As cyber attacks continue to increase, the importance of implementing a proper cybersecurity defense cannot be overstated. One vulnerability is enough for a malicious actor to have a devastating impact on an organization. Ensuring you have the necessary tools to mitigate and respond to security risks is key to securing your network and digital assets.
The Arctic Wolf platform
Arctic Wolf is a leading provider of security operations solutions. Their platform, combined with their 24/7 response team, is dedicated to helping organizations monitor, detect, and respond to security threats while also providing ongoing risk management.
The Arctic Wolf platform utilizes a lightweight agent to analyze and detect threats while also identifying areas of risk. While the standard agent installation procedure utilizes Group Policy to deploy the agent, we've received multiple requests to demonstrate how to deploy the Arctic Wolf Agent using PDQ Deploy and PDQ Inventory. So, in conjunction with Arctic Wolf, here's how to quickly and silently deploy the Arctic Wolf Agent to your endpoints using PDQ Deploy and PDQ Inventory.
Setting up an Arctic Wolf collection in PDQ Inventory
Before creating the Arctic Wolf deployment package, we'll first create a collection in PDQ Inventory that filters for computers missing the Arctic Wolf Agent. This collection will help us target the correct machines for our deployment.
With PDQ Inventory open, click New Dynamic Collection.
Enter a name for the collection (in this case, Arctic Wolf Agent Not Installed).
Set the filter to Not Any > Application > Name > Contains > Arctic Wolf Agent.
Click OK when finished.
This collection should automatically populate with computers that don't have the Arctic Wolf Agent already installed. You can easily modify this filter to narrow down the membership even further. For example, you can filter out servers by adding the filter Member of Collection > Name > Contains > Servers. This collection would include only workstations that do not have the Arctic Wolf Agent installed.
Creating the Arctic Wolf package in PDQ Deploy
For this example, we'll create a deployment package containing both the Arctic Wolf Agent and the Sysmon installer, which is recommended for organizations that do not have an alternative Endpoint Detection and Response solution. If you don't intend to use the Sysmon client, you can exclude it from your deployment package.
Download the agent installer files from the Arctic Wolf Portal and save them to a folder in your PDQ Deploy repository. By default, the repository is located at C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository.
Launch PDQ Deploy.
Click New Package.
Enter "Arctic Wolf" in the name field, then click New Step > Install.
Enter the path to the Sysmon MSI file in the Install File field.
Enter the path to both Sysmon EXE files in the Additional Files field.
Click New Step > Install to create a second install step.
Enter the path to the Arctic Wolf Agent MSI file in the Install File field.
Enter the path to your JSON file in the Additional Files field, then click Save to finish creating the package.
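Since this package will run on every endpoint in the collection, it is worth recording hashes and checking the Authenticode signatures of the staged files before the first deployment. The following is an added example, not part of the original walkthrough or of PDQ or Arctic Wolf tooling; the ArcticWolf subfolder name is an assumption, so point it at the folder you saved the installers to.

```powershell
# Added example: review the installer files staged for the PDQ Deploy package.
# 'ArcticWolf' is an assumed subfolder under the default repository path.
$StagingFolder = 'C:\Users\Public\Documents\Admin Arsenal\PDQ Deploy\Repository\ArcticWolf'

function Get-StagedInstallerReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Staging folder not found: $Path"
    }

    Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
        # Only MSI and EXE files carry an Authenticode signature;
        # the JSON file is covered by its hash alone.
        $sig = $null
        if ($_.Extension -in '.msi', '.exe') {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        }

        [pscustomobject]@{
            File      = $_.Name
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Signature = if ($sig) { $sig.Status.ToString() } else { 'NotApplicable' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$report = Get-StagedInstallerReport -Path $StagingFolder
$report | Format-List

# Flag any MSI or EXE whose signature is missing or does not validate.
$bad = $report | Where-Object { $_.Signature -notin 'Valid', 'NotApplicable' }
if ($bad) {
    Write-Warning "Installers without a valid signature: $($bad.File -join ', ')"
}
```

Keep the recorded SHA256 values with your change record so you can confirm later that the files in the repository have not been altered.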
Deploying the Arctic Wolf Agent
Now that our Arctic Wolf package is created, we can deploy it to the collection we created in PDQ Inventory. We'll also configure a heartbeat schedule to ensure that any offline targets receive the deployment once they come online.
Right-click on the Arctic Wolf package and click Deploy Once.
Click Choose Targets > PDQ Inventory > Collection.
Select the collection created earlier and click OK.
The computers from the collection should populate in the target window. Once you review your settings, click Deploy Now.
As your Arctic Wolf deployment kicks off, you can review its status in the deployment window.
With the initial deployment complete, we'll create a schedule with a heartbeat trigger to target endpoints that may have been offline during the deployment.
Click the New Schedule button.
At the top of the Schedule window, enter a name for the schedule, such as Arctic Wolf.
Click on the Triggers tab.
Click Heartbeat.
Click the Targets tab and click Choose Targets > PDQ Inventory > Collection. Select the Arctic Wolf Agent Not Installed collection we created earlier. Since we've already deployed to this collection once, this collection should now only contain endpoints that may have been offline or failed during the initial deployment.
Click the Packages tab and click Attach Packages. Select the Arctic Wolf package and click the arrow (>) button to attach it to the schedule, then click OK.
Click the Options tab and make sure Stop deploying to targets once they succeed is selected.
Click OK to save and close the Schedule window.
With this schedule created, machines that may have been offline during the initial deployment will receive the package as soon as they come online.
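To spot-check the result outside PDQ Inventory, the same condition as the collection filter (an installed application whose name contains Arctic Wolf Agent) can be tested directly on an endpoint. This is an added example, not from the original article; it assumes the agent registers under the standard Windows uninstall registry keys and that PowerShell remoting is enabled for remote targets, and the function name and the computer names in the usage line are hypothetical.

```powershell
# Added example: check endpoints for an installed application whose
# display name contains "Arctic Wolf Agent" (the string used in the
# collection filter above).
function Test-ArcticWolfAgentInstalled {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    $check = {
        # Both the 64-bit and 32-bit uninstall hives are searched.
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $app = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Arctic Wolf Agent*' } |
            Select-Object -First 1

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = [bool]$app
            Version   = $app.DisplayVersion
        }
    }

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                & $check
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock $check -ErrorAction Stop |
                    Select-Object Computer, Installed, Version
            }
        } catch {
            # An unreachable host is reported as unknown, not as "not installed".
            [pscustomobject]@{
                Computer  = $name
                Installed = $null
                Version   = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Constructed sample names; replace with endpoints from your own collection.
Test-ArcticWolfAgentInstalled -ComputerName 'WKSTN-EXAMPLE-01', 'WKSTN-EXAMPLE-02'
```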
Wrapping up
Cyber threats are becoming more sophisticated and their impact more severe. Ensuring you have the necessary security platforms to protect your organization is critical. PDQ Deploy and PDQ Inventory can help quickly distribute your solutions to your endpoints, leaving you more time to focus on keeping your users and your network safe.