
Taegis Endpoint Agent Settings


Note

Agent Settings is only available for tenants with the Taegis™ XDR Endpoint Agent.

Overview

Agent Settings provides you with a mechanism to control Taegis Endpoint Agent features at a tenant level. This provides you with further control to manage and customize how the Taegis Endpoint Agent operates within your tenant.

Important

Modifying preferences on Agent Settings affects all Taegis Endpoint Agents in all existing groups in your tenant except the defaultGroup.

Agent Settings

File Analysis

To support security analysis and threat hunting, Taegis Endpoint Agents collect files from endpoints. The file hash and other metadata are used to generate alerts for known malicious hashes. For more information on file fetching, see File Analysis Detector.

Implicit file collection is enabled by default, but you may opt out at a tenant level, which affects all Taegis Endpoint Agents in all groups. To enable or disable file fetching at a tenant level, follow these steps:

  1. From the XDR left-hand side navigation, select Endpoint Agents → Agent Settings.

  2. Select the toggle for Implicit File Collection to either enable or disable this feature.

  3. Select Update from the top right.

Once you opt out, files are not collected in your tenant going forward. This results in the File Analysis Detector not generating alerts for malicious file hashes.

Tip

To configure implicit file collection at a group level, see Group Configuration.

Advanced Kernel Telemetry

Important

With this setting disabled, Taegis Endpoint Agents for Windows operate in a degraded state and do not capture all of the documented telemetry types.

The Advanced Kernel Telemetry setting is currently disabled by default, both at a tenant level and in new groups, to prevent compatibility issues on Windows endpoints running the Taegis Endpoint Agent. Issues such as BSODs or machines becoming inoperable may be caused by third-party security products that interfere with the operation of the Taegis Endpoint Agent.

Disabling this setting may help with such compatibility issues and allow you to troubleshoot, but it does reduce the functionality of the Taegis Endpoint Agent. When the setting is disabled, the agent stops capturing Advanced Kernel Telemetry, so Code Injection and API Hooked telemetry are not collected.

To test a small number of endpoints with this setting enabled, create a new Group Configuration with the setting enabled and assign test endpoints.

To enable or disable Advanced Kernel Telemetry for all Windows agents in your tenant, follow these steps:

  1. From the XDR left-hand side navigation, select Endpoint Agents → Agent Settings.

  2. Select the toggle for Advanced Kernel Telemetry to either enable or disable this feature.

  3. Select Update from the top right.

  4. Restart the agent service to pull down the updated configuration.

Note

This setting applies only to Taegis Endpoint Agents for Windows.

Tip

To configure Advanced Kernel Telemetry at a group level, see Group Configuration.

Auto Archive

Auto Archive allows you to specify a time frame after which any Taegis Endpoint Agents that have not reported to XDR are archived from view on the Endpoint Agents Summary table. This option is disabled by default. The archiving process is triggered every 24 hours at 12 AM ET to archive any Taegis Endpoint Agents that have been offline for the chosen time frame.

To configure Auto Archive at a tenant level:

  1. From the XDR left-hand side navigation, select Endpoint Agents → Agent Settings.

  2. Select the toggle for Auto Archive and then choose the desired time frame after which offline Taegis Endpoint Agents are archived.

  3. Select Update from the top right.
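The following is an added example, not part of the Taegis documentation or the product's own code: a small model of the Auto Archive schedule described above, used to work out which agents a given 12 AM ET run would archive and, in particular, what happens to an agent that crosses the offline threshold shortly after a run. The exact scheduler, whether the threshold is inclusive, and the sample fleet are all assumptions or constructed data; the only facts taken from the page are that the job runs every 24 hours at 12 AM ET and archives agents offline for the chosen time frame.

```python
"""Model of the Auto Archive schedule: which agents would a 12 AM ET run archive?"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

try:
    from zoneinfo import ZoneInfo
    ET = ZoneInfo("America/New_York")       # follows EST/EDT transitions
except Exception:                            # no tz database on this host: assume fixed EST
    ET = timezone(timedelta(hours=-5), "EST")

UTC = timezone.utc


@dataclass(frozen=True)
class Agent:
    hostname: str
    last_seen: datetime   # timezone-aware time of the last report to XDR


def next_run_after(now: datetime) -> datetime:
    """Return the first 12 AM ET archive run strictly after `now`.

    The page only states that the job runs every 24 hours at 12 AM ET; the
    scheduler itself is not documented, so this is a modelling assumption.
    """
    local = now.astimezone(ET)
    midnight = local.replace(hour=0, minute=0, second=0, microsecond=0)
    if midnight <= local:
        # aware datetime + timedelta is wall-clock arithmetic: the UTC offset is
        # recomputed for the new day, so a DST change overnight is handled
        midnight = midnight + timedelta(days=1)
    return midnight


def agents_to_archive(agents: list[Agent], offline_for: timedelta, run_at: datetime) -> list[str]:
    """Hostnames the run at `run_at` archives: offline for at least `offline_for`.

    Whether the boundary is inclusive is not documented; `>=` is an assumption.
    """
    return sorted(a.hostname for a in agents if run_at - a.last_seen >= offline_for)


# Constructed sample fleet (not real data); run 1 is 2024-03-06 00:00 EST = 05:00 UTC
AGENTS = [
    Agent("ws-01", datetime(2024, 2, 20, 12, 0, tzinfo=UTC)),  # offline about two weeks
    Agent("ws-02", datetime(2024, 2, 28, 6, 0, tzinfo=UTC)),   # reaches 7 days one hour AFTER run 1
    Agent("ws-03", datetime(2024, 3, 5, 14, 0, tzinfo=UTC)),   # reported today
    Agent("ws-04", datetime(2024, 2, 28, 4, 0, tzinfo=UTC)),   # reaches 7 days one hour BEFORE run 1
]


def schedule_for_sample(threshold_days: int = 7) -> dict[datetime, list[str]]:
    """Evaluate the next two archive runs against the sample fleet."""
    now = datetime(2024, 3, 5, 15, 0, tzinfo=UTC)   # 10:00 EST on 5 March 2024
    first = next_run_after(now)
    second = next_run_after(first)
    window = timedelta(days=threshold_days)
    return {
        first: agents_to_archive(AGENTS, window, first),
        second: agents_to_archive(AGENTS, window, second),
    }


if __name__ == "__main__":
    for run, hosts in schedule_for_sample().items():
        print(f"{run.isoformat()} archives: {hosts}")
```

The point the model makes visible is that archiving is evaluated only when the daily job runs: ws-02 passes the 7-day mark one hour after the 6 March run and therefore stays on the summary table until the 7 March run, so an agent can remain visible for almost a day beyond the configured time frame.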

Tip

To configure Auto Archive at a group level, see Group Configuration.
