How Aurora Focus collects and uses data

For complete information about this product, see the Aurora Endpoint Security docs.

Item / Data collection and use

Customer administration information

Arctic Wolf collects the following customer administration data to deliver customer support:

  • First name
  • Last name
  • Email address
  • Phone number

Collecting data to detect and respond to threats

  • Aurora Focus is an endpoint detection and response solution that collects and analyzes forensic data from devices to identify and resolve threats before they impact your organization’s users and data.
  • You enable a Windows, macOS, or Linux device for Aurora Focus by installing the Aurora Focus agent alongside the Aurora Protect Desktop agent. The Aurora Focus agent deploys sensors into the OS at various levels and subsystems to monitor and collect a diverse set of data that is aggregated and stored in the Aurora Focus cloud database.
  • You can leverage Aurora Focus data in several ways to protect your organization’s environment:
    • You can query device data to investigate security incidents and discover indicators of compromise.
    • You can view visual representations of device data to analyze a chain of events.
    • You can enable detection rules to specify the events that you want Aurora Focus to monitor and how you want Aurora Focus to respond to those events when they are detected.
  • The Aurora Focus agent sends the device data that it collects to the Aurora Focus cloud services. The data is aggregated and stored in the secure Aurora Focus cloud database. The Aurora Focus data analytics services offer rich interpretations of device data that you can access using the management console. For devices with agent version 2.x and earlier, the Aurora Focus database is stored locally on the device. Version 3.0 and later automatically aggregates, stores, compresses, and sends the data to the Aurora Focus cloud database at regular intervals.
  • Aurora Focus also offers features that enhance your ability to respond to potential threats. You can deploy packages that remotely and securely run processes to collect and store desired data, you can lock down devices temporarily to prevent the spread of malware, and you can use remote response sessions to execute device commands.

Collection of endpoint configuration data

Arctic Wolf collects the following information about the configuration of a device endpoint to assess the impact of potentially malicious activity on customer endpoints:
  • Hostname
  • FQDN
  • IP addresses
  • MAC addresses
  • OS information

Collection of endpoint process artifacts

Arctic Wolf collects the following information about endpoint process artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Name
  • ID
  • Image file path
  • Owner
  • Command line parameters
  • Description
  • Start/end date and time
  • Parent process
  • Process attributes

Collection of endpoint file artifacts

Arctic Wolf collects the following information about endpoint file artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Path
  • Creation and last modified date and time
  • Owner
  • File hash (MD5 & SHA-256)
  • Alternate data stream information
  • File attributes
  • File type

Collection of endpoint user artifacts

Arctic Wolf collects the following information about endpoint user artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Username
  • Username unique ID
  • Domain
  • Local group memberships
  • User privileges
  • Home directory path
  • Full name
  • Account status
  • Password age
  • Password status
  • Country code
  • Account type
  • Assigned workstations
  • Failed login attempts
  • Roaming configuration

Collection of endpoint registry artifacts (Windows OS only)

Arctic Wolf collects and processes the following information about endpoint registry artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • Key path
  • Key values
  • Referenced file

Collection of endpoint network artifacts

Arctic Wolf collects and processes the following information about endpoint network artifacts to assess the impact of potentially malicious activity on customer endpoints:
  • DNS activity
  • Source and destination IP address
  • Source and destination port

Collection of endpoint event data

Arctic Wolf collects and processes the following information about endpoint event data to assess the impact of potentially malicious activity on customer endpoints:
  • File hash (MD5/SHA-256)
  • File read events
  • Logon activity
  • Windows event logs
  • All WMI events (for example, trace)
  • Removable media insertion events
  • Removable media file copy events
  • Script execution events (JScript, VBScript, VBA macro script, PowerShell)
  • Name of the user most recently logged in
  • PowerShell strings (for example, log/pass)
  • Aurora Protect Desktop events (threat protection, memory defense, script control)

Detections data

Arctic Wolf collects the following information on detection data to manage the resolution of detected events:
  • Alert details
  • Status
  • Date and time
  • Assigned user

Customer administrative login activity

Arctic Wolf collects and processes login activity from administrators or operators of a customer's tenant (including date and time, the user's unique identifier, status, and account name) to manage authentication auditing and risk management.

Data storage

  • Arctic Wolf uses the data described above to facilitate the performance of the EULA under which Arctic Wolf’s services and products are offered. The data is shared only with necessary third-party services that are needed to fulfill the intended purpose of the services.
  • Arctic Wolf will not sell, lease, or otherwise distribute this information.
  • In Aurora Focus agent 3.0 and later, the data that is collected by the Aurora Focus sensors is cached locally before it is sent to the cloud database. If the device is offline, the data is cached until the device can connect to the cloud database. A maximum of 1 GB of data can be stored locally. If more than 1 GB of data is stored before it can be uploaded, the lowest priority data will be deleted so that higher priority data can be cached.
  • The endpoint data that is collected is stored in one of the following subprocessors:
    • Amazon Web Services: Asia Pacific (Australia, Japan), Europe (Germany), North America (United States), South America (Brazil).
    • Databricks: Asia Pacific (Australia, Japan), Europe (Germany), North America (United States).
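The offline caching behaviour described above (a capped local store where the lowest-priority data is discarded first when the cap is exceeded) is worth understanding as a potential telemetry-loss point during long outages. The following is an added illustration written for this page, not Arctic Wolf's agent code. It assumes a numeric priority where a higher number means higher priority, uses a small constructed capacity in place of the product's 1 GB cap, and uses constructed record kinds, sizes and payloads.

```python
"""Illustrative bounded offline cache with priority-based eviction.

Added example, not Aurora Focus code. Models the documented behaviour: records
are cached while the device is offline, the cache is capped, and when the cap
is exceeded the lowest-priority records are dropped so higher-priority data
survives. Priority convention (higher number = more important), capacity and
sample records are assumptions made for this example.
"""
from dataclasses import dataclass, field
from itertools import count
import heapq


@dataclass(order=True)
class CachedRecord:
    priority: int                       # ordering key: lowest priority evicted first
    seq: int                            # insertion order: among equals, oldest evicted first
    size: int = field(compare=False)    # bytes counted against the cap
    kind: str = field(compare=False)    # constructed label, e.g. "dns" or "detection"
    payload: bytes = field(compare=False)


class OfflineCache:
    """Bounded store that evicts the lowest-priority record when full."""

    def __init__(self, capacity_bytes: int) -> None:
        self.capacity = capacity_bytes
        self.used = 0
        self._heap: list[CachedRecord] = []   # min-heap on (priority, seq)
        self._seq = count()
        self.evicted: list[str] = []          # kinds of dropped records, for auditing

    def add(self, kind: str, priority: int, payload: bytes) -> CachedRecord:
        rec = CachedRecord(priority, next(self._seq), len(payload), kind, payload)
        if rec.size > self.capacity:
            raise ValueError("record larger than the entire cache")
        heapq.heappush(self._heap, rec)
        self.used += rec.size
        # Evict until back under the cap; the heap root is the lowest-priority,
        # oldest record, so a new low-priority record can itself be the victim.
        while self.used > self.capacity:
            victim = heapq.heappop(self._heap)
            self.used -= victim.size
            self.evicted.append(victim.kind)
        return rec

    def flush(self) -> list[CachedRecord]:
        """Simulate reconnecting: drain the cache, highest priority first."""
        records = sorted(self._heap, key=lambda r: (-r.priority, r.seq))
        self._heap.clear()
        self.used = 0
        return records


def simulate_offline_burst(capacity: int = 64) -> OfflineCache:
    """Constructed outage: five 20-byte records arrive while only 64 bytes fit."""
    cache = OfflineCache(capacity)
    cache.add("dns", 1, b"A" * 20)        # lowest priority (assumed)
    cache.add("process", 2, b"B" * 20)
    cache.add("detection", 3, b"C" * 20)  # highest priority (assumed)
    cache.add("dns", 1, b"D" * 20)        # 80 > 64: oldest dns record is dropped
    cache.add("detection", 3, b"E" * 20)  # 80 > 64: remaining dns record is dropped
    return cache


if __name__ == "__main__":
    c = simulate_offline_burst()
    print("evicted:", c.evicted)                      # ['dns', 'dns']
    print("uploaded:", [r.kind for r in c.flush()])   # ['detection', 'detection', 'process']
```

The point for a defender: during an extended offline period, low-priority artifacts such as DNS activity are the first to disappear, while detections and process events survive. Anyone building timelines from Aurora Focus data should treat gaps in low-priority telemetry from offline periods as possible eviction rather than as evidence of inactivity.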

Data retention

Personal data processed / Data retention period

Customer administrator information

Personal data may be deleted upon request.

Endpoint configuration data

Data is removed 30 days after the end of the contract.

Endpoint artifacts and event data

Data is stored in the cloud and is accessible for 30 days by default. The customer can increase the data retention timeframe by purchasing a longer storage duration.

Backup data is stored for up to 15 months or 30 days after the end of contract, whichever is less.

Alert data

Data is stored in the cloud and accessible for 37 days. The customer can increase the data retention timeframe by purchasing a longer storage duration.

Detections data

Data is stored in the cloud and accessible for 30 days. The customer can increase the data retention timeframe by purchasing a longer storage duration.

Backup data is stored for up to 15 months or 30 days after the end of contract, whichever is less.

Focus view data

Data is stored for 30 days.

InstaQuery results data

Data is stored in the cloud and accessible for 60 days. The customer can increase the data retention timeframe by purchasing a longer storage duration.

Remote response transaction log

Data is stored for 30 days.

Customer administrative login activity

Data is stored for 1 year.