Your Custom Sigma-based Endpoint Agent
The AURORA Agent is a lightweight and customisable EDR agent based on Sigma. It uses Event Tracing for Windows (ETW).
The AURORA Agent is a lightweight and customisable endpoint agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events that are very similar to the events generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “response actions” that allow users to react to a Sigma match.
It is everything that EDRs aren’t.
- it is completely transparent and fully customisable due to the open Sigma rule set and configuration files
- it saves 99% of the network bandwidth and storage
- it works completely on-premises, no data leaves your network
- it can be configured to use only a limited amount of resources
We offer an enterprise and a “Lite” version, which is free of charge. The free version uses only the open source rule set, lacks comfort features and a central management.
100% Transparency
You always know exactly why a rule triggered and can adjust that rule to your needs. Every rule has descriptions and references that explain the author’s intentions. No machine learning magic that generates tons of false positives.
Highly Customizable
Aurora features built-in detection rules for multiple stages of a kill chain, addressing different user requirements. However, unique enterprise environments might need additional rules and adjustments. Aurora allows users to modify and add new rules to meet these specific needs.
Minimal Network Load and Storage Costs
As the matching happens on the endpoint, AURORA transmits only a fraction of the data that other EDRs generate and transmit to their backends. Usually you’ll see less than 1% of the usual network load and storage used by log data collected from AURORA agents.
Completely On-Premises
Your confidential data never leaves your network.
Limited Resource Usage
AURORA allows you to throttle its CPU usage and event output rate. These optional throttling options allow you to set priorities and put your system’s stability first.
Free Version
AURORA Lite is a limited version of AURORA and free of charge. It’s a great way to give it a whirl. All we ask for is a newsletter subscription.
What are the main differences to Sysmon?
- AURORA reads data from many different ETW channels and enriches this data with live information to recreate events that are very similar to the events generated by Sysmon
- The relative log volume is very low as AURORA only submits the events on which a Sigma rule triggered
- AURORA supports different output channels: Windows event log, log file, UDP/TCP targets
- The integrated throttling features put the system’s stability first
- It requires no additional kernel driver and therefore poses a limited risk to the system’s stability
AURORA Lite
Free Community Edition- Sigma-based event matching on ETW data
- Open source rule set (1300+ rules)
- Without Nextron’s Sigma rule set
- Open source IOC set
- Without Nextron’s IOC set (used in THOR)
- Alert output channels: Eventlog, File, UDP/TCP
- No comfortable management with ASGARD
- No additional detection modules
- 5 rules with response actions
- No rule encryption
AURORA
Full-Featured Agent- Sigma-based event matching on ETW data
- Open source rule set (1300+ rules)
- Nextron’s Sigma rule set
- Open source IOC set
- Nextron’s IOC set (used in THOR)
- Alert output channels: Eventlog, File, UDP/TCP
- Comfortable management with ASGARD
- Additional detection modules
- Unlimited number of response actions
- Rule encryption
Not Included in the Lite Version
No Comfortable Management
Our ASGARD platform allows you to manage a Sigma rule set, apply all or some of them to all or dedicated system groups, add simple false positive filters, activate blocking mode of certain rules and control updates.
No Nextron Sigma Rule Feed
AURORA Lite ships with the Open Source rule set and allows users to add custom rules. I does not contain Nextron’s private Sigma rules, developed and maintained by Florian Roth and his research team.
Without THOR's IOC Set
The full version includes the full IOC and filename pattern set used in our scanner THOR. The Lite version uses only the set published in the open source repository “signature-base“, which is about 4% of the original set.
No Extra Modules
A set of modules that detect certain techniques and behaviour that cannot be covered by Sigma rules. (e.g. CobaltStrike beaconing detection, LSASS dump detector, process tampering detector etc.)
Only 5 Response Actions
The Lite version allows in the initialised rule set only 5 rules with configured response actions (e.g. kill process, dump process memory, run command). This should be enough for anyone who plans to contain a special threat (e.g. Ransomware, Worms).
No Encrypted Rules
The full version is shipped with an encrypted rule set and allows the user to add encrypted custom rules. The Lite version only supports clear text rules.
Newsletter and Download Subscription
Subscribe with the form below. We will send you a license and download link via email.