Reviewing and searching for alerts generated by the Behavioral Detection Engine

You can use the Alerts view in the Endpoint Defense console to review and investigate the alerts generated by the Behavioral Detection Engine, and you can use the advanced query to search for specific detections.

Feature: Alerts

Details: You can use the Alerts view to conduct detailed investigations into the alerts generated by the Behavioral Detection Engine:

  • Alerts generated by the Behavioral Detection Engine will be aggregated by common criteria and collected into alert groups.
  • Aurora Focus alert groups generated by the Behavioral Detection Engine list the associated MITRE tactic in the classification column and the applicable techniques and sub-techniques in the sub-classification column. These details distinguish alerts generated by the Behavioral Detection Engine from other Aurora Focus alert groups generated by the earlier detection rule set mechanism; alerts from detection rule sets have a classification of "Custom" or "MitreCA".
  • You can use the new filtering options to the left of the list of alert groups to filter the results by specific MITRE tactics, in addition to other criteria such as threat classifications and artifact and event types.
  • Click a Behavioral Detection Engine alert group to access details to aid your investigations, including links to MITRE resources for the associated tactics and techniques, a visual depiction of the relationship between instigating and target objects, and details for each individual alert in the group. Where applicable, you can also generate an analysis of process and script artifacts by the AI-powered Aurora Security Assistant. For more information, see View and manage aggregated alerts.

Feature: Focus > Advanced Query

Details: You can use the advanced query to build and run EQL queries to hunt for specific detections:

  • New columns in the advanced query results indicate corollary alerts and the associated MITRE tactics and techniques.
  • When you click a result, the Event Details tab provides links to MITRE resources to learn more about the associated tactics and techniques.
  • The Alerts tab displays generated and related alerts with filtering options to facilitate your threat hunting activities.