Create a detection rule set

Note: In early 2025 the Behavioral Detection Engine was introduced as the new data collection and analysis engine that both powers and significantly enhances the capabilities of the Aurora Focus agent on your organization’s devices. The Behavioral Detection Engine replaces the previous method of detection rule sets that are detailed in this section. For information and instructions, see Transition Aurora Focus devices from detection rule sets to the Behavioral Detection Engine. The Behavioral Detection Engine is highly tuned to provide a more efficient experience that improves the accuracy of detections while reducing "alert noise", so it is the recommended mechanism going forward. Advance notice will be provided before detection rule sets are deprecated.

Create and apply a detection rule set to configure the types of events that you want Aurora Focus to detect and how you want Aurora Focus to respond to those events. A default detection rule set is available to help you test and evaluate how you want to use detection rules. In the default rule set, all detection rules are turned on and automated responses and user notifications are turned off.

When you create a detection rule set, it is a best practice to initially turn on the desired detection rules without response actions or desktop notifications. After you evaluate the detections data, you can configure the appropriate response actions and user notifications for each rule.

  • To view a rule set, you require an administrator role with the View ruleset and Edit ruleset permissions from the Endpoint Detection Response section.
  • For more information about the optional Aurora Focus rules that you can import for your organization’s environment, see KB 42221115562011.
  1. In the management console, on the menu bar, click Focus > Configurations.
  2. On the Rule Sets tab, click Create New.
  3. Type a name and description.
  4. If you want the Aurora Focus agent to display a message when a rule is triggered on the device, in the Detection Notification Message field, type the message.
  5. Review the available rules. For each rule, you can hover over the information icon to view a description. Click ON to enable an entire rule group or a specific rule.
  6. If you want to display a desktop notification when a rule is triggered on a device, select the Display Detection Notification on Device check box for the rule.
  7. If you want the Aurora Focus agent to execute a response action when a rule is triggered on a device, in the Response drop-down list for the rule, select one or more actions. You can hover over the information icon for each action to view a description.
  8. In the Device Policy drop-down list, click one or more device policies that you want to assign the detection rule set to.
    You can also assign a detection rule set to a device policy when you create or change a device policy.
  9. Click Confirm. Review the summary, then click Confirm again.
After you assign the detection rule set to a device policy, you can view and manage detections. You can also do any of the following optional tasks: