Taegis Endpoint Agent Technical Details
Agent Overview
The Taegis™ XDR Endpoint Agent is an easy to deploy, simple to manage agent with multi-OS support for Windows, macOS and Linux. The new Taegis Endpoint Agent:
- Natively integrates and optimally operates with Secureworks® Taegis™ XDR to aid in the detection of and response to real security threats.
- Is an always-connected agent, providing better visibility into online and agent health status.
- Provides enhanced telemetry collection by XDR with near-real-time alerting.
- Provides native support of Windows, macOS and Linux.
- Has an improved system impact with 50%+ less CPU overhead vs. Red Cloak™ Endpoint Agent.
- Provides easy-to-use performance policy tiers that offer a balance of visibility vs. performance for specific assets.
- Provides group-level control of the update process via Release Channels.
- Ensures endpoints are always running the latest agent version through auto updates.
- Allows host isolation for all platforms.
Tip
Additional Taegis Endpoint Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.
Network Connectivity Requirements
Source | Destination | Protocol/Port | Reason |
---|---|---|---|
Taegis Endpoint Agent | https://reg.<ENV>.taegiscloud.com/ | TCP/443 | Taegis Endpoint Agent Registration Service |
Taegis Endpoint Agent | wss://telemetry.<ENV>.taegiscloud.com/ | TCP/443 | Taegis Endpoint Agent Network Connectivity - Primary * |
Taegis Endpoint Agent | wss://sink.<ENV>.taegiscloud.com/ | TCP/8443 | Taegis Endpoint Agent Network Connectivity - Standby |
Taegis Endpoint Agent | https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com/ | TCP/443 | Taegis Endpoint Agent Auto Updates |
Taegis Endpoint Agent | https://file-receiver.<ENV>.taegiscloud.com/ | TCP/9443 | Taegis Endpoint Agent File Receiver |
Taegis Endpoint Agent | https://file-receiver-<ENV>.s3.us-east-2.amazonaws.com/ | TCP/443 | Taegis Endpoint Agent File Receiver |
Taegis Endpoint Agent for Linux | https://drivers.taegiscloud.com/* | TCP/443 | Required for the Linux Agent to pull down the correct drivers for the kernel your system is running |
Taegis Endpoint Agent for Windows | http://www.microsoft.com/pkiops/crl/, http://www.microsoft.com/pkiops/certs, http://crl.microsoft.com/pki/crl/products, http://www.microsoft.com/pki/certs, http://crl3.digicert.com/, http://crl4.digicert.com/, http://ocsp.digicert.com/, http://crl.rootca1.amazontrust.com/ | TCP/80 | Required for CRL revocation checks performed by the OS on behalf of the Windows Agent and other applications |
* Only applies to Windows Agents 2.0.10 and later. See the Changelog for more information.
<ENV> varies depending on the region your tenant is in:
- C if your tenant is in US1 (https://ctpx.secureworks.com/)
- D if your tenant is in US2 (https://delta.taegis.secureworks.com/)
- E if your tenant is in EU (https://echo.taegis.secureworks.com/)
- F if your tenant is in US3 (https://foxtrot.taegis.secureworks.com/)
Note
The Taegis Endpoint Agent for Windows also requires connectivity to Google DNS 8.8.8.8 if you do not provide a DNS override during installation.
Note
Secureworks does not recommend the use of IP addresses or CIDR blocks to perform allow-listing of connections from the Taegis Endpoint Agent to the backend, as the addresses associated with the preceding domains have changed and may continue to change in the future.
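The following script is an added example, not a Secureworks tool: it builds the destination list from the table above for a given <ENV> letter (c, d, e or f, as documented for each region) and verifies outbound reachability from an endpoint before the agent is deployed. It assumes curl is on PATH; the function names are this example's own.

```shell
# Added example (not Secureworks code): pre-deployment egress check for the
# Taegis Endpoint Agent destinations listed on this page. Assumes curl exists.

taegis_env_for_region() {            # tenant region -> <ENV> letter
    case "$1" in
        US1) echo c ;;   # ctpx.secureworks.com
        US2) echo d ;;   # delta.taegis.secureworks.com
        EU)  echo e ;;   # echo.taegis.secureworks.com
        US3) echo f ;;   # foxtrot.taegis.secureworks.com
        *)   echo "unknown region: $1" >&2; return 1 ;;
    esac
}

# Emit "host port purpose" lines from the Network Connectivity table. The second
# argument (linux|windows|all, default all) selects the per-OS rows.
taegis_destinations() {
    env_letter="$1"; os="${2:-all}"
    printf '%s\n' \
        "reg.${env_letter}.taegiscloud.com 443 registration" \
        "telemetry.${env_letter}.taegiscloud.com 443 telemetry-primary" \
        "sink.${env_letter}.taegiscloud.com 8443 telemetry-standby" \
        "taegis-agent-prod-builds.s3.us-east-2.amazonaws.com 443 auto-updates" \
        "file-receiver.${env_letter}.taegiscloud.com 9443 file-receiver" \
        "file-receiver-${env_letter}.s3.us-east-2.amazonaws.com 443 file-receiver-s3"
    case "$os" in linux|all) printf '%s\n' "drivers.taegiscloud.com 443 linux-drivers" ;; esac
    case "$os" in windows|all) printf '%s\n' \
        "www.microsoft.com 80 crl" "crl.microsoft.com 80 crl" \
        "crl3.digicert.com 80 crl" "crl4.digicert.com 80 crl" \
        "ocsp.digicert.com 80 ocsp" "crl.rootca1.amazontrust.com 80 crl" ;; esac
}

# Connect to each destination (TCP, plus TLS handshake on the HTTPS ports) without
# sending agent traffic; a TLS failure (e.g. an intercepting proxy) is a FAIL too.
taegis_egress_check() {
    failures=0
    for spec in $(taegis_destinations "$1" "$2" | tr ' ' ','); do
        host=${spec%%,*}; rest=${spec#*,}; port=${rest%%,*}; purpose=${rest#*,}
        scheme=https; [ "$port" = 80 ] && scheme=http
        if curl -s -o /dev/null --connect-timeout 5 --max-time 10 \
                "${scheme}://${host}:${port}/"; then
            echo "OK   ${host}:${port} (${purpose})"
        else
            rc=$?; echo "FAIL ${host}:${port} (${purpose}) curl exit ${rc}"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]   # non-zero exit if any destination was unreachable
}
```

Run it as `taegis_egress_check "$(taegis_env_for_region US2)" linux` on a representative host in each network segment; a FAIL on the standby or file-receiver ports is the most common finding, since they are not the usual 443.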
Supported Operating Systems
Windows | Linux | macOS |
---|---|---|
Windows 10 | CentOS 8-stream, 9-stream | Sequoia |
Windows 11 | Amazon Linux 2, 2023 | Sonoma |
Windows Server (2016, 2019, 2022) | Ubuntu 18.04, 20.04, 22.04, 24.04 | Ventura |
| Debian 11, 12 | Monterey |
| Oracle Linux Enterprise 8, 9 | |
| RHEL 7, 8, 9 | |
| SUSE Linux Enterprise Server 12sp5, 15sp3, 15sp4, 15sp5 | |
| Rocky 9 versions that support eBPF | |
| Alma 9 versions that support eBPF | |
Note: Only 64-bit Windows versions are supported.
Note: The macOS agent supports all OS versions that still receive security updates. While Apple does not explicitly state which versions are no longer receiving updates, there are some websites like endoflife.date that provide that information.
Note: CentOS 7 is no longer in long-term support (LTS). For more information, see Red Hat Enterprise Linux Life Cycle.
For more information about support for new OS updates, see Taegis Endpoint Agent Support for New Major Updates to Operating Systems.
Telemetry Overview
Telemetry | Platform |
---|---|
Auth | All |
Process | All |
Netflow | All |
FileMod | All |
Thread Injection | Windows |
Powershell SBL | Windows |
AMSI | Windows |
DNS | Windows |
RPC | Windows |
Registry | Windows |
Note
Only Auth telemetry is provided by the Linux agent when no driver is available; if the driver is available and loaded, Process, Netflow, and FileMod are provided as well.
Registration Keys
Registration keys are designed to provide secure and controlled access to the Taegis Endpoint Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.
Registration Key Expiration and Rotation
The registration key expiration date is displayed on the Agent Groups table and in group settings.
As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group settings. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.
Update Scripts and Tools
If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.
For more information on viewing and managing registration keys, see Agent Groups.
Telemetry Tiers
Currently, there are two telemetry tiers available. The telemetry tier you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:
- Workstation Tier — Recommended default setting for most devices or environments. If system performance is severely impacted with this tier, try reassigning to Server Tier.
- Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT devices, or domain controllers where resource usage is a risk. Note that because less telemetry is gathered from endpoints at this tier, as documented in the following table, detections and investigations may also be reduced.
The following table provides an overview of the differences in telemetry gathered by each telemetry tier:
Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
---|---|---|
Process | Process Creation Only | Process Creation and Termination |
Thread Injection | Enabled | Enabled |
ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
Netflow | Connect * | Connect, Disconnect |
Registry | Disabled | Modifications |
File | Open for mod, del, ren * | Open for mod, del, ren |
* Netflow and File modification are disabled for the Windows agent with the Server tier.
Note
Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.
For more information on configuring group policies with an assigned telemetry tier, see Agent Group Policies.
Agent Release Channels
Taegis Endpoint Agent Release Channels control the update process of the agent. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Configure group policies with the Stable, Preview, or Beta channel to auto-update endpoints when agent versions promoted to the chosen channel are released.
Important
The default channel, unless otherwise specified, is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the policy assigned to the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.
Taegis Endpoint Agent Release Cycle
The following release cycle model is followed for Taegis Endpoint Agent updates:
- Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
- Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
- Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.
Available Release Channels
The following list summarizes the currently supported channels and their expected usage:
- Beta — Agents enrolled in this channel are first to receive new updates and features of pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.
- Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of overall estate, in pre-production/validation environments only.
- Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of overall estate and for production environments.
For example, choosing the Stable channel for a group policy stops updates to agents in groups with that policy from occurring until a new Stable build is released, while choosing the Beta channel for a group policy allows admins to test newer builds with the agents in groups with that policy before they are promoted to the next channel.
For more information on configuring group policies with an assigned release channel, see Agent Group Policies.
Automatic Updates
When there is a new agent release, Production Stable and Preview agents are automatically updated over the course of the staged rollout, which may take up to two weeks. Beta agents do not participate in a staged rollout. Agents update upon a connection to the registration server, which occurs under the following conditions:
- During initial registration, the agent connects to the registration server, checks if there is a newer version available, and updates if there is.
- After a force restart of the service.
- After a reboot of the endpoint.
- When an endpoint is reassigned to a different group.
- Upon selecting the Reconnect Agent action; see Endpoint Management Actions for more information.
Tip
Configure a group policy maintenance window to limit when auto updates for the agents assigned to a group with that policy could occur. For more information, see Agent Group Policies.
Note
No system reboot is needed post upgrade.
Agent Staged Updates
Agent releases occur in staged rollouts based on the Release Channel that the endpoint agent's Configuration Group subscribes to. When a new version of the agent is available, Secureworks can roll out the update in stages that increase over time, up to approximately two weeks. This way a new version can be made available incrementally to subsets of eligible endpoints. Once confident that the new version has not introduced any issues, Secureworks can complete the full agent rollout to 100% of endpoints subscribed to the Configuration Group.
Two agent Release Channels participate in staged rollouts:
- Production Stable
- Preview
Note
The Beta Agent Release Channel does not participate in staged rollouts. Any version change for the Beta channel will be made immediately available to endpoints that are subscribed to the Beta release channel via their Group Policy.
Rollout Lifecycle
Important
Rollout statuses are not displayed in the XDR user interface and there are no controls available to customers for rollouts. This is controlled internally by Secureworks.
The lifecycle of a rollout is represented by one of the following four possible statuses: IN_PROGRESS, HALTED, COMPLETED, or CANCELLED:
- A release rollout is considered to be active if it is IN_PROGRESS or HALTED.
- A rollout is considered not active or finished if it is COMPLETED or CANCELLED.
In-Progress Rollout
An IN_PROGRESS rollout means that agents are eligible to receive the version represented by that rollout, until the current threshold of the rollout is met. The percentage of agents eligible to receive the rollout is increased by Secureworks as the agent version is verified to be free of issues. The initiation of a rollout for new agent versions is documented in the Changelog.
Halted Rollout
If an issue with the new agent version is detected, Secureworks can halt the rollout. A HALTED rollout means that agents will not receive the version represented by the rollout if they have not already upgraded. This action pauses agent upgrades while issues are investigated by Secureworks. A rollout that is halted can be continued by Secureworks so that agents can receive the new agent version if they have not already upgraded. A halted rollout may also move into a CANCELLED status if Secureworks determines that the issue is serious and that no further agents should receive the version.
Cancelled Rollout
A rollout that is CANCELLED by Secureworks means that endpoints pending upgrade will no longer receive the new rollout version.
Important
Agents that have already been upgraded to the new version will not be downgraded, but agents in the available pool of agents that have not already updated will not receive the version represented by the rollout if cancelled.
Completed Rollout
A COMPLETED rollout means that 100% of endpoints are eligible to receive the relevant version.
Countermeasures
Host Isolation - All Platforms
Isolating an endpoint from network communication (except to XDR) is performed to prevent lateral spreading of threats from an infected host to healthy hosts. Once the threat has been removed from an isolated host, it can be reintegrated and regain full network access.
The isolation state persists in a database and is pushed to the agent upon its connection to XDR, if not already connected. This ensures that disconnected agents or endpoints that are rebooted enter the desired state upon reconnection.
Important
Taegis Endpoint Agents behind a full VPN tunnel cannot be restored after being isolated, as they cannot reach the Taegis backend. We recommend using a split-tunneling VPN for Taegis Endpoint Agents. Note that this might also be applicable for other third-party EDR agents.
Note
When a Linux endpoint is isolated, DNS traffic from all processes is allowed.
For more information on isolating and restoring hosts via the XDR default Actions menu options, see Isolate and Restore a Host.
Tip
Response actions such as isolating and restoring an endpoint can also be enabled via playbooks. For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.
Open Source and Third-Party Software
Windows
Component | Reference |
---|---|
scope17 | https://github.com/PeterSommerlad/scope17 |
udis86 | http://udis86.sourceforge.net/ |
SQLite | http://sqlite.org/ |
SQLite Encryption Extension (SEE) | https://www.sqlite.org/see/doc/release/www/readme.wiki |
magic_enum | https://github.com/Neargye/magic_enum |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
LZ4 compression library | https://github.com/lz4/lz4 |
Linux
Component | Reference |
---|---|
RapidJSON | https://rapidjson.org/ |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
Websocketpp | https://github.com/zaphoyd/websocketpp |
Falco Libraries | https://falco.org/ |
LZ4 compression library | https://github.com/lz4/lz4 |
OpenSSL | https://www.openssl.org/ |
spdlog | https://github.com/gabime/spdlog |
zlib for crc32 | https://www.zlib.net/ |
macOS
Component | Resource |
---|---|
RapidJSON | https://rapidjson.org/ |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
Google Flatbuffers | https://google.github.io/flatbuffers/ |
LZ4 compression library | https://github.com/lz4/lz4 |
zlib for CRC32 | https://www.zlib.net/ |
fmt | https://github.com/fmtlib/fmt |