Manage Endpoint Agents
integrations endpoints edr taegis agent red cloak secureworks
Endpoint Agents Summary allows you to view and manage endpoints with Taegis™ XDR Endpoint Agents, Red Cloak™ Endpoint Agents, and third-party agents that Secureworks® Taegis™ XDR is aware of.
To view:
- From the XDR left-hand side navigation, select Endpoint Agents → Summary.
- Endpoint Agents Summary displays a table of endpoints that have been discovered by XDR.
Endpoint Agents
Endpoint Agents Summary Table ⫘
The Endpoint Agents Summary table displays quick-view information about each endpoint and its agent.
Use this table to verify the endpoints you installed a supported agent on appear and are connected, as well as other endpoint details.
Notes
- The
Connection StatusandGroupfields apply only to the Taegis Endpoint Agent. - The
Isolation Statuscolumn populates in the table for Taegis Endpoint Agents and Red Cloak Endpoint Agents only; view the isolation status for third-party agents from the endpoint details. - The
Last Seenfield displays how long ago XDR last received data from the endpoint, while theFirst Seenfields displays how long ago XDR first received data from the endpoint
The Endpoint Agents Summary table includes the following controls to sort, filter, and arrange data:
Column Menu ⫘
Open the menu for available columns in the table by selecting the menu icon to the right of the column name.
Endpoint Agents Summary Column Menu
Choose one of the following options:
- Pin Column — Pin a column to the left or right of the table
- Autosize This Column — Adjust the size of only the selected column to show obscured information
- Autosize All Columns — Adjust the size of all visible columns to show obscured information
- Reset Columns — Reset all columns to their default size and ordering
Choose Columns to Display ⫘
Choose which columns you want to appear in the table by opening a column menu, selecting the columns icon, and checking or unchecking the desired columns.
Use the text box to quickly filter for column names.
Arrange Columns ⫘
Drag and drop columns by the header to rearrange them.
Sort by Column ⫘
Select a column header to change the sort, when available. There are three toggle states:
- Initial — Default sort
- Ascending — Sorts by the column content in ascending order
- Descending — Sorts by the column content in descending order
You can apply sorting to one column at a time.
Filter Endpoint Agents Summary Table ⫘
Use the collapsible filter menu at the left of the table to narrow down the list of matching endpoints.
- As you select filters, the table updates dynamically and the count of results reflects the updated filtered list.
- Selected filters appear above the table; select the X to remove a single filter or Clear All to remove all filters and display all endpoints.
Filter Endpoint Agents Summary Table
Agent Status Options ⫘
Use the Agent Status Options to filter your view based on the following statuses. By default, Active agents are shown.
- Show Active Agents — Endpoint agents that have communicated with XDR within the last 30 days
- Show Unhealthy Agents — Endpoint agents that last communicated with XDR over 30 days ago
- Show Archived Agents — Endpoint agents that have been archived
Filter Values ⫘
For filters that include a Filter values field, the string you enter uses the Contains operator by default. Use a wildcard * at the end of your string to perform a Starts With search, or at the start of your string to perform an Ends With search. For example, to search for hostnames that start with desktop, enter desktop* in the Filter values field of the Hostname filter; alternatively, to search for hostnames that end with local, enter *local.
Filter Values with Wildcard
- Enter a text string in the Filter values field to begin filtering the available values.
- Hit Enter to display all results for your string in the table, or select individual results using the checkboxes.
- Delete your string from the field and hit Enter to remove the filter, or select Clear All from above the table.
Identify Cloud Instances ⫘
Identify agents that are deployed as cloud instances with the cloud provider icon that displays before the hostname in the Endpoint Agents Summary table. Endpoints without a cloud identifier record do not have an icon next to the hostname.
Cloud Instance Identifier
Agent side drawer summary and detailed views also display a cloud provider and cloud instance ID when available.
Note
The cloud identifier is currently supported for Taegis Endpoint Agents for Linux and Mac and third-party agents that provide the telemetry. Windows Taegis Endpoint Agents will be supported in a future release.
Select All Endpoints ⫘
To select all endpoints resulting from your chosen filters, even if not all results are displayed in the table, follow these steps:
- Filter the Endpoint Agents Summary table as needed.
- Select the checkbox from the top left of the table header row.
- If there are more endpoints resulting from your filters than are currently shown in the table, a message displays above the table with the option to select all results.
- Select the link from the message to Select all Agents in results.
Select All Endpoints
Export Endpoints as CSV File ⫘
Export Endpoints
To export a table with all endpoints or a selected subset of endpoints in CSV format, follow these steps:
- Export all active endpoints included in the table by selecting Export All above the table.
- Export a subset of endpoints by selecting the checkboxes to the left of the endpoints you would like to export and selecting the Export Selected as CSV icon above the table.
View the export status and download the file by selecting Downloads > Data Exports from the left-hand side navigation.
Note
The Export All function exports only the active endpoints included in the table by the filters currently selected.
Add and Remove Endpoint Tags ⫘
Tags are assigned to endpoints as a key:value pair to add useful context to the endpoint. The key should be a descriptive, constant identifier, while the value is the associated data from the host.
A few examples of key:value pairs are:
city:atlanta
country:united_states
department:sales
environment:production
Tags applied to an endpoint appear in the Endpoint Details of both the side drawer summary view and the detailed view.
You can also filter the Endpoint Agents Summary table by tag and add the Tag column to the table. See Filter Endpoints for more information.
Add a Tag ⫘
Tag Endpoint
- Assign a tag to an endpoint in multiple ways:
- From the Endpoint Agents Summary table, select one or more endpoints with the checkboxes and then choose the Assign Tags icon from above the table. See Select All Endpoints for guidance on selecting all.
- From the Endpoint Details of both the side drawer summary view and the detailed view, select + Add from the Tags entry.
- Enter a tag
keyand avalueassociated with thatkey. For example, entergroupas the key andsalesorproduct_supportas the value.
Important
You cannot assign two values for the same key on the same endpoint.
Note
key:value pairs are case sensitive. The key must begin with a letter and has a maximum length of 128 characters. The maximum value length is 256 characters. Tags cannot contain spaces, but can contain letters, numbers, and the following symbols: + - = . _ /.
- Select + Add Tag to bulk assign more than one tag, and then select Assign Tags when complete.
- Select Confirm to confirm the tag assignment.
Remove a Tag ⫘
Remove Tag
Remove a tag by selecting the X next to the tag name from the Endpoint Details of both the side drawer summary view and the detailed view.
Archive and Restore Selected Endpoints ⫘
Archive an endpoint to remove it from view if you do not expect that endpoint to report to XDR again. Archived endpoints remain archived until you manually restore them, even if they begin reporting again. Archiving an endpoint does not affect data ingestion, alerting, or telemetry for that endpoint, which remains subject to your data retention policy.
Tip
Taegis Endpoint Agents can be automatically archived after a set time frame using Auto Archive. For more information, see Group Configuration.
Archive an Endpoint ⫘
Archive Agent
To archive, or hide, endpoints from the Endpoint Agents Summary table, follow these steps:
- Filter the table as needed and then select the checkboxes to the left of the endpoints you want to archive. See Select All Endpoints for guidance on selecting all.
- Choose the Archive Selected Agents icon from above the table.
- Upon completion, the selected endpoints are moved to an archived agent status.
Restore an Endpoint ⫘
Restore Agent
To restore endpoints to the Endpoint Agents Summary table, follow these steps:
- Select the Agent Status Options filter and choose Show Archived Agents.
- Select the checkboxes to the left of the archived endpoints you want to restore. See Select All Endpoints for guidance on selecting all.
- Choose the Restore Selected Agents icon from above the table.
- Upon completion, the selected endpoints are restored to an active agent status.
View Archived Endpoints ⫘
To view archived endpoints, use the filter menu to Show Archived Agents. Archived endpoints display a label next to the hostname in the side drawer summary view and the detailed view:
Archived Status
Reassign Taegis Agent Group ⫘
Note
Group functionality is available only for the Taegis Endpoint Agent. See Group Configuration for more information.
Reassign Group
To reassign one or more Taegis Endpoint Agents to a new Group, follow these steps:
- Filter the table by Group if needed and then select the checkboxes to the left of the endpoints you would like to reassign. See Select All Endpoints for guidance on selecting all.
- Choose the Reassign Group icon from above the table.
- Select the Group you would like to reassign the selected endpoints to from the drop-down menu and then select Reassign.
Note
There is a limit of 50 endpoints that can be reassigned at a time.
Reconnect Taegis Agents ⫘
Note
The Reconnect Agents action is available only for Taegis Endpoint Agents that are both Active and Connected.
Reconnect Taegis Agents
Use the Reconnect Agents action to connect one or more Active and Connected Taegis Endpoint Agents to the registration server to initiate an auto-update if a new Taegis Endpoint Agent version is available. To reconnect agents, follow these steps:
- Select the checkboxes to the left of the Taegis Endpoint Agents you would like to reconnect. See Select All Endpoints for guidance on selecting all.
- Choose the Reconnect Agents icon from above the table.
- Enter a reason for the action in the dialog and select Reconnect.
Note
You can also reconnect an individual Taegis Agent from the Actions menu of the endpoint side drawer summary view or detailed view.
Uninstall Taegis Agents ⫘
Note
The Uninstall Agents action is available only for Windows and Linux Taegis Endpoint Agents that are both Active and Connected.
Uninstall Taegis Agents
Use the Uninstall Agents action to uninstall one or more Taegis Endpoint Agents from Active and Connected endpoints. Follow these steps:
- Select the checkboxes to the left of the Taegis Endpoint Agents you would like to uninstall. See Select All Endpoints for guidance on selecting all.
- Choose the Uninstall Agents icon from above the table.
- Enter a reason for the action in the dialog and select Uninstall.
Note
You can also uninstall an individual Taegis Agent from the Actions menu of the endpoint side drawer summary view or detailed view.
Note
The Uninstall Agent action in XDR is not supported for remotely uninstalling the Taegis macOS agent at this time. The Taegis macOS agent leverages system extensions that require an admin password that cannot be passed from XDR to be disabled so the agent can be uninstalled. To uninstall the Taegis macOS agent, follow these macOS Uninstall steps.
View Endpoint & Agent Details ⫘
Select the Hostname entry for an endpoint in the table to open a side drawer summary view of details about the endpoint and its agent.
Agent Side Drawer
For a detailed view, select the Open in new tab icon from the summary.
Agent Detailed View
Agent Details ⫘
The Agent Details section displays information about the agent running on the endpoint, including:
- Agent Type and Version
- Last Seen date and time
Additional information may be available depending on the agent type.
Endpoint Details ⫘
The Endpoint Details section displays information about the endpoint. From this section you can:
- Apply or remove a tag.
- Run a pivot search against any field with a magnifying glass icon by selecting the icon.
Alerts ⫘
The Alerts section of the detailed view displays alerts generated from the telemetry that endpoint generated and sent to XDR.
Expand or collapse the section by selecting the header, and select an alert from the list to open a side drawer view.
Filter the table and customize the view by selecting a column header menu icon and choosing the filter or column tab. Use the Actions menu directly above the table to take action on all or selected alerts.
Command History ⫘
The Command History section of the detailed view displays a list of actions taken for the endpoint, including the user that initiated the action and the reason they supplied for doing so.
Expand or collapse the section by selecting the header, and filter the table and customize the view by selecting a column header menu icon and choosing the filter or column tab.
Red Cloak Endpoint Agent Module Status ⫘
For Red Cloak Endpoint Agents only, the Module Status section displays the last time each of a Red Cloak Endpoint Agent ’s modules last reported to XDR. This information can aid in identifying problems with the Red Cloak Endpoint Agent ’s modules.
The status of each module except Mukluk is represented by the following colors, which are updated in XDR every four hours:
- Green — The module has reported data in the last 24 hours.
- Yellow — The module has not reported any data between 24 and 72 hours.
- Red — The module has not reported any data in over 72 hours.
Note
The Mukluk module status is represented as GREEN if data has been reported in the last 12 hours, YELLOW if data has not been reported between 12 hours and 30 days, and RED if data has not been reported in over 30 days.
Find further information on the Red Cloak Endpoint Agent modules in the Red Cloak Endpoint Agent Technical Details.
Actions ⫘
Endpoint Actions
View and take available actions related to an endpoint by selecting the three dot Actions icon from the side drawer summary view or the Actions menu from the detailed view.
The following actions may be available, depending on the agent type, the endpoint status, your tenant subscriptions, your user role, and any automations you have enabled:
- Refresh the data displayed in the summary or detailed view to account for updates such as to the Connection or Isolation status.
- Reconnect Agent to connect a Taegis Endpoint Agent to the registration server to initiate an auto-update if a new Taegis Endpoint Agent version is available. To perform this action for multiple Taegis Endpoint Agents at once, see Reconnect Taegis Agents.
- Uninstall Agent to remove a Taegis Endpoint Agent from the endpoint. To perform this action for multiple Taegis Endpoint Agents at once, see Uninstall Taegis Agents.
- Response Actions list playbook automations you have configured as Response Actions.
Note
Legacy default actions such as Isolate Host and Restore Host have been replaced by automations that perform these actions. Ensure you have configured response action playbooks to perform these actions. For more information, see the following release note.
Note
The Uninstall Agent action in XDR is not supported for remotely uninstalling the Taegis macOS agent at this time. The Taegis macOS agent leverages system extensions that require an admin password that cannot be passed from XDR to be disabled so the agent can be uninstalled. To uninstall the Taegis macOS agent, follow these macOS Uninstall steps.
Share Agent Details ⫘
To share agent details with another user within the tenant, select the Copy share link icon for a direct URL from either the side drawer summary view or detailed view.
Copy Link to Share Agent