ETW is a great resource that is often untapped by many providers - Giải pháp bảo mật thông tin tối ưu

The AURORA agent is a lightweight and customizable endpoint agent based on Sigma. It uses Event Tracing for Windows (ETW) to recreate events very similar to those generated by Microsoft’s Sysmon and applies Sigma rules and IOCs to them. AURORA complements the open Sigma standard with “reaction actions” that allow users to react to a Sigma match. It is everything that EDR is not. It is completely transparent and fully customizable thanks to open Sigma ruleset and configuration files it saves 99% of network bandwidth and storage it operates entirely on-premises, no data leaves from your network it can be configured to only use a limited amount of resources. We offer a business version and a “Lite” version for free. The free version uses only the open source ruleset, lacking convenience features and centralized management.

100% transparency: Always know exactly why a rule is triggered and you can tailor it to your needs. Every rule has a description and reference that explains the author’s intent. There is no machine learning magic that produces a series of false positives.
Highly customizable: Aurora has built-in detection rules for multiple stages of the kill chain, addressing different user requirements. However, special corporate environments may require additional rules and adjustments. Aurora allows users to modify and add new rules to meet these specific needs.
Minimal network load and storage overhead: When matching occurs at the endpoint, AURORA transmits only a portion of the data that other EDRs generate and transmit to their backend. Typically, you will see less than 1% of the typical network and storage load used by log data collected from AURORA agents.
Completely on-site: Your confidential data never leaves your network.
Limited resource usage: AURORA allows you to throttle CPU usage and event output rates. These custom tuning options allow you to set priorities and put system stability first.
Free version: AURORA Lite is a limited version of AURORA and is free. It’s a great way to try your hand at it. All we ask is to sign up for the newsletter.

What are the main differences of Sysmon?

AURORA reads data from various ETW channels and enriches this data with live information to recreate events very similar to those generated by Sysmon. Log volume is relatively very low because AURORA only sends events where Sigma rules are triggered. AURORA supports different output channels: Windows event log, log files, UDP/TCP targets. Built-in throttling features put system stability first. It does not require additional kernel drivers and therefore poses limited risk to system stability.