Taegis Endpoint Agent Technical Details
integrations endpoints edr taegis agent secureworks
Agent Overview ⫘
The Taegis™ XDR Endpoint Agent is an easy to deploy, simple to manage agent with multi-OS support for Windows, macOS and Linux. The new Taegis Endpoint Agent:
- Natively integrates and optimally operates with Secureworks® Taegis™ XDR to aide in the detection and response of real security threats.
- Is an always-connected agent, providing better visibility into online and agent health status.
- Provides enhanced telemetry collection by XDR with near-real-time alerting.
- Provides native support of Windows, macOS and Linux.
- Has an improved system impact with 50%+ less CPU overhead vs. Red Cloak™ Endpoint Agent.
- Provides easy-to-use performance policy tiers that offer a balance of visibility vs. performance for specific assets.
- Provides group-level control of the update process via Release Channels.
- Ensures endpoints are always running the latest agent version through auto updates.
- Allows host isolation for all platforms.
Tip
Additional Taegis Endpoint Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.
Network Connectivity Requirements ⫘
| Source | Destination | Protocol/Port | Reason |
|---|---|---|---|
| Taegis Endpoint Agent | https://reg.<ENV>.taegiscloud.com/ |
TCP/443 | Taegis Endpoint Agent Registration Service |
| Taegis Endpoint Agent | wss://sink.<ENV>.taegiscloud.com:8443/ |
TCP/8443 | Taegis Endpoint Agent Network Connectivity |
| Taegis Endpoint Agent | https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com | TCP/443 | Taegis Endpoint Agent Auto Updates |
| Taegis Endpoint Agent | https://file-receiver.<ENV>.taegiscloud.com:9443/ |
TCP/9443 | Taegis Endpoint Agent File Receiver |
| Taegis Endpoint Agent | https://file-receiver.<ENV>.s3.us-east-2.amazonaws.com:443 |
TCP/443 | Taegis Endpoint Agent File Receiver |
| Taegis Endpoint Agent for Linux | https://drivers.taegiscloud.com/* | TCP/443 | Required for Linux Agent to pull down correct drivers for kernel your system is running |
| Taegis Endpoint Agent for Windows | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs http://crl3.digicert.com/ http://crl4.digicert.com/ http://ocsp.digicert.com/ http://crl.rootca1.amazontrust.com/:80 |
TCP/80 | Required for CRL revocation checks performed by the OS on behalf of Windows Agent and other applications |
<ENV> varies depending on the region your tenant is in:
Cif your tenant is in US1: https://ctpx.secureworks.com/Dif your tenant is in US2: https://delta.taegis.secureworks.com/Eif your tenant is in EU: https://echo.taegis.secureworks.com/Fif your tenant is in US3: https://foxtrot.taegis.secureworks.com/
Note
The Taegis Endpoint Agent for Windows also requires connectivity to Google DNS 8.8.8.8 if you do not provide a DNS override during installation.
Note
Secureworks does not recommend the use of IP addresses or CIDR blocks to perform allow-listing of connections from the Taegis Endpoint Agent to the backend, as the addresses associated with the preceding domains have changed and may continue to change in the future.
Supported Operating Systems ⫘
| Windows | Linux | macOS |
|---|---|---|
| Windows 10 | CentOS 7, 8, 9 | Big Sur |
| Windows 11 | Amazon Linux 2, 2023 | Monterey |
| Windows Server (2016, 2019, 2022) | Ubuntu 18.04, 20.04, 22.04 | Ventura |
| Debian 11, 12 | Sonoma | |
| Oracle Linux Enterprise 8, 9 | ||
| RHEL 7, 8, 9 |
Note: Only 64-bit Windows versions are supported.
Note: ARM is not currently supported on Linux, but is on the roadmap for future support.
Note: The macOS agent supports all OS versions that still receive security updates. While Apple does not explicitly state which versions are no longer receiving updates, there are some websites like endoflife.date that provide that information.
For more information about support for new OS updates, see Taegis Endpoint Agent Support for New Major Updates to Operating Systems.
Telemetry Overview ⫘
| Telemetry | Platform |
|---|---|
| Auth | All |
| Process | All |
| Netflow | All |
| FileMod | All |
| Thread Injection | Windows |
| Powershell SBL | Windows |
| AMSI | Windows |
| Persistence Events | Windows |
| DNS | Windows |
Note
Only Auth telemetry is provided by the Linux agent when no driver is available; if the driver is available and loaded, Process, Netflow, and FileMod are provided as well.
Registration Keys ⫘
Registration keys are designed to provide secure and controlled access to the Taegis Endpoint Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.
Registration Key Expiration and Rotation ⫘
The registration key expiration date is displayed on the Group Configuration table and in group settings.
As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group configuration. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.
Update Scripts and Tools ⫘
If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.
For more information on viewing and managing registration keys, see Group Configuration.
Policy Tier Models ⫘
Currently, there are two policy tiers available. The policy you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:
-
Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT, or domain controllers that have risks related to the resource.
-
Workstation Tier — Recommended default policy setting for most devices or environments, such as workstations.
The following table provides an overview of the differences in telemetry gathered by each policy tier:
| Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
|---|---|---|
| Process | Process Creation Only | Process Creation and Termination |
| Thread Injection | Enabled | Enabled |
| ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
| Netflow | Connect * | Connect, Disconnect |
| Registry | Disabled | Modifications |
| File | Open for mod, del, ren * | Open for mod, del, ren |
* Netflow and File modification are disabled for Windows agent with Server tier policy.
Note
Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.
For more information on configuring Groups with an assigned policy tier, see Group Configuration.
Agent Release Channels ⫘
Taegis Endpoint Agent Release Channels control the update process of the agent at a group level. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Assign Taegis Endpoint Agent groups to the Stable, Preview, or Beta channel to auto-update endpoints in that group when agent versions promoted to the chosen channel are released.
Important
The default channel unless otherwise specified is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.
Taegis Endpoint Agent Release Cycle ⫘
The following release cycle model is followed for Taegis Endpoint Agent updates:
- Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
- Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
- Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.
Available Release Channels ⫘
The following list summarizes the currently supported channels and their expected usage:
-
Beta — Agents enrolled in this channel are first to receive new updates and features of pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.
-
Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of overall estate, in pre-production/validation environments only.
-
Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of overall estate and for production environments.
For example, choosing the Stable channel for a group stops updates to agents in that group from occurring until a new Stable build is released, while choosing the Beta channel for a group allows admins to test newer builds with the agents in that group in their environment before they are promoted to the next channel.
Important
At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis Endpoint Agent Downloads.
For more information on configuring Groups with an assigned release channel, see Group Configuration.
Automatic Updates ⫘
When there is a new agent release, any endpoint with an agent installed will be automatically updated upon its next connection to the registration server, which occurs under the following conditions:
- During initial registration, the agent connects to the registration server, checks if there is a newer version available, and updates if there is.
- After a force restart of the service.
- After a reboot of the endpoint.
- When an endpoint is reassigned to a different group policy.
- Upon selecting the Reconnect Agent action; see Endpoint Management Actions for more information.
Note
No system reboot is needed post upgrade.
Agent Staged Updates ⫘
Agents participate in staged rollouts based on the Release Channel that the endpoint agent's Configuration Group subscribes to. When a new version of the XDR Endpoint Agent is made available, it can be updated in stages that will be increased over time. A new version can be made available in stages from 1% to 50%, and once confident that the new version has not introduced any issues, a full agent rollout can be completed to 100% of endpoints subscribed to the Configuration Group.
Two agent Release Channels participate in staged rollouts:
- Production Stable
- Preview
Note
The Beta Agent Release Channel does not participate in staged rollouts. Any version change for the Beta channel will be made immediately available to endpoints that are subscribed to the Beta release channel via their Configuration Group.
Rollout Lifecycle ⫘
The lifecycle of a rollout is represented by the rollout status. There are four possible statuses: IN_PROGRESS, HALTED, COMPLETED, or CANCELLED:
- A release rollout is considered to be active if it is IN_PROGRESS or HALTED.
- A rollout is considered not active or finished if it is COMPLETED or CANCELLED.
Note
Rollout statuses are not displayed in the XDR user interface at this time.
In Progress Rollout ⫘
A rollout in IN_PROGRESS status means that agents are eligible to receive the version represented by that rollout, until the current threshold of the rollout is met. The percentage of agents that will be eligible to receive the rollout will increase as the agent version is verified to be free of issue.
Halted Rollout ⫘
If an issue is detected with the new agent version the rollout can be halted. A rollout with a status of HALTED means that agents will not receive the version represented by the rollout if they have not already upgraded. This action pauses agent upgrades while issues are investigated. A rollout that is halted can be continued so that agents can receive the new agent version if they have not already upgraded. A halted rollout may also move into a CANCELLED status if determined that the issue is serious and that no further agents should receive the version.
Cancelled Rollout ⫘
A rollout that is CANCELLED means that endpoints pending upgrade will no longer receive the new rollout version.
Important
Agents that have already been upgraded to the new version will not be downgraded, but agents in the available pool of agents that have not already updated will not receive the version represented by the rollout.
Completed Rollout ⫘
A rollout that is COMPLETED means that 100% of endpoints are eligible to receive that relevant version.
Note
Rollouts that are COMPLETED or CANCELLED are considered to be finished and cannot be made to be IN_PROGRESS again.
Countermeasures ⫘
Host Isolation - All Platforms ⫘
Isolating an endpoint from network communication (except to XDR) is performed to prevent lateral spreading of threats from infected host to healthy hosts. Once isolated hosts have the threat removed, they can be reintegrated and regain full network access.
The isolation state persists in a database and is pushed to the agent upon its connection to XDR, if not already connected. This ensures that disconnected agents or endpoints that are rebooted enter the desired state upon reconnection.
Important
Taegis Endpoint Agents behind a full VPN tunnel cannot be restored after being isolated, as they cannot reach the Taegis backend. We recommend using a split-tunneling VPN for Taegis Endpoint Agents. Note that this might also be applicable for other third-party EDR agents.
Note
When a Linux endpoint is isolated, DNS traffic from all processes is allowed.
For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.
Open Source and Third-Party Software ⫘
Windows ⫘
| Component | Reference |
|---|---|
| scope17 | https://github.com/PeterSommerlad/scope17 |
| udis86 | http://udis86.sourceforge.net/ |
| SQLite | http://sqlite.org/ |
| SQLite Encryption Extension (SEE) | https://www.sqlite.org/see/doc/release/www/readme.wiki |
| magic_enum | https://github.com/Neargye/magic_enum |
| Google Protocol Buffers | https://developers.google.com/protocol-buffers |
| LZ4 compression library | https://github.com/lz4/lz4 |
Linux ⫘
| Component | Reference |
|---|---|
| RapidJSON | https://rapidjson.org/ |
| Google Protocol Buffers | https://developers.google.com/protocol-buffers |
| Websocketpp | https://github.com/zaphoyd/websocketpp |
| Falco Libraries | https://falco.org/ |
| LZ4 compression library | https://github.com/lz4/lz4 |
| OpenSSL | https://www.openssl.org/ |
| spdlog | https://github.com/gabime/spdlog |
| zlib for crc32 | https://www.zlib.net/ |
macOS ⫘
| Component | Resource |
|---|---|
| RapidJSON | https://rapidjson.org/ |
| Google Protocol Buffers | https://developers.google.com/protocol-buffers |
| Google Flatbuffers | https://google.github.io/flatbuffers/ |
| LZ4 compression library | https://github.com/lz4/lz4 |
| zlib for CRC32 | https://www.zlib.net/ |
| fmt | https://github.com/fmtlib/fmt |