Aurora Focus release notes

What's new in Aurora Focus (June 2025)

Feature

Description

Behavioral Detection Engine

The Behavioral Detection Engine is the new data collection and analysis engine that both powers and significantly enhances the capabilities of the Aurora Focus agent on your organization’s devices.

Previously, the Aurora Focus agent used detection rule sets to detect and respond to potential threats on devices. The Behavioral Detection Engine evolves the Aurora Focus threat detection and response mechanisms to make them easier to configure, more intuitive to use, and more expansive in their capabilities.

For more information, see Configuring the Aurora Focus Behavioral Detection Engine and Additional resources for BDE.

New Aurora Focus Windows agent

The Aurora Focus Agent for Windows version 3.4.x is now available in the management console.

  • The CylanceOPTICS agent is now known as Aurora Focus.
  • Aurora Focus Agent version 3.4 includes enhancements that improve its overall performance.
  • The Aurora Focus Agent now supports seamless interoperability with the Arctic Wolf Agent.

Aurora Focus Agent 3.4 requires Aurora Protect Agent 3.3.1001 or later.

After a successful upgrade to version 3.4, administrators cannot downgrade the agent using the updater.

What's new in Aurora Focus (December 2024)

Feature

Description

New Windows agent

The Aurora Focus agent for Windows version 3.3.3120 is now available in the management console.

For more information about the fixes in this release, see Aurora Focus fixed issues.

What's new in Aurora Focus (September 2024)

Feature

Description

New agents for macOS and Linux

The following versions of the Aurora Focus agent are now available in the management console:
  • macOS: 3.3.2708.5000
  • Linux RHEL/CentOS 8: 3.3.2758-23000
  • Linux RHEL/CentOS 7: 3.3.2758-7000
  • AmazonLinux 2: 3.3.2758-15000
  • Linux SLES15: 3.3.2758-29000
  • Linux SLES12: 3.3.2758-21000
  • Ubuntu 22.04: 3.3.2758-51000
  • Ubuntu 20.04: 3.3.2758-25000
  • Ubuntu 18.04: 3.3.2758-17000
  • Debian 11: 3.3.2758-49000
  • Debian 10: 3.3.2758-47000
  • OracleLinux Server 8 / UEK 8: 3.3.2758-37000
  • OracleLinux Server 7 / UEK 7: 3.3.2758-35000

Support for macOS 15 (Sequoia)

This release of the Aurora Focus agent for macOS adds support for macOS 15 (Sequoia).

What's new in Aurora Focus (August 2024)

Feature

Description

New Windows agents

The following versions of the Aurora Focus agent for Windows are now available in the management console:
  • Aurora Focus agent for Windows 3.3.2779
  • Aurora Focus agent for Windows 3.2.1327
Note: These releases of the Aurora Focus agent address a security vulnerability that is present in the .msi file for previous agent versions. For more information, see KB 139918. If you update the Aurora Focus agent to a version listed above using the standard update process available in the Cylance console, the .msi file with the security vulnerability will still be present on Aurora Focus devices. To update the agent and address the vulnerability, you must do one of the following:
  • Remove the Aurora Focus agent from devices, then install the latest 3.2 or 3.3 version listed above.
  • Use the Aurora Focus Patch Tool (see KB 139918) to remove the Aurora Focus agent and all associated files from the device and complete a new install of the latest 3.2 or 3.3 agent listed above. If you use the Patch Tool, you do not need to manually remove and then install the agent, as the tool will complete these actions. Arctic Wolf recommends this update method as the Patch Tool has been built and tested with all the necessary security precautions and will work with any configuration of the Aurora Protect Desktop agent.

What's new in Aurora Focus (June 2024)

Feature

Description

New agents for macOS and Linux

  • macOS: 3.3.2570.5000
  • Linux RHEL/CentOS 8: 3.3.2570-23000
  • Linux RHEL/CentOS 7: 3.3.2570-7000
  • AmazonLinux 2: 3.3.2570-15000
  • Linux SLES15: 3.3.2570-29000
  • Linux SLES12: 3.3.2570-21000
  • Ubuntu 22.04: 3.3.2570-51000
  • Ubuntu 20.04: 3.3.2570-25000
  • Ubuntu 18.04: 3.3.2570-17000
  • Debian 11: 3.3.2570-49000
  • Debian 10: 3.3.2570-47000
  • OracleLinux Server 8 / UEK 8: 3.3.2570-37000
  • OracleLinux Server 7 / UEK 7: 3.3.2570-35000

For more information about supported operating systems, see the Cylance Endpoint Security compatibility matrix.

Changes to OS support

This release adds support for the following operating systems:
  • macOS 14 (Sonoma)
  • Ubuntu 22.04
  • OracleLinux Server UEK 7

Data collection enhancements for Linux

This release of the Aurora Focus agent adds support for Network Connect events and DNS Request and Response events for Linux operating systems.

For more information, see Data structures that Aurora Focus uses to identify threats in the Aurora Endpoint Security Setup content.

Protection features for the Aurora Focus agent for macOS

The following security features that previously were applicable only to the Aurora Protect Desktop agent are now extended to the Aurora Focus agent 3.3 and later for macOS:
  • Device policy > Protection Settings > Prevent service shutdown from device: When enabled, device users cannot stop the Aurora Focus agent service on the device.
  • Settings > Application > Require Password to Uninstall Agent: When enabled, users must specify a password that you define in the management console to uninstall the Aurora Focus agent.

These features require the Aurora Protect Desktop agent version 3.1 or later.

New Windows agents

The following versions of the Aurora Focus agent for Windows are now available in the management console. These versions include the latest stability enhancements:
  • Aurora Focus agent for Windows 3.3.2640
  • Aurora Focus agent for Windows 3.2.1322

Recommendation to disable the optional Cryptojacking Detection sensor

Arctic Wolf recommends disabling the optional Cryptojacking Detection sensor, as we are currently investigating stability issues that this sensor can cause with the device OS.

What's new in Aurora Focus (January 2024)

Feature

Description

Aurora Focus agent versions

This release includes the new Aurora Focus agent for Windows version 3.3.2311.0.

For more information about supported operating systems, see the Cylance Endpoint Security compatibility matrix.

Enhancements to the logic and methods that Aurora Focus uses to identify security threats

Aurora Focus 3.3 features significant enhancements to the underlying logic and methods that the Aurora Focus cloud services and the Aurora Focus agent use to identify security threats. These changes include:
  • Improvements to how the Aurora Focus agent collects context-relevant event data for a given detection.
  • Improved collection and identification of the processes and events that precede a given detection, and of the noteworthy processes and events that follow a given detection. This provides a more detailed and accurate picture of the factors that may have resulted in the detection and of the aftermath of that detection.
  • Improved data collection methodologies controlled by the Aurora Focus cloud services, enabling Aurora Focus to stay ahead of a threat landscape that is always evolving. These changes ensure that the agent can collect the most valuable telemetry while also tuning out data that is not relevant.

New sensors

This release of the Aurora Focus agent adds three new optional sensors for Windows devices:
  • COM Object Visibility: Allows the Aurora Focus agent to monitor COM objects.
  • HTTP Visibility: Allows the Aurora Focus agent to track Windows HTTP transactions.
  • Module Load Visibility: Allows the Aurora Focus agent to monitor module loads.

These sensors require the Aurora Protect Desktop agent version 3.2 or later.

For more information, see Aurora Focus optional sensors in the Aurora Endpoint Security Setup content.

Data enrichment for Windows events

Previously, the Aurora Focus agent collected the Provider Name, Class, and Event ID facets for Windows Event artifacts. This release adds significant data collection enhancements for Windows Events, with the agent collecting the data defined in the EventData facet of the artifact (for example, this can include ObjectServer, PrivilegeList, Process ID, Process Name, Service, or other facets).

For more information, see Data structures that Aurora Focus uses to identify threats in the Aurora Endpoint Security Setup content.

What's new in Aurora Focus (August 2023)

Feature

Description

Enhancements to advanced query

This release introduces the following enhancements to the advanced query feature in the management console:
  • As you type the EQL syntax for a query, syntax options and validation messages will display to help you build your query.
  • You can now schedule the execution of an advanced query for a specific date and time, and you can schedule a query to run on a regular interval.
  • When you set the scope of your query to specific devices, an icon displays indicating whether each device is online.
  • New options to filter query results.
  • When you select a result and open the fly-out menu, you can view additional event data and filter the query results to show matches for one or more facets.
  • Various UI improvements make it easier for you to add a query, copy a query, and apply and clear zones, devices, and filters for queries.
  • You can now export the results of a query to a CSV file.

For more information, see Create an advanced query in the Aurora Endpoint Security Administration content.

Considerations when upgrading from Aurora Focus 2.5.x to 3.x

  • For configuration requirements for macOS Big Sur (11.x) or later, see the setup instructions in the Cylance Endpoint Security Setup Guide.
  • If you do not set up a complete MDM profile for the Aurora Focus network extension on devices with macOS Big Sur (11.x) or later, data collection might not occur as expected. Verify that you satisfy the configuration requirements for MDM managed devices in the Cylance Endpoint Security Setup Guide.
  • Arctic Wolf recommends installing the latest available version of the Aurora Protect agent. For more information, see the Aurora Focus requirements.
  • On macOS devices, after you upgrade the Aurora Focus agent you need to restart the device.
  • If you upgrade the Aurora Focus agent on a CentOS/RHEL 8.0 or 8.1 device, you must restart the device after the upgrade is complete. (EDR-6750)
  • Upgrading the Aurora Focus agent on Linux from version 2.x to a newer version fails if Security-Enhanced Linux (SELinux) is enabled on the device. (EDR-6264)

    Workaround: Disable SELinux on the device before you upgrade the Aurora Focus agent and enable it again after the upgrade is complete.

  • When upgrading the Aurora Focus agent on Windows, to avoid an issue with the Aurora Focus shutdown time taking longer than usual, disable the TDT sensor in the device policy and enable it again after the upgrade is complete. This issue does not occur if you upgrade from Aurora Focus agent version 2.5.3010 or from Aurora Focus agent 3.0 to a later version. (EDR-6058)