Configuring the Aurora Focus Behavioral Detection Engine
The Behavioral Detection Engine is the new data collection and analysis engine that both powers and significantly enhances the capabilities of the Aurora Focus agent on your organization’s devices.
| Item | Description |
|---|---|
| MITRE ATT&CK framework | The Behavioral Detection Engine leverages the proven tactics and techniques of the MITRE ATT&CK framework as the foundation for analyzing and interpreting data to detect cyber threats. In operationalizing the MITRE ATT&CK framework, the Behavioral Detection Engine benefits from the latest cybersecurity knowledge sources and methods to keep your organization’s data and resources safe. When you configure a behavioral detection policy, you have direct and customizable control over a wide range of MITRE techniques that will operate on Aurora Focus devices. |
| Enhanced data collection and processing | The Behavioral Detection Engine retains the primary function of defining the data that the Aurora Focus agent will collect, the events that the agent will detect and generate alerts for, and the automated responses that the agent will carry out for specific detections. The Behavioral Detection Engine adds new, transformative capabilities to Aurora Focus: |
| Easier to tune and customize your configuration | The Behavioral Detection Engine offers easier methods to customize threat detection and response: |
| Easier to create exceptions | It is now easier to create exceptions for certain types of detections that you want the Behavioral Detection Engine to disregard. The Behavioral Detection Engine will not collect or use telemetry data, or generate alerts, for detections that match the exception criteria that you specify. You can use existing alerts to create a new exception, prepopulating it with details from those alerts, or you can use a new, intuitive interface to create exceptions. You can also choose whether the exception applies to specific devices, specific zones, or the entire Aurora Endpoint Security tenant. |
| New methods to evaluate alerts and hunt for threats | You can use the Alerts view in the Endpoint Defense console to review and investigate the alerts generated by the Behavioral Detection Engine, and you can use the advanced query feature to search for specific detections. Both interfaces make it easier to locate and obtain useful data about the alerts generated by the Behavioral Detection Engine. |
| Automatic updates to MITRE techniques | Arctic Wolf Endpoint Defense can deploy dynamic updates to the MITRE techniques that power the Behavioral Detection Engine. This replaces the previous method of manually obtaining and adding new detection rule packages to the console. Seamless automatic updates ensure that your environment benefits from the latest detection rules while also preserving business continuity. You must manually accept new detection rules before the Aurora Focus agent can carry out automated responses to the associated detections, ensuring that updates do not disrupt your workforce. New detection rules operate in Alert-only mode until you approve them. Updated detection rules that were previously approved continue to perform automated responses if those responses were configured. |
The Behavioral Detection Engine is compatible with all versions of the Aurora Focus agent that the Endpoint Defense console supports, but its data collection and analysis capabilities work best with agent versions 3.3 and later.
If the Aurora Focus agent is already installed on devices in your organization’s environment, follow the instructions in Transition Aurora Focus devices from detection rule sets to the Behavioral Detection Engine. For new deployments of the Aurora Focus agent, follow the instructions in Create a behavioral detection policy.
Once the Aurora Focus agent on devices is using the Behavioral Detection Engine, you can monitor detections and alerts over time and customize the configuration to meet your organization’s needs.