Agent User Guide

Updated Sep 19, 2023

Agent management in the Unified Portal

You can view information about the Arctic Wolf Agents in your environment on the Unified Portal Agents page.

See the following for more information:

View Agent health

Agent filters

You can use the following filters to refine the items that appear in the Agents table:

Click Reset Filters at any time to remove all filters.

Click Hide Filter to hide the filters from the page or Show Filter to display the filters.

View Agents

View Agent details

Note: When set up correctly, you should have one online non-persistent VDI device. Offline duplicate devices are automatically purged after three days. If duplicate non-persistent VDI devices appear in the Unified Portal, install Agent for non-persistent VDI instances again. See Install agent for non-persistent VDI instances.

  1. In the Unified Portal menu bar, click Telemetry Management > Agents.

  2. Identify the Agent you want to view, and then click Expand to view the Agent details.

    Tip: If desired, use filters to narrow your results. See Agent filters for more information.

    You can view the following details about Arctic Wolf Agents in your network:

    • Agent ID — Displays the identification number of the Agent.

    • Last Reported — Displays the date and time that the Agent last reported.

    • Username — Displays the username of the Agent.

    • Network Interfaces — Displays any network interfaces that connect to the Agent.

    • VDI State — Displays the image used to create the non-persistent Virtual Desktop Infrastructure (VDI) instance. This column does not display details for persistent instances.

      State                Description
      Golden Image         The master image template.
      Non-Persistent Host  This instance was created from the golden image.

Agent Event logs

Arctic Wolf Agent without Sysmon captures a limited number of security-relevant Windows events, such as Active Directory (AD) lockouts for administrator accounts, AD sign-in failures for high-criticality users, and Kerberos replay attacks. When Sysmon is installed on the device, Arctic Wolf Agent can detect more events, such as process creation, driver loading, and potentially malicious PowerShell activity.

Arctic Wolf Agent does not forward all event logs to Arctic Wolf for storage. Agent is not a replacement for off-site log storage to meet industry compliance requirements.
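The following is an added example, not code from this guide or from Arctic Wolf, of the kind of account-aware filtering the paragraph above describes for the events Agent captures without Sysmon. It assumes the standard Windows Security log event IDs for account lockout (4740), logon failure (4625), and Kerberos replay detection (4649); the admin and high-criticality account lists and the sample events are constructed for the example and are not Arctic Wolf's own detection rules.

```python
"""Constructed example: flag the event categories the guide says Agent
captures even without Sysmon (admin lockouts, sign-in failures for
high-criticality users, Kerberos replay). Event IDs are standard Windows
Security log IDs and are an assumption about how such events appear in the
log, not Arctic Wolf's own detection logic."""
from dataclasses import dataclass

# Standard Windows Security log event IDs (assumed mapping for this example)
ACCOUNT_LOCKED_OUT = 4740
LOGON_FAILURE = 4625
KERBEROS_REPLAY_DETECTED = 4649


@dataclass(frozen=True)
class SecurityEvent:
    """Minimal view of a Security log record: ID, target account, host."""
    event_id: int
    account: str
    host: str


# Constructed account lists a defender would maintain (assumptions)
ADMIN_ACCOUNTS = {"da-admin", "svc-backup-admin"}
HIGH_CRITICALITY_USERS = {"cfo", "da-admin"}


def classify(event):
    """Return a short alert label when the event matches one of the
    described categories, or None when no alert is warranted."""
    if event.event_id == ACCOUNT_LOCKED_OUT and event.account in ADMIN_ACCOUNTS:
        return "admin-lockout"
    if event.event_id == LOGON_FAILURE and event.account in HIGH_CRITICALITY_USERS:
        return "high-criticality-signin-failure"
    if event.event_id == KERBEROS_REPLAY_DETECTED:
        # Replay detection is alert-worthy regardless of the account involved
        return "kerberos-replay"
    return None


def triage(events):
    """Return the alerts as (label, account, host) tuples, in input order."""
    return [(label, e.account, e.host) for e in events if (label := classify(e))]


# Constructed sample events: ordinary-user noise mixed with the three
# alert-worthy categories
SAMPLE_EVENTS = [
    SecurityEvent(4740, "da-admin", "DC01"),   # admin lockout -> alert
    SecurityEvent(4740, "jdoe", "DC01"),       # ordinary user lockout -> no alert
    SecurityEvent(4625, "cfo", "WS-042"),      # high-criticality sign-in failure -> alert
    SecurityEvent(4625, "jdoe", "WS-042"),     # ordinary sign-in failure -> no alert
    SecurityEvent(4649, "svc-web", "DC01"),    # Kerberos replay -> alert
    SecurityEvent(4624, "jdoe", "WS-042"),     # successful logon -> no alert
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The point of the account lists is that the same event ID means different things depending on who it concerns: a lockout of an ordinary user is routine noise, while a lockout of a domain administrator is worth an alert. Keeping those lists current is what makes this style of filtering useful.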

Agent operations

These sections provide information about Agent operations.

Agent updates

Agent automatically checks for updates every hour. If an update is available, Agent downloads the update installer, runs it automatically in the background, and removes the old application. Updates are pushed to Agents on all endpoints unless you specifically block an update for Advanced Threat Protection (ATP) testing. The Agent manager binary downloads updates over port 443.

Note: You must allowlist Agent DNS hostnames to allow automatic software updates. For instructions, see Agent allowlist requirements in the Arctic Wolf Agent Installation Guide.

Bandwidth requirements

Arctic Wolf Agent requires a minimum bandwidth of 1 Mbps for both download and upload at all times, not just during a scan.

Agent CPU and memory usage

Arctic Wolf Agent can cause CPU and memory usage spikes because vulnerability and benchmark scans are resource intensive. For example, it is normal to see 30% of a 2.5 GHz single-core CPU and 1 GB of memory in use. Schedule your scans accordingly if the endpoint has other resource requirements at certain times.

See also