Behavioral Analysis
The behavioral analysis engine provides ML-driven risk scoring for endpoints with fully explainable risk factors. Where commercial EDR products typically surface only an opaque risk score, AuroraSOC lists every factor that contributed to the score, its weight, and the observable that triggered it, so an analyst can see exactly why an endpoint was flagged.
Risk Factors
Each risk factor includes:
- Name: Human-readable factor name (e.g., "Unusual Process Execution")
- Weight: Contribution of this factor to the overall risk score (0.0 - 1.0); each category constrains its factors to the range given in the table below
- Description: What triggered this factor
- Indicator: The specific observable that triggered the factor
Factor Categories
| Category | Examples | Weight Range |
|---|---|---|
| Process Anomalies | Unusual parent-child, rare binary, suspicious command line | 0.3 - 0.8 |
| Network Anomalies | Beaconing, C2 patterns, data exfiltration | 0.4 - 0.9 |
| File Anomalies | Suspicious file modifications, ransomware patterns | 0.3 - 0.7 |
| Persistence Anomalies | New scheduled tasks, registry modifications | 0.2 - 0.6 |
| Behavioral Patterns | Credential dumping, lateral movement | 0.5 - 0.9 |
Explainability
Every risk factor has a human-readable explanation:
```text
Risk Score: 78/100 (High)
Contributing Factors:
1. Unusual Process Execution (weight: 0.8)
   Description: powershell.exe spawned from svchost.exe, which is unusual
   Indicator: ppid=1234, cmdline="powershell -enc <base64>"
2. Suspicious Network Connection (weight: 0.6)
   Description: Outbound connection to known C2 IP
   Indicator: remote_addr=185.220.101.1:443
3. New Persistence Mechanism (weight: 0.4)
   Description: New scheduled task created via schtasks.exe
   Indicator: path="C:\Windows\System32\Tasks\UpdateService"
```
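The factor structure, the per-category weight ranges and the explanation layout above, as an added example that is not AuroraSOC's own code: a Python model of a risk factor and a verdict, with three hypothetical detection rules run over constructed endpoint telemetry. The event schema, the rules, the C2 blocklist entry, the noisy-OR score combination and the High/Medium/Low bands are assumptions; the page states neither the aggregation formula nor the band thresholds.

```python
"""Added example, not AuroraSOC code. Hypothetical: event schema, detection
rules, C2 blocklist, noisy-OR score combination and Low/Medium/High bands."""
from dataclasses import dataclass, field

# Weight ranges from the Factor Categories table on this page.
CATEGORY_RANGES = {
    "process": (0.3, 0.8), "network": (0.4, 0.9), "file": (0.3, 0.7),
    "persistence": (0.2, 0.6), "behavioral": (0.5, 0.9),
}

def weight_is_valid(category: str, weight: float) -> bool:
    """True if the weight lies inside the category's allowed range."""
    lo, hi = CATEGORY_RANGES[category]
    return lo <= weight <= hi

@dataclass
class RiskFactor:
    name: str          # human-readable factor name
    category: str      # key into CATEGORY_RANGES
    weight: float      # contribution to overall risk, 0.0 - 1.0
    description: str   # what triggered this factor
    indicator: str     # the specific observable that triggered it

    def __post_init__(self) -> None:
        # Reject a rule that tries to assign a weight outside its category's range.
        if not weight_is_valid(self.category, self.weight):
            raise ValueError(f"{self.name}: weight {self.weight} outside "
                             f"{self.category} range {CATEGORY_RANGES[self.category]}")

@dataclass
class BehavioralVerdict:
    sensor_id: str
    factors: list = field(default_factory=list)

    @property
    def score(self) -> int:
        # ASSUMPTION: factors combine noisy-OR style (1 - prod(1 - w)); the page
        # only says the result is a 0-100 score, not how weights are aggregated.
        p_clean = 1.0
        for f in self.factors:
            p_clean *= 1.0 - f.weight
        return round(100 * (1.0 - p_clean))

    @property
    def level(self) -> str:
        s = self.score  # ASSUMPTION: band boundaries are not given on the page
        return "High" if s >= 75 else "Medium" if s >= 40 else "Low"

    def explain(self) -> str:
        """Render the verdict in the layout shown under Explainability."""
        lines = [f"Risk Score: {self.score}/100 ({self.level})", "Contributing Factors:"]
        for i, f in enumerate(self.factors, 1):
            lines += [f"{i}. {f.name} (weight: {f.weight})",
                      f"   Description: {f.description}",
                      f"   Indicator: {f.indicator}"]
        return "\n".join(lines)

# Hypothetical detection rules. Each records the observable that fired as the
# factor's indicator, which is what makes the verdict explainable.
UNUSUAL_PARENTS = {("svchost.exe", "powershell.exe"), ("winword.exe", "cmd.exe")}
C2_BLOCKLIST = {"185.220.101.1"}  # constructed entry reusing the page's sample IP

def analyze(sensor_id: str, events: list) -> BehavioralVerdict:
    v = BehavioralVerdict(sensor_id)
    for ev in events:
        if ev["type"] == "process" and \
                (ev["parent"].lower(), ev["image"].lower()) in UNUSUAL_PARENTS:
            v.factors.append(RiskFactor(
                "Unusual Process Execution", "process", 0.8,
                f'{ev["image"]} spawned from {ev["parent"]}, which is unusual',
                f'ppid={ev["ppid"]}, cmdline="{ev["cmdline"]}"'))
        elif ev["type"] == "network" and \
                ev["remote_addr"].rsplit(":", 1)[0] in C2_BLOCKLIST:
            v.factors.append(RiskFactor(
                "Suspicious Network Connection", "network", 0.6,
                "Outbound connection to known C2 IP", f'remote_addr={ev["remote_addr"]}'))
        elif ev["type"] == "task_created" and ev["creator"].lower() == "schtasks.exe":
            v.factors.append(RiskFactor(
                "New Persistence Mechanism", "persistence", 0.4,
                "New scheduled task created via schtasks.exe", f'path="{ev["path"]}"'))
    return v

# Constructed telemetry: two benign events that must not fire, three that do.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "explorer.exe", "image": "notepad.exe",
     "ppid": 4321, "cmdline": "notepad.exe notes.txt"},
    {"type": "process", "parent": "svchost.exe", "image": "powershell.exe",
     "ppid": 1234, "cmdline": "powershell -enc SQBFAFgA"},
    {"type": "network", "remote_addr": "10.0.0.5:443"},
    {"type": "network", "remote_addr": "185.220.101.1:443"},
    {"type": "task_created", "creator": "schtasks.exe",
     "path": r"C:\Windows\System32\Tasks\UpdateService"},
]

if __name__ == "__main__":
    print(analyze("sensor-01", SAMPLE_EVENTS).explain())
```

Running the module prints the verdict in the Explainability layout, with the benign process and the internal connection contributing nothing. The range check in `RiskFactor` rejects a factor whose weight falls outside its category's range from the table above, so a misconfigured rule cannot silently inflate a score; the explanation then carries the exact indicator (`ppid`, `remote_addr`, task `path`) an analyst needs to pivot into an investigation.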
Comparison
| Feature | CrowdStrike | SentinelOne | AuroraSOC |
|---|---|---|---|
| Risk scoring | ✅ | ✅ | ✅ |
| Explainable factors | ❌ Black box | ❌ Opaque | ✅ Full explanation |
| Factor weights | ❌ | ❌ | ✅ |
| Click to investigate | ❌ | ❌ | ✅ Agent dispatch |
| Air-gapped | ❌ | ❌ | ✅ |
API
```text
GET /api/v1/edr/investigation/{sensor_id}/behavioral
```
Returns a BehavioralVerdict with the risk score, the list of contributing factors (name, weight, description, indicator), and the rendered explanation.