Arctic Wolf Agent InstallationUpdated Sep 19, 2023
Arctic Wolf® Agent is an endpoint security management tool that functions as a component of the following solutions:
- Managed Detection and Response (MDR) — Agent forwards security-relevant event and audit logs from endpoint devices in your network to Arctic Wolf to support continuous threat monitoring.
- Managed Risk — Agent creates an inventory of endpoint devices in your network and performs routine host vulnerability scans and security control benchmark scans to identify security risks. See Arctic Wolf Agent Scans for more information.
You can install Agent on desktop computers, laptops, virtual machines (VMs), and some cloud deployments.
Note: Do not install Arctic Wolf Agent on an endpoint that already has Wazuh installed.
Administrator permissions or the ability to perform administrator or root level functions
- Windows 11 for 64-bit systems
- Windows 10 Pro, 8.1, 8, and 7 Enterprise for 64-bit and 32-bit systems
- Windows Server 2022, 2019, 2016, 2012 R2, 2012, and 2008 R2 for 64-bit systems
- Windows 11 IoT, Windows 10 IoT, and 8.1 Embedded for 64-bit systems
Note: If you plan to use Sysmon with Arctic Wolf Agent, Sysmon has these operating system requirements:
- Windows 8.1 or newer for 64- and 32-bit systems
- Windows Server 2012 or newer for 64-bit systems
- macOS 10.14 or newer for 64-bit systems
- Amazon Linux 2
- CentOS 7 and 8
- CentOS Stream 9
- Debian 11.2 (Stable)
- Linux Mint 20.3
- Oracle Linux 8.5
- Red Hat 7 and 8
- Ubuntu 16.04, 18.04, 20.04, and 22.04
Note: Vulnerability scanning is not supported on CentOS.
At a minimum, dual-core CPU
x64 or x86 processor
At a minimum, 2 GB of memory
- Although Agent is designed to maintain a minimal footprint on all systems, Arctic Wolf recommends certain operating system requirements. Arctic Wolf cannot guarantee Arctic Wolf Agent functionality on virtual machine (VM) environments if resources do not meet recommended levels.
- Agent does not support ARM architecture.
Ports 443 and 1514 outbound open
Add all necessary Arctic Wolf Agent DNS entries to your allowlist. To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Agent.
Note: Agent must contact Arctic Wolf servers to register. If this process fails, Agent retries every 15 seconds. This has no negative impact on the system.
You must configure your firewall and other network and endpoint security applications so that they do not block or interfere with Agent operations. In most applications, this means adding network addresses, files or file paths, and processes to an exclusions list or a safe list.
To enable Agent installation, updates, and functionality, configure your firewall to allow traffic to Agent DNS hostnames.
Sign in to the Arctic Wolf Unified Portal.
Go to Help, and then select Allowlist Requirements.
Go to the Agent section to view the list of DNS hostnames to allow.
Configure your firewall to allow outbound traffic to the listed hostnames.
Note: You must add the hostnames, not IP addresses, to your allowlist configurations.
If you are installing Agent alongside an antivirus, endpoint scanner, Endpoint Detection and Response (EDR) solution, Unified Threat Management (UTM) solution, or similar software, you must add Agent processes to the allowlist in those applications to ensure stable CPU and memory utilization.
Configure your security systems to allow the processes listed in Arctic Wolf Agent Processes.
Tip: If feasible, define a security rule or policy exclusion for the parent folder so that the rule or policy exclusion applies to new processes that might be added with a future Agent software update. For example, for a Windows machine, define a rule that applies to this file path:
C:\Program Files\Arctic Wolf Networks\Agent\.
Add the files listed in Arctic Wolf Agent SHA-256 Hash Values to all allowlists.
If you use an EDR solution, verify that your EDR configuration changes are applied to all endpoints.
For more detailed instructions, see the technical documentation for the security systems that you are configuring.
You can install a single instance of Arctic Wolf Agent, see Arctic Wolf Agent on a Single Endpoint.
You can also bulk install Arctic Wolf Agent on several endpoints. Follow the guide for your operating system:
|Operating system||Installation tools||Guide|
||Arctic Wolf Agent Installation on Windows|
||Arctic Wolf Agent Installation on macOS|
||Arctic Wolf Agent Installation on Linux|
You can run the installer as a post-image install script after the system loads the image successfully. You should not pre-install the Agent on a base image.
- To install Sysmon for Agent on Windows endpoints, see Sysmon Installation on Windows.
To uninstall Arctic Wolf Agent from a single endpoint, see Uninstall an individual Agent client.
To bulk uninstall Arctic Wolf Agent from several endpoints, follow the guide for your operating system:
Operating system Guide Windows Uninstall Arctic Wolf Agent on Windows macOS Uninstall Arctic Wolf Agent on macOS Linux Uninstall Arctic Wolf Agent on Linux