Transition Aurora Focus devices from detection rule sets to the Behavioral Detection Engine

The introduction of the Aurora Focus Behavioral Detection Engine marks a shift from the previous mechanism of Aurora Focus detection rule sets. Perform the following steps to transition Aurora Focus devices from detection rule sets to the Behavioral Detection Engine:

Step 1: Copy the device policy that is currently assigned to Aurora Focus devices.

Step 2: Create a behavioral detection policy and assign it to the new device policy that you copied.

Assigning the behavioral detection policy to a device policy from the Assigned Device Policies tab will automatically change the detection engine source in the device policy from Detection rule set to BDE policy. You can also edit the new device policy (CylanceOPTICS Settings > Detection settings) to change the detection engine source to BDE policy and select the behavioral detection policy that you created.

Step 3: Assign Aurora Focus devices to the new device policy.

You can assign devices back to the policy that uses detection rule sets if required, but it is recommended that devices remain on the Behavioral Detection Engine once you transition them. The Behavioral Detection Engine is highly tuned to provide a more efficient experience that improves the accuracy of detections while reducing "alert noise", so it is the recommended mechanism going forward. Arctic Wolf Endpoint Defense will provide advance notice before deprecating detection rule sets.