Behavioral detection policies
In the Endpoint Defense console, behavioral detection policies are in the Aurora Focus > Behavioral Detection Engine menu, in the Behavioral Detection Policies tab.
The BDE policy defines which MITRE detections to apply to devices, which severity level to alert on, and when to apply automated responses. Every tenant has a default policy in which all MITRE detections are enabled with both the Alerts and Observations features. The default policy is configured with an alert threshold of Medium and above.
Alert thresholding is a new concept introduced with BDE. It allows easy suppression of alerts that are below a chosen level of severity: only alerts at or above the threshold are displayed in the Alerts screen and delivered through external interfaces such as syslog or the public API. Note that this applies to downstream consumers as well: a SIEM fed by syslog or the public API receives only alerts at or above the threshold, so choose the threshold with those consumers in mind. To ensure there is no loss of information fidelity, the BDE includes support for observations. When Observations are enabled, the BDE instructs the Aurora Focus agent (version 3.3 or later) to watch for all behaviors below the alert threshold, collect the data associated with them, collect any correlated elements along the attack chain, and add the appropriate MITRE TTP tagging to that collected data. Using Alert Thresholds and Observations together, the BDE can enforce policies with much less noise without missing important data that may be hiding in low-efficacy signals.
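The following Python model is an added illustration of how thresholding and observations split a detection stream; it is not Aurora Focus or BDE code and does not use the product's API. The severity ranking, the chain_id correlation field, the agent version check, and all sample detections are constructed assumptions made only to show the behavior: above-threshold detections become alerts (the only items the external feed carries), below-threshold detections become observations when the feature is on and the agent is 3.3 or later, and an alert's attack chain can still be reassembled from those observations.

```python
"""Illustrative model of BDE alert thresholding and observations (not vendor code)."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed severity ranking; the page itself only names "Medium and above".
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
MIN_OBSERVATION_AGENT = (3, 3)  # observations require agent version 3.3 or later


@dataclass(frozen=True)
class Detection:
    event_id: str
    severity: str
    technique: str   # MITRE ATT&CK technique ID (constructed sample values below)
    chain_id: str    # hypothetical correlation key linking events of one attack chain
    summary: str


@dataclass(frozen=True)
class Policy:
    alert_threshold: str = "medium"     # default policy: Medium and above
    observations_enabled: bool = True   # default policy: Observations on
    agent_version: str = "3.3"          # assumed field for the agent-version check


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def meets_threshold(severity: str, threshold: str) -> bool:
    return SEVERITY_RANK[severity.lower()] >= SEVERITY_RANK[threshold.lower()]


def observations_active(policy: Policy) -> bool:
    # Observations need both the policy switch and a capable agent.
    return policy.observations_enabled and parse_version(policy.agent_version) >= MIN_OBSERVATION_AGENT


def apply_policy(policy: Policy, detections: Iterable[Detection]):
    """Route each detection to alerts, observations, or nothing (dropped)."""
    alerts: List[Detection] = []
    observations: List[Detection] = []
    dropped: List[Detection] = []
    keep_observations = observations_active(policy)
    for det in detections:
        if meets_threshold(det.severity, policy.alert_threshold):
            alerts.append(det)
        elif keep_observations:
            observations.append(det)
        else:
            dropped.append(det)
    return alerts, observations, dropped


def external_feed(alerts: List[Detection]) -> List[str]:
    """What syslog or public API consumers receive: alerts only, never observations."""
    return [a.event_id for a in alerts]


def attack_chain(alert: Detection, alerts: List[Detection], observations: List[Detection]) -> List[Detection]:
    """Reassemble the alert's chain from alerts and retained observations."""
    pool = alerts + observations
    # Sample event IDs are assigned in time order, so sorting by ID restores sequence.
    return sorted((d for d in pool if d.chain_id == alert.chain_id), key=lambda d: d.event_id)


def ids(detections: Iterable[Detection]) -> List[str]:
    return [d.event_id for d in detections]


# Constructed sample stream: chain A is a phishing-to-credential-theft sequence,
# chain B is low-level discovery noise.
SAMPLE_DETECTIONS = [
    Detection("e1", "low", "T1566.001", "A", "phishing attachment opened"),
    Detection("e2", "low", "T1204.002", "A", "user executed attachment"),
    Detection("e3", "medium", "T1059.001", "A", "encoded PowerShell command"),
    Detection("e4", "high", "T1003.001", "A", "LSASS memory access"),
    Detection("e5", "low", "T1016", "B", "network configuration discovery"),
    Detection("e6", "informational", "T1082", "B", "system information discovery"),
]


if __name__ == "__main__":
    alerts, observations, dropped = apply_policy(Policy(), SAMPLE_DETECTIONS)
    print("alerts:", ids(alerts))
    print("observations:", ids(observations))
    print("external feed:", external_feed(alerts))
    for d in attack_chain(alerts[-1], alerts, observations):
        print(f"  {d.event_id} {d.severity:<13} {d.technique:<10} {d.summary}")
```

Running the model with the default policy yields alerts e3 and e4 and observations e1, e2, e5 and e6; the chain behind the LSASS alert still contains the two low-severity phishing and execution events. Turning Observations off, or running an agent older than 3.3, drops those four events entirely, which is the fidelity loss the feature is meant to prevent.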