
Taegis™ Agent Group Configuration


Use Group Configuration to create groups with an assigned registration key that is used during installation to associate Taegis™ Endpoint Agents to that group and the configuration you choose.

Note

Group Configuration is only available for tenants with the Taegis™ Endpoint Agent.

We recommend you create groups aligned with your company's grouping methodology prior to deploying the agent. There are two general options:

To view Group Configuration:

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. The Group Configuration table displays any groups currently configured.

Group Configuration

Group Configuration Settings

Registration Keys

Registration keys are designed to provide secure and controlled access to the Taegis™ Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.

Registration Key Expiration and Rotation

The registration key expiration date is displayed on the Group Configuration table and in group settings.

As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group configuration. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.

Update Scripts and Tools

If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.
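To make the rotation timeline concrete, the following added example (not Secureworks code) models the key lifecycle described above and scans constructed deployment scripts for keys that are already rotating or expired, so the scripts can be updated before the next install fails. It assumes "one year" means 365 days, that the replacement is available exactly 30 days before expiry, and uses placeholder key values and a made-up script format.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumptions (not stated in the documentation): "one year" is modelled as 365 days,
# and the replacement key becomes available exactly 30 days before expiry.
KEY_LIFETIME = timedelta(days=365)
REPLACEMENT_LEAD = timedelta(days=30)


@dataclass
class RegistrationKey:
    value: str        # constructed placeholder, not a real Taegis registration key
    generated: date   # date the key was generated in Group Configuration

    def expires(self) -> date:
        return self.generated + KEY_LIFETIME

    def replacement_available(self) -> date:
        return self.expires() - REPLACEMENT_LEAD


def key_status(key: RegistrationKey, today: date) -> str:
    """'active', 'rotating' (replacement already generated), or 'expired'."""
    if today >= key.expires():
        return "expired"
    if today >= key.replacement_available():
        return "rotating"
    return "active"


def stale_key_references(scripts: Dict[str, str], keys: List[RegistrationKey],
                         today: date) -> Dict[str, str]:
    """Script name -> key status, for scripts embedding a key that is no longer 'active'.
    Already-deployed agents are unaffected; only future registrations with that key are at risk."""
    findings = {}
    for name, body in scripts.items():
        for key in keys:
            if key.value in body and key_status(key, today) != "active":
                findings[name] = key_status(key, today)
    return findings


# Constructed sample: two group keys and two install scripts that embed them (made-up format).
SAMPLE_KEYS = [
    RegistrationKey("REGKEY-PLACEHOLDER-SERVERS", date(2023, 7, 1)),
    RegistrationKey("REGKEY-PLACEHOLDER-LAPTOPS", date(2024, 3, 1)),
]
SAMPLE_SCRIPTS = {
    "deploy-servers.sh": "REGISTRATION_KEY=REGKEY-PLACEHOLDER-SERVERS",
    "deploy-laptops.sh": "REGISTRATION_KEY=REGKEY-PLACEHOLDER-LAPTOPS",
}

if __name__ == "__main__":
    print(stale_key_references(SAMPLE_SCRIPTS, SAMPLE_KEYS, date(2024, 6, 15)))
```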

Access and Renew Registration Key

To access and manually renew the registration key:

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. Select a Group Name entry from the table.

  3. The Registration section displays the current registration key and expiration. Select Renew to manually renew the key.

Renew Registration Key

Auto Archive

Auto Archive allows you to specify a time frame after which any Taegis™ Endpoint Agents that have not reported to XDR are archived from view on the Endpoint Agents Summary table. This option is disabled by default. The archiving process is triggered every 24 hours at 12 AM ET to archive any Taegis™ Endpoint Agents that have been offline for the chosen time frame.

When creating a new group, Auto Archive defaults to the global value set at Agent Settings, but you can configure this at a group level, affecting only Taegis™ Endpoint Agents of that group.

To configure Auto Archive at a group level, toggle the Auto Archive option when creating a new group or updating an existing group and then choose the desired time frame after which offline Taegis™ Endpoint Agents associated with that group are archived.

Tip

To configure Auto Archive at the tenant level, see Agent Settings.
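The following added example (not Secureworks code) models the Auto Archive behaviour described above: a group inherits the tenant-level time frame unless it sets its own, and the job that runs at 12 AM ET archives agents whose last report is older than the effective window. It assumes all timestamps are naive datetimes already expressed in Eastern Time; the group names, agent IDs and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Union

# Assumption: timestamps are naive datetimes already in Eastern Time (the job runs at 12 AM ET);
# converting from UTC is left to the caller.
INHERIT = "inherit"   # no group-level value: use the tenant-level Agent Settings value


@dataclass
class Agent:
    agent_id: str
    group: str
    last_seen_et: datetime   # last time the agent reported to XDR


@dataclass
class Group:
    name: str
    # None = Auto Archive disabled, int = days offline before archiving, INHERIT = tenant default
    auto_archive_days: Union[int, None, str] = INHERIT


def effective_window(group: Group, tenant_days: Optional[int]) -> Optional[int]:
    """A group-level value wins when explicitly set; otherwise the tenant default applies."""
    return tenant_days if group.auto_archive_days == INHERIT else group.auto_archive_days


def next_run_et(now_et: datetime) -> datetime:
    """The archive job fires every 24 hours at 12 AM ET."""
    midnight = now_et.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight if midnight == now_et else midnight + timedelta(days=1)


def agents_to_archive(agents: List[Agent], groups: List[Group],
                      tenant_days: Optional[int], now_et: datetime) -> List[str]:
    """IDs of agents the next scheduled run would archive from the Endpoint Agents Summary view."""
    run_at = next_run_et(now_et)
    by_name = {g.name: g for g in groups}
    archived = []
    for agent in agents:
        window = effective_window(by_name[agent.group], tenant_days)
        if window is not None and run_at - agent.last_seen_et >= timedelta(days=window):
            archived.append(agent.agent_id)
    return archived


# Constructed sample: tenant default 30 days; one group inherits it, one overrides, one disables.
SAMPLE_GROUPS = [Group("Servers"), Group("Laptops", 7), Group("Lab", None)]
SAMPLE_AGENTS = [
    Agent("srv-1", "Servers", datetime(2024, 5, 1, 9, 0)),
    Agent("srv-2", "Servers", datetime(2024, 6, 10, 9, 0)),
    Agent("lap-1", "Laptops", datetime(2024, 6, 5, 9, 0)),
    Agent("lab-1", "Lab", datetime(2024, 3, 1, 9, 0)),
]

if __name__ == "__main__":
    print(agents_to_archive(SAMPLE_AGENTS, SAMPLE_GROUPS, 30, datetime(2024, 6, 15, 14, 30)))
```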

File Analysis

To support security analysis and threat hunting, files are collected by Taegis™ Endpoint Agents. The file hash and other metadata are used to generate alerts for known malicious hashes. For more information on file fetching, see File Analysis Detector.

When creating a new group, implicit file collection defaults to the global value set at Agent Settings, but you may opt in or out at a group level, affecting only Taegis™ Endpoint Agents of that group.

If you opt out at a group level, files are not collected from the Taegis™ Endpoint Agents in that group going forward. This results in the File Analysis Detector not generating alerts for malicious file hashes for those endpoints.

Tip

To configure implicit file collection at the tenant level, see Agent Settings.

Advanced Kernel Telemetry

Important

With this setting disabled, Taegis™ Endpoint Agents for Windows operate in a degraded state and capture fewer telemetry types than documented.

The Advanced Kernel Telemetry setting is currently disabled by default, both at the tenant level and in new groups, to prevent compatibility issues on Windows endpoints running the Taegis™ Endpoint Agent. Issues such as a BSOD or a machine becoming inoperable may stem from third-party security products interfering with the Taegis™ Endpoint Agent.

Disabling this setting may help with such compatibility issues and allow you to troubleshoot, but it reduces the functionality of the Taegis™ Endpoint Agent. When this setting is disabled, the agent stops collecting Advanced Kernel Telemetry, so Code Injection and API Hooked telemetry are not captured.

When creating a new group, Advanced Kernel Telemetry defaults to disabled. To configure Advanced Kernel Telemetry at a group level, toggle the option when creating a new group or updating an existing group.

Tip

To configure Advanced Kernel Telemetry at the tenant level, see Agent Settings.

Telemetry Policy Tiers

Currently, there are two policy tiers available. The policy you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:

The following table provides an overview of the differences in telemetry gathered by each policy tier:

| Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
|---|---|---|
| Process | Process Creation Only | Process Creation and Termination |
| Thread Injection | Enabled | Enabled |
| ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
| Netflow | Connect * | Connect, Disconnect |
| Registry | Disabled | Modifications |
| File | Open for mod, del, ren * | Open for mod, del, ren |

* Netflow and File modification are disabled for Windows agents with the Server tier policy.

Note

Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.

Agent Release Channels

Taegis™ Endpoint Agent Release Channels control the update process of the agent at a group level. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Assign Taegis™ Endpoint Agent groups to the Stable, Preview, or Beta channel to auto-update endpoints in that group when agent versions promoted to the chosen channel are released.

Important

The default channel unless otherwise specified is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.

Taegis™ Agent Release Cycle

The following release cycle model is followed for Taegis™ Agent updates:

  1. Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
  2. Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
  3. Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.

Available Release Channels

The following list summarizes the currently supported channels and their expected usage:

For example, choosing the Stable channel for a group stops updates to agents in that group from occurring until a new Stable build is released, while choosing the Beta channel for a group allows admins to test newer builds with the agents in that group in their environment before they are promoted to the next channel.

Important

At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis™ Agent Downloads.

Create a Group

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. Select New Group from above the table.

  3. Enter a name for the group and an optional description.

  4. Configure the auto archive, implicit file collection, and Advanced Kernel Telemetry settings.

  5. Choose the policy tier and the release channel.

  6. Select Create.

Create Group

Update a Group

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. Select a Group Name entry from the table.

  3. From Group Settings, modify the name, description, or configuration settings as needed.

  4. Choose Update from the top right.

Update Group

Important

At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis™ Agent Downloads.

Delete a Group

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. Select a Group Name entry from the table.

  3. From Group Settings, select Delete from the top right and then confirm your action.

Delete Group

Important

If any endpoints are assigned to the group, you cannot delete it. First reassign those endpoints to another group, then delete the group. For more information, see Reassign Group.

Share Group Details

To share group details with another user within the tenant, follow these steps:

  1. From the Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.

  2. Select a Group Name entry from the table.

  3. From Group Settings, select the Copy share link icon for a direct URL.

Share Group