Your Custom Sigma-based Endpoint Agent

The AURORA Agent is a lightweight and customisable endpoint agent. It is based on Sigma and uses Event Tracing for Windows (ETW).

The AURORA Agent is a lightweight and customisable endpoint agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events that are very similar to the events generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “response actions” that allow users to react to a Sigma match.

It is everything that EDRs aren’t:

  • it is completely transparent and fully customisable due to the open Sigma rule set and configuration files
  • it saves 99% of the network bandwidth and storage
  • it works completely on-premises, no data leaves your network
  • it can be configured to use only a limited amount of resources

We offer an enterprise version and a “Lite” version, which is free of charge. The free version uses only the open source rule set and lacks comfort features and central management.

100% Transparency

You always know exactly why a rule triggered and can adjust that rule to your needs. Every rule has descriptions and references that explain the author’s intentions. No machine learning magic that generates tons of false positives.

Highly Customizable

Aurora features built-in detection rules for multiple stages of a kill chain, addressing different user requirements. However, unique enterprise environments might need additional rules and adjustments. Aurora allows users to modify and add new rules to meet these specific needs.

Minimal Network Load and Storage Costs

As the matching happens on the endpoint, AURORA transmits only a fraction of the data that EDRs generate and send to their backends. Log data collected from AURORA agents usually causes less than 1% of the network load and storage that an EDR would.

Completely On-Premises

Your confidential data never leaves your network.

Limited Resource Usage

AURORA allows you to throttle its CPU usage and event output rate. These optional throttling options allow you to set priorities and put your system’s stability first.

Free Version

AURORA Lite is a limited version of AURORA and free of charge. It’s a great way to give it a whirl.

Dashboard and Notifications

The AURORA Agent Dashboard provides a way to review AURORA events and receive notifications for them.

What are the main differences to Sysmon?

AURORA reads data from many different ETW channels and enriches this data with live information to recreate events that are very similar to the events generated by Sysmon.

The relative log volume is very low as AURORA only submits the events on which a Sigma rule triggered.
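As an added illustration (not AURORA's own code or configuration), the following Python sketch shows what the two points above amount to: Sysmon-like event records are evaluated against a rule written in the open Sigma detection syntax (selections with `|endswith` and `|contains` modifiers, combined by a `condition`), and only the events the rule fires on are forwarded. The rule, the event records and every helper name below are constructed for this example.

```python
"""Minimal Sigma-style matcher over Sysmon-like process-creation events.

Added example, not AURORA's code. It sketches the mechanism the page
describes: events shaped like Sysmon's are evaluated against a Sigma
rule on the endpoint, and only the events that match are forwarded.
The rule, the events and all helper names are constructed for this example.
"""
import fnmatch

# Constructed rule in the open Sigma detection syntax, written as a dict so
# no YAML library is needed. A selection maps "Field|modifier" to a value or
# a list of values; list entries are OR-ed, fields within a selection AND-ed.
RULE = {
    "title": "Recon Command Spawned by an Office Application (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "office_parent": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
        },
        "recon_child": {
            "Image|endswith": ["\\whoami.exe", "\\nltest.exe"],
        },
        # simple false-positive filter: the tool was only asked for its help text
        "filter_help": {
            "CommandLine|contains": "/?",
        },
        "condition": "office_parent and recon_child and not filter_help",
    },
    "level": "high",
}

# Constructed Sysmon-like events (EventID 1 = process creation). Only the
# first one should match: Word spawning whoami. The others are benign,
# filtered, or come from a non-Office parent.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "whoami /all"},
    {"EventID": 1, "Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "whoami"},
    {"EventID": 1, "Image": r"C:\Windows\System32\nltest.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "nltest /?"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"WINWORD.EXE" report.docx'},
]


def _value_matches(modifier, pattern, value):
    """Sigma string comparison: case-insensitive; plain values support the
    wildcards * and ? (note: fnmatch also treats [...] as a character class)."""
    v, p = str(value).lower(), str(pattern).lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":
        return fnmatch.fnmatchcase(v, p)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def _selection_matches(selection, event):
    """All fields of a selection must match; a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_value_matches(modifier, p, event[field]) for p in patterns):
            return False
    return True


def _eval_condition(condition, results):
    """Evaluate a flat Sigma condition: 'not' binds tightest, then 'and', then 'or'."""
    def factor(token):
        token = token.strip()
        if token.startswith("not "):
            return not results[token[4:].strip()]
        return results[token]
    return any(all(factor(f) for f in term.split(" and "))
               for term in condition.split(" or "))


def rule_matches(rule, event):
    """True if the rule's condition holds for this event."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def forward_matches(rule, events):
    """Endpoint-side filtering: only events the rule fires on are returned
    (tagged with the rule), which is why the forwarded log volume stays small."""
    return [dict(event, RuleTitle=rule["title"], Level=rule["level"])
            for event in events if rule_matches(rule, event)]


if __name__ == "__main__":
    hits = forward_matches(RULE, EVENTS)
    print(f"{len(hits)} of {len(EVENTS)} events forwarded")
    for hit in hits:
        print(hit["RuleTitle"], "->", hit["CommandLine"])
```

Running the script forwards one of the four constructed events; the `filter_help` selection shows how a simple false-positive filter is expressed in the same rule syntax rather than in the matching code.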

AURORA supports different output channels: Windows event log, log file, UDP/TCP targets.

The integrated throttling features put the system’s stability first.

It requires no additional kernel driver and therefore poses a limited risk to the system’s stability.

Not Included in the Free Version

No Nextron Sigma Rule Feed

AURORA Lite ships with the Open Source rule set and allows users to add custom rules. It does not contain Nextron’s private Sigma rules, developed and maintained by Florian Roth and his research team.

Without THOR's IOC Set

The full version includes the full IOC and filename pattern set used in our scanner THOR. The Lite version uses only the set published in the open source repository “signature-base”, which is about 4% of the original set.

No Comfortable Management

Our ASGARD platform allows you to manage a Sigma rule set, apply all or some of them to all or dedicated system groups, add simple false positive filters, activate blocking mode of certain rules and control updates.

No Extra Modules

The full version includes a set of modules that detect certain techniques and behaviours that cannot be covered by Sigma rules (e.g. Cobalt Strike beaconing detection, LSASS dump detector, process tampering detector).

Only 5 Response Actions

In the Lite version, only 5 rules of the initialised rule set may have response actions configured (e.g. kill process, dump process memory, run command). This should be enough for anyone who plans to contain a specific threat (e.g. ransomware, worms).

No Encrypted Rules

The full version is shipped with an encrypted rule set and allows the user to add encrypted custom rules. The Lite version only supports clear text rules.

Licensing Differences

You can use AURORA Lite for:

  • Use within any local, state, federal or international government agency.
  • Educational and research purposes.
  • Internal company use.

You need AURORA Enterprise for:

  • Use on third-party networks.
  • Use as part of a paid engagement.