Data flow: Detecting and responding to events and storing event data (Aurora Focus 3.x and later)
An administrator uses the management console to configure detection rules and assigns the rules to a device policy.
The Aurora Focus cloud services send the detection rules over a secure WebSocket connection to a device with the Aurora Focus agent. The rule data also includes the configured responses for each event (for example, log off all users, suspend processes, and so on).
The Aurora Focus agent loads the detection rules into its Context Analysis Engine (CAE), which it uses to analyze and correlate events.
The Aurora Focus sensors detect an event.
The CAE determines whether the event satisfies a detection rule. If it does, one of the following occurs:
If the Aurora Focus agent already has everything that the configured response requires, it executes the response locally on the device.
If the agent requires additional data to execute the response (for example, if the response requires a playbook package that the device does not have yet), the agent sends the detection data to the Aurora Focus cloud services over a secure WebSocket connection. The Aurora Focus cloud services process the detection and provide the data that the agent requires to execute the response.
The agent prioritizes and sends the event data to the Aurora Focus cloud services over a dedicated event channel using a secure TLS connection. The Aurora Focus cloud services receive and process the event data, storing it in the secure Aurora Focus cloud database.
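The agent-side part of this flow (rules pushed down, the CAE matching sensor events against them, a response that runs locally when the agent already has what it needs and otherwise requires a round trip to the cloud for a playbook package, and event reports queued by priority before they are sent) can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not Aurora Focus code and does not use any Aurora Focus API. The rule fields, response names, playbook identifiers and sensor events are all constructed for the example, and the WebSocket and TLS channels are replaced by direct method calls.

```python
"""Toy model of the agent-side detection-and-response flow described above.
Illustrative only: rule fields, response names, playbook ids and events are
constructed, and the cloud object stands in for the remote services."""
import heapq
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DetectionRule:
    """A detection rule as received from the cloud (hypothetical fields)."""
    rule_id: str
    conditions: tuple            # ((field, value), ...) that must all match the event
    response: str                # "suspend_process", "log_off_users" or "run_playbook"
    severity: int = 1            # higher severity is reported to the cloud first
    playbook: Optional[str] = None  # package needed when response == "run_playbook"


class CloudServices:
    """Stand-in for the cloud side: publishes rules, serves playbook packages,
    and stores event reports. Nothing here talks to a real service."""

    def __init__(self, playbooks):
        self.playbooks = dict(playbooks)   # playbook id -> package contents
        self.stored_events = []            # the "cloud database" for event data
        self.detections = []               # detections the agent asked for help with

    def push_rules(self, agent, rules):
        # rules, with their configured responses, go down to the agent
        agent.load_rules(rules)

    def process_detection(self, detection):
        # the agent lacks data for a response; return the package if published
        self.detections.append(detection)
        return self.playbooks.get(detection["playbook"])

    def receive_event(self, event):
        # event data arrives over the dedicated event channel and is stored
        self.stored_events.append(event)


class Agent:
    """Device-side agent with a minimal Context Analysis Engine."""

    def __init__(self, device_id, cloud):
        self.device_id = device_id
        self.cloud = cloud
        self.rules = []
        self.playbook_cache = {}           # packages already fetched from the cloud
        self._outbox = []                  # heap of (-severity, seq, report)
        self._seq = itertools.count()

    def load_rules(self, rules):
        self.rules = list(rules)

    @staticmethod
    def _matches(rule, event):
        return all(event.get(k) == v for k, v in rule.conditions)

    def _respond(self, rule, event):
        """Execute the rule's response; returns (executed, where the data came from)."""
        if rule.response != "run_playbook":
            return True, "local"           # agent already has what it needs
        if rule.playbook in self.playbook_cache:
            return True, "cache"
        package = self.cloud.process_detection(
            {"device": self.device_id, "rule": rule.rule_id,
             "playbook": rule.playbook, "event": event})
        if package is None:
            return False, "cloud"          # cloud could not supply the package
        self.playbook_cache[rule.playbook] = package
        return True, "cloud"

    def evaluate(self, event):
        """Match one sensor event against all rules, respond, and queue the reports."""
        reports = []
        for rule in self.rules:
            if not self._matches(rule, event):
                continue
            executed, source = self._respond(rule, event)
            report = {"device": self.device_id, "rule": rule.rule_id,
                      "response": rule.response, "executed": executed,
                      "source": source, "event": event}
            heapq.heappush(self._outbox, (-rule.severity, next(self._seq), report))
            reports.append(report)
        return reports

    def flush(self):
        """Send queued reports to the cloud, highest severity first."""
        sent = []
        while self._outbox:
            _, _, report = heapq.heappop(self._outbox)
            self.cloud.receive_event(report)
            sent.append(report)
        return sent


def demo():
    cloud = CloudServices({"pb-collect-logons": "collect-logon-history-v1"})
    agent = Agent("device-01", cloud)
    cloud.push_rules(agent, [
        DetectionRule("R1", (("process", "mimikatz.exe"),), "suspend_process", severity=3),
        DetectionRule("R2", (("event_type", "new_admin_user"),), "run_playbook",
                      severity=2, playbook="pb-collect-logons"),
        DetectionRule("R3", (("event_type", "usb_insert"),), "run_playbook",
                      severity=1, playbook="pb-unpublished"),
    ])
    events = [  # constructed sensor events, in arrival order
        {"event_type": "usb_insert", "volume": "E:"},
        {"event_type": "new_admin_user", "user": "svc_backup"},
        {"event_type": "process_start", "process": "mimikatz.exe"},
        {"event_type": "process_start", "process": "notepad.exe"},
        {"event_type": "new_admin_user", "user": "tmpadmin"},
    ]
    results = [agent.evaluate(e) for e in events]
    sent = agent.flush()
    return results, sent, cloud


if __name__ == "__main__":
    for report in demo()[1]:
        print(report["rule"], report["response"], report["executed"], report["source"])
```

Two points the model makes visible: a response the agent already holds (R1) runs with no network round trip, whereas a playbook response depends on the cloud answering the detection request, so R3 is matched and reported but not executed when no package is published, and the second R2 hit is served from the local cache. The outbox also shows why prioritization matters: the severity-3 report is sent before the earlier-queued low-severity ones.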
An administrator uses the management console to request detection data or to initiate an InstaQuery, advanced query, or focus view request. The management console interacts with the Aurora Focus cloud services using HTTP over TLS.
The Aurora Focus cloud services validate and process the request, retrieve the requested data from the Aurora Focus cloud database, and return the data to the management console.
The detection data, query result, or focus data is displayed in the management console.