Taegis™ NGAV Agent

Taegis™ NGAV is an optional add-on to Taegis™ XDR and ManagedXDR that adds advanced endpoint prevention to the detection, investigation, and response capabilities of Taegis™ XDR and ManagedXDR. The Taegis™ NGAV agent looks for zero-day and prevalent malware attacks from malicious applications trying to execute on the endpoint. Weaponized script, document, and macro attacks are detected by analyzing both file-based and fileless scripts as well as documents and embedded macros before they can run on the system.


This feature is not supported in the EU region and not available in APJ.

Advantages of Taegis™ NGAV’s AI Protection


This add-on license provides you access to the Taegis™ NGAV Management Console in addition to Taegis™ XDR. You must download and deploy the Taegis™ NGAV endpoint agent after your Red Cloak™ Endpoint Agent is deployed. Currently this is a dual agent deployment, but you only need the NGAV Management Console during setup.

Onboarding with Taegis™ XDR and Taegis™ NGAV

If you are implementing Taegis™ NGAV, you will receive two provisioning emails with login instructions for Taegis™ XDR and Taegis™ NGAV. If you already have Taegis™ XDR and add Taegis™ NGAV, you will just receive an email for Taegis™ NGAV.

Setting up the Taegis™ NGAV Agent

After completing the setup of Taegis™ XDR and deployment of the endpoint agent, log in to the Taegis™ NGAV Management Console from the link provided in the provisioning email.


For more details on the Taegis NGAV Enterprise product, its installation, use, and management, please see the Taegis NGAV Enterprise Administration Guide.

Taegis™ NGAV Management Console Features

From the Taegis™ NGAV Management Console you can perform actions like adding necessary users, configuring the security policies, and downloading/deploying the Taegis™ NGAV agent.

System Requirements

Supported Operating Systems

Taegis™ NGAV supports all of the operating systems supported by the Red Cloak™ Endpoint Agent. For more information, see Red Cloak™ Endpoint Agent Supported Operating Systems and System Requirements.


  • Taegis NGAV does NOT support non-persistent VDI environments or Remote Desktop environments.
  • Taegis NGAV deployments are NOT supported in network proxy environments.

Connectivity Requirements

Source                | Destination                          | Port/Protocol
Red Cloak Agent Host  | https://ngav.taegis.secureworks.com/ | TCP/443
Red Cloak Agent Host  | https://listener.logz.io             | TCP/8071
Red Cloak Agent Host  | https://storage.googleapis.com       | TCP/443

For information on the Red Cloak™ Endpoint Agent, see FAQ: Red Cloak™ Endpoint Agent.
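
A pre-deployment check of the three destinations in the Connectivity Requirements table and of the proxy restriction listed under Supported Operating Systems, as an added example that is not part of the Secureworks documentation. The function names and the set of proxy environment variables inspected are assumptions made here; the check covers direct TCP reachability only.

```python
import os
import socket
import sys

# Hosts and ports copied from the Connectivity Requirements table above.
REQUIRED = [
    ("ngav.taegis.secureworks.com", 443),
    ("listener.logz.io", 8071),
    ("storage.googleapis.com", 443),
]
# Assumption: these common variable names are what indicates a proxy on this host.
PROXY_VARS = {"http_proxy", "https_proxy", "all_proxy"}


def proxy_settings(env=None):
    """Return proxy environment variables that are set, matched case-insensitively."""
    env = os.environ if env is None else env
    return {k: v for k, v in env.items() if k.lower() in PROXY_VARS and v}


def check_tcp(host, port, timeout=5.0):
    """Try a direct TCP connection; return (ok, detail). Proves reachability only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"DNS lookup failed: {exc}"
    except socket.timeout:
        return False, f"no response within {timeout}s; check firewall rules"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def run_checks(targets=REQUIRED, timeout=5.0):
    """Check every (host, port) pair and return [(host, port, ok, detail), ...]."""
    return [(h, p, *check_tcp(h, p, timeout)) for h, p in targets]


def main():
    proxies = proxy_settings()
    for name in proxies:  # print the name only; the value may embed credentials
        print(f"WARN  {name} is set; proxy environments are not supported")
    results = run_checks()
    for host, port, ok, detail in results:
        print(f"{'OK  ' if ok else 'FAIL'}  {host}:{port}/tcp  {detail}")
    return 0 if all(r[2] for r in results) and not proxies else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the agent host before installing; a non-zero exit code means at least one destination was unreachable or a proxy variable was found. A proxy configured only at the operating-system level (for example in Windows system proxy settings) is not visible through environment variables and has to be checked separately.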


Your Taegis™ NGAV agent data automatically appears in Taegis™ XDR. All alerts and event data from Taegis™ NGAV are forwarded to Secureworks® Taegis™ XDR, and then filtered and correlated in real time for various security event observations. Daily usage of the Taegis™ NGAV Management Console is not needed after the initial setup is completed.

Third-Party Antivirus Exclusions

Due to potential performance impacts and conflicts, recursively allow the following folders/directories in the Allow list of your third-party antivirus:

Windows Clients (32-bit and 64-bit)

Linux Clients

Taegis™ NGAV Alerts on Taegis™ XDR

Advanced Search using the Query Language

NGAV Advanced Search

Example Query Language Searches

To search for antivirus events from the last 24 hours:

FROM antivirus WHERE sensor_type='TaegisNGAV' EARLIEST=-24h

To search for antivirus events from the last 4 days:

FROM antivirus WHERE sensor_type='TaegisNGAV' EARLIEST=-4d

To search for antivirus events from a specific host:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND event_metadata.record.key='DeviceName' AND event_metadata.record.value='Server01'

To search for antivirus Trojan events:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND threat_category='trojan'

To search for antivirus quarantined events:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND action_taken='quarantined'

To search for antivirus critical alerts:

FROM alert WHERE sensor_types='TaegisNGAV' AND severity=0.8

Event Details

NGAV Event Details

Data Normalized by Taegis™ XDR

NGAV Normalized Data

Alert Details

NGAV Alert Details
