🌙
 

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis™ Agent Technical Details

integrations endpoints edr taegis agent secureworks


Agent Overview

The Taegis™ XDR Endpoint Agent is an easy to deploy, simple to manage agent with multi-OS support for Windows, macOS and Linux. The new Taegis™ XDR Endpoint Agent:

Tip

Additional Taegis™ Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.

Network Connectivity Requirements

Source Destination Protocol/Port Reason
Taegis™ Endpoint Agent https://reg.<ENV>.taegiscloud.com/ TCP/443 Taegis™ Endpoint Agent Registration Service
Taegis™ Endpoint Agent wss://sink.<ENV>.taegiscloud.com:8443/ TCP/8443 Taegis™ Endpoint Agent Network Connectivity
Taegis™ Endpoint Agent https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com TCP/443 Taegis™ Endpoint Agent Auto Updates
Taegis™ Endpoint Agent https://file-receiver.<ENV>.taegiscloud.com:9443/ TCP/9443 Taegis™ Endpoint Agent File Receiver
Taegis™ Endpoint Agent https://file-receiver.<ENV>.s3.us-east-2.amazonaws.com:443 TCP/443 Taegis™ Endpoint Agent File Receiver
Taegis™ Endpoint Agent for Linux https://drivers.taegiscloud.com/* TCP/443 Required for Linux Agent to pull down correct drivers for kernel your system is running
Taegis™ Endpoint Agent for Windows http://www.microsoft.com/pkiops/crl/
http://www.microsoft.com/pkiops/certs
http://crl.microsoft.com/pki/crl/products
http://www.microsoft.com/pki/certs
http://crl3.digicert.com/
http://crl4.digicert.com/
http://ocsp.digicert.com/
http://crl.rootca1.amazontrust.com/:80
TCP/80 Required for CRL revocation checks performed by the OS on behalf of Windows Agent and other applications

<ENV> varies depending on the region your tenant is in:

Note

Secureworks does not recommend the use of IP addresses or CIDR blocks to perform allow-listing of connections from the Taegis™ Agent to the backend, as the addresses associated with the preceding domains have changed and may continue to change in the future.

Supported Operating Systems

Windows Linux macOS
Windows 10 CentOS 7, 8, 9 Big Sur
Windows 11 Amazon Linux 2, 2023 Monterey
Windows Server (2016, 2019, 2022) Ubuntu 18.04, 20.04, 22.04 Ventura
Debian 11, 12 Sonoma
Oracle Linux Enterprise 8, 9
RHEL 7, 8, 9

Note: Only 64-bit Windows versions are supported.

Note: ARM is not currently supported on Linux, but is on the roadmap for future support.

Note: The macOS agent supports all OS versions that still receive security updates. While Apple does not explicitly state which versions are no longer receiving updates, there are some websites like endoflife.date that provide that information.

For more information about support for new OS updates, see Taegis™ Endpoint Agent Support for New Major Updates to Operating Systems.

Telemetry Overview

Telemetry Platform
Auth All
Process All
Netflow All
FileMod All
Thread Injection Windows
Powershell SBL Windows
AMSI Windows
Persistence Events Windows
DNS Windows

Note

Only Auth telemetry is provided by the Linux agent when no driver is available; if the driver is available and loaded, Process, Netflow, and FileMod are provided as well.

Registration Keys

Registration keys are designed to provide secure and controlled access to the Taegis™ Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.

Registration Key Expiration and Rotation

The registration key expiration date is displayed on the Group Configuration table and in group settings.

As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group configuration. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.

Update Scripts and Tools

If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.

For more information on viewing and managing registration keys, see Group Configuration.

Policy Tier Models

Currently, there are two policy tiers available. The policy you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:

The following table provides an overview of the differences in telemetry gathered by each policy tier:

Taegis Agent Telemetry Data Telemetry Gathered by Server Tier Telemetry Gathered by Workstation Tier
Process Process Creation Only Process Creation and Termination
Thread Injection Enabled Enabled
ETW (Auth, Scriptblock, DNS) Enabled Enabled
Netflow Connect * Connect, Disconnect
Registry Disabled Modifications
File Open for mod, del, ren * Open for mod, del, ren

* Netflow and File modification are disabled for Windows agent with Server tier policy.

Note

Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.

For more information on configuring Groups with an assigned policy tier, see Group Configuration.

Agent Release Channels

Taegis™ Endpoint Agent Release Channels control the update process of the agent at a group level. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Assign Taegis™ Endpoint Agent groups to the Stable, Preview, or Beta channel to auto-update endpoints in that group when agent versions promoted to the chosen channel are released.

Important

The default channel unless otherwise specified is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.

Taegis™ Agent Release Cycle

The following release cycle model is followed for Taegis™ Agent updates:

  1. Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
  2. Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
  3. Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.

Available Release Channels

The following list summarizes the currently supported channels and their expected usage:

For example, choosing the Stable channel for a group stops updates to agents in that group from occurring until a new Stable build is released, while choosing the Beta channel for a group allows admins to test newer builds with the agents in that group in their environment before they are promoted to the next channel.

Important

At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis™ Agent Downloads.

For more information on configuring Groups with an assigned release channel, see Group Configuration.

Automatic Updates

When there is a new agent release, any endpoint with an agent installed will be automatically updated upon its next connection to the registration server, which occurs under the following conditions:

Note

No system reboot is needed post upgrade.

Countermeasures

Host Isolation - All Platforms

Isolating an endpoint from network communication (except to Secureworks® Taegis™ XDR) is performed to prevent lateral spreading of threats from infected host to healthy hosts. Once isolated hosts have the threat removed, they can be reintegrated and regain full network access.

The isolation state persists in a database and is pushed to the agent upon its connection to XDR, if not already connected. This ensures that disconnected agents or endpoints that are rebooted enter the desired state upon reconnection.

Important

Taegis™ Endpoint Agents behind a full VPN tunnel cannot be restored after being isolated, as they cannot reach the Taegis™ backend. We recommend using a split-tunneling VPN for Taegis™ Endpoint Agents. Note that this might also be applicable for other third-party EDR agents.

Note

When a Linux endpoint is isolated, DNS traffic from all processes is allowed.

For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.

Open Source and Third-Party Software

Windows

Component Reference
scope17 https://github.com/PeterSommerlad/scope17
udis86 http://udis86.sourceforge.net/
SQLite http://sqlite.org/
SQLite Encryption Extension (SEE) https://www.sqlite.org/see/doc/release/www/readme.wiki
magic_enum https://github.com/Neargye/magic_enum
Google Protocol Buffers https://developers.google.com/protocol-buffers
LZ4 compression library https://github.com/lz4/lz4

Linux

Component Reference
RapidJSON https://rapidjson.org/
Google Protocol Buffers https://developers.google.com/protocol-buffers
Websocketpp https://github.com/zaphoyd/websocketpp
Falco Libraries https://falco.org/
LZ4 compression library https://github.com/lz4/lz4
OpenSSL https://www.openssl.org/
spdlog https://github.com/gabime/spdlog
zlib for crc32 https://www.zlib.net/

macOS

Component Resource
RapidJSON https://rapidjson.org/
Google Protocol Buffers https://developers.google.com/protocol-buffers
Google Flatbuffers https://google.github.io/flatbuffers/
LZ4 compression library https://github.com/lz4/lz4
zlib for CRC32 https://www.zlib.net/
fmt https://github.com/fmtlib/fmt

 

On this page: