From 141ce8ebbd46f70356e87e6665f1ac36117c6af1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 9 Dec 2021 09:30:33 +0100 Subject: [PATCH] docs: update some sections --- usage/installation.rst | 3 +++ usage/usage.rst | 4 ++-- usage/what-is-aurora.rst | 15 +++++++-------- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/usage/installation.rst b/usage/installation.rst index 9fbd1dd..75d6d9b 100644 --- a/usage/installation.rst +++ b/usage/installation.rst @@ -1,6 +1,9 @@ Installation ============ +Install Aurora +-------------- + You can install the agent using the following command line from command line terminal that has been started "As Administrator". .. code:: winbatch diff --git a/usage/usage.rst b/usage/usage.rst index f5c874a..4e9b195 100644 --- a/usage/usage.rst +++ b/usage/usage.rst @@ -16,13 +16,13 @@ An existing config file can be used with the respective flag. .. code:: winbatch - aurora-agent-64.exe -c my-config-file.yml + aurora-agent-64.exe -c agent-config-reduced.yml A typical command line that runs Aurora and prints messages and matches to the command line and the Windows ``Application`` eventlog looks like this: .. code:: winbatch - aurora-agent-64.exe --minimum-level medium + aurora-agent-64.exe --minimum-level low Run Aurora as Service --------------------- diff --git a/usage/what-is-aurora.rst b/usage/what-is-aurora.rst index 7a18cb5..d07a606 100644 --- a/usage/what-is-aurora.rst +++ b/usage/what-is-aurora.rst @@ -5,7 +5,6 @@ What is Aurora? - It uses Event Tracing for Windows (ETW) to subscribe to certain event channels. - It extends the Sigma standard with so-called "response actions" that can get executed after a rule match - It supports multiple output channels: the Windows Eventlog, a log file and remote UDP targets -- What is Aurora Lite? -------------------- 
@@ -14,11 +13,11 @@ Aurora Lite is our free version of Aurora which is free for private and commerci It has a few technical limitations, doesn't use our private Sigma rule set, lacks resource control features and special modules. -Additional features in the full version: +Features and services that are not included in the Aurora Lite version: -- Comfortable Aurora Agent and Sigma rule management via ASGARD Management Center -- Additional detection modules (not Sigma-based; e.g. Cobalt Strike beaconing, LSASS dumping) -- Nextron Sigma rule feed -- Encrypted Sigma rules (protect rules from spying eyes or the AV) -- Log output rate throttling -- CPU load limiting +- No comfortable Sigma rule management via ASGARD Management Center +- No additional detection modules (non-Sigma-based detection; e.g. Cobalt Strike beaconing, LSASS dumping) +- No private Nextron Sigma rule feed +- No encrypted Sigma rules (protect rules from spying eyes or the AV) +- No UDP/TCP Output +- Only 2 rules with response actions allowed
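Review bot: in the usage/installation.rst hunk, the new "Install Aurora" subsection title sits directly under the "Installation" page title with no sibling subsection visible, so it only earns its place if further subsections (uninstall or upgrade steps, for example) follow; otherwise it merely repeats the page title. While this section is being touched, the unchanged sentence "using the following command line from command line terminal that has been started "As Administrator"" repeats "command line" and could read "Run the following command in a terminal started "As Administrator"". The underline length matches the title text, so the new title renders correctly.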
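Review bot: in the usage/usage.rst hunk, swapping the placeholder `my-config-file.yml` for `agent-config-reduced.yml` turns a generic example into what looks like a concrete file name, but the surrounding sentence "An existing config file can be used with the respective flag." does not say whether `agent-config-reduced.yml` ships with the agent or where it lives; either state that (for instance, where the file is found after installation, if it is shipped) or keep an obviously generic name. Likewise, changing the "typical command line" from `--minimum-level medium` to `--minimum-level low` raises the volume of events written to the Windows ``Application`` eventlog, and the prose still gives no hint what the levels mean or why `low` is the suggested default; a half-sentence on that trade-off would help readers choose a sensible value.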
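Review bot: in the first usage/what-is-aurora.rst hunk, removing the stray empty "-" bullet before "What is Aurora Lite?" is right, but make sure a blank line still separates the last list item ("- It supports multiple output channels: the Windows Eventlog, a log file and remote UDP targets") from the section title, since reStructuredText needs that separation for the title to be parsed as a title rather than as list text; the hunk context does not show it. Minor: the first bullet ends with a period and the next two do not, so the list punctuation could be made consistent in the same pass.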
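Review bot: in the second usage/what-is-aurora.rst hunk, the new list contradicts the feature list at the top of the same file: the item "- No UDP/TCP Output" implies the full version offers TCP output, while the unchanged line "- It supports multiple output channels: the Windows Eventlog, a log file and remote UDP targets" mentions UDP only; either add TCP to the feature list or change the item to "No UDP output". The rewritten heading "Features and services that are not included in the Aurora Lite version:" followed by items starting with "No ..." is a double negative, and the last item "Only 2 rules with response actions allowed" is a limit rather than a missing feature; "Limitations of Aurora Lite:" with plain items ("Sigma rule management via ASGARD Management Center", "Additional detection modules ...", "At most 2 rules with response actions") reads cleaner. Also, "Log output rate throttling" and "CPU load limiting" were dropped from the list even though the sentence just above still says Lite "lacks resource control features"; if those limits still apply, keep them on the list, and if they no longer apply, update that sentence as well.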