Management console and platform services

This section contains information about updates to the management console and platform services that impact more than one Aurora Endpoint Security service or the general experience of the console. Console changes that impact specific Aurora Endpoint Security services are described in the respective sections of this guide.

What's new in the management console

Feature

Description

Date added

Indicator in the console for when the target agent version could not be installed on a device

If a device is assigned an update rule with a target version of the Aurora Protect or Aurora Focus agent that could not be installed due to compatibility or update restrictions, an indicator appears in the Target Protect Version field when you view device details. The indicator appears if the device does not meet the system requirements or if the update does not follow the supported upgrade path. For example, if a device is in a zone that is assigned Aurora Protect agent 3.4.1000, but the device does not meet the system requirements, the agent on the device will remain on its current version and the indicator appears in the console.

To display the Target Protect Version field in the legacy device grid, click on the right side and select it.

For OS compatibility information for each version of the agent, see Compatibility Matrix: Aurora Protect Desktop agent.

For supported upgrade paths, see Supported upgrade paths for Aurora Protect Desktop Agent 3.x.

July 2025

Quick filters in Alerts view

In the Alerts view, you can now quickly filter the alerts by Aurora Protect threat classifications (malware threats, memory protection, and script control) or Aurora Focus detections.

To access the quick filters, click on the left side of the Alerts view. After you select a quick filter, you can further filter the results using the column headers.

July 2025

Management console (bug fixes only)

Bug fixes only. See Management console and platform services fixed issues.

June 2025

Update restrictions for Aurora Protect Desktop

When you use update rules to manage agent updates in the Endpoint Defense console, updates (upgrades or downgrades) to the Aurora Protect Desktop agent are now restricted to supported versions and upgrade paths. If you are upgrading the agent, you must set the update option to follow the supported upgrade path, one version at a time, until you reach the desired version. Verify which version of the agent is installed and reboot the device after each upgrade, and then set the update rule to the next version in the upgrade path.

The supported upgrade paths are:

  • 2.0.154x or 2.0.156x → 2.1.157x → 3.0.1005 → 3.4.1000
  • 2.1.157x or 2.1.158x → 3.0.1005 → 3.4.1000
  • 3.0.1005 → 3.4.1000
  • 3.1 → 3.4.1000
  • 3.2 → 3.4.1000
  • 3.3 → 3.4.1000

For example, if you have devices in a zone running agent 2.1.157x and you want to upgrade the agent to version 3.4.1000, you must first set the zone's update rule to update the agents to 3.0.1005, verify that the agents are updated on the devices, restart the devices, and then set the update rule to agent 3.4.1000.

Note: After the agent successfully upgrades to version 3.4 or later, you cannot downgrade to an older version using update rules.
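The following Python sketch is an added example, not part of the Aurora product or its documentation. It encodes the upgrade paths listed above and returns, for an installed agent version, the ordered update-rule targets needed to reach 3.4.1000. It assumes that a trailing "x" stands for a single build digit and that any build under 3.1, 3.2, or 3.3 is on the path; the function names and the device inventory are constructed for illustration.

```python
import re

TARGET = "3.4.1000"

# Next update-rule target for each version family, from the supported paths above.
NEXT = {
    "2.0.154x": "2.1.157x", "2.0.156x": "2.1.157x",
    "2.1.157x": "3.0.1005", "2.1.158x": "3.0.1005",
    "3.0.1005": TARGET, "3.1": TARGET, "3.2": TARGET, "3.3": TARGET,
}

def family(version):
    """Map an installed version string to the family name used in the path list."""
    v = version.strip()
    for prefix in ("2.0.154", "2.0.156", "2.1.157", "2.1.158"):
        # Assumption: "x" in the documentation means one trailing build digit.
        if re.fullmatch(re.escape(prefix) + r"[0-9x]", v):
            return prefix + "x"
    if v in ("3.0.1005", TARGET):
        return v
    m = re.fullmatch(r"(3\.[123])(\.\d+)*", v)  # assumption: any 3.1/3.2/3.3 build
    return m.group(1) if m else None

def plan(version):
    """Return the update-rule targets to set, in order. Verify the installed
    version and reboot the device after each one before setting the next."""
    fam = family(version)
    if fam is None:
        raise ValueError(f"{version}: not on a listed upgrade path")
    hops = []
    while fam != TARGET:
        fam = NEXT[fam]
        hops.append(fam)
    return hops

def next_targets_by_zone(inventory):
    """Group devices per zone by the next update-rule target each one needs."""
    zones = {}
    for device, zone, version in inventory:
        try:
            hops = plan(version)
            nxt = hops[0] if hops else "done"
        except ValueError:
            nxt = "unsupported"
        zones.setdefault(zone, {}).setdefault(nxt, []).append(device)
    return zones

# Constructed sample inventory: (device name, zone, installed agent version).
SAMPLE = [("ws-01", "Finance", "2.1.1578"), ("ws-02", "Finance", "3.0.1005"),
          ("srv-01", "Servers", "2.0.1564"), ("srv-02", "Servers", "3.4.1000"),
          ("kiosk-1", "Lobby", "1.2.1418")]

if __name__ == "__main__":
    for zone, groups in next_targets_by_zone(SAMPLE).items():
        print(zone, groups)
```

A zone that maps to more than one next target contains devices at different points on the path, so a single update rule for that zone cannot be the correct next step for all of them.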

For OS compatibility information for each version of the agent, see Compatibility Matrix: Aurora Protect Desktop agent.

For supported upgrade paths, see Supported upgrade paths for Aurora Protect Desktop Agent 3.x.

May 2025

Windows Security Center integration

In the device policy, administrators can now control whether to allow Windows Defender to run as the primary antivirus while the Aurora Protect Desktop Agent is secondary. This setting requires Aurora Protect Desktop Agent version 3.4 or later.

To allow Windows Defender to run as the primary antivirus, in the agent settings menu of a device policy, select the "Disable integration with Windows Security Center" option.

May 2025

New look and feel to the Endpoint Security Console

We’re excited to share that the Endpoint Security console has been renamed to the Aurora Endpoint Defense Console. It has a new look and feel to represent the transition to Arctic Wolf.

All existing features and workflows remain the same, and you do not have to uninstall and reinstall your agents. However, you will see new branding and some updated names. New names include Aurora Protect (formerly CylancePROTECT) and Aurora Focus (formerly CylanceOPTICS).

April 2025

Alerts view enhancements for Aurora Focus (formerly CylanceOPTICS)

When you open an alert group from the Alerts view, you can:

  • View the rule ID and description details from the Overview pane.
  • Create an exception for Focus detections from the Actions menu.

When you click a specific alert from within an alert group, in the right pane, you can:

  • Export a full detections record of the alert in .json format.
  • View the IP address, logged on user, and device policy name.
  • Perform actions specific to an artifact associated with an alert (such as request process focus, file focus, file download, or quarantine the file).
  • Lock down the device.
  • View a more detailed event description.

April 2025

Device policy UI redesign

The UI for creating and configuring a device policy has been redesigned to make it easier and more intuitive to create and update device policies.

For more information, see Create and manage a device policy.

January 2025

Device lifecycle management enhancement

In environments that have not configured the device lifecycle management feature in the management console (Settings > Device Lifecycle), the feature is enabled by default and is set to update the device statuses to Inactive after they have been offline for 60 days or more. Inactive devices are permanently removed from the console 60 days later.

This change does not affect environments that have enabled and fully configured the device lifecycle management.

For more information, see the following:

January 2025

Updates to focus view

Previously in Assets > Devices, you could click the option to create focus data for alerts older than 30 days, even though focus data could not be generated due to the age of the alert. In this update, the option to create focus data can no longer be selected for alerts older than 30 days.

For focus data you have already generated, you cannot access the focus data after 90 days have passed.

November 2024

Updates to zone policies

You can now choose to not assign an associated device policy to a zone in the Zones screen. Administrators can use zones to manage devices without an associated device policy while making sure that a device's currently assigned device policy remains unchanged. When devices are added to a zone with the device policy set to None, they will no longer be automatically assigned to an associated device policy.

For more information, see Add and configure a zone.

November 2024

Improvements to the Devices grid view

The Devices grid (Assets > Devices) has been improved for an enhanced search experience for managing devices.

  • Ability to easily specify one or more ranges of IP addresses when filtering the list of devices. The range of IP addresses can also be used for zone rules.
  • A standardized date picker now appears when specifying date fields.
  • Saved queries that can be applied as zone rules are now indicated with an asterisk (*).
  • Ability to specify a field more than once in a query.
  • The Display Name column is now available to search for a named device.
  • Ability to delete recent queries from the list.

October 2024

Duo Universal MFA

You can now add Duo Universal MFA for multi-factor authentication.

Duo has ended support for their Duo Traditional Prompt. For more information, see the Duo Knowledge Base. If you already have the now deprecated Duo MFA authenticator configured, you must add the new Duo Universal MFA authenticator or users might not authenticate successfully. The configured Duo MFA authenticator will be displayed as read only in the Endpoint Defense console.

For more information, see Add an authenticator in the Cylance Endpoint Security Setup content.

July 2024

New Devices grid view for managing devices

This is a preview of changes to come for the Devices grid that is fully functional and can be used as an alternate way to manage your devices. Enhancements will continue in the near future to add more filter criteria and new experiences. The following features can be used today:

  • Search for your devices using a query-based experience with multiple expressions, giving you more flexibility to find the devices you want.
  • Save your frequently used queries with a friendly name that is easy to remember so that you can quickly load them later.
  • Saved queries are used to automatically add devices to a zone when you add a zone rule.
  • Adjust the density of information displayed on the grid as well as pin columns for improved legibility.
  • Export a list of more than 10,000 devices at once.
  • Switch between the legacy view and the new view from the top right corner of the (Assets > Devices) screen.

For more information, see Manage Aurora Protect Desktop and Aurora Focus devices.

July 2024

Automated zone management

Devices can now be automatically added to a zone when they match the zone rules criteria and also be automatically removed from a zone when they don't match the criteria.

When you add a zone rule to a new zone, you need to specify a saved query (from the new Devices grid view) and whether you want devices to be automatically removed. The list of devices in the results of the saved query indicates the devices that will be automatically added to the zone. It is recommended to run a saved query and verify the list of devices in the results before using it for zone rules.

By default, devices that are added automatically to the zone will follow the zone rules. If the automatic device removal option is selected in the zone rules, devices that follow the zone rules will be automatically removed from the zone when they don't meet the zone rules criteria. You can also manually add devices that ignore the zone rules so they aren't automatically removed from the zone. When managing a zone, you can change whether a device follows or ignores the zone rules.

With the introduction of automated zones, you cannot modify the zone rules of legacy zones that were created prior to this update, but the legacy zones will continue to function as before. To take advantage of the automated zones, you can migrate devices from legacy zones by copying devices to a newly created zone or by creating a new saved query filter using the new device grid and using it for the zone rule. In the new zone, you can change the associated policy and ensure it works properly according to your needs before you remove the legacy zone.

For more information, see Setting up zones to manage Aurora Protect Desktop and Aurora Focus.

July 2024

Simplify the configuration of a new tenant

When you create a new Aurora Endpoint Security tenant, the tenant now includes preconfigured zones and preconfigured device policies that are designed to help you tune your environment to the desired security posture.

You also have the option to export the configuration of an existing tenant and import it to a new tenant, or to reset a new tenant to use preconfigured zones and preconfigured device policies.

For more information, see Configuring a new Cylance Endpoint Security tenant.

July 2024

Reset password enhancement

When users reset their password, a confirmation message is displayed that includes the email address that the password reset email is sent to.

June 2024

Aurora Managed Endpoint Defense On-Demand

The Aurora Managed Endpoint Defense On-Demand subscription is a convenient and helpful option if your organization monitors the alerts that are reported to the Aurora Managed Endpoint Defense console. With this subscription, you can request Aurora Managed Endpoint Defense support on demand for any alert that you think might be a threat and that you need the time and expertise of an Aurora Managed Endpoint Defense analyst to help you resolve. You can request support from an alert group in the Alerts view in the Endpoint Defense console. Aurora Managed Endpoint Defense analysts are immediately notified with the alert details and can start their investigation and assess the threat. To follow up on the investigation (for example, to share additional details), you can log in to the Aurora Managed Endpoint Defense (CylanceGUARD) portal and find the alert in the Escalations screen.

For more information, see View and manage aggregated alerts.

May 2024

Alerts view enhancement: Aurora Security Assistant for Aurora Focus alert groups

In the Alerts view, you can use the AI-powered Aurora Security Assistant to provide a summary analysis of an Aurora Focus alert group, and detailed analysis for process artifacts within the group (for example, command line processes). The Aurora Security Assistant leverages rich cybersecurity knowledge sources to provide valuable information to aid you in your threat investigations.

Note:
  • To access the Aurora Security Assistant in the Alerts view, you must contact your Arctic Wolf account representative to request enablement of this feature.
  • Currently, the Aurora Security Assistant is available for Aurora Focus alerts only. Future updates will extend this functionality to other Endpoint Defense products and services.
  • Arctic Wolf does not use any customer data to train the AI that powers the Aurora Security Assistant.

For more information, see Use the AI-powered Cylance Assistant to investigate alerts.

May 2024

Alerts view enhancement: Support for script control alerts

The Alerts view now supports Aurora Protect Desktop script control alerts, including the ability to add a file associated with a script control alert to the global safe list.

For more information, see Managing alerts across Cylance Endpoint Security services.

April 2024

Alerts view enhancements

  • After you filter alert groups by the desired criteria, you can now select and bulk delete all of the alert groups in the filter results, or select alert groups.
  • You can now export alert groups or the alerts within a group in JSON format.

For more information, see Managing alerts across Cylance Endpoint Security services.

March 2024

Console sign in enhancement

By default, new tenants now require administrators to enter a one-time password, in addition to the Endpoint Defense console password, each time that they try to access the console. Existing customers can update the authentication policy to add the One-Time Password requirement. New tenants can remove the One-Time Password requirement after an administrator signs in to the console for the first time.

For more information, see Enhanced authentication sign in.

March 2024

User Policy enhancements

The following enhancements have been made to the "Add User or Group" setting (Policies > User Policy) in the management console:
  • You can now search for users and user groups under separate tabs.
  • The search results are displayed in alphabetical order based on a user's or user group's name.
  • By default, a maximum of 50 search results are returned for users and groups, respectively. Administrators must refine their search criteria when more than 50 search results are returned.

February 2024

BlackBerry Protect Connectivity Node version

BlackBerry Protect Connectivity Node version 2.14.0. To download the latest version of the BlackBerry Protect Connectivity Node, click here.