Taegis NGAV Agent
Secureworks® Taegis™ NGAV is an optional add-on to Secureworks® Taegis™ XDR and Secureworks® Taegis™ ManagedXDR that adds advanced endpoint prevention to the detection, investigation, and response capabilities of XDR and ManagedXDR. The Taegis NGAV agent looks for zero-day and prevalent malware attacks from malicious applications trying to execute on the endpoint. Weaponized script, document, and macro attacks are detected by analyzing both file-based and fileless scripts as well as documents and embedded macros before they can run on the system.
Regions
This feature is not supported in the EU region and not available in APJ.
Advantages of Taegis NGAV's AI Protection
- Low resource usage: all machine learning runs locally on the endpoint
- Does not require signature updates to offer protection
- AI models are designed for specific use cases
- Performs with high efficacy
Note
This add-on license provides you access to the Taegis NGAV Management Console in addition to XDR. You must download and deploy the Taegis NGAV endpoint agent after your Red Cloak™ Endpoint Agent is deployed. Currently this is a dual agent deployment, but you only need the NGAV Management Console during setup.
Onboarding with XDR and Taegis NGAV
If you are implementing Taegis NGAV, you will receive two provisioning emails with login instructions for XDR and Taegis NGAV. If you already have XDR and add Taegis NGAV, you will just receive an email for Taegis NGAV.
Setting up the Taegis NGAV Agent
After completing the setup of XDR and deployment of the endpoint agent, log in to the Taegis NGAV Management Console from the link provided in the provisioning email.
Note
For more details on the Taegis NGAV Enterprise product, its installation, use, and management, please see the Taegis NGAV Enterprise Administration Guide.
Taegis NGAV Management Console Features
From the Taegis NGAV Management Console you can perform actions like adding necessary users, configuring the security policies, and downloading/deploying the Taegis NGAV agent.
System Requirements
Supported Operating Systems
Taegis NGAV supports all of the operating systems supported by the Red Cloak Endpoint Agent. For more information, see Red Cloak Endpoint Agent Supported Operating Systems and System Requirements.
Notes
- Taegis NGAV does NOT support non-persistent VDI environments or Remote Desktop environments.
- Taegis NGAV deployments are NOT supported in network proxy environments.
Connectivity Requirements
Source | Destination | Port/Protocol
---|---|---
Red Cloak Agent Host | https://ngav.taegis.secureworks.com/ | TCP/443
Red Cloak Agent Host | https://listener.logz.io | TCP/8071
Red Cloak Agent Host | https://storage.googleapis.com | TCP/443
For information on the Red Cloak Endpoint Agent, see FAQ: Red Cloak Endpoint Agent.
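Because proxy environments are not supported, each agent host needs a direct TCP path to the three destinations in the table above. The following pre-deployment check is an added example, not a Secureworks tool: it derives host and port from each table row (the port comes from the Port/Protocol column, not from the URL scheme, which is what makes the logz.io row 8071 rather than 443) and reports which destinations the host can actually reach.

```python
"""Pre-deployment connectivity check for the Taegis NGAV agent (added example)."""
import socket
from urllib.parse import urlparse

# Rows copied from the Connectivity Requirements table on this page.
REQUIRED_DESTINATIONS = [
    ("https://ngav.taegis.secureworks.com/", "TCP/443"),
    ("https://listener.logz.io", "TCP/8071"),
    ("https://storage.googleapis.com", "TCP/443"),
]


def parse_destination(url, port_protocol):
    """Return (hostname, port) for one table row.

    The port is taken from the Port/Protocol column; a row that is not
    TCP with a numeric port is rejected rather than silently defaulted.
    """
    proto, _, port = port_protocol.partition("/")
    if proto.upper() != "TCP" or not port.isdigit():
        raise ValueError(f"unsupported Port/Protocol value: {port_protocol!r}")
    host = urlparse(url).hostname
    if not host:
        raise ValueError(f"no hostname in destination {url!r}")
    return host, int(port)


def check_tcp(host, port, timeout=5.0):
    """Attempt a plain TCP connect (no proxy); return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"DNS resolution failed: {exc}"
    except OSError as exc:  # includes socket.timeout and connection refused
        return False, f"connect failed: {exc}"


def run_checks(destinations=REQUIRED_DESTINATIONS, timeout=5.0, connect=check_tcp):
    """Check every destination; return a list of (host, port, ok, detail)."""
    results = []
    for url, port_protocol in destinations:
        host, port = parse_destination(url, port_protocol)
        ok, detail = connect(host, port, timeout)
        results.append((host, port, ok, detail))
    return results


if __name__ == "__main__":
    for host, port, ok, detail in run_checks():
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} - {detail}")
```

Run it on the agent host itself, since an egress firewall or DNS difference on the deployment host is exactly what this is meant to surface.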
Note
Your Taegis NGAV agent data automatically appears in XDR. All alerts and event data from Taegis NGAV are forwarded to XDR, and then filtered and correlated in real-time for various security event observations. Daily usage of the Taegis NGAV Management Console is not needed after the initial setup is completed.
Third-Party Antivirus Exclusions
Due to potential performance impacts and conflicts, recursively allow the following folders/directories in the Allow list of your third-party antivirus:
Windows Clients (32-bit and 64-bit)
- C:\Program Files (x86)\SecureWorks\Taegis NGAV*
- C:\ProgramData\SecureWorks\Taegis_NGAV\system*
Linux Clients
- /usr/bin/secureworks/taegis-ngav
- /etc/secureworks/taegis-ngav
- /var/log/secureworks/taegis-ngav
Taegis NGAV Alerts on XDR
Advanced Search using the Query Language
(Screenshot: NGAV Advanced Search)
Example Query Language Searches
To search for antivirus events from the last 24 hours:
```
FROM antivirus WHERE sensor_type='TaegisNGAV' EARLIEST=-24h
```
To search for antivirus events from the last 4 days:
```
FROM antivirus WHERE sensor_type='TaegisNGAV' EARLIEST=-4d
```
To search for antivirus events from a specific host:
```
FROM antivirus WHERE sensor_type='TaegisNGAV' AND event_metadata.record.key='DeviceName' AND event_metadata.record.value='Server01'
```
To search for antivirus Trojan events:
```
FROM antivirus WHERE sensor_type='TaegisNGAV' AND threat_category='trojan'
```
To search for antivirus quarantined events:
```
FROM antivirus WHERE sensor_type='TaegisNGAV' AND action_taken='quarantined'
```
To search for antivirus critical alerts:
```
FROM alert WHERE sensor_types='TaegisNGAV' AND severity=0.8
```
Event Details
(Screenshot: NGAV Event Details)
Data Normalized by XDR
(Screenshot: NGAV Normalized Data)
Alert Details
(Screenshot: NGAV Alert Details)