Create a behavioral detection policy
When you create a behavioral detection policy, every MITRE technique within the policy has a default configuration that is designed to collect useful data and generate meaningful observations and alerts. You can customize and tune the configuration of the policy to suit your organization’s security posture and needs.
- In the management console, on the menu bar, click Focus > Behavioral Detection Engine.
- Click Add a Detection Configuration.
- Specify a name and description for the policy.
- In the Minimum severity to alert drop-down list, select the level of detections that the Aurora Focus agent will generate alerts for. For any detections with a severity lower than the selected level, the agent can collect and analyze data but will not generate alerts in the console.
For example, if you select a level of Medium and above, the agent will generate alerts for detections with a severity level of medium or high. Detections with a severity level of info or low will not generate alerts.
- In the Detection notification message field, specify the message that you want the agent to display to the device user when a detection meets the selected severity level.
- Click Add.
- Do one of the following:
- If you want to associate the behavioral detection policy with a device policy later, after you have configured the policy, click Not Now.
- If you want to associate the behavioral detection policy with a device policy now, click Yes. Click Assign Device Policy, select one or more device policies and an operating mode, and click Assign.
- On the Behavioral Detection Policies tab, click the policy that you created.
The view is organized by categories of MITRE tactics (for example, Initial Access, Execution, Persistence, and so on). Under each MITRE tactic category are cards representing MITRE techniques. Each card provides the following information at a glance:
- Icons indicate whether alerts, observations, and notifications are enabled for the technique.
- A color-coded Rules section indicates how many rules are included in the technique for each severity level. The red number represents high severity rules, orange represents medium, yellow represents low, and blue represents info.
- The number next to the lightning icon indicates the number of automated responses that are configured for that technique, and a color-coded label (high, medium, low, info) indicates the minimum severity level that must be met for those responses to be executed.
When you click the card for a MITRE technique, a fly-out panel provides details about the technique and its detection rules, a list of associated MITRE sub-techniques, links to MITRE resources for more information, and the configuration settings for the technique.
- On the Detection and Response tab, do any of the following:
Task: Search for a MITRE technique
Steps: In the search field, type the name of a MITRE technique or sub-technique. The techniques that match the search term are displayed.

Task: Filter the list of MITRE techniques
Steps: In the left pane, select the desired filter criteria. The techniques that match the filter criteria are displayed.

Task: Review or change the configuration of a MITRE technique
Steps:
By default, for all MITRE techniques, alerts and observations are enabled and automated responses are not configured. Monitor and fine-tune the configuration of the behavioral detection policy before you configure automated responses.
- Click the card for a MITRE technique.
- Configure any of the following:
- Enable detection alerts: Enable if you want Aurora Focus to collect telemetry data and generate alerts in the management console for detections that meet the minimum severity level for the policy.
- Enable observations: Enable if you want Aurora Focus to collect, interpret, and analyze telemetry data for all detections, regardless of whether detections meet the minimum severity level for the policy, and regardless of the alert configuration.
If you turn on Enable detection alerts and turn off Enable observations, Aurora Focus will collect and analyze telemetry data and generate alerts only for detections that meet the minimum severity for the policy. If you turn off Enable detection alerts and you turn on Enable observations, Aurora Focus will collect and analyze telemetry data for all detections but will not generate any alerts.
- Automated response: Select the minimum severity level that must be met for detections to trigger an automated response by the agent. Click Add > Remediate action to select one or more automated responses that you want the agent to execute.
Each type of automated response only applies to certain detection types. For more information, see Automated responses by detection type.
- If you want to assign the behavioral detection policy to a device policy at this point, complete the following steps. When you assign the behavioral detection policy to a device policy, if the detection engine source in the device policy was previously set to Detection rule set or None, it is changed to BDE policy automatically. Devices transition to the Behavioral Detection Engine when they receive the updated device policy.
- On the Assigned Device Policies tab, click Assign Device Policy.
- In the Device policy drop-down list, select one or more device policies that you want to assign the behavioral detection policy to.
- If you do not want the agent to execute automated responses, select Alert only.
- If you want the agent to execute automated responses, click Full enforcement.
- Click Assign.
- Click Save.
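The settings configured in the steps above interact: the policy's minimum alert severity, each technique's Enable detection alerts and Enable observations toggles, the technique's automated-response severity, and the device policy's Alert only or Full enforcement mode together decide what the agent collects, alerts on, and remediates. The following Python block is an added illustration written for this page, not Aurora Focus code; it models the documented behaviour as a single decision function. It assumes the severity ordering info < low < medium < high, that a technique with both alerts and observations disabled collects no telemetry, and that automated responses depend only on their own severity threshold and the operating mode, not on the alert toggle. The technique ID and response name are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Severity(IntEnum):
    """Severity levels ordered low to high (assumed ordering: info < low < medium < high)."""
    INFO = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class TechniqueConfig:
    """Per-technique settings from the fly-out panel. Defaults match the documented
    defaults: alerts and observations on, no automated responses configured."""
    alerts_enabled: bool = True
    observations_enabled: bool = True
    response_min_severity: Optional[Severity] = None   # None: no automated responses
    responses: Tuple[str, ...] = ()                    # e.g. ("terminate_process",)


@dataclass
class BehavioralDetectionPolicy:
    """The policy-level 'Minimum severity to alert' plus per-technique overrides."""
    min_alert_severity: Severity
    techniques: Dict[str, TechniqueConfig] = field(default_factory=dict)


@dataclass(frozen=True)
class Outcome:
    collect_telemetry: bool          # agent collects and analyzes data for this detection
    alert: bool                      # an alert appears in the management console
    responses: Tuple[str, ...]       # automated responses the agent executes


def evaluate(policy: BehavioralDetectionPolicy, technique_id: str,
             severity: Severity, operating_mode: str) -> Outcome:
    """Decide how the agent treats one detection of `technique_id` at `severity`.

    operating_mode is the device-policy assignment mode: "Alert only" or "Full enforcement".
    """
    cfg = policy.techniques.get(technique_id, TechniqueConfig())

    # Alerts require the technique's alert toggle AND the policy-wide severity threshold.
    meets_alert_threshold = severity >= policy.min_alert_severity
    alert = cfg.alerts_enabled and meets_alert_threshold

    # Observations collect data for every detection regardless of threshold; with
    # observations off, data is collected only for detections that will alert.
    # Assumption: both toggles off means nothing is collected for this technique.
    collect = cfg.observations_enabled or alert

    # Automated responses run only under Full enforcement, only when responses are
    # configured, and only when the technique's response threshold is met.
    responses: Tuple[str, ...] = ()
    if (operating_mode == "Full enforcement"
            and cfg.response_min_severity is not None
            and cfg.responses
            and severity >= cfg.response_min_severity):
        responses = cfg.responses

    return Outcome(collect, alert, responses)


def example_policy() -> BehavioralDetectionPolicy:
    """Constructed sample: alert on Medium and above; one technique (T1059, a real MITRE
    ATT&CK technique ID used here purely as a sample) with a High-only remediation."""
    return BehavioralDetectionPolicy(
        min_alert_severity=Severity.MEDIUM,
        techniques={
            "T1059": TechniqueConfig(
                alerts_enabled=True,
                observations_enabled=True,
                response_min_severity=Severity.HIGH,
                responses=("terminate_process",),   # constructed response name
            ),
            # Observation-only technique: data is collected, but it never alerts.
            "T1053": TechniqueConfig(alerts_enabled=False, observations_enabled=True),
        },
    )


if __name__ == "__main__":
    pol = example_policy()
    for sev in Severity:
        print("T1059", sev.name, evaluate(pol, "T1059", sev, "Full enforcement"))
    print("T1059 HIGH under Alert only:", evaluate(pol, "T1059", Severity.HIGH, "Alert only"))
    print("T1053 HIGH:", evaluate(pol, "T1053", Severity.HIGH, "Full enforcement"))
```

Running the block walks every severity through the sample policy and shows the three distinct outcomes: a Low detection is observed but not alerted, a Medium detection alerts without remediation, and a High detection alerts and remediates, but only when the device policy is assigned with Full enforcement. Keeping this logic explicit is useful when tuning: it makes clear that switching Enable observations off for a technique silences its sub-threshold telemetry, and that Alert only suppresses remediation without touching alerting.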