Default Aurora Endpoint Security tenant settings

When you create a new Aurora Endpoint Security tenant from the Arctic Wolf Unified Portal, it includes preconfigured zones and device policies to help you tune your environment.

New Aurora Endpoint Security tenants have these default settings:

Default zones

| Default zone | Assigned device policy | Preconfigured zone rules |
|---|---|---|
| Windows Zone | Stage 1 | Automatic zone assignment to move all new Windows devices into this zone. |
| Mac Zone | Stage 1 | Automatic zone assignment to move all new macOS devices into this zone. |
| Linux Zone | Stage 1 | Automatic zone assignment to move all new Linux devices into this zone. |

Default device policies

| Device policy setting | Stage 1 policy | Stage 2 policy | Stage 3 policy |
|---|---|---|---|
| **File Actions** | | | |
| Auto Quarantine with Execution Control: Unsafe | Off | On | On |
| Auto Quarantine with Execution Control: Abnormal | Off | Off | On |
| Enable auto-delete for quarantined files | Off | On | On |
| Auto Upload: Executable | On | On | On |
| **Memory Actions** | | | |
| Memory Protection | Off | On | On |
| Exploitation: Stack Pivot | Off | Ignore | Ignore |
| Exploitation: Stack Protect | Off | Ignore | Ignore |
| Exploitation: Overwrite Code | Off | Ignore | Ignore |
| Exploitation: RAM Scraping | Off | Alert | Block |
| Exploitation: Malicious Payload | Off | Ignore | Ignore |
| Exploitation: System Call Monitoring | Off | Ignore | Ignore |
| Exploitation: Direct System Calls | Off | Ignore | Ignore |
| Exploitation: System DLL Overwrite | Off | Ignore | Ignore |
| Exploitation: Dangerous COM Object | Off | Ignore | Ignore |
| Exploitation: Injection via APC | Off | Ignore | Ignore |
| Exploitation: Dangerous VBA Macro | Off | Ignore | Ignore |
| Process Injection: Remote Allocation of Memory | Off | Alert | Block |
| Process Injection: Remote Mapping of Memory | Off | Alert | Block |
| Process Injection: Remote Write to Memory | Off | Alert | Block |
| Process Injection: Remote Write PE to Memory | Off | Alert | Block |
| Process Injection: Remote Overwrite Code | Off | Ignore | Ignore |
| Process Injection: Remote Unmap of Memory | Off | Ignore | Ignore |
| Process Injection: Remote Thread Creation | Off | Ignore | Ignore |
| Process Injection: Remote APC Scheduled | Off | Ignore | Ignore |
| Process Injection: DYLD Injection | Off | Ignore | Ignore |
| Process Injection: Doppelganger | Off | Ignore | Ignore |
| Process Injection: Dangerous Environmental Variable | Off | Ignore | Ignore |
| Escalation: LSASS Read | Off | Alert | Block |
| Escalation: Zero Allocate | Off | Alert | Block |
| Escalation: Memory Permission Changes In Other Processes | Off | Ignore | Ignore |
| Escalation: Memory Permission Changes In Child Processes | Off | Ignore | Ignore |
| Escalation: Stolen System Token | Off | Ignore | Ignore |
| Escalation: Low Integrity Process Start | Off | Ignore | Ignore |
| **Protection Settings** | | | |
| Prevent service shutdown from device | On | On | On |
| Kill unsafe running processes and their sub processes | Off | Off | Off |
| Background Threat Detection | On | On | On |
| Background Threat Detection: Run setting | Recurring | Recurring | Recurring |
| Background Threat Detection: Days | 10 | 10 | 10 |
| Watch For New Files | On | On | On |
| Watch For New Files: MB | 150 | 150 | 150 |
| Exclude Specific Folders | Off | Off | Off |
| Copy File Samples | Off | Off | Off |
| **Focus Settings** | | | |
| Focus | Off | Off | Off |
| Desktop notifications | Off | Off | Off |
| Detection settings | None | None | None |
| **Application Control** | | | |
| Application Control | Off | Off | Off |
| **Agent Settings** | | | |
| Enable auto-upload of log files | Off | Off | Off |
| Enable Desktop Notifications | Off | Off | Off |
| Enable Software Inventory | On | On | On |
| **Script Control** | | | |
| Script Control | Off | On | On |
| Active Script | Off | Alert | Block Unsafe |
| PowerShell Script | Off | Alert | Block Unsafe |
| PowerShell Console | Off | Disabled | Disabled |
| Macros | Off | Disabled | Disabled |
| Python | Off | Disabled | Disabled |
| .NET DLR | Off | Disabled | Disabled |
| XLM Macros | Off | Disabled | Disabled |
| Advanced: Score All Scripts | Off | On | On |
| Advanced: Upload Script to Cloud | Off | On | On |
| Advanced: Alert On Suspicious Scripts Execution Only | Off | On | On |
| **Device Control** | | | |
| Windows Device Control | On | On | On |
| Android | Full Access | Full Access | Full Access |
| iOS | Full Access | Full Access | Full Access |
| Still Image | Full Access | Full Access | Full Access |
| USB CD DVD RW | Full Access | Full Access | Full Access |
| USB Drive | Full Access | Full Access | Full Access |
| VMWare USB Passthrough | Full Access | Full Access | Full Access |
| Windows Portable Device | Full Access | Full Access | Full Access |