Your Custom Sigma-based Endpoint Agent

The AURORA Agent is a lightweight and customisable EDR agent based on Sigma. It uses Event Tracing for Windows (ETW).

The AURORA Agent is a lightweight and customisable endpoint agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events that are very similar to the events generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “response actions” that allow users to react to a Sigma match.

It is everything that EDRs aren’t.

  • it is completely transparent and fully customisable due to the open Sigma rule set and configuration files
  • it saves 99% of the network bandwidth and storage
  • it works completely on-premises, no data leaves your network
  • it can be configured to use only a limited amount of resources

We offer an enterprise and a “Lite” version, which is free of charge. The free version uses only the open source rule set, lacks comfort features and a central management. 


100% Transparency

You always know exactly why a rule triggered and can adjust that rule to your needs. Every rule has descriptions and references that explain the author’s intentions. No machine learning magic that generates tons of false positives.

Highly Customizable

Aurora features built-in detection rules for multiple stages of a kill chain, addressing different user requirements. However, unique enterprise environments might need additional rules and adjustments. Aurora allows users to modify and add new rules to meet these specific needs.


Minimal Network Load and Storage Costs

As the matching happens on the endpoint, AURORA transmits only a fraction of the data that other EDRs generate and transmit to their backends. Usually you’ll see less than 1% of the usual network load and storage used by log data collected from AURORA agents.

Completely On-Premises

Your confidential data never leaves your network.

Limited Resource Usage

AURORA allows you to throttle its CPU usage and event output rate. These optional throttling options allow you to set priorities and put your system’s stability first.

Free Version

AURORA Lite is a limited version of AURORA and free of charge. It’s a great way to give it a whirl.

What are the main differences to Sysmon?

  • AURORA reads data from many different ETW channels and enriches this data with live information to recreate events that are very similar to the events generated by Sysmon
  • The relative log volume is very low as AURORA only submits the events on which a Sigma rule triggered
  • AURORA supports different output channels: Windows event log, log file, UDP/TCP targets
  • The integrated throttling features put the system’s stability first
  • It requires no additional kernel driver and therefore poses a limited risk to the system’s stability

Not Included in the Lite Version

No Comfortable Management

Our ASGARD platform allows you to manage a Sigma rule set, apply all or some of them to all or dedicated system groups, add simple false positive filters, activate blocking mode of certain rules and control updates.

No Nextron Sigma Rule Feed

AURORA Lite ships with the Open Source rule set and allows users to add custom rules. I does not contain Nextron’s private Sigma rules, developed and maintained by Florian Roth and his research team.

Without THOR's IOC Set

The full version includes the full IOC and filename pattern set used in our scanner THOR. The Lite version uses only the set published in the open source repository “signature-base“, which is about 4% of the original set.

No Extra Modules

A set of modules that detect certain techniques and behaviour that cannot be covered by Sigma rules. (e.g. CobaltStrike beaconing detection, LSASS dump detector, process tampering detector etc.)

Only 5 Response Actions

The Lite version allows in the initialised rule set only 5 rules with configured response actions (e.g. kill process, dump process memory, run command). This should be enough for anyone who plans to contain a special threat (e.g. Ransomware, Worms).

No Encrypted Rules

The full version is shipped with an encrypted rule set and allows the user to add encrypted custom rules. The Lite version only supports clear text rules.

GDPR Cookie Consent with Real Cookie Banner