☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Taegis Endpoint Agent Group Configuration

integrations endpoints edr taegis agent secureworks

Use Group Configuration to create groups with an assigned registration key that is used during installation to associate Taegis™ XDR Endpoint Agents to that group and the configuration you choose.

Note

Group Configuration is only available for tenants with the Taegis Endpoint Agent.

We recommend you create groups aligned with your company's grouping methodology prior to deploying the agent. There are two general options:

(Recommended) Create groups aligned with your company's grouping methodology and assign the configuration best suited for each group.
Use the default group to register agents on all endpoints with one configuration.

To view Group Configuration:

From the Secureworks® Taegis™ XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
The Group Configuration table displays any groups currently configured.

Group Configuration

Group Configuration Settings ⫘

Registration Keys ⫘

Registration keys are designed to provide secure and controlled access to the Taegis Endpoint Agent. The registration key expiration is used to enhance the security of our agent and protect it from unauthorized use.

Registration Key Expiration and Rotation ⫘

The registration key expiration date is displayed on the Group Configuration table and in group settings.

As the expiration date of your registration key approaches, a new key is generated 30 days prior to expiration to ensure uninterrupted service and is available for you to access and manage within the group configuration. All registration keys expire one year after the date they were generated. Agents that have already been deployed using this registration key are not impacted.

Update Scripts and Tools ⫘

If you have any scripts or tools that rely on the registration key, it is essential to update them with the new registration key to ensure successful registration of future deployments.

Access and Renew Registration Key ⫘

To access and manually renew the registration key:

From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
Select a Group Name entry from the table.
The Registration section displays the current registration key and expiration. Select Renew to manually renew the key.

Renew Registration Key

Auto Archive ⫘

Auto Archive allows you to specify a time frame after which any Taegis Endpoint Agents that have not reported to XDR are archived from view on the Endpoint Agents Summary table. This option is disabled by default. The archiving process is triggered every 24 hours at 12 AM ET to archive any Taegis Endpoint Agents that have been offline for the chosen time frame.

When creating a new group, Auto Archive defaults to the global value set at Agent Settings, but you can configure this at a group level, affecting only Taegis Endpoint Agents of that group.

To configure Auto Archive at a group level, toggle the Auto Archive option when creating a new group or updating an existing group and then choose the desired time frame after which offline Taegis Endpoint Agents associated with that group are archived.

Tip

To configure Auto Archive at the tenant level, see Agent Settings.

File Analysis ⫘

To support security analysis and threat hunting, files are collected by Taegis Endpoint Agents. The file hash and other metadata are used to generate alerts for known malicious hashes. For more information on the file fetching, see File Analysis Detector.

When creating a new group, implicit file collection defaults to the global value set at Agent Settings, but you may opt in or out at a group level, affecting only Taegis Endpoint Agents of that group.

If you opt out at a group level, files are not collected from the Taegis Endpoint Agents in that group going forward. This results in the File Analysis Detector not generating alerts for malicious file hashes for those endpoints.

Tip

To configure implicit file collection at the tenant level, see Agent Settings.

Advanced Kernel Telemetry ⫘

Important

With this setting disabled, Taegis Endpoint Agents for Windows operate in a degraded state from the documented telemetry types captured.

The Advanced Kernel Telemetry setting is currently disabled by default both at a tenant level and in new groups to prevent compatibility issues on Windows endpoints with the Taegis Endpoint Agent. Issues such as BSOD or machines becoming inoperable may relate to compatibility with third-party security products interfering with the interoperability of the Taegis Endpoint Agent.

Disabling this setting may help with such compatibility issues and allow you to troubleshoot, but it does reduce the functionality of the Taegis Endpoint Agent. When this setting is disabled, the Advanced Kernel Telemetry captured by the agent is disabled, resulting in Code Injection and API Hooked telemetry not being captured.

When creating a new group, Advanced Kernel Telemetry defaults to disabled. To configure Advanced Kernel Telemetry at a group level, toggle the option when creating a new group or updating an existing group.

Tip

To configure Advanced Kernel Telemetry at the tenant level, see Agent Settings.

Telemetry Policy Tiers ⫘

Currently, there are two policy tiers available. The policy you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:

Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT, or domain controllers that have risks related to the resource.
Workstation Tier — Recommended default policy setting for most devices or environments, such as workstations.

The following table provides an overview of the differences in telemetry gathered by each policy tier:

Taegis Agent Telemetry Data	Telemetry Gathered by Server Tier	Telemetry Gathered by Workstation Tier
Process	Process Creation Only	Process Creation and Termination
Thread Injection	Enabled	Enabled
ETW (Auth, Scriptblock, DNS)	Enabled	Enabled
Netflow	Connect *	Connect, Disconnect
Registry	Disabled	Modifications
File	Open for mod, del, ren *	Open for mod, del, ren

* Netflow and File modification are disabled for Windows agent with Server tier policy.

Note

Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.

Agent Release Channels ⫘

Taegis Endpoint Agent Release Channels control the update process of the agent at a group level. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Assign Taegis Endpoint Agent groups to the Stable, Preview, or Beta channel to auto-update endpoints in that group when agent versions promoted to the chosen channel are released.

Important

The default channel unless otherwise specified is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.

Taegis Endpoint Agent Release Cycle ⫘

The following release cycle model is followed for Taegis Endpoint Agent updates:

Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.

Available Release Channels ⫘

The following list summarizes the currently supported channels and their expected usage:

Beta — Agents enrolled in this channel are first to receive new updates and features of pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.
Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of overall estate, in pre-production/validation environments only.
Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of overall estate and for production environments.

For example, choosing the Stable channel for a group stops updates to agents in that group from occurring until a new Stable build is released, while choosing the Beta channel for a group allows admins to test newer builds with the agents in that group in their environment before they are promoted to the next channel.

Important

At this time, to alter a group configuration from a release channel earlier in the release cycle, like Beta or Preview, to a release channel later in the release cycle, you must first uninstall the newer agent version and reinstall the Production Stable version available from Taegis Endpoint Agent Downloads.

Create a Group ⫘

From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
Select New Group from above the table.
Enter a name for the group and an optional description.
Configure the auto archive, implicit file collection, and Advanced Kernel Telemetry settings.
Choose the policy tier and the release channel.
Select Create.

Create Group

Update a Group ⫘

From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
Select a Group Name entry from the table.
From Group Settings, modify the name, description, or configuration settings as needed.
Choose Update from the top right.

Update Group

Important

Delete a Group ⫘

From the XDR left-hand side navigation, select Endpoint Agents → Group Configuration.
Select a Group Name entry from the table.
From Group Settings, select Delete from the top right and then confirm your action.

Delete Group

Important

If there are endpoints assigned, you cannot delete the group. First reassign those endpoints to a new group and then delete the group after. For more information, see Reassign Group.

To share group details with another user within the tenant, follow these steps:

From the XDR left-hand side navigation, select Taegis Endpoint Agent Group Configuration.
Select a Group Name entry from the table.
From Group Settings, select the Copy share link icon for a direct URL.

Share Group

Taegis Endpoint Agent Group Configuration

Group Configuration Settings ⫘

Registration Keys ⫘

Registration Key Expiration and Rotation ⫘

Update Scripts and Tools ⫘

Access and Renew Registration Key ⫘

Auto Archive ⫘

File Analysis ⫘

Advanced Kernel Telemetry ⫘

Telemetry Policy Tiers ⫘

Agent Release Channels ⫘

Taegis Endpoint Agent Release Cycle ⫘

Available Release Channels ⫘

Create a Group ⫘

Update a Group ⫘

Delete a Group ⫘

Share Group Details ⫘

On this page: