Key features of Aurora Focus

Analyze Aurora Focus data

You can use the management console to query the device data collected by the Aurora Focus agent to investigate security incidents and discover indicators of compromise. When Aurora Focus identifies a file as a potential threat, you can retrieve the file from the device for further analysis.

InstaQuery lets you interrogate a set of devices about a specific type of forensic artifact, determining whether that artifact exists on the devices and how common it is. Advanced query is an evolution of InstaQuery that provides more granular search capabilities using EQL syntax, enhancing your ability to identify threats.

Visualize Aurora Focus data

You can use the following visualization features to assist your forensic analysis:
  • The InstaQuery facet breakdown provides an interactive visual display of the different facets involved in a query so that you can identify and follow their relational paths.
  • Focus data allows you to visualize and analyze the chain of events, and the associated artifacts and facets of those events, that resulted in a piece of malware or another security threat on a device.

Detect and respond to events

Aurora Focus uses the Context Analysis Engine (CAE) to analyze and correlate events as they occur on devices in near-real time. You can configure Aurora Focus to take automated response actions when the CAE identifies certain artifacts of interest (for example, display a notification or log off the current user), providing an additional layer of threat detection and prevention to complement the capabilities of Aurora Protect Desktop.

You can customize the detection capabilities of Aurora Focus to suit your organization's needs: create detection rule sets with your desired configuration of rules and responses, clone and modify existing detection rules or create your own custom rules, and create detection exceptions to exclude specific artifacts from detection.

Deploy packages to collect data

You can use the package deploy feature to remotely and securely run a process (for example, a Python script) on Aurora Focus devices to collect and store desired data in a specified location for further analysis. For example, you can run a process to collect browser data. You can use the Aurora Focus data collection packages that are available in the management console or you can create your own.

Lock devices to isolate threats

You can lock an infected or potentially infected device, disabling its LAN and Wi-Fi network capabilities to stop command and control activity, the exfiltration of data, or the lateral movement of malware. Various lockdown options are available to suit your organization's needs.

Send actions to devices

You can use the remote response feature to securely execute scripts and run commands on any Aurora Focus-enabled device directly from the management console, using a familiar command line interface.