Taegis Endpoint Agent Technical Details
Agent Overview
The Taegis™ XDR Endpoint Agent is an easy to deploy, simple to manage agent with multi-OS support for Windows, macOS and Linux. The new Taegis Endpoint Agent:
- Natively integrates and optimally operates with Secureworks® Taegis™ XDR to aid in the detection of, and response to, real security threats.
- Is an always-connected agent, providing better visibility into online and agent health status.
- Provides enhanced telemetry collection by XDR with near-real-time alerting.
- Provides native support of Windows, macOS and Linux.
- Has a lower system impact, with 50%+ less CPU overhead vs. Red Cloak™ Endpoint Agent.
- Provides easy-to-use performance telemetry tiers that offer a balance of visibility vs. performance for specific assets.
- Provides group-level control of the update process via Release Channels.
- Ensures endpoints are always running the latest agent version through auto updates.
- Allows host isolation for all platforms.
Tip
Additional Taegis Endpoint Agent troubleshooting, tutorial, and informational articles are available in the Secureworks Knowledge Base.
Network Connectivity Requirements
Source | Destination | Protocol/Port | Reason |
---|---|---|---|
Taegis Endpoint Agent | https://reg.<ENV>.taegiscloud.com/ | TCP/443 | Taegis Endpoint Agent Registration Service |
Taegis Endpoint Agent | wss://telemetry.<ENV>.taegiscloud.com/ | TCP/443 | Taegis Endpoint Agent Network Connectivity - Primary * |
Taegis Endpoint Agent | wss://sink.<ENV>.taegiscloud.com/ | TCP/8443 | Taegis Endpoint Agent Network Connectivity - Standby |
Taegis Endpoint Agent | https://taegis-agent-prod-builds.s3.us-east-2.amazonaws.com/ | TCP/443 | Taegis Endpoint Agent Auto Updates |
Taegis Endpoint Agent | https://file-receiver.<ENV>.taegiscloud.com/ | TCP/9443 | Taegis Endpoint Agent File Receiver |
Taegis Endpoint Agent | https://file-receiver-<ENV>.s3.us-east-2.amazonaws.com/ | TCP/443 | Taegis Endpoint Agent File Receiver |
Taegis Endpoint Agent for Linux | https://drivers.taegiscloud.com/* | TCP/443 | Required for the Linux agent to download the driver matching the kernel the system is running |
Taegis Endpoint Agent for Windows | http://www.microsoft.com/pkiops/crl/, http://www.microsoft.com/pkiops/certs, http://crl.microsoft.com/pki/crl/products, http://www.microsoft.com/pki/certs, http://crl3.digicert.com/, http://crl4.digicert.com/, http://ocsp.digicert.com/, http://crl.rootca1.amazontrust.com/ | TCP/80 | Required for CRL/OCSP revocation checks performed by the OS on behalf of the Windows agent and other applications |
Note
On Windows (version 2.0.10 and later) and Linux (version 2.1.4), the Taegis Endpoint Agent uses the following URL as the primary network connectivity destination:
wss://telemetry.<ENV>.taegiscloud.com/
and uses the following URL as a secondary fallback destination:
wss://sink.<ENV>.taegiscloud.com/
On macOS, the agent uses wss://sink.<ENV>.taegiscloud.com/ as its primary network connectivity destination.
<ENV> varies depending on the region your tenant is in:
- C if your tenant is in US1 (https://ctpx.secureworks.com/)
- D if your tenant is in US2 (https://delta.taegis.secureworks.com/)
- E if your tenant is in EU (https://echo.taegis.secureworks.com/)
- F if your tenant is in US3 (https://foxtrot.taegis.secureworks.com/)
Note
The Taegis Endpoint Agent for Windows also requires connectivity to Google DNS 8.8.8.8 if you do not provide a DNS override during installation.
Note
Secureworks does not recommend the use of IP addresses or CIDR blocks to perform allow-listing of connections from the Taegis Endpoint Agent to the backend, as the addresses associated with the preceding domains have changed and may continue to change in the future.
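Before rolling agents out behind a restrictive egress policy, it is worth verifying the destinations above from a representative endpoint. The following Python script is an added example, not part of the Secureworks documentation or of the agent itself: it derives the destination list from the table and the <ENV> mapping above and probes each one over TCP. It assumes the <ENV> letter is substituted into hostnames in lowercase (DNS names are case-insensitive and S3 bucket names must be lowercase) and that a plain TCP probe is an adequate first check; a TLS-inspecting proxy, or one that refuses the WebSocket upgrade on 443/8443, can still break the agent even when every port is open.

```python
"""Pre-deployment egress check for the Taegis Endpoint Agent.

Added example, not Secureworks code. Builds the destination list from the
documented table and <ENV> mapping, then probes each one over TCP.
"""
import socket
from typing import Callable, Dict, List, Tuple

# <ENV> letter per tenant region, from the documented mapping.
ENV_BY_REGION = {"US1": "C", "US2": "D", "EU": "E", "US3": "F"}

Destination = Tuple[str, int, str]  # (host, tcp_port, purpose)


def required_destinations(region: str, os_name: str) -> List[Destination]:
    """Destinations the agent needs for a tenant region and endpoint OS.

    Assumption: <ENV> is substituted in lowercase ('c' rather than 'C').
    """
    env = ENV_BY_REGION[region.upper()].lower()
    dests: List[Destination] = [
        (f"reg.{env}.taegiscloud.com", 443, "registration service"),
        (f"telemetry.{env}.taegiscloud.com", 443, "connectivity, primary on Windows/Linux"),
        (f"sink.{env}.taegiscloud.com", 8443, "connectivity, standby (primary on macOS)"),
        ("taegis-agent-prod-builds.s3.us-east-2.amazonaws.com", 443, "auto updates"),
        (f"file-receiver.{env}.taegiscloud.com", 9443, "file receiver"),
        (f"file-receiver-{env}.s3.us-east-2.amazonaws.com", 443, "file receiver (S3)"),
    ]
    os_name = os_name.lower()
    if os_name == "linux":
        dests.append(("drivers.taegiscloud.com", 443, "kernel driver download"))
    elif os_name == "windows":
        # Plain-HTTP CRL/OCSP endpoints used by the OS certificate stack.
        # 8.8.8.8 UDP/53 (needed unless a DNS override is set) is not probed here.
        for host in ("www.microsoft.com", "crl.microsoft.com", "crl3.digicert.com",
                     "crl4.digicert.com", "ocsp.digicert.com", "crl.rootca1.amazontrust.com"):
            dests.append((host, 80, "CRL/OCSP revocation checks"))
    # Anything else (e.g. 'darwin') gets only the common destinations.
    return dests


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes. Says nothing about TLS interception or
    whether a proxy will pass the WebSocket upgrade on 443/8443."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_egress(region: str, os_name: str,
                 probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, bool]:
    """Probe every required destination. 'probe' is injectable so the logic can run offline."""
    return {f"{h}:{p}": probe(h, p) for h, p, _ in required_destinations(region, os_name)}


def blocked(results: Dict[str, bool]) -> List[str]:
    """Destinations that failed the probe, sorted for stable reporting."""
    return sorted(dest for dest, ok in results.items() if not ok)


if __name__ == "__main__":
    import platform
    import sys
    region = sys.argv[1] if len(sys.argv) > 1 else "US1"
    results = check_egress(region, platform.system())  # 'Linux', 'Windows' or 'Darwin'
    for dest, ok in results.items():
        print(("OK   " if ok else "FAIL ") + dest)
    sys.exit(1 if blocked(results) else 0)
```

Save it under any name (check_egress.py is used here as an example) and run `python3 check_egress.py EU` on an endpoint in the target network segment; the exit status is non-zero if any destination is blocked. Because the backend IP addresses change, run this against the FQDN-based firewall rules or proxy allow-list you actually intend to deploy rather than against a static IP list.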
Supported Operating Systems
Windows | Linux | macOS |
---|---|---|
Windows 10 | CentOS 9-stream | Sequoia |
Windows 11 | Amazon Linux 2, 2023 | Sonoma |
Windows Server (2016, 2019, 2022, 2025) | Ubuntu 18.04, 20.04, 22.04, 24.04 | Ventura |
 | Debian 11, 12 | Monterey |
 | Oracle Linux Enterprise 8, 9 | |
 | RHEL 7, 8, 9 | |
 | SUSE Linux Enterprise Server 12sp5, 15sp3, 15sp4, 15sp5 | |
 | Rocky 9 versions that support eBPF | |
 | Alma 9 versions that support eBPF | |
Note: CentOS 7 is no longer in long-term support (LTS). For more information, see Red Hat Enterprise Linux Life Cycle. Secureworks is no longer building new drivers for CentOS 8-stream, which has moved to Maintenance Support. For more information, see Supported Distro Update.
For more information about support for new OS updates, see Taegis Endpoint Agent Support for New Major Updates to Operating Systems.
Telemetry Overview
Telemetry | Platform |
---|---|
Auth | All |
Process | All |
Netflow | All |
FileMod | All |
Thread Injection | Windows |
Powershell SBL | Windows |
AMSI | Windows |
DNS | Windows |
RPC | Windows |
Registry | Windows |
Note
Only Auth telemetry is provided by the Linux agent when no driver is available; if the driver is available and loaded, Process, Netflow, and FileMod are provided as well.
Registration Keys
Registration keys control which endpoints can enroll into a Taegis Agent Group, providing secure and controlled access to the Taegis Endpoint Agent. Key expiration limits how long a stale or exposed key can be used to register agents, protecting the agent from unauthorized use.
Registration Key Expiration and Rotation
The registration key expiration date is displayed on the Agent Groups table and in group settings.
Taegis XDR notifies you 30 days before your registration key expires so you can rotate the key at your convenience. If you do not rotate the key yourself, the system will automatically rotate it 24 hours before expiration and notify you of the change.
Note
Taegis XDR notifies Tenant Administrators via email when a Taegis Agent Group registration key is expiring within 30 days.
All initial registration keys expire two years after the date they were first generated. Each time the key is rotated, the newly generated key expires after one year. Agents that have already been deployed using the registration key are not impacted.
Update Scripts and Tools
If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.
For more information on viewing and managing registration keys, see Agent Groups.
Telemetry Tiers
Currently, there are two telemetry tiers available. The telemetry tier you choose dictates the behavior of the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:
- Workstation Tier — Recommended default setting for most devices or environments. If system performance is severely impacted with this tier, try reassigning to the Server Tier.
- Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT devices, or domain controllers, where the additional load is itself a risk. Note that because less telemetry is gathered from endpoints at this tier, as documented in the following table, detections and investigations may also be reduced.
The following table provides an overview of the differences in telemetry gathered by each telemetry tier:
Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
---|---|---|
Process | Process Creation Only | Process Creation and Termination |
Thread Injection | Enabled | Enabled |
ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
Netflow | Connect * | Connect, Disconnect |
Registry | Disabled | Modifications |
File | Open for mod, del, ren * | Open for mod, del, ren |
Note
Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.
For more information on configuring group policies with an assigned telemetry tier, see Agent Group Policies.
Agent Release Channels
Taegis Endpoint Agent Release Channels control the update process of the agent. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Configure group policies with the Stable, Preview, or Beta channel to auto-update endpoints when agent versions promoted to the chosen channel are released.
Important
The default channel, unless otherwise specified, is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the policy assigned to the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.
Taegis Endpoint Agent Release Cycle
The following release cycle model is followed for Taegis Endpoint Agent updates:
- Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
- Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
- Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.
Available Release Channels
The following list summarizes the currently supported channels and their expected usage:
- Beta — Agents enrolled in this channel are the first to receive new updates and features in pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of the overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.
- Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of the overall estate, in pre-production/validation environments only.
- Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of the overall estate and for production environments.
For example, agents in groups whose policy selects the Stable channel receive no update until a new Stable build is released, while agents in groups whose policy selects the Beta channel let admins test newer builds before those builds are promoted to the next channel.
For more information on configuring group policies with an assigned release channel, see Agent Group Policies.
Automatic Updates
When there is a new agent release, Production Stable and Preview agents are automatically updated over the course of the staged rollout, which may take up to two weeks. Beta agents do not participate in a staged rollout. Agents update upon a connection to the registration server, which occurs under the following conditions:
- During initial registration, the agent connects to the registration server, checks if there is a newer version available, and updates if there is.
- After a force restart of the service.
- After a reboot of the endpoint.
- When an endpoint is reassigned to a different group.
- Upon selecting the Reconnect Agent action; see Endpoint Management Actions for more information.
Tip
Configure a group policy maintenance window to limit when auto updates for the agents assigned to a group with that policy could occur. For more information, see Agent Group Policies.
Note
No system reboot is needed post upgrade.
Agent Staged Updates
Agent releases occur in staged rollouts based on the Release Channel that the endpoint agent's Configuration Group subscribes to. When a new version of the agent is available, Secureworks can roll the update out in stages that widen over time, up to approximately two weeks, so that the new version reaches subsets of eligible endpoints incrementally. Once confident that the new version has not introduced any issues, Secureworks completes the rollout to 100% of endpoints subscribed through the Configuration Group.
Two agent Release Channels participate in staged rollouts:
- Production Stable
- Preview
Note
The Beta Agent Release Channel does not participate in staged rollouts. Any version change for the Beta channel will be made immediately available to endpoints that are subscribed to the Beta release channel via their Group Policy.
Rollout Lifecycle
Important
Rollout statuses are not displayed in the XDR user interface and there are no controls available to customers for rollouts. This is controlled internally by Secureworks.
The lifecycle of a rollout is represented by one of the following four possible statuses: IN_PROGRESS, HALTED, COMPLETED, or CANCELLED:
- A release rollout is considered to be active if it is IN_PROGRESS or HALTED.
- A rollout is considered not active or finished if it is COMPLETED or CANCELLED.
In-Progress Rollout
An IN_PROGRESS rollout means that agents are eligible to receive the version represented by that rollout, until the current threshold of the rollout is met. The percentage of agents eligible to receive the rollout is increased by Secureworks as the agent version is verified to be free of issue. The initiation of a rollout for new agent versions is documented in the Changelog.
Halted Rollout
If an issue with the new agent version is detected, Secureworks can halt the rollout. A HALTED rollout means that agents will not receive the version represented by the rollout if they have not already upgraded. This action pauses agent upgrades while issues are investigated by Secureworks. A rollout that is halted can be continued by Secureworks so that agents can receive the new agent version if they have not already upgraded. A halted rollout may also move into a CANCELLED status if Secureworks determines that the issue is serious and that no further agents should receive the version.
Cancelled Rollout
A rollout that is CANCELLED by Secureworks means that endpoints pending upgrade will no longer receive the new rollout version.
Important
Agents that have already been upgraded to the new version will not be downgraded, but agents in the available pool of agents that have not already updated will not receive the version represented by the rollout if cancelled.
Completed Rollout
A COMPLETED rollout means that 100% of the endpoints subscribed to the channel are eligible to receive that version.
Countermeasures
Host Isolation - All Platforms
Isolating an endpoint from all network communication except to XDR prevents a threat on an infected host from spreading laterally to healthy hosts. Once the threat has been removed from an isolated host, the host can be restored and regain full network access.
The isolation state persists in a database and is pushed to the agent upon its connection to XDR, if not already connected. This ensures that disconnected agents or endpoints that are rebooted enter the desired state upon reconnection.
Important
Taegis Endpoint Agents behind a full VPN tunnel cannot be restored after being isolated, as they cannot reach the Taegis backend. We recommend using a split-tunneling VPN for Taegis Endpoint Agents. Note that this might also be applicable for other third-party EDR agents.
Note
When a Linux endpoint is isolated, DNS traffic from all processes is allowed.
For more information on isolating and restoring hosts via the XDR default Actions menu options, see Isolate and Restore a Host.
Tip
Response actions such as isolating and restoring an endpoint can also be enabled via playbooks. For information on configuring playbooks to perform these actions, see Playbooks Templates and related Automations documentation.
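After isolating a host, a responder wants two things confirmed from the endpoint itself: that the agent can still reach the Taegis backend, so the Restore action can actually be delivered, and that everything else is cut off. The following Python script is an added example, not Secureworks code and not part of the agent. The control host and port are assumptions (any destination the endpoint could reach before isolation); the backend is treated as reachable if either the telemetry or the sink endpoint answers, since which one the agent uses depends on platform and version. The third scenario in the checks below is the full-tunnel VPN case described in the Important note above, where the backend is unreachable and the host could not be restored.

```python
"""Post-isolation verification, run on the isolated endpoint itself.

Added example, not Secureworks code. Confirms the two properties a responder
cares about after isolating a host: the agent can still reach the XDR backend
(so a restore can be delivered), and ordinary destinations are cut off.
"""
import socket
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_resolves(name: str) -> bool:
    """Name resolution check. On an isolated Linux host this is expected to
    still succeed, since DNS traffic from all processes remains allowed."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except OSError:
        return False


def verify_isolation(backend: List[Endpoint], should_be_blocked: List[Endpoint],
                     probe: Callable[[str, int], bool] = tcp_open) -> Dict[str, object]:
    """Classify probe results against what isolation should look like.

    backend_reachable == False is the dangerous outcome: the agent cannot receive
    a restore command (the full-tunnel VPN case). 'leaks' lists destinations that
    should have been cut off but still accept connections.
    """
    return {
        "backend_reachable": any(probe(h, p) for h, p in backend),
        "leaks": [f"{h}:{p}" for h, p in should_be_blocked if probe(h, p)],
    }


def isolation_ok(findings: Dict[str, object]) -> bool:
    """Isolation is in the desired state only if the backend path is intact and nothing leaks."""
    return bool(findings["backend_reachable"]) and not findings["leaks"]


if __name__ == "__main__":
    import sys
    # Usage: python3 verify_isolation.py <ENV letter> <control host> <control port>
    # Assumption: the control host is one the endpoint could reach before isolation.
    env = (sys.argv[1] if len(sys.argv) > 1 else "c").lower()
    control = (sys.argv[2], int(sys.argv[3])) if len(sys.argv) > 3 else ("example.com", 443)
    backend = [(f"telemetry.{env}.taegiscloud.com", 443), (f"sink.{env}.taegiscloud.com", 8443)]
    findings = verify_isolation(backend, [control])
    print(findings)
    print("DNS resolves backend name:", dns_resolves(backend[0][0]))
    sys.exit(0 if isolation_ok(findings) else 1)
```

Run it on the isolated endpoint with the tenant's <ENV> letter and a control destination, for example `python3 verify_isolation.py c fileserver.corp.example 445`; a non-zero exit status means either a leak or, worse, a backend path that isolation has severed. Running the same script before isolating a host that sits behind a VPN tells you in advance whether the backend is reached through the tunnel, which is the situation the Important note above warns about.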
Open Source and Third-Party Software
Windows
Component | Reference |
---|---|
scope17 | https://github.com/PeterSommerlad/scope17 |
udis86 | http://udis86.sourceforge.net/ |
SQLite | http://sqlite.org/ |
SQLite Encryption Extension (SEE) | https://www.sqlite.org/see/doc/release/www/readme.wiki |
magic_enum | https://github.com/Neargye/magic_enum |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
LZ4 compression library | https://github.com/lz4/lz4 |
Linux
Component | Reference |
---|---|
RapidJSON | https://rapidjson.org/ |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
Websocketpp | https://github.com/zaphoyd/websocketpp |
Falco Libraries | https://falco.org/ |
LZ4 compression library | https://github.com/lz4/lz4 |
OpenSSL | https://www.openssl.org/ |
spdlog | https://github.com/gabime/spdlog |
zlib for crc32 | https://www.zlib.net/ |
macOS
Component | Resource |
---|---|
RapidJSON | https://rapidjson.org/ |
Google Protocol Buffers | https://developers.google.com/protocol-buffers |
Google Flatbuffers | https://google.github.io/flatbuffers/ |
LZ4 compression library | https://github.com/lz4/lz4 |
zlib for CRC32 | https://www.zlib.net/ |
fmt | https://github.com/fmtlib/fmt |