☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Taegis NGAV Agent

Secureworks® Taegis™ NGAV is an optional add-on to Secureworks® Taegis™ XDR and Secureworks® Taegis™ ManagedXDR that adds advanced endpoint prevention to the detection, investigation, and response capabilities of XDR and ManagedXDR. The Taegis NGAV agent looks for zero-day and prevalent malware attacks from malicious applications trying to execute on the endpoint. Weaponized script, document, and macro attacks are detected by analyzing both file-based and fileless scripts as well as documents and embedded macros before they can run on the system.

Regions

This feature is not supported in the EU region and not available in APJ.

Advantages of Taegis NGAV's AI Protection ⫘

Low resource usage: all machine learning runs locally on the endpoint
Does not require signature updates to offer protection
AI models are designed for specific use cases
Performs with high efficacy

Note

This add-on license provides you access to the Taegis NGAV Management Console in addition to XDR. You must download and deploy the Taegis NGAV endpoint agent after your Red Cloak™ Endpoint Agent is deployed. Currently this is a dual agent deployment, but you only need the NGAV Management Console during setup.

Onboarding with XDR and Taegis NGAV ⫘

If you are implementing Taegis NGAV, you will receive two provisioning emails with login instructions for XDR and Taegis NGAV. If you already have XDR and add Taegis NGAV, you will just receive an email for Taegis NGAV.

Setting up the Taegis NGAV Agent ⫘

After completing the setup of XDR and deployment of the endpoint agent, log in to the Taegis NGAV Management Console from the link provided in the provisioning email.

Note

For more details on the Taegis NGAV Enterprise product, its installation, use, and management, please see the Taegis NGAV Enterprise Administration Guide .

Taegis NGAV Management Console Features ⫘

From the Taegis NGAV Management Console you can perform actions like adding necessary users, configuring the security policies, and downloading/deploying the Taegis NGAV agent.

System Requirements ⫘

Supported Operating Systems ⫘

Taegis NGAV supports all of the operating systems supported by the Red Cloak Endpoint Agent. For more information, see Red Cloak Endpoint Agent Supported Operating Systems and System Requirements.

Notes

Taegis NGAV does NOT support non-persistent VDI environments or Remote Desktop environments.
Taegis NGAV deployments are NOT supported in network proxy environments.

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
Red Cloak Agent Host	https://ngav.taegis.secureworks.com/	TCP/443
Red Cloak Agent Host	https://listener.logz.io	TCP/8071
Red Cloak Agent Host	https://storage.googleapis.com	TCP/443

For information on the Red Cloak Endpoint Agent, see FAQ: Red Cloak Endpoint Agent.

Note

Your Taegis NGAV agent data automatically appears in XDR. All alerts and event data from Taegis NGAV are forwarded to XDR, and then filtered and correlated in real-time for various security event observations. Daily usage of the Taegis NGAV Management Console is not needed after the initial setup is completed.

Third-Party Antivirus Exclusions ⫘

Due to potential performance impacts and conflicts, recursively allow the following folders/directories in the Allow list of your third-party antivirus:

Windows Clients (32-bit and 64-bit) ⫘

C:\Program Files (x86)\SecureWorks\Taegis NGAV*
C:\ProgramData\SecureWorks\Taegis_NGAV\system*

Linux Clients ⫘

/usr/bin/secureworks/taegis-ngav
/etc/secureworks/taegis-ngav
/var/log/secureworks/taegis-ngav

Taegis NGAV Alerts on XDR ⫘

Advanced Search using the Query Language ⫘

NGAV Advanced Search

Example Query Language Searches ⫘

To search for antivirus events from the last 24 hours:

FROM antivirus where sensor_type='TaegisNGAV' EARLIEST =-24h

To search for antivirus events from the last 4 days:

FROM antivirus where sensor_type='TaegisNGAV' EARLIEST=-4d

To search for antivirus events from a specific host:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND event_metadata.record.key='DeviceName' AND event_metadata.record.value='Server01'

To search for antivirus Trojan events:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND threat_category='trojan'

To search for antivirus quarantined events:

FROM antivirus WHERE sensor_type='TaegisNGAV' AND action_taken='quarantined'

To search for antivirus critical alerts:

FROM alert WHERE sensor_types='TaegisNGAV' AND severity=0.8

Event Details ⫘

NGAV Event Details

Data Normalized by XDR ⫘

NGAV Normalized Data

Alert Details ⫘

NGAV Alert Details

Advantages of Taegis NGAV's AI Protection
Onboarding with XDR and Taegis NGAV
Setting up the Taegis NGAV Agent
Taegis NGAV Management Console Features
System Requirements
Supported Operating Systems
Connectivity Requirements
Third-Party Antivirus Exclusions
Windows Clients (32-bit and 64-bit)
Linux Clients
Taegis NGAV Alerts on XDR
Advanced Search using the Query Language
Event Details
Data Normalized by XDR
Alert Details

Taegis NGAV Agent

Advantages of Taegis NGAV's AI Protection ⫘

Onboarding with XDR and Taegis NGAV ⫘

Setting up the Taegis NGAV Agent ⫘

Taegis NGAV Management Console Features ⫘

System Requirements ⫘

Supported Operating Systems ⫘

Connectivity Requirements ⫘

Third-Party Antivirus Exclusions ⫘

Windows Clients (32-bit and 64-bit) ⫘

Linux Clients ⫘

Taegis NGAV Alerts on XDR ⫘

Advanced Search using the Query Language ⫘

Example Query Language Searches ⫘

Event Details ⫘

Data Normalized by XDR ⫘

Alert Details ⫘

On this page: