Arctic Wolf Agent deployment

Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:

• Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
• Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.

You can install Agent on desktop computers, laptops, virtual machines (VMs), and some cloud deployments.

Requirements

• Supported operating systems 

• System resources

• Port access

• Allowlist configuration changes

• Administrator permissions or the ability to perform administrator or root level functions

Supported operating systems

• Windows:

  • Windows 11 for 64-bit systems
  • Windows 10 Pro, 8.1, 8, and 7 Enterprise for 64-bit and 32-bit systems
  • Windows Server 2022, 2019, 2016, 2012 R2, 2012, and 2008 R2 for 64-bit systems
  • Windows 11 IoT, Windows 10 IoT, and 8.1 Embedded for 64-bit systems

  Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:

  • Windows 8.1 or newer for 64- and 32-bit systems
  • Windows Server 2012 or newer for 64-bit systems

• macOS:

  • macOS 10.14 or newer for 64-bit systems

• Linux:

  • Amazon Linux 2
  • CentOS 7 and 8
  • CentOS Stream 9
  • Debian 11.2 (Stable)
  • Linux Mint 20.3
  • Oracle Linux 8.5
  • Red Hat 7 and 8
  • Ubuntu 16.04, 18.04, 20.04, and 22.04

  Note: Vulnerability scanning is not supported on CentOS.

System requirements

• At a minimum, dual-core CPU

• x64 or x86 processor

• At a minimum, 2 GB of memory

  Notes:

  • Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
  • Agent does not support ARM architecture.

Networking requirements

• Ports 443 and 1514 outbound open

• Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.

  Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.

Allowlist requirements

You must configure your firewall and other network and endpoint security applications so that they do not block or interfere with Agent operations. In most applications, this means adding network addresses, files or file paths, and processes to an exclusions list or a safe list.

Allow Agent DNS hostnames

To enable Agent installation, updates, and functionality, configure your firewall to allow traffic to Agent DNS hostnames.

1. Sign in to the Arctic Wolf Unified Portal.

2. Go to Help, and then select Allowlist Requirements.

3. Go to the Agent section to view the list of DNS hostnames to allow.

4. Configure your firewall to allow outbound traffic to the listed hostnames.

   Note: You must add the hostnames, not IP addresses, to your allowlist configurations.

Allow Agent processes

If you are installing Agent alongside an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, you must add Agent processes to the allowlist in those applications to ensure stable CPU and memory utilization.

1. Configure your security systems to allow the processes listed in Arctic Wolf Agent Processes.

   Tip: If feasible, define a security rule or policy exclusion for the parent folder so that the rule or policy exclusion applies to new processes that might be added with a future Agent software update. For example, for a Windows machine, define a rule that applies to this file path: C:\Program Files\Arctic Wolf Networks\Agent\.

2. Add the files listed in Arctic Wolf Agent SHA-256 Hash Values to all allowlists.

3. If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.

For more detailed instructions, see the technical documentation for the security systems that you are configuring.

Agent installation options

You can install a single instance of Arctic Wolf Agent, see Arctic Wolf Agent on a Single Endpoint.

You can also bulk install Arctic Wolf Agent on several endpoints. Follow the guide for your operating system:

Operating system	Installation tools	Guide
Windows	Agent Installer Group Policy Management Intune Sysmon	Arctic Wolf Agent Installation on Windows
macOS	Agent Installer Jamf Pro	Arctic Wolf Agent Installation on macOS
Linux	Agent Installer	Arctic Wolf Agent Installation on Linux

Install Arctic Wolf Agent on a base image

You can run the installer as a post-image install script after the system loads the image successfully. You should not pre-install the Agent on a base image.

Install Sysmon

• To install Sysmon for Agent on Windows endpoints, see Sysmon Installation on Windows.

Uninstall Agent

• To uninstall Arctic Wolf Agent from a single endpoint, see Uninstall an individual Agent client.

• To bulk uninstall Arctic Wolf Agent from several endpoints, follow the guide for your operating system:

  Operating system	Guide
  Windows	Uninstall Arctic Wolf Agent on Windows
  macOS	Uninstall Arctic Wolf Agent on macOS
  Linux	Uninstall Arctic Wolf Agent on Linux