
Samurai Agent (BETA)

What is the SamurAI Agent?

The SamurAI Agent is a lightweight, universal agent that provides deep visibility, detection and response across your endpoints for SamurAI services. Capabilities include:

Telemetry Data Collection

  • Standardized and targeted telemetry data collection independent of operating system (e.g. on Microsoft Windows the agent applies a custom Sysmon configuration, specifically tuned for the SamurAI platform, to optimize event collection and analysis).
  • Eliminates the need for 3rd party integrations to the Samurai platform (e.g. winlogbeat agents installed on the Microsoft Windows OS).
  • Eliminates the need for any endpoint configuration in telemetry collection.

Detection

  • Leverages the Samurai Real-Time Engine for detection of threats.
  • We apply our global threat intelligence feeds to enrich data with context about known malicious actors, emerging threats and attack patterns, enhancing the accuracy and speed of threat detection.
  • Leverages the Samurai Hunting Engine for automated and analyst driven threat hunting.

Investigate

  • Provides a powerful query capability (osquery) with real-time visibility into endpoints (e.g. querying for installed browser extensions helps analysts detect potential persistence mechanisms used by threat actors and accelerates investigations).
  • Event driven threat hunting to investigate, validate and contextualize a threat/incident.

Respond

  • Provides incident response tooling and aids endpoint forensics.

What’s Next?

Review the SamurAI Agent Support and Pre-requisites.

1 - Support and Pre-requisites

Listed below are the supported Operating Systems and communication pre-requisites. If you do not see a specific OS version listed, please reach out to us.

Supported Operating Systems

Operating System      Supported Version
Microsoft Windows     • Microsoft Windows 10 Home
                      • Microsoft Windows 10 Pro
                      • Microsoft Windows 10 Pro N
                      • Microsoft Windows 11 Enterprise
                      • Microsoft Windows Server 2016 Standard

Communication Pre-Requisites

Ensure all agents have the following network connectivity:

Source          Destination                          Ports     Description
SamurAI Agent   spiral-node-api.td.nttsecurity.io    TCP/443   • Telemetry ingestion
                                                               • Status
                                                               • Queries

What’s Next?

Now that you have an understanding of support and pre-requisites, learn about Download and Installation of the SamurAI Agent.

2 - Download and Installation

Before you begin download and installation of the SamurAI Agent you must first select how you wish to manage Agent Updates and decide the settings for SamurAI Agent for Windows.

  1. From the SamurAI MDR Portal, select Telemetry and click SamurAI Agent.

Upon first browsing to this page, the following will be displayed:

Figure 1: SamurAI Agent settings (image: samurai_agent_settings.png)

SamurAI Agents Updates

By default, SamurAI Agents are updated automatically. However, if you require the flexibility to update individual agents or groups of agents, you can select the option below (leaving it blank denotes automatic updates).

  • Self Managed: select this option should you wish to manage agent updates yourself. See Self Managed for more information.

SamurAI Agent for Windows

  1. Determine whether to Accept Microsoft Sysinternals Software Licence Terms (Sysmon EULA).
     • If you accept the Sysmon EULA, you can also select Install Sysmon if missing.
  2. Click Apply SamurAI Agent Settings.

The SamurAI Agent and Sysmon

For enhanced telemetry on Windows, the SamurAI Agent optionally leverages Microsoft System Monitor (Sysmon), a vital component for collecting detailed process and system activity. Read more about Sysmon from Microsoft Documentation.

Sysmon is not bundled with the SamurAI Agent; therefore, if you Accept Microsoft Sysinternals Software Licence Terms (Sysmon EULA), Sysmon will be downloaded and installed or updated silently upon installation of the SamurAI Agent, using the standard Microsoft-provided installation flags.

The SamurAI Agent leverages a custom Sysmon configuration tuned and maintained by the SamurAI detection engineering team. This provides:

  • Noise reduction: a default Sysmon deployment generates an extremely high volume of data; our tuned configuration filters out unnecessary events that are irrelevant for SamurAI Managed Detection and Response.

  • High-fidelity detections: we selectively enable and enrich valuable event IDs (e.g. process creation, network connections, registry modification) aligned with the MITRE ATT&CK framework.

  • Consistency across environments: ensures standardized event coverage across deployments.

  • Ongoing tuning: we regularly update the configuration to reflect emerging attacker techniques, new ATT&CK mappings and lessons learned.

What’s Next

You can now proceed to Agent Download.

2.1 - Agent Download

To download the SamurAI Agent follow the steps below:

  1. Log in to the Samurai MDR Portal

  2. Click Telemetry and select SamurAI Agent from the main menu

  3. Click SamurAI Agent installers

  4. Select the relevant installer based on your operating system and click Download

Verify Download

Microsoft Windows

To ensure your download has not been corrupted or tampered with, you can validate its checksum using the built-in Windows tool ‘certutil’.

Run the following command and view the checksum to ensure it matches the installer within the SamurAI MDR Portal:

c:\> certutil -hashfile spiral-windows-amd64.msi sha256

Example:

c:\> certutil -hashfile spiral-windows-amd64.msi sha256
SHA256 hash of spiral-windows-amd64.msi:
85193aa8c4e7a1eaba1da36251bc6ea78e0e62b2
CertUtil: -hashfile command completed successfully.
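The same check can be scripted so that it fails closed when the digest does not match. The following PowerShell is an added example and is not part of the SamurAI documentation or the vendor's tooling: it uses Get-FileHash (the PowerShell equivalent of certutil -hashfile) and first verifies that the value pasted from the portal is a complete 64-character SHA-256 digest, which catches a truncated or mistyped copy before any comparison is made. The function name Test-InstallerHash and the placeholder expected value are assumptions; replace the placeholder with the digest displayed next to the installer in the SamurAI MDR Portal.

```powershell
# Added example, not part of the SamurAI documentation: verify the downloaded
# MSI against the SHA-256 digest shown in the SamurAI MDR Portal.
# The expected value below is a placeholder; paste the digest from the portal.
function Test-InstallerHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }
    # Normalise the value pasted from the portal: drop whitespace, compare case-insensitively.
    $expected = ($ExpectedHash -replace '\s', '').ToUpperInvariant()
    # A SHA-256 digest is always 64 hex characters; reject truncated or mistyped values.
    if ($expected -notmatch '^[0-9A-F]{64}$') {
        throw "Expected value is not a 64-character SHA-256 digest ($($expected.Length) characters given)."
    }
    # Get-FileHash is the PowerShell equivalent of 'certutil -hashfile <file> sha256'.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToUpperInvariant()
    [PSCustomObject]@{
        Path     = $Path
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)
    }
}

# Usage: replace the placeholder with the digest displayed next to the installer in the portal.
$result = Test-InstallerHash -Path '.\spiral-windows-amd64.msi' `
                             -ExpectedHash '<paste SHA-256 from the SamurAI MDR Portal>'
$result | Format-List
if (-not $result.Match) {
    Write-Error 'Checksum mismatch: do not install this file. Download it again from the portal and re-check.'
}
```

Because the placeholder is deliberately not a valid digest, running the block unchanged stops at the format check; that is the intended behaviour until a real value is pasted in.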

What’s Next?

Based on your Operating System jump to the relevant SamurAI Agent installation guide:

2.2 - Microsoft Windows

Manual Installation

Locate the Windows MSI installer file that you previously downloaded and double-click it. A small progress window will appear; it does not require any interaction.

Additional commands are available using the command line as outlined below. All commands can be used in combination as required.

Proxy Support

If your organization leverages a proxy then use the following command during install:

Example:

msiexec.exe /i "spiral-windows-amd64.msi" PROXY=http://<ip>:<port>

This creates a key in the Windows registry, ‘Computer\HKEY_LOCAL_MACHINE\SOFTWARE\NTT\Spiral’, with a value named ‘Proxy’ holding the proxy from the command line.

This value can be added, changed or removed at a later time; if you do so, the SamurAI Agent services must be restarted.
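Changing the proxy after installation is the one step here that is easy to get half right (the registry value updated but the service not restarted), so here is an added PowerShell example of the post-install change. It is not vendor code: it writes or removes the Proxy value under HKLM\SOFTWARE\NTT\Spiral and then restarts the ‘Spiral’ service named later on this page. The function name Set-SpiralProxy, the assumption that the value is stored as a REG_SZ string, and the RFC 5737 documentation address used in the usage line are all mine; run it from an elevated PowerShell session.

```powershell
# Added example, not vendor code: add, change or remove the Proxy value that
# the installer writes under HKLM\SOFTWARE\NTT\Spiral, then restart the
# 'Spiral' service so the agent picks up the change. Run elevated.
# Assumption (not stated on the page): the value is stored as a string (REG_SZ).
function Set-SpiralProxy {
    param(
        # Pass nothing (or an empty string) to remove the proxy setting.
        [string] $Proxy,
        [string] $ServiceName = 'Spiral'
    )
    $key = 'HKLM:\SOFTWARE\NTT\Spiral'
    if (-not (Test-Path $key)) {
        throw "Registry key $key not found: is the SamurAI Agent installed?"
    }

    if ([string]::IsNullOrWhiteSpace($Proxy)) {
        Remove-ItemProperty -Path $key -Name 'Proxy' -ErrorAction SilentlyContinue
        Write-Host 'Proxy setting removed.'
    } else {
        # Sanity check against the documented format http://<ip>:<port>
        if ($Proxy -notmatch '^https?://[^/\s]+:\d{1,5}$') {
            throw "Unexpected proxy format: $Proxy (expected http://<ip>:<port>)"
        }
        Set-ItemProperty -Path $key -Name 'Proxy' -Value $Proxy -Type String
        Write-Host "Proxy set to $Proxy."
    }

    # The page states the agent services must be restarted after a change;
    # without this the old value stays in effect until the next reboot.
    Restart-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).Status
}

# Usage (constructed RFC 5737 documentation address; substitute your proxy):
Set-SpiralProxy -Proxy 'http://192.0.2.10:3128'
# To remove the proxy again:
# Set-SpiralProxy
```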

Quiet Mode Installation

Use the following command for ‘quiet mode’ installation (i.e. no progress window is displayed):

msiexec.exe /i "spiral-windows-amd64.msi" /qn

Verbose Installation Logs

If you wish to view installation logs you can use the following command to save logs to a file for review:

Example:

msiexec.exe /i "spiral-windows-amd64.msi" /L*vx output.txt
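Since the three options above can be combined, here is an added PowerShell wrapper (my example, not vendor tooling) that builds a single msiexec command from the PROXY property, /qn and /L*vx, waits for the installer and interprets the exit code, so that a silent rollout from a deployment script fails loudly rather than silently. The function name Install-SpiralAgent, the default log location and the example proxy address are assumptions; the exit codes 0, 3010 and 1641 are standard Windows Installer return codes. Run it from an elevated session.

```powershell
# Added example, not vendor code: install the SamurAI Agent MSI from
# PowerShell, combining the PROXY property, quiet mode (/qn) and verbose
# logging (/L*vx) described above. Run elevated.
function Install-SpiralAgent {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [string] $Proxy,                                      # e.g. http://<ip>:<port>; omit when not needed
        [switch] $Quiet,                                      # adds /qn (no progress window)
        [string] $LogPath = "$env:TEMP\spiral-install.log"    # /L*vx target (assumed default)
    )
    $msi = (Resolve-Path -LiteralPath $MsiPath).Path

    # Build the argument list; paths are quoted in case they contain spaces.
    $msiArgs = @('/i', "`"$msi`"", '/L*vx', "`"$LogPath`"")
    if ($Quiet) { $msiArgs += '/qn' }
    if ($Proxy) { $msiArgs += "PROXY=$Proxy" }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes:
    #   0    = success
    #   3010 = success, reboot required
    #   1641 = success, installer initiated a reboot
    switch ($proc.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed (reboot required)' }
        1641    { 'Installed (reboot initiated)' }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
}

# Usage (constructed RFC 5737 proxy address; drop -Proxy if you have none):
Install-SpiralAgent -MsiPath '.\spiral-windows-amd64.msi' -Proxy 'http://192.0.2.10:3128' -Quiet
```

Keeping the verbose log on even for quiet installs costs nothing and is the only place the reason for a failed silent install is recorded.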

Validate installation

After the installation has completed, there will be a ‘Spiral’ entry under installed programs.

Figure 1: Windows apps & features (image: windows_apps.png)

The installation folder is ‘C:\Program Files\Spiral’, with full control permissions granted to SYSTEM and Administrators.

This applies to all subfolders and files, with one exception: ‘osquery.db’ additionally has read access for Everyone/World.

Figure 2: SamurAI Agent Windows install path and files (image: install_path.png)

There will also be a service named ‘Spiral’ running.

Figure 3: Task manager service (image: task_manager.png)

The ‘Spiral’ process will also be visible.

Figure 4: Task manager process (image: spiral_task_manager.png)

Additionally osquery processes will be running.

Figure 5: osquery processes (image: windows_processes.png)

The following files are created by the installer:

C:\Program Files\Spiral\bin\spiral.exe: The Spiral launcher (more details on what it does further down)
C:\Program Files\Spiral\bin\osqueryd.exe: The Osqueryd binary, launched by spiral.exe (more details further down)
C:\Program Files\Spiral\config.yaml: The configuration for the Spiral launcher
C:\Program Files\Spiral\secret: The embedded tenant/enrollment secret
C:\Program Files\Spiral\ca.pem: Spiral CA bundle used to communicate with the SamurAI platform. A new bundle is downloaded if this file is missing or outdated. Used by both spiral.exe and osqueryd.exe.

The following files are created by either the ‘Spiral’ or ‘Osquery’ process:

C:\Program Files\Spiral\server.crt: Exported server certificate chain from Spiral Node API (typically excluding Root CA). 
C:\Program Files\Spiral\sysmon.xml: The sysmon configuration downloaded from Spiral Node API.
C:\Program Files\Spiral\data\osquery.db: RocksDB data folder used by Osquery for state keeping. Osquery sets this with read access to Everyone/World at intervals.
C:\Program Files\Spiral\data\extensions.load: Purposely left empty
C:\Program Files\Spiral\data\osquery.flags: Osquery startup flags (generated by Spiral), extended configuration is fetched by Osquery over HTTPS.
C:\Program Files\Spiral\data\osquery.log: Stdout/stderr log output from osqueryd.exe
C:\Program Files\Spiral\data\osquery.pid: Osquery PID
C:\Program Files\Spiral\data\osquery.uuid: UUID for this specific node
C:\Program Files\Spiral\data\spiral.log: Stdout/stderr log output from spiral.exe
C:\Program Files\Spiral\data\shell: A folder created when spiral.exe is run with the "shell" command, an interactive mode for running Osquery queries.

Depending on your selection for SamurAI Agent for Windows, the agent may:

  1. Download Sysmon from Microsoft official servers.
  2. Install or update Sysmon silently using standard Microsoft provided installation flags.
  3. Modify Sysmon with the SamurAI Agent configuration.
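The screenshots and file list above describe what a healthy install looks like; the following PowerShell turns that description into a repeatable check that can be run on any endpoint (or pushed through your management tooling) after deployment. It is an added example, not vendor tooling: it looks for the ‘Spiral’ installed-program entry, the ‘Spiral’ service and the spiral/osqueryd processes, the files the installer is documented to create, the SYSTEM/Administrators full-control ACLs, any place in the tree where Everyone has more than read access, the Proxy registry value, and the downloaded sysmon.xml. The function name Test-SpiralInstall is mine; the Sysmon service check assumes the standard Sysinternals service names (Sysmon or Sysmon64), which the page does not state. Run elevated, since reading ACLs under Program Files needs it.

```powershell
# Added example, not vendor code: verify the items this section documents for a
# completed SamurAI Agent install. Every check is reported rather than thrown so
# a partial install stands out in one listing. Run elevated.
function Test-SpiralInstall {
    $root   = 'C:\Program Files\Spiral'
    $checks = [ordered]@{}

    # 'Spiral' entry under installed programs (Add or remove programs)
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Spiral*' }
    $checks['ProgramEntry'] = [bool]$entry

    # Service named 'Spiral' running
    $svc = Get-Service -Name 'Spiral' -ErrorAction SilentlyContinue
    $checks['ServiceRunning'] = [bool]($svc -and $svc.Status -eq 'Running')

    # spiral.exe and osqueryd.exe processes present
    $checks['SpiralProcess']  = [bool](Get-Process -Name 'spiral'   -ErrorAction SilentlyContinue)
    $checks['OsqueryProcess'] = [bool](Get-Process -Name 'osqueryd' -ErrorAction SilentlyContinue)

    # Files the installer is documented to create
    foreach ($f in 'bin\spiral.exe', 'bin\osqueryd.exe', 'config.yaml', 'secret', 'ca.pem') {
        $checks["File:$f"] = Test-Path -LiteralPath (Join-Path $root $f)
    }

    # ACL: SYSTEM and Administrators should hold FullControl on the install folder
    $acl = Get-Acl -LiteralPath $root
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $checks["FullControl:$id"] = [bool]($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'FullControl' })
    }

    # Everyone is documented to get read access on osquery.db only; anything
    # granting Everyone write/modify/full control anywhere in the tree is reported.
    $everyoneWritable = foreach ($item in Get-ChildItem -LiteralPath $root -Recurse -Force) {
        $rules = (Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue).Access |
                 Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and
                                $_.AccessControlType -eq 'Allow' -and
                                $_.FileSystemRights -match 'Write|Modify|FullControl' }
        if ($rules) { $item.FullName }
    }
    $checks['NoEveryoneWrite']  = -not $everyoneWritable
    $checks['EveryoneWritable'] = @($everyoneWritable) -join '; '

    # Proxy value written by the installer when PROXY=... was used
    $proxy = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\NTT\Spiral' -Name 'Proxy' `
              -ErrorAction SilentlyContinue).Proxy
    $checks['ProxyConfigured'] = [bool]$proxy

    # Sysmon: service present (assumed standard names Sysmon/Sysmon64) and the
    # configuration downloaded from the Spiral Node API
    $checks['SysmonService']          = [bool](Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue)
    $checks['SysmonConfigDownloaded'] = Test-Path -LiteralPath (Join-Path $root 'sysmon.xml')

    [PSCustomObject]$checks
}

# Usage:
Test-SpiralInstall | Format-List
```

A false ProxyConfigured is expected on endpoints installed without the PROXY property, and SysmonService/SysmonConfigDownloaded will be false when the Sysmon EULA was not accepted in the portal settings; every other check should be true on a completed install.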

Review Deployed SamurAI Agents

Review and Manage within the SamurAI MDR Portal.

3 - Agent Management

View Agents

To view all deployed agents:

  1. Log in to the Samurai MDR Portal

  2. Click Telemetry and select SamurAI Agent from the main menu.

Agent Dashboard

The SamurAI Agent dashboard panel displays the following summary information:

  • Nodes: the total number deployed and seen by the SamurAI platform
  • Online: the total number currently online (have communicated with the SamurAI platform within the last five minutes)
  • Offline: the total number offline (have not communicated with the SamurAI platform for five minutes)
  • Platforms: the total number of platforms, i.e. Windows / MacOS / Linux

A table displays all deployed agents with node specific information:

Field               Description
Status              Status of the agent. Potential status displayed: Online or Offline
Name                Hostname of the endpoint
Platform            Platform and architecture: an icon depicting the OS and processor, e.g. AMD64
OS Name             The underlying operating system
OS Version          The operating system version
SamurAI Agent       The SamurAI Agent version installed
Sysmon Version      The System Monitor (Sysmon) version installed (applicable to Windows only)
Last external IP    The external IP address of the agent as seen by the SamurAI platform
Last Seen           Date and timestamp of when the agent last checked in to the SamurAI platform

Delete Agent(s)

The SamurAI platform does not remove or delete offline agents that are displayed. For example you may have uninstalled or removed the agent from a node but it will still be displayed as offline.

You can delete SamurAI Agents from the table:

  1. Select the nodes you wish to Delete
  2. Click Actions and select Delete selected nodes
  3. To ensure you intended to delete the agents you will need to type DELETE in the field and select Delete

Agent Settings

You can change the SamurAI Agent Update and Sysmon EULA selections by clicking Settings.

  • Auto Managed: automatic updates of agents are enabled by default; select this option if you want agent updates to occur automatically without any action needed on your part.
  • Self Managed: select this option should you wish to manage agent updates yourself.

Self Managed

If Self Managed is selected a new option entitled Update Tasks is displayed.

Update Tasks

Selecting Update Tasks allows you to configure tasks for updating your deployed agents.

  1. Click on Create Update Task.
  2. Enter a Name for the task, e.g. Windows 10 Pro Update.
  3. Toggle whether you wish to Start immediately. If you do not start the task immediately you have the option to update the status at a later date/time. See Update the Task.
  4. Select whether you wish to update:
     • SamurAI agent version (the latest version will always be displayed)
     • Sysmon version (applicable to Windows only)
  5. Select if you wish to Rate Limit the update task. Read more under Rate Limiting below.
  6. Once complete, select Review Selection and review your tasks.
  7. Click on Create Update Task.

Rate Limiting

Rate limiting allows you to roll out updates to endpoint agents gradually instead of updating all systems at once. This controlled approach reduces risk of disruption, avoids overloading networks and ensures that if an unexpected issue occurs, only a small number of endpoints are affected.

Enabling rate limiting allows you to configure the number of agents to update per time duration (which can be set as minute/hour/day/month/week/year).

When rate limiting is recommended:

  • Large fleets (typically 500+ endpoints)
  • Networks with remote sites, VPNs or limited bandwidth
  • Critical workloads where uptime and stability are essential
  • Major agent version upgrades or significant configuration changes

When rate limiting may not be necessary:

  • Small fleets with a few hundred endpoints
  • Minor, low-risk updates

View Update Tasks

  1. From the SamurAI Agent view, click Update Tasks.

A table displays all Update Tasks with specific information:

Field                  Description
Status                 Status of the Update Task (hover over for text); potential status displayed: Paused/Running/Completed/Failed
Name                   Name provided for the task
Rate Limit             Whether Rate Limiting was enabled
Sysmon Version         Updated Sysmon version (if applicable)
SamurAI agent          Updated SamurAI Agent version
Target Node Count      The number of agents within the update task
Completed Node Count   The number of completed agent updates
Failed Node Count      The number of failed agent updates
Created                Date/Timestamp of update task creation
Updated                Date/Timestamp of updates to the update task

Select an Update Task from the list to display status of individual agent updates.

A summary will be displayed including:

  • Update task status
  • Number completed
  • Number failed
  • Target
  • Rate Limit

Additional details for each agent are also included:

Field                     Description
Name                      Hostname of the agent to be updated
Node Update Task Status   The status of the agent update; potential status: New/Pending/Completed/Failed
Message                   A short description of progress
Start Date                Date/Timestamp of agent update start
End Date                  Date/Timestamp of agent update end
SamurAI Agent before      SamurAI Agent version before the update
SamurAI Agent after       SamurAI Agent version after the update
Sysmon before             Sysmon version before the update
Sysmon after              Sysmon version after the update

Update the Task

You can update the State of an Update Task to either Paused or Running.

For example, if you previously set an Update Task NOT to Start Immediately you can set the state to Running to begin the update:

  1. Select More Options (the more-options icon).

  2. Click Update the Task

  3. Select the State to Paused to pause the update task or to Running to begin or resume the update task.

4 - Agent Uninstall

Follow the steps to uninstall the SamurAI Agent based on your Operating System:

Microsoft Windows

  1. Go to Add or remove programs

  2. Find Spiral Agent

  3. Click Uninstall

  4. When uninstalled, program files and registry entries are removed from the endpoint/node; however, some files may remain:
     • All files not added by the installer itself, such as the Data folder in C:\Program Files\Spiral\Data
     • The files server.crt and sysmon.xml in C:\Program Files\Spiral
  5. It is safe to delete C:\Program Files\Spiral after the uninstall has completed.
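Step 5 is only safe once the uninstall has actually finished, so here is an added PowerShell example (mine, not vendor tooling) that refuses to touch the folder while the ‘Spiral’ service, the spiral/osqueryd processes or the installed-program entry still exist, lists what is left behind, and removes the folder only when you confirm. The function name Remove-SpiralLeftovers and the assumption that the installed-program entry's display name starts with ‘Spiral’ are mine; run elevated, and use -WhatIf first to see what would be deleted.

```powershell
# Added example, not vendor code: after removing the agent via Add or remove
# programs, confirm the uninstall completed and then delete the leftover
# C:\Program Files\Spiral folder the page says is safe to remove. Run elevated.
function Remove-SpiralLeftovers {
    [CmdletBinding(SupportsShouldProcess)]
    param([string] $Root = 'C:\Program Files\Spiral')

    # Refuse to clean up while any trace of a live install remains.
    if (Get-Service -Name 'Spiral' -ErrorAction SilentlyContinue) {
        throw "The 'Spiral' service still exists; uninstall the agent first."
    }
    if (Get-Process -Name 'spiral', 'osqueryd' -ErrorAction SilentlyContinue) {
        throw 'spiral.exe or osqueryd.exe is still running; uninstall the agent first.'
    }
    $entry = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' `
                              -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Spiral*' }   # assumed display-name prefix
    if ($entry) {
        throw "'$($entry.DisplayName)' is still listed under installed programs."
    }

    if (-not (Test-Path -LiteralPath $Root)) {
        return 'Nothing left to remove.'
    }

    # Report what remains (the page lists Data\, server.crt and sysmon.xml as typical leftovers).
    $leftovers = Get-ChildItem -LiteralPath $Root -Recurse -Force |
                 Select-Object -ExpandProperty FullName
    if ($PSCmdlet.ShouldProcess($Root, 'Remove leftover folder')) {
        Remove-Item -LiteralPath $Root -Recurse -Force
    }
    $leftovers
}

# Usage: preview first, then run without -WhatIf to delete.
Remove-SpiralLeftovers -WhatIf
```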