IBM Cloud Docs
Managing the Workload Protection agent on Windows Servers

After you provision an instance of the IBM Cloud® Security and Compliance Center Workload Protection service in IBM Cloud, you can deploy the Workload Protection agent on your Windows Servers to collect events and protect your workloads.

Workload Protection provides the following features to protect your Windows servers:

  • Threat detection and response: identify threats and suspicious activity based on application, network, and host activity by processing syscall events, and investigate them with detailed system captures.
  • Posture management: scan host configuration files for compliance against benchmarks such as the CIS Windows Server Benchmarks.
  • Host scanning: scan host packages, detect the associated vulnerabilities, and identify the resolution priority based on the available fixed versions and the severity.

Before you begin

  1. Obtain the access key. It is used later as AGENT_ACCESS_KEY.

  2. Obtain the public or private ingestion URL. For more information, see Collector endpoints. It is used later as COLLECTOR_URL.

  3. Make sure that you have Administrator permissions to perform these operations.

Deploying the agent for threat detection and response

The Workload Protection agent uses Falco to ensure workload security and compliance. The agent has two components, the Connection Manager and the Security Manager, which are both managed by the Agent Installer.

You can install the Workload Protection agent either through the GUI or from the CLI.

Download the agent in MSI format to start the installation through the GUI or the CLI. If you need to install the agent on a host that runs only in the IBM private network, you can download it from here.

GUI Installation

You can run the MSI from the GUI. The installer prompts you to accept the EULA, select Region as custom, and complete the following fields:

  • Custom Collector: the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
  • Custom Collector port: always set it to 6443.
  • Custom Api Url: the public or private API Endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, https://private.us-east.security-compliance-secure.cloud.ibm.com.
  • Access Key: the ingestion key for the instance.

CLI Installation

Run the MSI in silent mode from the command prompt or PowerShell with the following command. Remember to replace <COLLECTOR_URL>, <API_ENDPOINT>, and <AGENT_ACCESS_KEY> with the values from your Workload Protection instance:

> msiexec /i sysdig-host-shield-latest.msi REGION=custom ACCESS_KEY=<AGENT_ACCESS_KEY> COLLECTOR_URL=<COLLECTOR_URL> COLLECTOR_PORT=6443 API_URL=<API_ENDPOINT> VM_FEATURE_ENABLED=True POSTURE_FEATURE_ENABLED=True ACCEPT_TERMS_CONDITIONS=True /qn

Where:

  • AGENT_ACCESS_KEY is the ingestion key for the instance.
  • COLLECTOR_URL is the public or private ingestion URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, ingest.private.us-east.security-compliance-secure.cloud.ibm.com.
  • API_ENDPOINT is the public or private API Endpoint URL for the region where the Workload Protection instance is available. To get an endpoint, see Collector endpoints. For example, https://private.us-east.security-compliance-secure.cloud.ibm.com.

Verifying the installation

A few minutes after the installation completes, make sure that:

  • The new service, SysdigHostShield, is running on the host.
  • Your Windows server(s) are listed under Integrations / Data Sources - Sysdig Agents in your Workload Protection instance.
  • Your Windows host appears under Inventory. You can filter by the hostname (Resource Name) or by the type of operating system (Platform).
  • A vulnerability report for your Windows server is available under Vulnerabilities / Runtime; search for your host by the hostname or by the type of system (asset.type is host).
  • The agent evaluates Windows configuration files to identify failing controls. Enable your desired policy, such as CIS Benchmarks for Windows, under Policies / Posture Policies.
  • You can enable or customize the Threat Detection policies under Policies / Runtime Policies in the Windows Workload section.
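The following PowerShell script is an added example, not IBM's or Sysdig's own tooling: it wraps the silent CLI installation from the previous section and the first verification step above (the SysdigHostShield service must be running). It assumes the MSI from this page is in the current directory, that the three instance values are passed as parameters instead of being typed inline, and that msiexec exit codes 0 and 3010 (success, success with reboot required) are the expected outcomes.

```powershell
# Added example, not IBM's or Sysdig's own tooling. Assumes the MSI from the page
# is in the current directory and the three instance values are passed as parameters.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $CollectorUrl,   # bare hostname, e.g. ingest.private.us-east.security-compliance-secure.cloud.ibm.com
    [Parameter(Mandatory)] [string] $ApiEndpoint,    # e.g. https://private.us-east.security-compliance-secure.cloud.ibm.com
    [Parameter(Mandatory)] [string] $AccessKey,      # ingestion key of the instance
    [string] $MsiPath = '.\sysdig-host-shield-latest.msi',
    [int]    $ServiceTimeoutSec = 300
)
$ErrorActionPreference = 'Stop'

# The installer needs Administrator rights (see "Before you begin").
$principal = [Security.Principal.WindowsPrincipal]([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}
# Catch the two usual copy/paste mistakes: a scheme on the collector hostname,
# or a missing https:// on the API endpoint.
if ($CollectorUrl -match '^[a-z]+://') { throw 'COLLECTOR_URL must be a hostname without a scheme.' }
if ($ApiEndpoint -notmatch '^https://') { throw 'API_ENDPOINT must start with https://.' }
if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

# Same properties as the documented msiexec command; /l*v adds a verbose log for troubleshooting.
$logPath = Join-Path $env:TEMP 'sysdig-host-shield-install.log'
$msiArgs = @(
    '/i', "`"$MsiPath`"", 'REGION=custom',
    "ACCESS_KEY=$AccessKey", "COLLECTOR_URL=$CollectorUrl", 'COLLECTOR_PORT=6443',
    "API_URL=$ApiEndpoint", 'VM_FEATURE_ENABLED=True', 'POSTURE_FEATURE_ENABLED=True',
    'ACCEPT_TERMS_CONDITIONS=True', '/qn', '/l*v', "`"$logPath`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded.' }
    3010    { Write-Warning 'Install succeeded; a reboot is required before the agent is fully active.' }
    default { throw "msiexec exited with code $($proc.ExitCode); see $logPath" }
}

# Verification step from the page: the SysdigHostShield service must reach Running.
$deadline = (Get-Date).AddSeconds($ServiceTimeoutSec)
do {
    $svc = Get-Service -Name 'SysdigHostShield' -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Write-Host 'SysdigHostShield is running.'; return }
    Start-Sleep -Seconds 10
} while ((Get-Date) -lt $deadline)
throw "SysdigHostShield did not reach Running within $ServiceTimeoutSec seconds; check $logPath"
```

The access key still appears on the msiexec command line while the installer runs, exactly as in the documented command, so keep it out of the script file itself and pass it as a parameter from a secret store or a prompt.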

Check out Windows Threat Detection with IBM Security and Compliance Center Workload Protection to see examples of threat detection on Windows and how to troubleshoot detected events.