Taegis Endpoint Agent Group Configuration
Use Group Configuration to create groups with an assigned registration key that is used during installation to associate Taegis™ XDR Endpoint Agents to that group and the configuration you choose.
Note
Group Configuration is only available for tenants with the Taegis Endpoint Agent.
We recommend you create groups aligned with your company's grouping methodology prior to deploying the agent. There are two general options:
- (Recommended) Create groups aligned with your company's grouping methodology and assign the configuration best suited for each group.
- Use the default group to register agents on all endpoints with one configuration.
To view Group Configuration:
- From the Secureworks® Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
- The Group Configuration table displays any groups currently configured.
Group Configuration
Group Configuration Settings
Registration Keys
Registration keys are designed to provide secure and controlled access to the Taegis Endpoint Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.
Registration Key Expiration and Rotation
The registration key expiration date is displayed on the Group Configuration table and in group settings.
As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group configuration. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.
Update Scripts and Tools
If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.
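As an added illustration of the expiration and rotation rules above (example code, not Secureworks code): a small Python helper that a deployment script can run before registering new agents. It derives the expiry and rotation-window dates from a key's generation date and returns the action each group needs. The group names, key labels and dates are constructed for the example, and the 29 February handling is an assumption the page does not state.

```python
# Registration-key lifecycle check (added example; not Secureworks code).
# Rules from this page: key expires one year after generation; a replacement exists 30 days before.
from dataclasses import dataclass
from datetime import date, timedelta

ROTATION_WINDOW_DAYS = 30  # replacement key appears this many days before expiry

def add_one_year(d: date) -> date:
    try:
        return d.replace(year=d.year + 1)
    except ValueError:  # 29 Feb with no leap day next year: roll to 28 Feb (assumption)
        return d.replace(year=d.year + 1, day=28)

@dataclass(frozen=True)
class RegistrationKey:
    group: str       # Group Configuration entry the key belongs to
    key_id: str      # constructed label; never put the real key value in logs
    generated: date  # generation date shown in the group's Registration section

    @property
    def expires(self) -> date:
        return add_one_year(self.generated)

    @property
    def rotation_opens(self) -> date:
        return self.expires - timedelta(days=ROTATION_WINDOW_DAYS)

def key_status(key: RegistrationKey, today: date) -> str:
    """'current', 'rotate' (replacement already generated in the portal) or 'expired'."""
    if today >= key.expires:
        return "expired"
    if today >= key.rotation_opens:
        return "rotate"
    return "current"

def deployment_actions(keys, today):
    """Action per group for a deployment script to take before registering new agents."""
    actions = {}
    for k in keys:
        status = key_status(k, today)
        if status == "expired":
            actions[k.group] = f"BLOCK: {k.key_id} expired {k.expires}; fetch the renewed key"
        elif status == "rotate":
            actions[k.group] = f"UPDATE: {k.key_id} replaced since {k.rotation_opens}, expires {k.expires}"
        else:
            actions[k.group] = "OK"
    return actions

SAMPLE_KEYS = [RegistrationKey("Servers", "key-A", date(2024, 3, 1)),  # constructed sample
               RegistrationKey("Workstations", "key-B", date(2024, 2, 29))]
```

Run `deployment_actions(SAMPLE_KEYS, date.today())` from the deployment tool and refuse to continue on a BLOCK result, so a key that has already been replaced in Group Configuration is never used for a new install.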
Access and Renew Registration Key
To access and manually renew the registration key:
- From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
- Select a Group Name entry from the table.
- The Registration section displays the current registration key and expiration. Select Renew to manually renew the key.
Renew Registration Key
Auto Archive
Auto Archive allows you to specify a time frame after which any Taegis Endpoint Agents that have not reported to XDR are archived from view on the Endpoint Agents Summary table. This option is disabled by default. The archiving process is triggered every 24 hours at 12 AM ET to archive any Taegis Endpoint Agents that have been offline for the chosen time frame.
When creating a new group, Auto Archive defaults to the global value set at Agent Settings, but you can configure this at a group level, affecting only Taegis Endpoint Agents of that group.
To configure Auto Archive at a group level, toggle the Auto Archive option when creating a new group or updating an existing group and then choose the desired time frame after which offline Taegis Endpoint Agents associated with that group are archived.
Tip
To configure Auto Archive at the tenant level, see Agent Settings.
File Analysis
To support security analysis and threat hunting, files are collected by Taegis Endpoint Agents. The file hash and other metadata are used to generate alerts for known malicious hashes. For more information on file fetching, see File Analysis Detector.
When creating a new group, implicit file collection defaults to the global value set at Agent Settings, but you may opt in or out at a group level, affecting only Taegis Endpoint Agents of that group.
If you opt out at a group level, files are not collected from the Taegis Endpoint Agents in that group going forward. This results in the File Analysis Detector not generating alerts for malicious file hashes for those endpoints.
Tip
To configure implicit file collection at the tenant level, see Agent Settings.
Advanced Kernel Telemetry
Important
With this setting disabled, Taegis Endpoint Agents for Windows operate in a degraded state and do not capture all of the documented telemetry types.
The Advanced Kernel Telemetry setting is currently disabled by default both at a tenant level and in new groups to prevent compatibility issues on Windows endpoints with the Taegis Endpoint Agent. Issues such as a BSOD or a machine becoming inoperable may stem from third-party security products interfering with the Taegis Endpoint Agent.
Disabling this setting may help with such compatibility issues and allow you to troubleshoot, but it does reduce the functionality of the Taegis Endpoint Agent. When this setting is disabled, the agent does not capture Advanced Kernel Telemetry, so Code Injection and API Hooked telemetry are not collected.
When creating a new group, Advanced Kernel Telemetry defaults to disabled. To configure Advanced Kernel Telemetry at a group level, toggle the option when creating a new group or updating an existing group.
Tip
To configure Advanced Kernel Telemetry at the tenant level, see Agent Settings.
Telemetry Policy Tiers
Currently, there are two policy tiers available. The policy you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:
- Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT devices, or domain controllers, where resource consumption is a concern.
- Workstation Tier — Recommended default policy setting for most devices or environments, such as workstations.
The following table provides an overview of the differences in telemetry gathered by each policy tier:
Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
---|---|---|
Process | Process Creation Only | Process Creation and Termination |
Thread Injection | Enabled | Enabled |
ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
Netflow | Connect * | Connect, Disconnect |
Registry | Disabled | Modifications |
File | Open for mod, del, ren * | Open for mod, del, ren |
* Netflow and File modification telemetry are disabled for Windows agents with the Server tier policy.
Note
Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.
Agent Release Channels
Taegis Endpoint Agent Release Channels control the update process of the agent at a group level. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Assign Taegis Endpoint Agent groups to the Stable, Preview, or Beta channel to auto-update endpoints in that group when agent versions promoted to the chosen channel are released.
Important
The default channel unless otherwise specified is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.
Taegis Endpoint Agent Release Cycle
The following release cycle model is followed for Taegis Endpoint Agent updates:
- Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
- Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
- Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.
Available Release Channels
The following list summarizes the currently supported channels and their expected usage:
- Beta — Agents enrolled in this channel are first to receive new updates and features of pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.
- Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of overall estate, in pre-production/validation environments only.
- Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of overall estate and for production environments.
For example, choosing the Stable channel for a group stops updates to agents in that group from occurring until a new Stable build is released, while choosing the Beta channel for a group allows admins to test newer builds with the agents in that group in their environment before they are promoted to the next channel.
Important
At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis Endpoint Agent Downloads.
Create a Group
- From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
- Select New Group from above the table.
- Enter a name for the group and an optional description.
- Configure the auto archive, implicit file collection, and Advanced Kernel Telemetry settings.
- Choose the policy tier and the release channel.
- Select Create.
Create Group
Update a Group
- From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
- Select a Group Name entry from the table.
- From Group Settings, modify the name, description, or configuration settings as needed.
- Choose Update from the top right.
Update Group
Important
At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis Endpoint Agent Downloads.
Delete a Group
- From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
- Select a Group Name entry from the table.
- From Group Settings, select Delete from the top right and then confirm your action.
Delete Group
Important
If there are endpoints assigned, you cannot delete the group. First reassign those endpoints to a new group and then delete the group after. For more information, see Reassign Group.
Share Group Details
To share group details with another user within the tenant, follow these steps:
- From the XDR left-hand side navigation, select Taegis Endpoint Agent Group Configuration.
- Select a Group Name entry from the table.
- From Group Settings, select the Copy share link icon for a direct URL.
Share Group