{
  "id": 18830769,
  "url": "https://github.com/nextronsystems/ta-aurora",
  "last_synced_at": "2025-08-15T20:41:15.373Z",
  "repository": {
    "id": 60723095,
    "uuid": "477785550",
    "full_name": "NextronSystems/TA-aurora",
    "owner": "NextronSystems",
    "description": "Splunk Technology-AddOn for Aurora Sigma-Based EDR Agent. It helps parse and configure the necessary inputs to neatly consume Aurora EDR Agent Alerts into Splunk.",
    "archived": false,
    "fork": false,
    "pushed_at": "2022-09-27T16:58:02.000Z",
    "size": 35,
    "stargazers_count": 13,
    "open_issues_count": 0,
    "forks_count": 1,
    "subscribers_count": 5,
    "default_branch": "master",
    "last_synced_at": "2025-02-15T19:42:55.890Z",
    "etag": null,
    "topics": [],
    "latest_commit_sha": null,
    "homepage": null,
    "language": null,
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "apache-2.0",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/NextronSystems.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null
      }
    },
    "created_at": "2022-04-04T16:34:06.000Z",
    "updated_at": "2024-04-27T08:51:14.000Z",
    "dependencies_parsed_at": "2022-10-03T21:17:44.671Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/NextronSystems/TA-aurora",
    "commit_stats": null,
    "previous_names": [],
    "tags_count": 2,
    "template": false,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FTA-aurora",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FTA-aurora/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FTA-aurora/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FTA-aurora/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NextronSystems",
    "download_url": "https://codeload.github.com/NextronSystems/TA-aurora/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 239768952,
      "owners_count": 19693760,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": [],
  "created_at": "2024-11-08T01:50:32.888Z",
  "updated_at": "2025-02-20T02:42:12.761Z",
  "avatar_url": "https://github.com/NextronSystems.png",
  "language": null,
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "# TA-aurora\n\n![aurora-logo](static/appIcon_2x.png)\n\n## Overview\n\n### About the Nextron Systems Aurora EDR Add-on for Splunk\n\n|                       |                                                                 |\n|-----------------------|-----------------------------------------------------------------|\n| Version               | 0.2.0                                                           |\n| Vendor Products       | Nextron Systems Aurora EDR Agent                                |\n| Visible in Splunk Web | No.                                                             |\n\nThis add-on helps parse and configure the necessary inputs to neatly consume Aurora Sigma-Based EDR Agent Alerts into Splunk.\nIt also provides basic mapping to the Splunk Common Information Model (CIM) for use in Splunk Enterprise Security (and others).\n\nThe **Nextron Systems Aurora EDR Add-on for Splunk** provides search-time and CIM normalization for EDR events in the following formats:\n\n| Source Type                | Description                                             | CIM Data Models                 |\n|----------------------------|---------------------------------------------------------|---------------------------------|\n| nextron:aurora:edr         | Aurora EDR events (JSON)                                | Endpoint, Intrusion Detection   |\n\n- Has index-time configurations: false\n\n### Change Log\n\n\u003e Version 0.2.0\n\n- Renamed sourcetype from `aurora-edr` to `nextron:aurora:edr` as per Splunk best practice\n- Reworked sourcetype configuration to extract file hash (SHA256 only at the moment - adapt if required) and use search time field extractions (as opposed to index-time) for flexibility\n- Added CIM compliance/mapping to the `Endpoint.Processes` and `Intrusion Detection` data models for use in [Splunk Enterprise Security](https://www.splunk.com/en_us/products/enterprise-security.html)\n\n## Installation/Configuration\n\n1. Visit [https://www.nextron-systems.com/aurora/](https://www.nextron-systems.com/aurora/) and request an Aurora Lite package by submitting the download form\n2. Follow the quick start guide for the Aurora EDR Agent [here](https://aurora-agent-manual.nextron-systems.com/en/latest/usage/installation.html#quick-start) and copy the `*.lic` file in your aurora directory.\n3. Install Aurora with the following flags to make it log to a file in json format: `.\\aurora-agent-64.exe --install -c agent-config-standard.yml --json --logfile aurora_alerts.json.log`  \n4. Copy inputs.conf to local/inputs.conf, adapt as required (for example, set a destination index).\n5. Copy the TA on the Search Head(s), Heavy Forwarder, and Universal Forwarder to $SPLUNK_HOME/etc/apps/ directory.\n\n## Authors\n\n- [Jose Hernandez](https://github.com/d1vious/)\n- [Florian Roth](https://twitter.com/cyb3rops)\n\n## Contributor(s)\n\n- [Christian Cloutier](https://github.com/ccl0utier)",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fta-aurora",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fnextronsystems%2Fta-aurora",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fta-aurora/lists"
}