SamurAI Endpoint Agent
What is the SamurAI Endpoint Agent?
The SamurAI Endpoint Agent is a lightweight software component installed on an endpoint (such as a workstation or server) that provides deep visibility and enables SamurAI Managed Detection and Response across your endpoints. Capabilities include:
Telemetry Data Collection
- Standardized and targeted telemetry data collection independent of operating system (e.g. on Microsoft Windows the agent applies a custom Sysmon configuration, specifically tuned for the SamurAI Platform, to optimize event collection and analysis).
- Eliminates the need for 3rd party integrations to the SamurAI Platform (e.g. winlogbeat agents installed on the Microsoft Windows OS).
- Eliminates the need for any endpoint configuration for telemetry collection.
Detection
- Leverages the SamurAI Real-Time Engine for detection of threats.
- We apply our global threat intelligence feeds to enrich data with context about known malicious actors, emerging threats, and attack patterns, enhancing the accuracy and speed of threat detection.
- Leverages the SamurAI Hunting Engine for automated and analyst driven threat hunting.
Investigate
- Provides a powerful query capability (osquery) with real-time visibility into endpoints (e.g. query for installed browser extensions to help analysts detect potential persistence mechanisms used by threat actors and accelerate investigations).
- Event driven threat hunting to investigate, validate and contextualize a threat/incident.
Respond
- Provides incident response tooling and aids endpoint forensics.
What’s Next?
Review the SamurAI Endpoint Agent Support and Pre-requisites.
1 - Support and Pre-requisites
Listed below are the supported Operating Systems (OS) and communication pre-requisites. If you do not see a specific OS version listed, please reach out to us.
Supported Operating Systems
| Operating System | Supported Version |
|---|---|
| Microsoft Windows | 10, 11, Server 2016, 2019, 2022, 2025 |
Linux and MacOS SamurAI Endpoint Agents are available in Beta; to request access, raise a ticket.
Communication Pre-Requisites
Ensure endpoints with the SamurAI Endpoint Agent installed have the following network connectivity:
| Source | Destination | Ports | Description |
|---|---|---|---|
| SamurAI Endpoint Agent | spiral-node-api.td.nttsecurity.io | TCP/443 | Telemetry ingestion, status, queries, updates |
What’s Next?
Now that you understand the support and pre-requisites, learn about Download and Installation.
2 - Download and Installation
Before you download and install the SamurAI Endpoint Agent, you must first select how you wish to manage SamurAI Endpoint Agent updates and decide the settings for the SamurAI Endpoint Agent for Windows.
- From the SamurAI MDR Portal select Telemetry and click SamurAI Endpoint Agent.
Upon first navigation to this page, the following will be displayed:

Figure 1: SamurAI Endpoint Agent settings
Updates
Select how you want to manage SamurAI Endpoint Agent updates:
- Auto Managed: auto updates of agents are enabled by default; this option automatically updates agents as new versions are released, without any action needed on your part.
- Self Managed: select this option if you wish to manage updates yourself. See Self Managed for more information.
You can change this at any time. Refer to Settings.
SamurAI Endpoint Agent for Windows
- Determine whether to Accept Microsoft Sysinternals Software Licence Terms (Sysmon EULA).
We recommend accepting the Sysmon EULA, as this enables advanced endpoint telemetry and provides deeper visibility for threat detection and investigations. Refer to The SamurAI Endpoint Agent and Sysmon. If you accept the Sysmon EULA, you can also select Install Sysmon if missing.
- Click Apply SamurAI Endpoint Agent Settings.
The SamurAI Endpoint Agent and Sysmon
For enhanced telemetry on Windows, the SamurAI Endpoint Agent optionally leverages Microsoft System Monitor (Sysmon), a vital component for collecting detailed process and system activity. Read more about Sysmon in the Microsoft documentation.
Sysmon is not bundled with the SamurAI Endpoint Agent. If you Accept Microsoft Sysinternals Software Licence Terms (Sysmon EULA), Sysmon is downloaded and installed or updated silently upon installation of the SamurAI Endpoint Agent, using the standard Microsoft-provided installation flags.
The SamurAI Endpoint Agent leverages a custom Sysmon configuration tuned and maintained by the SamurAI detection engineering team. This provides:
- Noise reduction: a default Sysmon deployment generates an extremely high volume of data; our tuned configuration filters out events that are irrelevant to SamurAI Managed Detection and Response.
- High-fidelity detections: we selectively enable and enrich valuable event IDs (e.g. process creation, network connections, registry modification) aligned with the MITRE ATT&CK framework.
- Consistency across environments: standardized event coverage across deployments.
- Ongoing tuning: we regularly update the configuration to reflect emerging attacker techniques, new ATT&CK mappings and lessons learned.
What’s Next?
You can now proceed to Agent Download.
2.1 - Download
To download the SamurAI Endpoint Agent follow the steps below:
Log in to the SamurAI MDR Portal.
Click Telemetry and select SamurAI Endpoint Agent from the main menu
Click Installers
Select the relevant installer based on your operating system and click Download
When you download the SamurAI Endpoint Agent, you may notice the name Spiral. This is expected: Spiral is an internal identifier used by the system.
The installer includes a checksum to verify the package.
Verify Download
Microsoft Windows
To ensure your download has not been corrupted or tampered with, you can validate its checksum using the built-in Windows tool certutil.
Run the following command and compare the checksum with the one shown for the installer in the SamurAI MDR Portal:
C:\> certutil -hashfile spiral-windows-amd64.msi sha256
Example:
C:\> certutil -hashfile spiral-windows-amd64.msi sha256
SHA256 hash of spiral-windows-amd64.msi:
85193aa8c4e7a1eaba1da36251bc6ea78e0e62b2
CertUtil: -hashfile command completed successfully.
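The same check scripted for a deployment pipeline, as an added example that is not part of the SamurAI documentation. It assumes the MSI name shown above and that the SHA256 published for the installer in the SamurAI MDR Portal has been pasted into the placeholder `$ExpectedSha256`; it also reports the Authenticode signature status, which the page does not describe, for your review.

```powershell
# Added example, not from the SamurAI documentation: verify the downloaded MSI
# before deploying it. $ExpectedSha256 is a placeholder; paste the SHA256 shown
# for the installer in the SamurAI MDR Portal.
$InstallerPath  = '.\spiral-windows-amd64.msi'
$ExpectedSha256 = '<SHA256 from the SamurAI MDR Portal>'

function Test-SpiralInstaller {
    param([string]$Path, [string]$Expected)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Installer not found: $Path"
    }

    # A SHA-256 digest is 64 hex characters. Refusing anything else stops a
    # truncated or wrong-algorithm value from being accepted as a "match".
    $Expected = $Expected.Trim()
    if ($Expected -notmatch '^[0-9a-fA-F]{64}$') {
        throw "Expected value is not a 64-character SHA-256 hex digest: '$Expected'"
    }

    # Same digest as: certutil -hashfile spiral-windows-amd64.msi sha256
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The page does not say whether the MSI is Authenticode-signed, so the
    # signature status is reported for review rather than used as a hard gate.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = ($actual -eq $Expected)   # -eq is case-insensitive in PowerShell
        SignatureStatus = $sig.Status.ToString()
        Signer          = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
    }
}

$result = Test-SpiralInstaller -Path $InstallerPath -Expected $ExpectedSha256
$result | Format-List

if (-not $result.HashMatches) {
    Write-Error 'Checksum mismatch: do not deploy this installer.'
    exit 1
}
```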
What’s Next?
Based on your operating system, jump to the relevant SamurAI Endpoint Agent installation guide:
2.2 - Microsoft Windows
Deploy the SamurAI Endpoint Agent using your organization’s software distribution tools, e.g. Group Policy Objects (GPO) in an Active Directory environment or Microsoft Intune.
When you install the SamurAI Endpoint Agent, you may notice installed components use the name Spiral - for example, the Windows installation path C:\Program Files\Spiral. These are expected internal identifiers used by the system.
Manual Installation
Locate the Windows MSI installer file that you previously downloaded and double-click it; a small progress window appears that does not require any interaction.
Additional options are available from the command line, as outlined below. All options can be combined as required.
Proxy Support
If your organization uses a proxy, pass it with the PROXY property during install:
Example:
msiexec.exe /i "spiral-windows-amd64.msi" PROXY=http://<ip>:<port>
This creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\NTT\Spiral with a Proxy value containing the proxy given on the command line.
The value can be added, changed or removed at a later time; if you do so, the SamurAI Endpoint Agent services must be restarted.
Quiet Mode Installation
Use the following command for quiet mode installation (i.e. no progress window is displayed):
msiexec.exe /i "spiral-windows-amd64.msi" /qn
Verbose Installation Logs
If you wish to view installation logs, use the following command to save them to a file for review:
Example:
msiexec.exe /i "spiral-windows-amd64.msi" /L*vx output.txt
Validate installation
After the installation has completed, there will be a Spiral entry under installed programs.

Figure 1: Windows apps & features
The installation folder is C:\Program Files\Spiral, with Full Control permissions granted to SYSTEM and Administrators.
This applies to all subfolders and files, with one exception: osquery.db additionally has read access for Everyone/World.

Figure 2: SamurAI Endpoint Agent Windows install path and files
There will also be a service named Spiral running.

Figure 3: Task manager service
The Spiral process will also be visible.

Figure 4: Task manager process
Additionally, osquery processes will be running.

Figure 5: osquery processes
The following files are created by the installer:
- C:\Program Files\Spiral\bin\spiral.exe: the Spiral launcher (more details on its functions further down).
- C:\Program Files\Spiral\bin\osqueryd.exe: the osqueryd binary, launched by spiral.exe (more details further down).
- C:\Program Files\Spiral\config.yaml: the configuration for the Spiral launcher.
- C:\Program Files\Spiral\secret: the embedded tenant/enrollment secret.
- C:\Program Files\Spiral\ca.pem: the Spiral CA bundle used to communicate with the SamurAI platform; a new copy is downloaded if it is missing or outdated. Used by both spiral.exe and osqueryd.exe.
The following files are created by either the Spiral or the osquery process:
- C:\Program Files\Spiral\server.crt: exported server certificate chain from the Spiral Node API (typically excluding the Root CA).
- C:\Program Files\Spiral\sysmon.xml: the Sysmon configuration downloaded from the Spiral Node API.
- C:\Program Files\Spiral\data\osquery.db: RocksDB data folder used by osquery for state keeping; osquery periodically sets read access for Everyone/World on it.
- C:\Program Files\Spiral\data\extensions.load: purposely left empty.
- C:\Program Files\Spiral\data\osquery.flags: osquery startup flags (generated by Spiral); the extended configuration is fetched by osquery over HTTPS.
- C:\Program Files\Spiral\data\osquery.log: stdout/stderr log output from osqueryd.exe.
- C:\Program Files\Spiral\data\osquery.pid: osquery PID.
- C:\Program Files\Spiral\data\osquery.uuid: UUID for this specific node.
- C:\Program Files\Spiral\data\spiral.log: stdout/stderr log output from spiral.exe.
- C:\Program Files\Spiral\data\shell: a folder created if spiral.exe is run with the "shell" command, an interactive mode for running osquery commands.
Depending on your selection for SamurAI Endpoint Agent for Windows, the agent may:
- Download Sysmon from the official Microsoft servers.
- Install or update Sysmon silently using the standard Microsoft-provided installation flags.
- Apply the SamurAI Sysmon configuration to Sysmon.
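A scripted version of the validation steps above, as an added example that is not part of the SamurAI documentation: it checks the Spiral service and processes, the installer-created files, the install-folder permissions (Full Control for SYSTEM and Administrators only, read access for Everyone on osquery.db) and the Proxy registry value. It assumes the paths, names and registry key stated on this page and is run from an elevated PowerShell prompt on the endpoint.

```powershell
# Added example, not from the SamurAI documentation: post-install checks that
# confirm the service, processes, files, permissions and proxy setting that the
# "Validate installation" section describes. Run from an elevated PowerShell prompt.
$InstallDir     = 'C:\Program Files\Spiral'
$RegKey         = 'HKLM:\SOFTWARE\NTT\Spiral'
$TrustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

function Get-SpiralInstallState {
    $state = [ordered]@{}

    # 1. Service and processes documented on the page
    $svc = Get-Service -Name 'Spiral' -ErrorAction SilentlyContinue
    $state.ServiceStatus  = $(if ($svc) { $svc.Status.ToString() } else { 'missing' })
    $state.SpiralProcess  = [bool](Get-Process -Name 'spiral'   -ErrorAction SilentlyContinue)
    $state.OsqueryProcess = [bool](Get-Process -Name 'osqueryd' -ErrorAction SilentlyContinue)

    # 2. Files the installer is documented to create
    $expected = 'bin\spiral.exe', 'bin\osqueryd.exe', 'config.yaml', 'secret', 'ca.pem'
    $state.MissingFiles = @($expected |
        Where-Object { -not (Test-Path -LiteralPath (Join-Path $InstallDir $_)) })

    # 3. Install folder ACL: SYSTEM and Administrators should hold Full Control and
    #    nobody else should be able to write (the folder holds the enrollment secret).
    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    $allow = @((Get-Acl -LiteralPath $InstallDir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' })
    $state.FullControl = @($allow |
        Where-Object { ($_.FileSystemRights -band $full) -eq $full } |
        ForEach-Object { $_.IdentityReference.Value })
    $state.UnexpectedWriters = @($allow |
        Where-Object { ([int]($_.FileSystemRights -band $write) -ne 0) -and
                       ($_.IdentityReference.Value -notin $TrustedWriters) } |
        ForEach-Object { $_.IdentityReference.Value })

    # 4. osquery.db is documented to get read access for Everyone; anything beyond read is a finding
    $dbPath = Join-Path $InstallDir 'data\osquery.db'
    $state.EveryoneOnDb = $(if (Test-Path -LiteralPath $dbPath) {
        @((Get-Acl -LiteralPath $dbPath).Access |
            Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
            ForEach-Object { $_.FileSystemRights.ToString() })
    } else { '(osquery.db not present yet)' })

    # 5. Proxy value written by PROXY=http://<ip>:<port> at install time; empty when no proxy was given
    $state.Proxy = (Get-ItemProperty -Path $RegKey -Name Proxy -ErrorAction SilentlyContinue).Proxy

    [pscustomobject]$state
}

Get-SpiralInstallState | Format-List
```

An empty UnexpectedWriters list and a FullControl list containing only SYSTEM and Administrators match what the page states; any other principal with write access on the folder warrants investigation.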
Review Deployed SamurAI Endpoint Agents
Review and manage deployed agents within the SamurAI MDR Portal.
3 - Management
SamurAI Endpoint Agents registered with the SamurAI Platform are referred to as Nodes within the SamurAI MDR Portal.
View Nodes
To view all deployed agents:
Log in to the SamurAI MDR Portal.
Click Telemetry and select SamurAI Endpoint Agent from the main menu.
Dashboard
The dashboard panel displays summary information:
- Nodes: the total deployed and seen by the SamurAI platform
- Online: the total currently online (have communicated with the SamurAI platform within the last five minutes)
- Offline: the total currently offline (have not communicated with the SamurAI platform for five minutes)
- Platforms: the total number of platforms, i.e. Windows / MacOS / Linux
Nodes Table
A table displays all deployed agents with node specific information:
| Field | Description |
|---|---|
| ID | Universally Unique Identifier (UUID) of the node |
| Status Description | Status of the agent. Potential status displayed: Online or Offline |
| Name | Hostname of the endpoint |
| Platform | Platform and architecture: an icon depicting the OS and processor, e.g. AMD64 |
| OS Name | The underlying operating system |
| OS Version | The operating system version |
| Agent Version | The SamurAI Endpoint Agent version installed |
| Sysmon Version | The System Monitor (Sysmon) version installed |
| Last external IP | The external IP address of the agent as seen by the SamurAI platform |
| Last Seen | Date and timestamp of when the agent last checked in to the SamurAI platform |
| Inactivity Threshold | An indicator displaying the time until the agent is deemed inactive and purged from view |
Inactive Node(s)
Nodes communicate with the SamurAI platform every minute and are marked offline if no communication is received after five minutes.
Offline nodes remain visible for 90 days; after this threshold the node is deemed inactive and purged from the SamurAI platform backend and the current view.
You can view inactive and deleted nodes within the Node History.
Delete Node(s)
You can delete nodes from the table:
- Select the nodes you wish to delete.
- Click Actions and select Delete selected nodes.
- To confirm that you intend to delete the agents, type DELETE in the field and select Delete.
- The deleted node record appears under Node History.
If a node has been deleted but the agent has not been uninstalled from the endpoint, and it starts communicating with the SamurAI Platform again, it will be displayed within the Node Table again; its record will also remain within Node History.
Node History
The Node History log displays a table of Deleted and Purged (deemed inactive) nodes with node-specific information:
| Field | Description |
|---|---|
| ID | Universally Unique Identifier (UUID) of the node |
| Action | The action taken against the node: Purged (based on the inactivity threshold) or Deleted |
| Name | Hostname of the endpoint |
| Last Status | The last known status of the node (typically Offline) |
| OS Name | The underlying operating system |
| User | The user that deleted the node. This can also be System, which denotes the SamurAI platform when the node was inactive and purged |
| Last Enrolled | Date and timestamp of when the node was originally enrolled |
| Action Applied | Date and timestamp of when the Action was applied to the node |
Node history is stored and visible following our standard retention of 400 days.
3.1 - Settings and Updates
Settings
You can change the Update and Sysmon EULA selections by clicking Settings from the SamurAI Endpoint Agent view.
- Auto Managed: auto updates of agents are enabled by default; select this option if you want agent updates to occur automatically, without any action needed on your part.
- Self Managed: select this option if you wish to manage agent updates yourself.
For Sysmon EULA settings we recommend maintaining your original selection to ensure consistency across your nodes.
Updates
Self Managed
If Self Managed is selected, a new option entitled Update Tasks is displayed.
Update Tasks
Selecting Update Tasks allows you to configure tasks for updating your deployed agents.
- Click on Create Update Task.
- Within the Create Update Task view we recommend that you use filters and save them as views. This is useful if, for example, you want to run an update task against a specific set of deployed agents. Click Views to save, reset or delete your different filters. Once saved, you can toggle between views.
- Enter a Name for the task, e.g. Windows 10 Pro Update.
- Toggle whether you wish to Start immediately. If you do not start the task immediately, you can update its state at a later date/time. See Update the Task.
- Select whether you wish to update:
  - SamurAI Agent version (the latest version will always be displayed)
  - Sysmon version
- Rate Limit is enabled by default at 5 nodes per 1 minute. Read more under Rate Limiting.
- Once complete, select Review Selection and review your task.
- Click on Create Update Task.
Rate Limiting
Rate limiting allows you to roll out updates to nodes gradually instead of updating all at once. This controlled approach reduces the risk of disruption, avoids overloading networks and ensures that if an unexpected issue occurs, only a small number of nodes are affected.
Rate limiting allows you to configure the number of nodes to update per time duration (which can be set per minute/hour/day).
When rate limiting is recommended:
- Large fleets (typically 500+ nodes)
- Networks with remote sites, VPNs or limited bandwidth
- Critical workloads where uptime and stability are essential
- Major agent version upgrades or significant configuration changes
When rate limiting may not be necessary:
- Small fleets with a few hundred nodes
- Minor, low-risk updates
The rate limit upper bounds are:
- 25 nodes per 1 minute, 50 nodes per 2 minutes, etc.
- 1500 nodes per 1 hour, 3000 nodes per 2 hours, etc.
- 36000 nodes per 1 day, 72000 nodes per 2 days, etc.
View Update Tasks
- From the SamurAI Endpoint Agent view, click Update Tasks.
A table displays all Update Tasks with specific information:
| Field | Description |
|---|---|
| Status | Status of the Update Task (hover over for text); potential statuses: Paused/Running/Completed/Failed |
| Status Description | Status description; potential statuses: Paused/Running/Completed/Failed |
| Name | Name provided for the task |
| Sysmon Version | Updated Sysmon version (if applicable) |
| Agent Version | Updated SamurAI Endpoint Agent version |
| Target Node Count | The number of nodes within the update task |
| Completed Node Count | The number of completed node updates |
| Failed Node Count | The number of failed node updates |
| Created | Date/timestamp of update task creation |
| Updated | Date/timestamp of the last update to the update task |
Select an Update Task from the list to display the status of individual node updates.
A summary will be displayed including:
- Update task status
- Number completed
- Number failed
- Target
- Rate Limit
Additional details for each node are also included:
| Field | Description |
|---|---|
| Name | Hostname of the node to be updated |
| Node Update Task Status | The status of the node update; potential statuses: New/Pending/Completed/Failed |
| Message | A short description of progress |
| Start Date | Date/timestamp of the agent update start |
| End Date | Date/timestamp of the agent update end |
| Agent before | SamurAI Endpoint Agent version before the update |
| Agent after | SamurAI Endpoint Agent version after the update |
| Sysmon before | Sysmon version before the update |
| Sysmon after | Sysmon version after the update |
Update the Task
You can update the State of an Update Task to either Paused or Running.
For example, if you previously set an Update Task NOT to Start Immediately, you can set the state to Running to begin the update:
From the Update Tasks list, select the relevant Update Task.
Select More Options.
Click Update the Task.
Set the State to Paused to pause the update task, or to Running to begin or resume it.
4 - Uninstall
You may notice installed components use the name Spiral - for example, the Windows installation path C:\Program Files\Spiral. These are expected internal identifiers used by the system.
Follow the steps to uninstall the SamurAI Endpoint Agent based on your Operating System:
Microsoft Windows
Uninstall the SamurAI Endpoint Agent using your organization’s software distribution tools, e.g. Group Policy Objects (GPO) in an Active Directory environment or Microsoft Intune, or manually:
Go to Add or remove programs
Find Spiral Agent
Click Uninstall
When uninstalled, program files and registry entries are removed from the endpoint/node; however, some files may remain:
- All files not added by the installer itself, such as the Data folder C:\Program Files\Spiral\Data
- The files server.crt and sysmon.xml in C:\Program Files\Spiral
It is safe to delete C:\Program Files\Spiral after the uninstall has completed.
The SamurAI Endpoint Agent installer does not include Sysmon, so Sysmon is not uninstalled. If you wish to uninstall Sysmon, please refer to the Microsoft Documentation.
5 - FAQ
General
Is the SamurAI Endpoint Agent available to all clients?
Yes, the SamurAI Endpoint Agent is available to all SamurAI Managed Detection & Response (MDR) clients.
Is the SamurAI Endpoint Agent an Endpoint Detection & Response (EDR) product?
No. Despite having similar capabilities to commercial EDR solutions, it is not intended as a replacement. It is intended as a SamurAI platform-native agent, allowing full customization, built and configured in support of SamurAI Managed Detection & Response (MDR) and Incident Response engagements.
I already have an EDR (e.g. CrowdStrike, Microsoft Defender), do I need the SamurAI Endpoint Agent?
The SamurAI Endpoint Agent is optional; however, there are advantages to its use, such as the ability to gather advanced data and metrics optimized specifically for the SamurAI platform and detection engines, in addition to aiding our SOC analysts in investigating and validating threats.
Can I use the SamurAI Endpoint Agent in conjunction with my current EDR?
Yes, the SamurAI Endpoint Agent can run in conjunction with your existing EDR solution for maximum visibility and response.
Are there any known limitations or problems with running the SamurAI Endpoint Agent in addition to my deployed agents?
The SamurAI Endpoint Agent has been tested alongside other agents, e.g. EDR solutions, and no limitations or problems were identified. In some cases you may need to 'whitelist' the SamurAI Endpoint Agent on your existing EDR deployments to ensure no issues. As the SamurAI Endpoint Agent is lightweight with a low footprint, resource contention is unlikely, but this is highly dependent on the underlying endpoint and network connectivity.
There is a potential for duplicate security alerts, however the SamurAI platform handles this.
What type of data does the SamurAI Endpoint Agent collect from the host?
This is dependent on the underlying operating system; for Microsoft Windows we gather event data using System Monitor (Sysmon), which is part of the Sysinternals Suite developed by Microsoft (if you have accepted the Microsoft EULA; see SamurAI Endpoint Agent for Windows for additional information).
We leverage a custom Sysmon configuration (which we maintain) that collects detailed information about system activity (logged to the Windows Event Log) to help with security monitoring and investigations.
The SamurAI Endpoint Agent also leverages osquery, which allows the SamurAI platform / SOC to query the endpoint operating system as if it were a relational database, for example to gather system information (hostname, OS version, uptime), user and login activity, processes and services, and networking (active network connections, listening ports).
What is the average log data volume per day for the SamurAI Endpoint Agent?
This can vary depending on the type of endpoint and its activity; however, it is typically 30 MB per day and can go up to approximately 200 MB per day.
Support
What Operating Systems are supported?
Can the agent also be used and installed on server systems (e.g. Windows Server 202x)?
Can the SamurAI Endpoint Agent be installed on virtual systems (e.g. within a virtualization platform where multiple virtual machines (VMs) share the same underlying hardware)?
Yes; however, please adhere to the supported operating systems. Please review Support and Pre-requisites for a current list of supported operating systems.
Installation and Setup
What network connectivity is required?
What endpoints should I install the SamurAI Endpoint Agent on?
Ideally all endpoints (laptops and servers). Alternatively, you can install the SamurAI Endpoint Agent on specific endpoints where you have limited or no EDR coverage.
Are there any restrictions on installing on a user’s PC/endpoint?
There are no restrictions on installation other than supported OS and connectivity requirements.
Is it possible to install the SamurAI Endpoint Agent remotely?
It is your responsibility to deploy the SamurAI Endpoint Agent after download from the SamurAI portal. We recommend deploying the SamurAI Endpoint Agent using your organization's preferred software distribution tools.
For Windows environments, this may include Group Policy Objects (GPO) in an Active Directory domain or Microsoft Intune for cloud-based management.
Management
How often are SamurAI Endpoint Agent updates available?
We periodically release SamurAI Endpoint Agent software updates as needed to ensure the latest enhancements are available. We keep you updated via announcements in the SamurAI Portal and the latest Release Notes.
How do I update deployed SamurAI Endpoint Agents?
You can update automatically or choose how and when to update deployed SamurAI Endpoint Agents. Please review Agent Updates.
Why is the term Node(s) used in the SamurAI Portal?
A Node is a registered instance of an endpoint with the SamurAI Endpoint Agent installed. Please review the SamurAI Glossary of Terms.
Why is the name Spiral used in folder paths and service names?
The SamurAI Endpoint Agent operates under the name Spiral; this is an expected internal identifier used by the SamurAI platform.