

Taegis Endpoint Agent Technical Details



Agent Overview

The Taegis™ XDR Endpoint Agent is an easy-to-deploy, simple-to-manage agent with multi-OS support for Windows, macOS, and Linux. The new Taegis Endpoint Agent:

Tip

Additional Taegis Endpoint Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.

Network Connectivity Requirements

Source                            | Destination                                                  | Protocol/Port | Reason
Taegis Endpoint Agent             | https://reg.<ENV>.taegiscloud.com/                           | TCP/443       | Taegis Endpoint Agent Registration Service
Taegis Endpoint Agent             | wss://telemetry.<ENV>.taegiscloud.com/                       | TCP/443       | Taegis Endpoint Agent Network Connectivity - Primary *
Taegis Endpoint Agent             | wss://sink.<ENV>.taegiscloud.com/                            | TCP/8443      | Taegis Endpoint Agent Network Connectivity - Standby
Taegis Endpoint Agent             | https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com/ | TCP/443       | Taegis Endpoint Agent Auto Updates
Taegis Endpoint Agent             | https://file-receiver.<ENV>.taegiscloud.com/                 | TCP/9443      | Taegis Endpoint Agent File Receiver
Taegis Endpoint Agent             | https://file-receiver-<ENV>.s3.us-east-2.amazonaws.com/      | TCP/443       | Taegis Endpoint Agent File Receiver
Taegis Endpoint Agent for Linux   | https://drivers.taegiscloud.com/*                            | TCP/443       | Required for the Linux agent to download the correct drivers for the kernel your system is running
Taegis Endpoint Agent for Windows | the eight URLs listed below                                  | TCP/80        | Required for CRL revocation checks performed by the OS on behalf of the Windows agent and other applications
    http://www.microsoft.com/pkiops/crl/
    http://www.microsoft.com/pkiops/certs
    http://crl.microsoft.com/pki/crl/products
    http://www.microsoft.com/pki/certs
    http://crl3.digicert.com/
    http://crl4.digicert.com/
    http://ocsp.digicert.com/
    http://crl.rootca1.amazontrust.com/

* Only applies to Windows Agents 2.0.10 and later. See the Changelog for more information.

<ENV> varies depending on the region your tenant is in:

Note

The Taegis Endpoint Agent for Windows also requires connectivity to Google DNS 8.8.8.8 if you do not provide a DNS override during installation.

Note

Secureworks does not recommend the use of IP addresses or CIDR blocks to perform allow-listing of connections from the Taegis Endpoint Agent to the backend, as the addresses associated with the preceding domains have changed and may continue to change in the future.
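As an added example (not Secureworks code), the following Python script expands the connectivity table above into host/port targets for one platform and attempts a TCP connection to each, so a firewall or proxy allow-list can be verified from a host before agents are deployed. The region value substituted for <ENV> is something you supply for your tenant; the reason strings are shortened from the table, and the script checks only TCP reachability, not that TLS or the WebSocket upgrade succeeds end to end.

```python
"""Connectivity pre-check for the Taegis Endpoint Agent network requirements.

Added example, not Secureworks code. REQUIRED_ENDPOINTS is transcribed from
the Network Connectivity Requirements table on this page; <ENV> is replaced
with the region value you pass in (an input you must supply).
"""
import socket
import sys
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit


class Target(NamedTuple):
    host: str
    port: int
    reason: str


# (platform, destination URL, Protocol/Port, reason); "all" = every platform.
REQUIRED_ENDPOINTS = [
    ("all", "https://reg.<ENV>.taegiscloud.com/", "TCP/443", "Registration Service"),
    ("all", "wss://telemetry.<ENV>.taegiscloud.com/", "TCP/443", "Network Connectivity - Primary"),
    ("all", "wss://sink.<ENV>.taegiscloud.com/", "TCP/8443", "Network Connectivity - Standby"),
    ("all", "https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com/", "TCP/443", "Auto Updates"),
    ("all", "https://file-receiver.<ENV>.taegiscloud.com/", "TCP/9443", "File Receiver"),
    ("all", "https://file-receiver-<ENV>.s3.us-east-2.amazonaws.com/", "TCP/443", "File Receiver"),
    ("linux", "https://drivers.taegiscloud.com/*", "TCP/443", "Kernel driver download"),
    ("windows", "http://www.microsoft.com/pkiops/crl/", "TCP/80", "CRL revocation checks"),
    ("windows", "http://www.microsoft.com/pkiops/certs", "TCP/80", "CRL revocation checks"),
    ("windows", "http://crl.microsoft.com/pki/crl/products", "TCP/80", "CRL revocation checks"),
    ("windows", "http://www.microsoft.com/pki/certs", "TCP/80", "CRL revocation checks"),
    ("windows", "http://crl3.digicert.com/", "TCP/80", "CRL revocation checks"),
    ("windows", "http://crl4.digicert.com/", "TCP/80", "CRL revocation checks"),
    ("windows", "http://ocsp.digicert.com/", "TCP/80", "CRL revocation checks"),
    ("windows", "http://crl.rootca1.amazontrust.com/", "TCP/80", "CRL revocation checks"),
]


def endpoint_targets(env: str, platform: str) -> List[Target]:
    """Expand the table into unique (host, port, reason) targets for a platform.

    `env` is the literal region value that replaces <ENV>; `platform` is
    "windows", "linux" or "macos".
    """
    if not env or "<" in env:
        raise ValueError("supply your tenant's region value, not the <ENV> placeholder")
    platform = platform.lower()
    targets: List[Target] = []
    seen = set()
    for row_platform, url, spec, reason in REQUIRED_ENDPOINTS:
        if row_platform not in ("all", platform):
            continue
        proto, port_text = spec.split("/")
        if proto != "TCP":
            raise ValueError(f"unexpected protocol in table row: {spec}")
        # The port comes from the Protocol/Port column, not from the URL scheme:
        # the standby sink is wss:// but listens on 8443, not 443.
        port = int(port_text)
        host = urlsplit(url.replace("<ENV>", env).rstrip("*")).hostname
        if (host, port) in seen:  # several CRL URLs share one host:port
            continue
        seen.add((host, port))
        targets.append(Target(host, port, reason))
    return targets


def check_tcp(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a TCP connect; return "ok", "dns-failure" or "blocked:<error>"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror:
        return "dns-failure"
    except OSError as exc:
        return f"blocked:{exc.__class__.__name__}"


def run_checks(env: str, platform: str, timeout: float = 5.0) -> Dict[str, str]:
    """Return {"host:port": result} for every required endpoint of a platform."""
    results = {}
    for t in endpoint_targets(env, platform):
        results[f"{t.host}:{t.port}"] = check_tcp(t.host, t.port, timeout)
    if platform.lower() == "windows":
        # Not a TCP target: the page notes the Windows agent also needs Google
        # DNS (8.8.8.8) unless a DNS override is given at install time.
        results["8.8.8.8:53/udp"] = "not-checked (UDP; required without a DNS override)"
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_agent_connectivity.py <region-value> <windows|linux|macos>")
    for key, status in run_checks(sys.argv[1], sys.argv[2]).items():
        print(f"{status:14} {key}")
```

Run it as `python check_agent_connectivity.py <your-region-value> linux` from a representative host; any `dns-failure` or `blocked:*` line points at a resolver or egress rule to fix before deployment, and the Windows run additionally reminds you of the UDP/53 dependency the script cannot probe.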

Supported Operating Systems

Windows:
  Windows 10
  Windows 11
  Windows Server (2016, 2019, 2022)

Linux:
  CentOS 8-stream, 9-stream
  Amazon Linux 2, 2023
  Ubuntu 18.04, 20.04, 22.04, 24.04
  Debian 11, 12
  Oracle Linux Enterprise 8, 9
  RHEL 7, 8, 9
  SUSE Linux Enterprise Server 12sp5, 15sp3, 15sp4, 15sp5
  Rocky 9 versions that support eBPF
  Alma 9 versions that support eBPF

macOS:
  Sequoia
  Sonoma
  Ventura
  Monterey

Note: Only 64-bit Windows versions are supported.

Note: The macOS agent supports all OS versions that still receive security updates. While Apple does not explicitly state which versions are no longer receiving updates, there are some websites like endoflife.date that provide that information.

Note: CentOS 7 is no longer in long-term support (LTS). For more information, see Red Hat Enterprise Linux Life Cycle.

For more information about support for new OS updates, see Taegis Endpoint Agent Support for New Major Updates to Operating Systems.

Telemetry Overview

Telemetry Platform
Auth All
Process All
Netflow All
FileMod All
Thread Injection Windows
Powershell SBL Windows
AMSI Windows
DNS Windows
RPC Windows
Registry Windows

Note

Only Auth telemetry is provided by the Linux agent when no driver is available; if the driver is available and loaded, Process, Netflow, and FileMod are provided as well.

Registration Keys

Registration keys are designed to provide secure and controlled access to the Taegis Endpoint Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.

Registration Key Expiration and Rotation

The registration key expiration date is displayed on the Agent Groups table and in group settings.

As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group settings. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.

Update Scripts and Tools

If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.

For more information on viewing and managing registration keys, see Agent Groups.

Telemetry Tiers

Currently, there are two telemetry tiers available. The telemetry tier you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:

The following table provides an overview of the differences in telemetry gathered by each telemetry tier:

Taegis Agent Telemetry Data  | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier
Process                      | Process Creation Only             | Process Creation and Termination
Thread Injection             | Enabled                           | Enabled
ETW (Auth, Scriptblock, DNS) | Enabled                           | Enabled
Netflow                      | Connect *                         | Connect, Disconnect
Registry                     | Disabled                          | Modifications
File                         | Open for mod, del, ren *          | Open for mod, del, ren

* Netflow and File modification telemetry are disabled for Windows agents on the Server tier.

Note

Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.

For more information on configuring group policies with an assigned telemetry tier, see Agent Group Policies.

Agent Release Channels

Taegis Endpoint Agent Release Channels control the update process of the agent. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Configure group policies with the Stable, Preview, or Beta channel to auto-update endpoints when agent versions promoted to the chosen channel are released.

Important

The default channel, unless otherwise specified, is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the policy assigned to the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.

Taegis Endpoint Agent Release Cycle

The following release cycle model is followed for Taegis Endpoint Agent updates:

  1. Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
  2. Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
  3. Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.

Available Release Channels

The following list summarizes the currently supported channels and their expected usage:

For example, choosing the Stable channel for a group policy means agents in groups with that policy receive no update until a new Stable build is released. Choosing the Beta channel for a group policy lets admins test newer builds with the agents in groups with that policy before those builds are promoted to the next channel.

For more information on configuring group policies with an assigned release channel, see Agent Group Policies.

Automatic Updates

When there is a new agent release, Production Stable and Preview agents are automatically updated over the course of the staged rollout, which may take up to two weeks. Beta agents do not participate in a staged rollout. Agents update upon a connection to the registration server, which occurs under the following conditions:

Tip

Configure a group policy maintenance window to limit when auto updates can occur for the agents assigned to a group with that policy. For more information, see Agent Group Policies.

Note

No system reboot is needed post upgrade.

Agent Staged Updates

Agent releases occur in staged rollouts based on the Release Channel that the endpoint agent's Configuration Group subscribes to. When a new version of the agent is available, Secureworks can roll out the update in stages that widen over time, up to approximately two weeks, so that the new version is made available incrementally to subsets of eligible endpoints. Once confident that the new version has not introduced any issues, Secureworks can complete the rollout to 100% of the endpoints subscribed to the Configuration Group.

Two agent Release Channels, Stable and Preview, participate in staged rollouts.

Note

The Beta Agent Release Channel does not participate in staged rollouts. Any version change for the Beta channel will be made immediately available to endpoints that are subscribed to the Beta release channel via their Group Policy.

Rollout Lifecycle

Important

Rollout statuses are not displayed in the XDR user interface and there are no controls available to customers for rollouts. This is controlled internally by Secureworks.

The lifecycle of a rollout is represented by one of the following four possible statuses: IN_PROGRESS, HALTED, COMPLETED, or CANCELLED.

In-Progress Rollout

An IN_PROGRESS rollout means that agents are eligible to receive the version represented by that rollout until the current threshold of the rollout is met. Secureworks increases the percentage of agents eligible to receive the rollout as the agent version is verified to be free of issues. The initiation of a rollout for a new agent version is documented in the Changelog.

Halted Rollout

If an issue with the new agent version is detected, Secureworks can halt the rollout. A HALTED rollout means that agents will not receive the version represented by the rollout if they have not already upgraded. This action pauses agent upgrades while issues are investigated by Secureworks. A rollout that is halted can be continued by Secureworks so that agents can receive the new agent version if they have not already upgraded. A halted rollout may also move into a CANCELLED status if Secureworks determines that the issue is serious and that no further agents should receive the version.

Cancelled Rollout

A rollout that is CANCELLED by Secureworks means that endpoints pending upgrade will no longer receive the new rollout version.

Important

Agents that have already been upgraded to the new version are not downgraded. Agents in the eligible pool that have not yet updated will not receive the version represented by a cancelled rollout.

Completed Rollout

A COMPLETED rollout means that 100% of endpoints are eligible to receive the rollout's version.
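The status rules above can be modelled as a small state machine, which makes the eligibility question concrete for an admin reasoning about which endpoints will move. This is an added illustration, not Secureworks' implementation: the statuses and transitions follow the Rollout Lifecycle text, while the percentage threshold and the deterministic hash bucketing of agents (so that an agent's eligibility stays fixed as the threshold rises) are assumptions about how eligibility is decided.

```python
"""State-machine model of the Taegis agent rollout lifecycle.

Added illustration, not Secureworks code. Statuses and transitions follow the
Rollout Lifecycle section of this page; the percentage threshold and the
hash bucketing of agents are assumptions about how eligibility is decided.
"""
import hashlib
from enum import Enum
from typing import Dict, Set


class RolloutStatus(str, Enum):
    IN_PROGRESS = "IN_PROGRESS"
    HALTED = "HALTED"
    COMPLETED = "COMPLETED"
    CANCELLED = "CANCELLED"


# Transitions described on the page: a rollout in progress can be halted or
# run to completion; a halted rollout can be continued or cancelled;
# completed and cancelled are terminal.
ALLOWED_TRANSITIONS: Dict[RolloutStatus, Set[RolloutStatus]] = {
    RolloutStatus.IN_PROGRESS: {RolloutStatus.HALTED, RolloutStatus.COMPLETED},
    RolloutStatus.HALTED: {RolloutStatus.IN_PROGRESS, RolloutStatus.CANCELLED},
    RolloutStatus.COMPLETED: set(),
    RolloutStatus.CANCELLED: set(),
}

STAGED_CHANNELS = ("Stable", "Preview")  # Beta does not use staged rollouts


class Rollout:
    def __init__(self, version: str, channel: str) -> None:
        if channel not in STAGED_CHANNELS:
            raise ValueError(f"{channel} channel does not participate in staged rollouts")
        self.version = version
        self.channel = channel
        self.status = RolloutStatus.IN_PROGRESS
        self.threshold_pct = 0  # share of the eligible pool allowed to upgrade (assumption)

    def raise_threshold(self, pct: int) -> None:
        """Widen the rollout; reaching 100% completes it."""
        if self.status is not RolloutStatus.IN_PROGRESS:
            raise ValueError(f"cannot widen a {self.status.value} rollout")
        if not self.threshold_pct <= pct <= 100:
            raise ValueError("threshold must not decrease and must not exceed 100")
        self.threshold_pct = pct
        if pct == 100:
            self.status = RolloutStatus.COMPLETED

    def transition(self, new_status: RolloutStatus) -> None:
        """Apply a Secureworks-side status change, rejecting transitions the page does not describe."""
        if new_status not in ALLOWED_TRANSITIONS[self.status]:
            raise ValueError(f"{self.status.value} -> {new_status.value} is not allowed")
        if new_status is RolloutStatus.COMPLETED and self.threshold_pct != 100:
            raise ValueError("a rollout completes only when 100% of endpoints are eligible")
        self.status = new_status


def agent_bucket(agent_id: str) -> int:
    """Deterministic 0-99 bucket per agent (assumption), stable across check-ins."""
    digest = hashlib.sha256(agent_id.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % 100


def eligible_for(rollout: Rollout, agent_id: str, agent_version: str, agent_channel: str) -> bool:
    """Decide whether an agent checking in may receive the rollout's version."""
    if agent_channel != rollout.channel or agent_version == rollout.version:
        return False  # wrong channel, or already on this version (never downgraded)
    if rollout.status is RolloutStatus.COMPLETED:
        return True   # 100% of endpoints are eligible
    if rollout.status is not RolloutStatus.IN_PROGRESS:
        return False  # HALTED or CANCELLED: pending agents stay on their current version
    return agent_bucket(agent_id) < rollout.threshold_pct
```

Halting and then cancelling leaves every agent that has not yet checked in on its old version while agents that already upgraded keep the new one, which is exactly the asymmetry the Important note above describes.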

Countermeasures

Host Isolation - All Platforms

Isolating an endpoint from network communication (except to XDR) prevents lateral spread of a threat from an infected host to healthy hosts. Once the threat has been removed from an isolated host, the host can be restored and regain full network access.

The isolation state persists in a database and is pushed to the agent when it connects to XDR, if it was not already connected. This ensures that agents that were disconnected, or endpoints that were rebooted, enter the desired state upon reconnection.

Important

Taegis Endpoint Agents behind a full VPN tunnel cannot be restored after being isolated, as they cannot reach the Taegis backend. We recommend using a split-tunneling VPN for Taegis Endpoint Agents. Note that this may also apply to other third-party EDR agents.

Note

When a Linux endpoint is isolated, DNS traffic from all processes is allowed.

For more information on isolating and restoring hosts via the XDR default Actions menu options, see Isolate and Restore a Host.

Tip

Response actions such as isolating and restoring an endpoint can also be enabled via playbooks. For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.

Open Source and Third-Party Software

Windows

Component Reference
scope17 https://github.com/PeterSommerlad/scope17
udis86 http://udis86.sourceforge.net/
SQLite http://sqlite.org/
SQLite Encryption Extension (SEE) https://www.sqlite.org/see/doc/release/www/readme.wiki
magic_enum https://github.com/Neargye/magic_enum
Google Protocol Buffers https://developers.google.com/protocol-buffers
LZ4 compression library https://github.com/lz4/lz4

Linux

Component Reference
RapidJSON https://rapidjson.org/
Google Protocol Buffers https://developers.google.com/protocol-buffers
Websocketpp https://github.com/zaphoyd/websocketpp
Falco Libraries https://falco.org/
LZ4 compression library https://github.com/lz4/lz4
OpenSSL https://www.openssl.org/
spdlog https://github.com/gabime/spdlog
zlib for crc32 https://www.zlib.net/

macOS

Component Reference
RapidJSON https://rapidjson.org/
Google Protocol Buffers https://developers.google.com/protocol-buffers
Google Flatbuffers https://google.github.io/flatbuffers/
LZ4 compression library https://github.com/lz4/lz4
zlib for CRC32 https://www.zlib.net/
fmt https://github.com/fmtlib/fmt

 
