record Type.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Moderate
  Recommended for:
    • Desktops
    • Laptops
  Not recommended for DNS servers.

Notes:
  • This sensor can gather a significant amount of data, but it can also provide visibility into data that other tools have difficulty recording.
  • To allow for increased data retention, Arctic Wolf recommends that you configure detection exceptions for trusted tools that make heavy use of cloud-based services.

Enhanced File Read Visibility

Description: The Aurora Focus agent monitors file reads within an identified set of directories.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, Aurora Focus might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio, Arctic Wolf recommends that you configure detection exceptions for trusted security tools.

Enhanced Process and Hooking Visibility

Description: The Aurora Focus agent records process information from the Win32 API and Kernel Audit messages to detect forms of process hooking and injection.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • Some third-party security tools may use the Windows APIs that this sensor collects data from. In some cases, Aurora Focus might record irrelevant or trusted data.
  • To allow for increased data retention and a higher signal to noise ratio, Arctic Wolf recommends that you configure detection exceptions for trusted security tools.

HTTP Visibility

Description: The Aurora Focus agent tracks Windows HTTP transactions, including Event Tracing for Windows, WinINet APIs, and WinHTTP APIs.

Best practices:
  Signal to noise ratio: High
  Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
  Recommended for:
    • Desktops
    • Laptops
  Not recommended for servers.

Notes:
  • Requires the Aurora Protect Desktop agent version 3.2 or later.
  • Requires the Aurora Focus agent version 3.3 or later.

Module Load Visibility

Description: The Aurora Focus agent monitors module loads.

Best practices:
  Signal to noise ratio: High
  Potential data retention and performance impact: Enabling this sensor may impact CPU performance.
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  • Requires the Aurora Protect Desktop agent version 3.2 or later.
  • Requires the Aurora Focus agent version 3.3 or later.

Private Network Address Visibility

Description: The Aurora Focus agent records network connections within the RFC 1918 and RFC 4193 address spaces.

Best practices:
  Signal to noise ratio: Low
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
  Not recommended for:
    • DNS servers
    • Low- or under-resourced systems
    • Systems that use RDP or other remote access software

Notes:
  • This sensor gathers a significant amount of data and can impact the length of time that data is stored in the Aurora Focus database.
  • Arctic Wolf recommends that you enable this sensor only in environments where full visibility into private network address communication is a requirement.
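
Before enabling this sensor on a device, one way to gauge how much of its traffic the sensor would record is to classify the peers of the device's current connections against the RFC 1918 and RFC 4193 ranges. The PowerShell below is an added example, not Arctic Wolf's or Aurora Focus's own code; it assumes a Windows host where Get-NetTCPConnection (NetTCPIP module) is available, the sample addresses are constructed, and the function and variable names are the example's own.

```powershell
# Added example, not Aurora Focus code: classify connection peers by RFC 1918 / RFC 4193
# and show which processes own the private-range connections on this device.
# Assumes Windows with the NetTCPIP module (Get-NetTCPConnection).

function Test-PrivateAddress {
    # Returns $true when $Address lies inside RFC 1918 (IPv4) or RFC 4193 (IPv6 ULA) space.
    param([Parameter(Mandatory)][string]$Address)

    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()

    if ($ip.AddressFamily -eq 'InterNetwork') {
        # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and ($b[1] -band 0xF0) -eq 16) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    }
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        # RFC 4193 unique local addresses: fc00::/7, i.e. first byte 0xfc or 0xfd
        return (($b[0] -band 0xFE) -eq 0xFC)
    }
    return $false
}

# Constructed sample addresses (not real data) to show the classification.
$sample = '10.20.30.40', '172.31.9.1', '172.32.0.1', '192.168.1.10', '8.8.8.8', 'fd12:3456::1', '2001:db8::1'
foreach ($a in $sample) {
    '{0,-16} private={1}' -f $a, (Test-PrivateAddress $a)
}

# Live check: how many established connections have a private-range peer, and which
# processes own them, so you can see whether RDP or other remote access software
# accounts for most of the data this sensor would record.
$conns   = @(Get-NetTCPConnection -State Established |
             Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') })
$private = @($conns | Where-Object { Test-PrivateAddress $_.RemoteAddress })

'{0} of {1} established connections have an RFC 1918 / RFC 4193 peer' -f $private.Count, $conns.Count

$private |
    Group-Object OwningProcess |
    Sort-Object Count -Descending |
    Select-Object -First 10 |
    ForEach-Object {
        $proc = Get-Process -Id $_.Name -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        [pscustomobject]@{ PID = $_.Name; Process = $name; Connections = $_.Count }
    } | Format-Table -AutoSize
```

Run it on a handful of candidate devices over a working day; a high private-peer share dominated by remote access or management tooling is the situation the "Not recommended for" list describes, and those devices are poor candidates for this sensor.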

Windows Advanced Audit Visibility

Description: The Aurora Focus agent monitors additional Windows event types and categories.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Low
  Recommended for:
    • Desktops
    • Laptops
    • Servers

Notes:
  This sensor enables monitoring of the following event IDs:
  • 4769 Kerberos service ticket request
  • 4662 Operation on an Active Directory object
  • 4624 Successful logon
  • 4702 Scheduled task update
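
The Advanced WMI Visibility entry recommends analyzing WMI usage before enabling that sensor, and the event IDs listed here determine what Windows Advanced Audit Visibility consumes. The PowerShell below is an added example, not Arctic Wolf's or Aurora Focus's own code, that baselines both from the device's own event logs before either sensor is turned on. It assumes an elevated session on the Windows device being assessed; the 24-hour window, the WMI-Activity log event IDs used as a proxy for WMI load, and the function name are the example's own choices.

```powershell
# Added example, not Aurora Focus code: count the events behind two optional sensors
# over a sample window, to estimate volume before enabling them.
# Assumes an elevated PowerShell session on the device being assessed.

$Hours = 24                                  # assumed sample window
$since = (Get-Date).AddHours(-$Hours)

function Get-EventIdCounts {
    # Counts events per ID in $LogName since $StartTime. Returns a hashtable ID -> count,
    # with 0 for IDs that did not occur.
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int[]]$Ids,
        [Parameter(Mandatory)][datetime]$StartTime
    )
    $counts = @{}
    foreach ($id in $Ids) { $counts[$id] = 0 }
    # Get-WinEvent raises an error when nothing matches; silence it and keep the zeros.
    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Ids; StartTime = $StartTime } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) { $counts[$e.Id] += 1 }
    return $counts
}

# Windows Advanced Audit Visibility: the Security-log event IDs listed on this page.
$auditIds    = 4769, 4662, 4624, 4702
$auditCounts = Get-EventIdCounts -LogName 'Security' -Ids $auditIds -StartTime $since

# Advanced WMI Visibility: the WMI-Activity operational log as a proxy for WMI load.
# These IDs are this example's choice: 5857 provider load, 5858 operation error,
# 5860 temporary event subscription, 5861 permanent event subscription.
$wmiIds    = 5857, 5858, 5860, 5861
$wmiCounts = Get-EventIdCounts -LogName 'Microsoft-Windows-WMI-Activity/Operational' `
                               -Ids $wmiIds -StartTime $since

$sets = @(
    @{ Name = 'Security';     Counts = $auditCounts },
    @{ Name = 'WMI-Activity'; Counts = $wmiCounts }
)
foreach ($set in $sets) {
    "`n$($set.Name): events in the last $Hours h"
    $set.Counts.GetEnumerator() | Sort-Object Key | ForEach-Object {
        '{0,6}  {1,8}  ({2:N1}/h)' -f $_.Key, $_.Value, ($_.Value / $Hours)
    }
}

# 4769 and 4662 are only generated where the matching audit subcategories are enabled
# (normally on domain controllers); auditpol shows the current policy for all four IDs.
auditpol /get /subcategory:"Kerberos Service Ticket Operations","Directory Service Access","Logon","Other Object Access Events"
```

A device with a steady few events per hour is a low-risk place to enable the sensor first; one that shows bursts of thousands of WMI-Activity events from maintenance tasks is the case the WMI entry warns about, and a zero count for an ID usually means the audit subcategory is off rather than that the activity is absent.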

Windows Event Log Visibility

Description: The Aurora Focus agent records Windows security events and their associated attributes.

Best practices:
  Signal to noise ratio: Moderate
  Potential data retention and performance impact: Moderate
  Recommended for:
    • Desktops
    • Laptops
    • Servers
  Not recommended for:
    • Domain controllers
    • Microsoft Exchange and email servers

Notes:
  • The Windows event logs that this sensor collects data from are generated frequently during normal system usage.
  • To reduce duplicate data and to allow for increased data retention, determine whether your organization already has tools in place that collect data from Windows event logs.