Approve updates to the Behavioral Detection Engine

Arctic Wolf Endpoint Defense can deploy dynamic updates to the MITRE techniques that power the Behavioral Detection Engine. When new or updated detection rules are deployed to your organization’s Aurora Endpoint Defense tenant, they are automatically added to the MITRE techniques in behavioral detection policies and sent to the Aurora Focus agent on devices, and they observe your existing configuration of the MITRE techniques in each policy.

New detection rules operate in Alert only mode to monitor, collect, use, and analyze telemetry data and generate alerts. The agent does not perform any automated responses configured for the technique under the new rules until you manually approve them in the management console.

Updated detection rules for techniques that already have automated responses configured continue to be enforced according to the update, without you manually accepting them. Such rule updates are presented for informational purposes, and accepting them serves as acknowledgment only.

Automatic updates to the Behavioral Detection Engine do not change the behavior of an Aurora Focus sensor. Sensor changes can be delivered only in new releases of the Aurora Focus agent. Automatic updates to the Behavioral Detection Engine and MITRE techniques can change only how telemetry data is analyzed, used, and interpreted to more accurately detect and isolate potential threats. The manual acceptance mechanism ensures that automatic updates do not disrupt business operations, as automated responses cannot be executed by the agent until you manually review and accept the new detection rules.
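The two gating rules above (a new rule is alert-only until accepted; an updated rule keeps enforcing responses already configured, with acceptance as acknowledgment only) are easy to misread, so here is a small model that encodes them. This is an added example, not Arctic Wolf or Aurora code; the class names, method names and technique identifiers are assumptions constructed for illustration, and the model only tracks the effective mode per technique.

```python
"""Model of how Behavioral Detection Engine rule updates are gated.

Added example (not Arctic Wolf / Aurora code). Names are assumptions.
Semantics encoded from the page:
  - a NEW rule runs alert-only until an admin accepts it in the console,
    even if automated responses are configured for the technique;
  - an UPDATED rule for a technique that already has automated responses
    configured keeps enforcing them immediately; accepting the update
    is acknowledgment only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class TechniqueState:
    technique_id: str
    rule_version: int
    responses_configured: bool = False    # admin's policy setting for the technique
    awaiting_approval: bool = False       # new rule: blocks responses until accepted
    pending_acknowledgment: bool = False  # updated rule: informational only


class BehavioralDetectionPolicy:
    """Per-tenant policy state as seen by the agent (simplified model)."""

    def __init__(self) -> None:
        self.techniques: Dict[str, TechniqueState] = {}

    def configure_responses(self, technique_id: str, enabled: bool) -> None:
        # The admin's configuration is kept even while a new rule is gated.
        self.techniques[technique_id].responses_configured = enabled

    def apply_engine_update(self, technique_id: str, version: int) -> str:
        """Simulate a dynamic update arriving from the vendor."""
        state = self.techniques.get(technique_id)
        if state is None:
            # New rule: added to the policy, but responses stay gated.
            self.techniques[technique_id] = TechniqueState(
                technique_id, version, awaiting_approval=True)
            return "new"
        if version <= state.rule_version:
            return "ignored"          # stale or duplicate delivery
        state.rule_version = version  # updated rule: enforced immediately
        state.pending_acknowledgment = True
        return "updated"

    def pending_updates(self) -> List[str]:
        """Technique ids that the console would list under View and Accept."""
        return sorted(t for t, s in self.techniques.items()
                      if s.awaiting_approval or s.pending_acknowledgment)

    def accept(self, technique_id: str) -> None:
        state = self.techniques[technique_id]
        state.awaiting_approval = False
        state.pending_acknowledgment = False

    def accept_all(self) -> None:
        for technique_id in self.pending_updates():
            self.accept(technique_id)

    def effective_mode(self, technique_id: str) -> str:
        state = self.techniques[technique_id]
        if state.responses_configured and not state.awaiting_approval:
            return "alert_and_respond"
        return "alert_only"

    def handle_detection(self, technique_id: str) -> dict:
        """What the agent does when telemetry matches this technique."""
        mode = self.effective_mode(technique_id)
        return {"technique": technique_id,
                "alert": True,  # alerts are always generated
                "response_executed": mode == "alert_and_respond"}


if __name__ == "__main__":
    policy = BehavioralDetectionPolicy()
    policy.apply_engine_update("technique-A", 1)      # constructed id
    policy.configure_responses("technique-A", True)
    print(policy.handle_detection("technique-A"))     # gated: no response
    policy.accept("technique-A")
    print(policy.handle_detection("technique-A"))     # now responds
    policy.apply_engine_update("technique-A", 2)      # update: still responds
    print(policy.pending_updates(), policy.effective_mode("technique-A"))
```

The point of the model is that `responses_configured` and `awaiting_approval` are separate flags: an update never rewrites the administrator's configuration, and a new rule cannot trigger a response until the console approval clears `awaiting_approval`.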

  1. In the management console, on the menu bar, click Focus > Behavioral Detection Engine.
  2. If updates to detection techniques are available, a notification appears at the top of the screen. Click View and Accept.
  3. Review the list of detection technique updates.
  4. Do any of the following:
    1. To accept an individual update and enable automated responses for any associated detections, click Accept for that update.
    2. To accept all updates and enable automated responses for all associated detections, click Accept All.
  5. Review and change the configuration of MITRE techniques in behavioral detection policies as required.