Data structures that Aurora Focus uses to identify threats
Events, artifacts, and facets are the three primary data structures that Aurora Focus uses to analyze, record, and investigate activities that occur on devices. Aurora Focus features such as InstaQuery, focus data, and the Context Analysis Engine (CAE) rely on these data structures.
This section provides more information about how Aurora Focus interprets and interacts with activities on devices, to help you better understand and make use of detections, queries, and focus data.
Data sources by OS
The Aurora Focus agent uses the following data sources:
| OS | Data sources |
|---|---|
| Windows | |
| macOS | CyOpticsDrvOSX kernel driver |
| Linux | ZeroMQ |
For information about the types of network traffic that Aurora Focus excludes by default, see KB 42221282487835.
Events
Events are the components that result in an observable change or action on a device. Events consist of two primary artifacts: the instigating artifact that initiates an action, and the target artifact that is acted on.
The following tables provide details about the types of events that Aurora Focus can detect and interact with.
Event: Any
- Device policy option to enable: Aurora Focus check box
- Artifact type: Process, User
- Platform: Windows, macOS, Linux
| Event type | Description |
|---|---|
| Any | All events record the process that generated them and the user that is associated with the action. |
Event: Application
- Device policy option to enable: Advanced WMI Visibility
- Artifact type: WMI trace
- Platform: Windows
| Event type | Description |
|---|---|
| Create Filter-Consumer Binding | A process used WMI persistence. |
| Create Temporary Consumer | A process subscribed to WMI events. |
| Execute Operation | A process performed a WMI operation. |
- Device policy option to enable: Enhanced Process and Hooking Visibility
- Artifact type: File
- Platform: Windows
| Event type | Description |
|---|---|
| CBT | The SetWindowsHookEx API installed a hook to receive notifications that are useful to a CBT application. |
| DebugProc | The SetWindowsHookEx API installed a hook to debug other hook procedures. |
| Get Async Key State | A process called the Win32 GetAsyncKeyState API. |
| JournalPlayback | The SetWindowsHookEx API installed a hook to monitor messages previously recorded by a WH_JOURNALRECORD hook procedure. |
| JournalRecord | The SetWindowsHookEx API installed a hook to monitor input messages posted to the system message queue. |
| Keyboard | The SetWindowsHookEx API installed a hook to monitor keystroke messages. |
| LowLevel Keyboard | The SetWindowsHookEx API installed a hook to monitor low-level keyboard input events. |
| LowLevel Mouse | The SetWindowsHookEx API installed a hook to monitor low-level mouse input events. |
| Message | The SetWindowsHookEx API installed a hook to monitor messages posted to a message queue. |
| Mouse | The SetWindowsHookEx API installed a hook to monitor mouse messages. |
| Register Raw Input Devices | A process called the Win32 RegisterRawInputDevices API. |
| Set Windows Event Hook | A process called the Win32 SetWinEventHook API. |
| Set Windows Hook | The SetWindowsHookEx API installed a hook with a type value that is not listed here. |
| ShellProc | The SetWindowsHookEx API installed a hook to receive notifications that are useful to shell applications. |
| SysMsg | The SetWindowsHookEx API installed a hook to monitor messages that are generated as a result of an input event in a dialog box, message box, or scroll bar. |
| WindowProc | The SetWindowsHookEx API installed a hook to monitor window procedure messages. |
- Device policy option to enable: API Sensor
- Artifact type: API Call
- Platform: Windows
| Event type | Description |
|---|---|
| Function | A noteworthy function call was made. |
- Device policy option to enable: Module Load Visibility
- Artifact type: File
- Platform: Windows
| Event type | Description |
|---|---|
| Load | An application loaded a module. |
- Device policy option to enable: COM Object Visibility
- Platform: Windows
| Event type | Description |
|---|---|
| Created | A COM object was created. |
Event: Device
- Device policy option to enable: Aurora Focus check box
- Artifact type: File
- Platform: macOS, Linux
| Event type | Description |
|---|---|
| Mount | A device was connected to the machine, or a folder was mounted from a network location. |
Event: File
- Device policy option to enable: Aurora Focus check box
- Artifact type: File
- Platform: Windows, macOS, Linux
| Event type | Description |
|---|---|
| Create | A file was created. |
| Delete | A file was deleted. |
| Overwrite | A file was overwritten. |
| Rename | A file was renamed. |
| Write | A file was modified. |
- Device policy option to enable: Enhanced File Read Visibility
- Artifact type: File
- Platform: Windows
| Event type | Description |
|---|---|
| Open | A file was opened. |
Event: Memory
- Device policy option to enable: Aurora Focus check box
- Artifact type: Process
- Platform: macOS, Linux
| Event type | Description |
|---|---|
| Mmap | A region of memory was mapped for a specific purpose, typically allocated for a process. |
| MProtect | The metadata of a region of memory was changed, typically to change its status (for example, to make it executable). |
Event: Network
- Device policy option to enable: Aurora Focus check box
- Artifact type: Network
- Platform: Windows, macOS, Linux
| Event type | Description |
|---|---|
| Connect | A network connection was opened. By default, local traffic is not collected. |
- Device policy option to enable: Private Network Address Visibility
- Artifact type: Network
- Platform: Windows
| Event type | Description |
|---|---|
| Connect | Connect events include local traffic. |
- Device policy option to enable: DNS Visibility
- Artifact type: DNS request
- Platform: Windows, Linux
| Event type | Description |
|---|---|
| Request | A process made a DNS request over the network that was not served from the cache. |
| Response | A process received a DNS response. |
- Device policy option to enable: HTTP Visibility
- Artifact type: HTTP
- Platform: Windows
| Event type | Description |
|---|---|
| Get | Windows used WinINet or WinHTTP to make an HTTP request. |
| Post | Windows used WinINet or WinHTTP to send data. |
Event: Process
- Device policy option to enable: Aurora Focus check box
- Artifact type: Process
| Event type | Platform | Description |
|---|---|---|
| Abnormal Exit | macOS, Linux | Monitored by the preselect sensor: a process exited without completing (for example, an exception caused the process to exit). |
| Exit | Windows, macOS, Linux | A process exited. |
| Forced Exit | macOS, Linux | Monitored by the preselect sensor: a process was forced to exit by another process. |
| PTrace | macOS, Linux | A process used ptrace, the Unix mechanism that allows one process to monitor and control another process. |
| Start | Windows, macOS, Linux | A process started. |
| Suspend | Linux | Monitored by the preselect sensor: a process was suspended. |
| Unknown Linux Process Event | macOS, Linux | Monitored by the preselect sensor: an unknown event occurred with the process as its target. This can be a sign of malicious software masking its activity. |
- Device policy option to enable: Enhanced Process and Hooking Visibility
- Artifact type: Process
- Platform: Windows
| Event type | Description |
|---|---|
| SetThreadContext | A process called the SetThreadContext API. |
| Terminate | An instigating process terminated another (target) process. |
Event: Registry
- Device policy option to enable: Aurora Focus check box
- Artifact type: Registry, File (if the registry key references a specific file)
- Platform: Windows
| Event type | Description |
|---|---|
| KeyCreated | A registry key was created. |
| KeyDeleting | A registry key was deleted. |
| ValueChanging | The value of a registry key was changed. |
| ValueDeleting | A registry key value was deleted. |
Event: Scripting
- Device policy option to enable: Advanced Scripting Visibility
- Artifact type: PowerShell trace
- Platform: Windows
| Event type | Description |
|---|---|
| Execute Command | Windows PowerShell executed a command. The parameters are unknown. |
| Execute Script | Windows PowerShell executed a script. |
| Execute ScriptBlock | Windows PowerShell executed a script block. |
| Invoke Command | Windows PowerShell invoked a command with bound parameters. |
| Prevent Script | An AMSI ScanBuffer result indicated that a script was detected or blocked by an administrator. |
Event: User
- Device policy option to enable: Advanced Scripting Visibility
- Artifact type: Windows Event
- Platform: Windows
| Event type | Description |
|---|---|
| Batch Logoff | Windows event ID 4634 (type 4) occurred. |
| Batch Logon | Windows event ID 4624 (type 4) occurred. |
| CachedInteractive Logoff | Windows event ID 4634 (type 11) occurred. |
| CachedInteractive Logon | Windows event ID 4624 (type 11) occurred. |
| Interactive Logoff | Windows event ID 4634 (type 2) occurred. |
| Interactive Logon | Windows event ID 4624 (type 2) occurred. |
| Network Logoff | Windows event ID 4634 (type 3) occurred. |
| Network Logon | Windows event ID 4624 (type 3) occurred. |
| NetworkClearText Logoff | Windows event ID 4634 (type 8) occurred. |
| NetworkClearText Logon | Windows event ID 4624 (type 8) occurred. |
| NewCredentials Logoff | Windows event ID 4634 (type 9) occurred. |
| NewCredentials Logon | Windows event ID 4624 (type 9) occurred. |
| RemoteInteractive Logoff | Windows event ID 4634 (type 10) occurred. |
| RemoteInteractive Logon | Windows event ID 4624 (type 10) occurred. |
| Service Logoff | Windows event ID 4634 (type 5) occurred. |
| Service Logon | Windows event ID 4624 (type 5) occurred. |
| Unlock Logoff | Windows event ID 4634 (type 7) occurred. |
| Unlock Logon | Windows event ID 4624 (type 7) occurred. |
| User Logoff | Windows event ID 4634 occurred with a type value that is not listed here. |
| User Logon | Windows event ID 4624 occurred with a type value that is not listed here. |
Artifacts and facets
Artifacts are complex pieces of information that Aurora Focus can use. The Context Analysis Engine (CAE) can identify artifacts on devices and use them to trigger automatic incident response and remediation actions. InstaQueries use artifacts as the foundation of a query.
Facets are the attributes of an artifact that identify the traits of the artifact associated with an event. Facets are correlated and combined during analysis to identify potentially malicious activity. For example, a file named "explorer.exe" is not inherently suspicious, but if the file is not signed by Microsoft and resides in a temporary directory, it may be identified as suspicious in some environments.
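The following Python is an added illustration of the structures described above (an event built from an instigating and a target artifact, and facets correlated as in the explorer.exe example); it is not Aurora Focus code. The `Artifact` and `Event` classes, the facet names `path` and `signer`, the temp-directory heuristic, and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Callable

# Constructed model of the event/artifact/facet structure; not Aurora Focus code.
@dataclass
class Artifact:
    kind: str                                   # e.g. "Process", "File"
    facets: dict = field(default_factory=dict)  # assumed facet names: "path", "signer", "name"

@dataclass
class Event:
    event_type: str        # e.g. "Create", "Start"
    instigator: Artifact   # artifact that initiates the action
    target: Artifact       # artifact that is acted on

TEMP_DIRS = {"temp", "tmp"}  # assumed heuristic for "resides in a temporary directory"

def is_temp_path(path: str) -> bool:
    """True if any parent directory of a Windows path is named Temp or tmp."""
    parents = PureWindowsPath(path).parts[:-1]
    return any(p.lower() in TEMP_DIRS for p in parents)

# A rule is (reason, predicate on the target artifact). No single facet is
# conclusive on its own; the event is flagged only when every rule holds.
Rule = tuple[str, Callable[[Artifact], bool]]

EXPLORER_MASQUERADE: list[Rule] = [
    ("file name is explorer.exe",
     lambda a: PureWindowsPath(a.facets.get("path", "")).name.lower() == "explorer.exe"),
    ("not signed by Microsoft", lambda a: a.facets.get("signer") != "Microsoft"),
    ("resides in a temporary directory", lambda a: is_temp_path(a.facets.get("path", ""))),
]

def correlate(event: Event, rules: list[Rule]) -> list[str]:
    """Return the matched reasons when all facet rules hold for a File target, else []."""
    if event.target.kind != "File":
        return []
    matched = [reason for reason, pred in rules if pred(event.target)]
    return matched if len(matched) == len(rules) else []

# Constructed sample events (not real telemetry).
LEGIT = Event("Start", Artifact("Process", {"name": "userinit.exe"}),
              Artifact("File", {"path": r"C:\Windows\explorer.exe", "signer": "Microsoft"}))
STAGED = Event("Create", Artifact("Process", {"name": "powershell.exe"}),
               Artifact("File", {"path": r"C:\Users\bob\AppData\Local\Temp\explorer.exe",
                                 "signer": None}))

if __name__ == "__main__":
    for ev in (LEGIT, STAGED):
        print(ev.event_type, ev.target.facets["path"], "->",
              correlate(ev, EXPLORER_MASQUERADE) or "benign")
```

The same `correlate` function accepts any list of facet rules, so other combinations (for example, an unsigned binary written by a scripting host) can be expressed without changing the event model.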
Aurora Focus uses the following artifacts and facets:
| Artifact | Facets |
|---|---|
| API Call | |
| DNS | |
| Event | |
| File | |
| Network | |
| PowerShell trace | |
| Process | |
| Registry | |
| Users | User artifacts can contain any of the following values; however, the data is not available on most devices: |
| Windows event | |
| WMI trace | |
Registry keys and values
Aurora Focus monitors common persistence, process startup, and privilege escalation keys and values as well as the values shown in KB 42221237570843.
To learn more about how Aurora Focus monitors persistence points in the registry, see KB 42221282185883.