Xshield Spark
Introduction
ColorTokens is extending the Xshield Security Platform with a new component, Xshield Spark. This program (an executable) enables agentless policy enforcement on hosts by leveraging existing configuration management tools such as Microsoft Endpoint Configuration Manager (MECM, formerly SCCM), Tanium, Puppet, etc.
The Xshield Security Platform integrates Xshield Spark with the configuration management tool and imports network and host visibility data from EDRs such as Microsoft Defender for Endpoint, providing a highly scalable micro-segmentation solution with minimal friction.
Collecting host and network telemetry from the EDR and using Xshield Spark to configure host firewalls with Zero Trust policies lets the Xshield Security Platform offer the full set of micro-segmentation capabilities of its agent-based solution without the friction of installing and managing agents, which is expensive and time consuming.
Xshield Spark – Functional Overview
The Xshield Spark program is a lightweight executable. When run, it connects to the Xshield Security Platform, retrieves the Zero Trust policies for the host and programs them into the host firewall. It additionally reads the programmed firewall rules and firewall event logs from the operating system and sends them to the Xshield Security Platform. It uses very little CPU and memory during its execution and runs for a short duration. The Xshield Spark binary is signed to ensure authenticity, and it authenticates with the Xshield Security Platform before retrieving policy updates.
The Xshield Spark program is designed to:
- Install & Execute via Configuration Manager
  - Xshield Spark can be distributed and executed periodically on endpoints through the configuration management tool of your choice.
  - A script running on the configuration management server initiates Spark on a defined list of hosts.
- Policy Retrieval & Enforcement
  - Upon execution, Spark connects securely to the Xshield Platform.
  - It requests the latest policy updates for the host.
  - If updates are present, Spark translates them into host firewall rules:
    - Windows OS → Windows Filtering Platform (WFP)
    - Linux OS → nf_tables
  - Spark then collects the programmed firewall rules and sends them to the Xshield platform.
- Log Collection & Publishing
  - Spark collects firewall event logs:
    - Windows → Windows Event Logs / pfirewall logs
    - Linux → iptables/nf_tables logs
  - Logs are then published back to the Xshield platform for visibility and analytics.
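The two halves of a Spark run, policy-to-firewall translation and log collection, in miniature. This is an added example and not ColorTokens' code: the policy schema, the host name and the `inet ctspark` table name are assumptions (the page does not document Spark's real policy format), and the pfirewall.log lines are constructed, not captured from a host. It renders an allow-list policy into a default-drop nftables ruleset (the Linux path) and parses Windows Firewall log records into events of the kind Spark publishes.

```python
"""Added example, not ColorTokens' code: one Spark-style run in miniature.
(1) translate a hypothetical allow-list policy into an nftables ruleset;
(2) parse Windows pfirewall.log lines into structured events.
The policy schema and the 'inet ctspark' table name are assumptions."""
import ipaddress
from collections import Counter

# Constructed sample policy in a hypothetical schema: each entry allows a
# protocol/port from a set of source CIDRs; everything else is dropped.
SAMPLE_POLICY = {
    "host": "web-01",
    "inbound": [
        {"proto": "tcp", "port": 443, "sources": ["10.20.0.0/16", "2001:db8:1::/48"]},
        {"proto": "tcp", "port": 22, "sources": ["10.0.99.10/32"]},
        {"proto": "udp", "port": 53, "sources": ["10.0.0.0/8"]},
    ],
}


def render_nft(policy, table="inet ctspark"):
    """Render a default-drop input chain with one accept rule per policy entry.
    Every source CIDR is validated with strict=True; a malformed entry aborts
    the render rather than silently producing a rule that matches too much."""
    lines = [
        f"table {table} {{",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
    ]
    for rule in policy["inbound"]:
        proto, port = rule["proto"], int(rule["port"])
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError(f"rejected rule {rule!r}")
        nets = [ipaddress.ip_network(s, strict=True) for s in rule["sources"]]
        # inet tables need 'ip saddr' for IPv4 and 'ip6 saddr' for IPv6.
        for family, version in (("ip", 4), ("ip6", 6)):
            addrs = [str(n) for n in nets if n.version == version]
            if not addrs:
                continue
            src = addrs[0] if len(addrs) == 1 else "{ " + ", ".join(addrs) + " }"
            lines.append(f"    {family} saddr {src} {proto} dport {port} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Default field list that Windows Firewall writes in the pfirewall.log header.
PFIREWALL_FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
                    "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_pfirewall_line(line):
    """Return a dict for one log record, or None for header/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(PFIREWALL_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    return dict(zip(PFIREWALL_FIELDS, parts))


def dropped_inbound(log_text):
    """Count DROP events on the RECEIVE path by (protocol, destination port):
    the first thing to look at for policy gaps or scanning against the host."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_pfirewall_line(line)
        if ev and ev["action"] == "DROP" and ev["path"] == "RECEIVE":
            counts[(ev["protocol"], ev["dst-port"])] += 1
    return counts


# Constructed sample log in pfirewall.log layout (not from a real host).
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-05-01 10:15:32 DROP TCP 10.30.7.22 10.20.1.15 51234 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 10:15:33 DROP TCP 10.30.7.22 10.20.1.15 51235 3389 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 10:15:40 ALLOW TCP 10.20.4.9 10.20.1.15 44120 443 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:15:41 DROP UDP 10.30.7.22 10.20.1.15 5353 161 78 - - - - - - - RECEIVE
2024-05-01 10:15:45 DROP TCP 10.20.1.15 198.51.100.7 49152 25 52 S 99 0 8192 - - - SEND
"""

if __name__ == "__main__":
    print(render_nft(SAMPLE_POLICY))
    print(dropped_inbound(SAMPLE_LOG))
```

The ruleset is written as a complete `table` block rather than individual `nft add rule` calls so that loading it with `nft -f` replaces the whole table atomically; a partially applied allow-list is the failure mode to avoid on a default-drop host.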
Listening Ports Discovery
ColorTokens Spark (version 26.1+) automatically enriches listening port data collected from EDR agents, providing enhanced visibility for policy creation and enforcement.
How It Works
- Spark periodically collects listening port information from EDR agents
- Data is automatically synchronized with the ColorTokens platform
- Collection runs on a scheduled basis and cannot be manually triggered
Enhanced Data Quality
Without Spark, the platform displays basic listening port data from EDR agents. With Spark deployed, you receive:
| Feature | Description |
|---|---|
| Complete UDP port discovery | Captures UDP listeners often missed by standard collection |
| Process identification | Associates each port with its owning process name |
| Full process paths | Provides complete executable paths for security validation |
Loopback exclusion: Ports listening exclusively on loopback interfaces (127.0.0.1/::1) are not displayed, as they are not accessible from external networks and do not require policy enforcement for internal-only communication.
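Listening port discovery with the loopback exclusion described above, as an added example that is not ColorTokens' code and does not reflect how Spark itself gathers the data. The input is constructed `ss -tulnp` output; on a real host you would run that command and resolve each pid's executable with `os.readlink(f"/proc/{pid}/exe")`, which is what the injected `exe_lookup` stands in for here.

```python
"""Added example, not ColorTokens' code: listening-socket discovery that
keeps UDP listeners, attaches process name/pid/path, and drops sockets
bound only to loopback. Sample ss output and pid->path map are constructed."""
import ipaddress
import re

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def _split_local(local):
    """'[::1]:5432' -> ('::1', 5432); '127.0.0.53%lo:53' -> ('127.0.0.53', 53);
    '*:443' -> ('*', 443)."""
    addr, port = local.rsplit(":", 1)
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def is_loopback_only(addr):
    """True for 127.0.0.0/8 and ::1. Wildcard binds ('*', '0.0.0.0', '::') and
    specific interface addresses are reachable from the network and stay."""
    if addr in ("*", "0.0.0.0", "::"):
        return False
    return ipaddress.ip_address(addr).is_loopback


def discover_listeners(ss_output, exe_lookup):
    """Parse `ss -tulnp` output into listener records, excluding loopback-only
    sockets. exe_lookup(pid) returns the executable path or None."""
    listeners = []
    for line in ss_output.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 6:
            continue
        proto, local = cols[0], cols[4]
        addr, port = _split_local(local)
        if is_loopback_only(addr):
            continue
        m = PROC_RE.search(line)  # first owning process; ss lists all sharers
        name, pid = (m.group(1), int(m.group(2))) if m else (None, None)
        listeners.append({
            "proto": proto, "addr": addr, "port": port,
            "process": name, "pid": pid,
            "path": exe_lookup(pid) if pid else None,
        })
    return listeners


# Constructed `ss -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=901,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=845,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=1203,fd=6))
tcp   LISTEN 0      4096   [::1]:5432         [::]:*            users:(("postgres",pid=1400,fd=7))
tcp   LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1500,fd=8),("nginx",pid=1501,fd=8))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=845,fd=4))
"""

# Constructed pid -> executable map standing in for /proc/<pid>/exe.
SAMPLE_EXE = {845: "/usr/sbin/sshd", 901: "/usr/sbin/snmpd", 1500: "/usr/sbin/nginx"}

if __name__ == "__main__":
    for rec in discover_listeners(SAMPLE_SS, SAMPLE_EXE.get):
        print(rec)
```

Exclusion is decided per socket, not per port: a service that binds both `127.0.0.1:8080` and `0.0.0.0:8080` still shows up through its wildcard socket, which is the one a peer can actually reach.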
Supported Operating Systems
- Windows: Windows Server 2008 R2 and above, including modern Windows desktop/server platforms.
- Linux:
  - Red Hat Enterprise Linux (RHEL) 7 and above
  - Ubuntu 20.04 and above
  - CentOS 7.x and above
Integration Architecture
Components
The following figure provides a high-level workflow architecture of the integration. The integration involves:
- Xshield Security Platform
- Xshield Spark Deployment Package (includes the Spark binary)
- Configuration Management Tool (MECM, Tanium, etc.)
Xshield Security Platform
The Xshield Security Platform is responsible for:
- Providing the downloadable Xshield Spark package (including the configuration-manager-specific deployment script)
- Exposing the export APIs that Xshield Spark invokes from each host to retrieve policies and to export firewall rules/logs
- Issuing the enforcement key, the authentication key used to set up the per-host session key for making API calls
- Maintaining the list of hosts on which to execute Xshield Spark
Xshield Spark
- Executable that runs on the host periodically
- Generates the session keys used to make API calls
- Makes API calls to retrieve the policy configuration and to export firewall rules/logs
- Exports logs (for troubleshooting) to the Xshield Platform
- Resolves FQDNs and processes in order to program the appropriate host firewall rules
Xshield Spark Deployment Package
The Xshield Spark Deployment Package acts as an orchestrator between configuration manager and the Xshield platform.
It runs at a configurable interval to keep Spark components, enforcement keys and target host information up to date, ensuring that Spark executes on the correct hosts with the latest configuration.
Configuration Management Tool
The Configuration Management tool is responsible for distributing and executing Spark across managed endpoints.
It receives updated Spark packages and configuration data from the Deployment Package and ensures that Spark runs on the designated hosts at the configured schedule.
Software Package
The Xshield Spark executable (with binaries for the supported operating systems) ships in a software package together with the execution script for a specific configuration manager.
Ongoing Enforcement & Reporting
- Spark enforces updated firewall policies and streams logs.
- Integration ensures policy consistency and telemetry visibility without requiring permanent agents.
Managing Spark Assets
Spark Sensor Page
The Xshield platform provides a dedicated Sensors → Spark page for centralized management and monitoring of all EDR assets running Xshield Spark.
This page offers:
- Unified visibility into all Spark-enabled assets
- Operational controls and bulk actions for diagnostics and troubleshooting
The interface follows the same design patterns as the Agents page, providing a familiar experience for administrators.
Key Capabilities
Asset Monitoring
The Spark page displays:
- Asset inventory: All EDR assets which can be managed by Spark
- Spark status: Current operational state of Spark on each asset
- Last execution time: When Spark last ran on each asset
- Tags: Asset classification and grouping information
Diagnostics Collection
Collect system and network diagnostic data from Spark-enabled EDR assets to support troubleshooting and analysis.
Use diagnostics collection to:
- Investigate policy enforcement issues
- Analyze network connectivity problems
- Support technical troubleshooting workflows
Diagnostics can be collected from individual assets or in bulk across multiple assets.
Debug Logging Control
Enable or disable debug logs on selected Spark assets for deeper operational insight when required.
Debug logging provides:
- Detailed execution traces
- Policy application details
- Network communication logs
- Firewall rule programming activity
Debug logging should be enabled temporarily for troubleshooting purposes and disabled after investigation to minimize log volume.
Benefits
- Simplified management: Single interface for all Spark-based enforcement across EDR environments
- Improved visibility: Real-time status and execution tracking for all Spark assets
- Efficient troubleshooting: Bulk diagnostic collection and debug logging controls
- Reduced operational effort: Perform actions at scale from a centralized location
FAQ
Q: Where can I download the Spark package for my configuration management tool?
A: Spark installation packages for all supported configuration management systems are available at: Sensors → Spark → Install Spark (top-right button)
Q: How do I know if Spark is running on my EDR asset or not and how do I know when it last ran?
A: On the Sensors → Spark page, an asset's 'Active' status indicates that Spark has run recently (within the last 5 minutes), and the 'Last CheckIn' column shows the timestamp of the last Spark run.
Q: Is MacOS supported for Spark?
A: No, Spark cannot be run on macOS; support is planned for a future release. See "Supported Operating Systems" for the list of operating systems Spark supports.
Q: Can firewalld and nftables (ctspark) coexist?
A: No.
Spark installs and enables nftables on Linux systems for enforcement.
If firewalld is installed or enabled on a Linux system, Spark will not run and will not enforce any firewall policies on that host.
This is because firewalld and Spark's nftables enforcement cannot coexist: once nftables is enabled, it effectively disables firewalld, which prevents applications that depend on firewalld rules from functioning properly. Check the firewalld state on target hosts before scheduling Spark on them.
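A pre-flight check a configuration manager job can run on a Linux host before invoking Spark, covering the two conditions this page states: a supported distribution/version (thresholds taken from "Supported Operating Systems" above) and firewalld neither active nor enabled. This is an added example and not ColorTokens' code; the decision logic is kept separate from the host probes so it can be exercised with constructed `/etc/os-release` contents.

```python
"""Added example, not ColorTokens' code: Linux pre-flight check before a
Spark run. os_supported() and preflight() are pure and testable offline;
firewalld_state() is the only function that touches the host."""
import os
import shutil
import subprocess

# Minimum major versions from the page's "Supported Operating Systems" list.
MIN_MAJOR = {"rhel": 7, "centos": 7, "ubuntu": 20}


def parse_os_release(text):
    """Parse /etc/os-release KEY=value lines; values may be quoted."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        info[key] = value.strip().strip('"').strip("'")
    return info


def os_supported(os_release_text):
    """True when ID is a supported distribution and VERSION_ID meets the minimum."""
    info = parse_os_release(os_release_text)
    dist = info.get("ID", "").lower()
    major = info.get("VERSION_ID", "").split(".")[0]
    if dist not in MIN_MAJOR or not major.isdigit():
        return False
    return int(major) >= MIN_MAJOR[dist]


def firewalld_state():
    """Probe the host: 'absent', 'inactive', or 'active' (active OR enabled,
    since an enabled unit comes back at next boot and would then conflict)."""
    present = (shutil.which("firewall-cmd") is not None
               or os.path.exists("/usr/lib/systemd/system/firewalld.service"))
    if not present:
        return "absent"
    for probe in (["systemctl", "is-active", "firewalld"],
                  ["systemctl", "is-enabled", "firewalld"]):
        try:
            out = subprocess.run(probe, capture_output=True, text=True,
                                 timeout=5).stdout.strip()
        except (OSError, subprocess.SubprocessError):
            continue
        if out in ("active", "enabled"):
            return "active"
    return "inactive"


def preflight(os_release_text, fw_state):
    """Return the list of blocking reasons; an empty list means Spark may run."""
    reasons = []
    if not os_supported(os_release_text):
        reasons.append("unsupported operating system or version")
    if fw_state == "active":
        reasons.append("firewalld is active or enabled; Spark will not enforce on this host")
    return reasons


if __name__ == "__main__":
    try:
        with open("/etc/os-release") as fh:
            release = fh.read()
    except OSError:
        release = ""
    problems = preflight(release, firewalld_state())
    print("OK to run Spark" if not problems else "BLOCKED: " + "; ".join(problems))
    raise SystemExit(1 if problems else 0)
```

The non-zero exit code is what the configuration manager's script should key on, so a blocked host is reported rather than silently skipped; masking firewalld (`systemctl disable --now firewalld`) is a change to make deliberately, with the applications that rely on firewalld rules in mind, not something a pre-flight check should do on its own.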
Q: Can domain-based policies be programmed using Xshield Spark?
A: Yes, Spark supports domain-based policies. Domain-based policies are dynamically resolved to IP addresses and programmed into the firewall, with updates synchronized during each Spark run. On every run, Spark re-validates the DNS records to ensure the current IPs are enforced, and any stale entries are automatically decommissioned.
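The per-run reconciliation that the answer above describes (resolve, diff against what was programmed last run, add the new addresses, decommission the stale ones), as an added example that is not ColorTokens' code. Resolution goes through an injected resolver with constructed answers so the example runs offline; on a host you would pass a wrapper around `socket.getaddrinfo`. The `inet ctspark` table and `fqdn_allow` set names, the sample policy and the previous-run state are all assumptions.

```python
"""Added example, not ColorTokens' code: reconcile a domain-based allow rule
on each run. Resolver, previous state, table and set names are constructed."""
import ipaddress


def resolve_all(fqdns, resolver, previous, on_failure="keep"):
    """Resolve every FQDN in the policy. resolver(name) returns address strings
    (on a host: [ai[4][0] for ai in socket.getaddrinfo(name, None)]).
    When a lookup fails, 'keep' reuses last run's addresses (availability first,
    possibly stale) and 'remove' drops them (fail closed). Choose deliberately."""
    current = {}
    for name in fqdns:
        try:
            addrs = {str(ipaddress.ip_address(a)) for a in resolver(name)}
        except OSError:
            addrs = set(previous.get(name, ())) if on_failure == "keep" else set()
        current[name] = addrs
    return current


def reconcile(previous, current):
    """Return (to_add, to_remove) as sets of (fqdn, ip). Names that left the
    policy are absent from 'current', so all their addresses land in to_remove."""
    prev_pairs = {(n, ip) for n, ips in previous.items() for ip in ips}
    cur_pairs = {(n, ip) for n, ips in current.items() for ip in ips}
    return cur_pairs - prev_pairs, prev_pairs - cur_pairs


def nft_commands(to_add, to_remove, current, table="inet ctspark", setname="fqdn_allow"):
    """Emit nft element add/delete commands for a named IPv4 set (names are
    hypothetical). Adds come first so a still-valid address is never dropped
    in between, and an address is deleted only once no FQDN in the policy
    resolves to it any more (two names may share an IP)."""
    live = {ip for ips in current.values() for ip in ips}
    add_ips = sorted({ip for _, ip in to_add if ipaddress.ip_address(ip).version == 4})
    del_ips = sorted({ip for _, ip in to_remove
                      if ip not in live and ipaddress.ip_address(ip).version == 4})
    cmds = [f"nft add element {table} {setname} {{ {ip} }}" for ip in add_ips]
    cmds += [f"nft delete element {table} {setname} {{ {ip} }}" for ip in del_ips]
    return cmds


# Constructed state: what last run programmed, and the current policy's names.
PREVIOUS = {
    "updates.example.com": {"203.0.113.10", "203.0.113.11"},
    "api.example.net": {"198.51.100.5"},
    "old.example.com": {"192.0.2.9"},          # no longer in the policy
}
POLICY_FQDNS = ["updates.example.com", "api.example.net", "telemetry.example.org"]

# Constructed DNS answers; api.example.net simulates a lookup failure.
FAKE_DNS = {
    "updates.example.com": ["203.0.113.11", "203.0.113.12"],
    "telemetry.example.org": ["192.0.2.44"],
}


def fake_resolver(name):
    if name not in FAKE_DNS:
        raise OSError(f"simulated resolution failure for {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    current = resolve_all(POLICY_FQDNS, fake_resolver, PREVIOUS, on_failure="keep")
    to_add, to_remove = reconcile(PREVIOUS, current)
    for cmd in nft_commands(to_add, to_remove, current):
        print(cmd)
```

The choice between `keep` and `remove` on a failed lookup is the caveat to settle before relying on domain-based rules: `keep` tolerates a DNS outage at the cost of possibly enforcing an address the name no longer owns, `remove` is fail-closed and will cut a service off whenever its name stops resolving.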
Summary
The integration of Xshield Spark provides a scalable and agentless enforcement model by leveraging existing configuration management infrastructure. Combined with the Spark Sensor Page, administrators can deploy, monitor, and troubleshoot Spark-enabled assets from a centralized interface, ensuring consistent firewall policy enforcement across all endpoints without the overhead of traditional agent management.