Taegis Endpoint Agent Group Policies

Overview

A policy is a set of configuration settings designed to control how Taegis Endpoint Agents protect endpoints from security threats. Policies ensure that devices adhere to your organization's endpoint and security standards. Policy settings are the specific configurations that define how the policy is enforced. A policy can be applied to one or more groups.

To view Agent Group Policies:

  1. From the Taegis Menu, select Endpoint Agents → Group Policies.

  2. The Agent Group Policies page displays currently configured policies.

    Agent Group Policies

Filter Group Policies

Use the collapsible filter menu at the left of the list to narrow down the matching policies.

As you select filters, the list updates dynamically and the count of results reflects the updated filtered list.

Filter Group Policies

Export Group Policies

Export all policies or a subset using the Actions menu at the top right:

  • Export All — Select the Actions menu and choose Export All to generate a CSV file that includes details of all policies, regardless of any filters you have selected.

Export All Group Policies

  • Export Selected — Select the policies you wish to export using the checkboxes, select the Actions menu, and choose Export Selected to generate a CSV file that includes details of the selected policies.

Export Selected Policies

Policy Configuration Settings

Select a policy name from the Group Policies page to view that policy’s settings.

Group Policy Settings

Agent Management

Tamper Protection

Agent Tamper Protection

Important

Tamper Protection is currently supported by Windows Agents version 2.1.2 and later and macOS Agents version 2.0.9 and later. See Taegis Endpoint Agent Changelog.

Tamper Protection adds a layer of security around the uninstall of Taegis Agents from endpoints. This setting is OFF by default. When enabled:

  • If a user wishes to manually remove the agent from the system, they will be required to provide a tamper protection uninstall token that can be generated from the Taegis XDR UI.
  • Stopping or restarting the Taegis Agent service manually is prohibited.

The tamper protection uninstall token can be generated to apply to all agents in the tenant from Endpoint Agents Summary, or to apply to a specific host from Endpoint Agent Details.

Important

Tokens expire one hour after they are generated.

Note

Uninstalls initiated from the XDR UI do not require a token when Tamper Protection is enabled. When Tamper Protection is disabled, all uninstall methods proceed without need for a token.

Auto Archive

Auto Archive Setting

Auto Archive allows you to specify a time frame after which any Taegis Endpoint Agents that have not sent telemetry to XDR are archived from view on the Endpoint Agents Summary table. This option is disabled by default. The archiving process is triggered every 24 hours at 12 AM ET to archive any Taegis Endpoint Agents that have been offline for the chosen time frame.

Note

Archived agents that continue to send telemetry to XDR are automatically unarchived. When an agent is initially archived, a brief grace period is provided before unarchiving occurs if the agent continues to send telemetry.

Security Controls

File Analysis

File Analysis Setting

To support security analysis and threat hunting, files that are unique to XDR are collected by Taegis Endpoint Agents. The file hash and other metadata are used to generate alerts for known malicious hashes. For more information on the file fetching, see File Analysis Detector.

This setting is OFF in the default policy. If you opt out, files are not collected from the Taegis Endpoint Agents in that policy. This may result in the File Analysis Detector not generating alerts for malicious files found on those endpoints.

Deep Process Inspection

Note

This setting was previously called Advanced Kernel Telemetry.

Deep Process Inspection Setting

The Deep Process Inspection setting enables capture of RPC and API call telemetry. This telemetry enables detections for Active Directory malicious synchronization attacks (known as DCSync) and for the Secretsdump credential theft tool.

Important

With this setting disabled, Taegis Endpoint Agents for Windows may experience degraded performance due to differences in the documented telemetry types captured.

This setting is disabled by default to avoid compatibility issues on Windows endpoints between the Taegis Endpoint Agent and other running programs. Issues such as BSOD or machines becoming inoperable may occur in cases where there is incompatibility with third-party security products that interfere with the interoperability of the Taegis Endpoint Agent. See Compatibility Issues for an up-to-date assessment of product compatibility issues.

Disabling this setting may help with such issues and allow you to troubleshoot, but it does reduce the functionality of the Taegis Endpoint Agent. When this setting is disabled, the Deep Process Inspection performed by the agent is disabled, resulting in Code Injection and API Hooked telemetry not being captured.

Deep Process Inspection Compatibility Testing

Important

Check Known Issues for potential compatibility issues prior to testing.

To test a small number of endpoints with this setting enabled, create a new Agent Group with a policy that has the setting enabled and assign test endpoints to the new group. Alternatively, if you have an existing test or beta group, you can modify the policy assigned to that group.

  1. From Group Policy Settings, select the toggle for Deep Process Inspection to enable the feature.

  2. Select Save Changes on the top right.

  3. Restart the agent service to pull down the updated configuration or reboot the affected test systems.

    Note

    This setting only applies to Taegis Endpoint Agents for Windows.

Maintenance Windows

Configure Maintenance Windows

Maintenance windows restrict automatic agent updates to the window you configure. If no maintenance windows are configured, agent updates may occur at any time during the rollout process.

One maintenance window can be configured per day for a duration of 6 to 12 hours.

Add a Maintenance Window

To add a maintenance window when creating or updating a group policy, follow these steps:

  1. Select + Add Maintenance Window.
  2. Choose the day of the week the maintenance window starts.
  3. Choose the time of day the maintenance window starts.
  4. Choose the duration of the maintenance window.

Note

The timezone used for maintenance windows is set in your User Profile & Settings and listed at the top of the Maintenance Windows section.
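The constraints above (one window per day, a 6 to 12 hour duration, a start day and hour read in the profile timezone) are easy to get wrong when windows are managed outside the UI, for example by a script that builds policies. The following is an added example, not Secureworks code and not the product's API: it models a window as a hypothetical `MaintenanceWindow` record, validates a set of windows against the documented rules, and checks whether a given UTC instant falls inside an enabled window, including windows that run past midnight. The profile timezone is passed as a fixed UTC offset so the example needs no tz database.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
MIN_HOURS, MAX_HOURS = 6, 12  # duration limits stated in the policy documentation

@dataclass(frozen=True)
class MaintenanceWindow:           # hypothetical model of one configured window
    day: str                       # day of week the window starts, e.g. "Sat"
    start_hour: int                # start hour (0-23) in the profile timezone
    duration_hours: int
    enabled: bool = True

def validate_windows(windows):
    """Return violations of the documented rules: known day, one window per day, 6-12h."""
    problems, seen = [], set()
    for w in windows:
        if w.day not in DAYS:
            problems.append(f"{w.day}: unknown day of week")
            continue
        if w.day in seen:
            problems.append(f"{w.day}: more than one window on this day")
        seen.add(w.day)
        if not MIN_HOURS <= w.duration_hours <= MAX_HOURS:
            problems.append(f"{w.day}: duration {w.duration_hours}h outside {MIN_HOURS}-{MAX_HOURS}h")
    return problems

def update_allowed(windows, when_utc, tz):
    """True if when_utc (aware) falls inside an enabled window, evaluated in timezone tz."""
    local = when_utc.astimezone(tz)
    for w in windows:
        if not w.enabled:
            continue
        # Most recent occurrence of the window's start day (today or up to 6 days back)
        days_back = (local.weekday() - DAYS.index(w.day)) % 7
        start = (local - timedelta(days=days_back)).replace(
            hour=w.start_hour, minute=0, second=0, microsecond=0)
        if start > local:            # start day is today but the start hour is still ahead
            start -= timedelta(days=7)
        if start <= local < start + timedelta(hours=w.duration_hours):
            return True               # window may cross midnight; end is start + duration
    return False

def allowed_at(windows, iso_utc, offset_hours):
    """Wrapper: ISO timestamp in UTC plus the profile timezone's fixed UTC offset."""
    when = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return update_allowed(windows, when, timezone(timedelta(hours=offset_hours)))

# Constructed sample: Sat 22:00-Sun 06:00 (crosses midnight), Wed 01:00-07:00, Fri disabled
SAMPLE_WINDOWS = [MaintenanceWindow("Sat", 22, 8), MaintenanceWindow("Wed", 1, 6),
                  MaintenanceWindow("Fri", 20, 6, enabled=False)]
```

A real profile timezone such as Eastern Time shifts its offset with daylight saving, so a production check should use a zone-aware tzinfo rather than the fixed offset used here.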

Disable or Enable a Maintenance Window

To disable or enable a configured maintenance window, follow these steps:

  1. Select the vertical ellipses next to a configured maintenance window.
  2. Choose Disable or Enable, depending on its current status.

Delete a Maintenance Window

To delete a configured maintenance window, follow these steps:

  1. Select the vertical ellipses next to a configured maintenance window.
  2. Choose Delete.

Telemetry Tiers

Telemetry Tiers

Currently, there are two telemetry tiers available. The telemetry tier you choose dictates the behavior for the agent as it runs, the amount of telemetry it collects, and the level of performance impact on the endpoint:

  • Workstation Tier — Recommended default setting for most devices or environments. If system performance is severely impacted with this tier, try reassigning to Server Tier.

  • Server Tier — Recommended for resource-constrained devices or environments, such as servers, IoT devices, or domain controllers where resource consumption is a concern. Note that because this tier gathers less telemetry from endpoints, as documented in the following table, detections and investigations may also be reduced.

The following table provides an overview of the differences in telemetry gathered by each telemetry tier:

| Taegis Agent Telemetry Data | Telemetry Gathered by Server Tier | Telemetry Gathered by Workstation Tier |
|---|---|---|
| Process | Process Creation Only | Process Creation and Termination |
| Thread Injection | Enabled | Enabled |
| ETW (Auth, Scriptblock, DNS) | Enabled | Enabled |
| Netflow | Connect * | Connect, Disconnect |
| Registry | Disabled | Modifications |
| File | Open for mod, del, ren * | Open for mod, del, ren |

Note

Only Process, Netflow, Auth, and FileMod are available for the macOS and Linux agents; see Telemetry Overview.

Agent Release Channels

Agent Release Channels

Taegis Endpoint Agent Release Channels control the update process of the agent. In its standard configuration, the agent updates automatically on a periodic, roughly quarterly release cycle. Configure group policies with the Stable, Preview, or Beta channel to auto-update endpoints when agent versions promoted to the chosen channel are released.

Important

The default channel, unless otherwise specified, is Stable. All installations begin with the latest Stable version available from Agent Downloads. Endpoints then update automatically to the agent version promoted to the release channel specified in the policy assigned to the group to which the endpoints belong. The release channel you choose does not affect the cadence of automatic updates.

Taegis Endpoint Agent Release Cycle

The following release cycle model is followed for Taegis Endpoint Agent updates:

  1. Beta — The newest release is promoted to Beta and delivered to Beta channel subscribers.
  2. Preview — After additional testing, validation, feedback, and fixes, the release is promoted to Preview and delivered to Preview channel subscribers.
  3. Production Stable — Finally, the release is promoted to Stable and delivered to Stable channel subscribers.

Available Release Channels

The following list summarizes the currently supported channels and their expected usage:

  • Beta — Agents enrolled in this channel are first to receive new updates and features of pre-release builds. Enroll in this channel to find and report issues to Secureworks, and for testing and evaluation use only. This channel is recommended for <1% of overall estate, in non-production environments only, varied across OS/configurations. See Beta Release Channel for more information.

  • Preview — Agents enrolled in this channel receive updates early in the release process. Enroll in this channel to get early access to new upcoming features and updates. This channel is recommended for 1-10% of overall estate, in pre-production/validation environments only.

  • Production Stable — Agents enrolled in this channel receive updates when releases are disseminated more broadly to the general customer population. This channel is recommended for 100% of overall estate and for production environments.

For example, choosing the Stable channel for a group policy holds agents in groups with that policy at their current version until a new Stable build is released, while choosing the Beta channel for a group policy lets admins test newer builds on the agents in groups with that policy before those builds are promoted to the next channel.

Create a Policy

  1. From the Taegis Menu, select Endpoint Agents → Group Policies.

  2. Select + Add from the top of the page.

  3. Enter a name for the policy and an optional description.

  4. Configure the policy settings as desired.

  5. Select Create.

    Create Group Policy

Update a Policy

  1. From the Taegis Menu, select Endpoint Agents → Group Policies.

  2. Select the name of the policy you would like to edit.

  3. Modify the policy settings as desired.

  4. Select Save Changes.

    Update Group Policy

Delete a Policy

Important

You cannot delete a policy while it is assigned to a group. First assign a different policy to those groups, then delete the policy. For more information, see Update a Group.

  1. From the Taegis Menu, select Endpoint Agents → Group Policies.

  2. Select the name of the policy you would like to delete.

  3. From Agent Group Policy Settings, select Delete from the top right and then confirm your action.

    Delete Group Policy

Share Policy Details

To share policy details with another user within the tenant, follow these steps:

  1. From the Taegis Menu, select Endpoint Agents → Group Policies.

  2. Select the name of the policy you would like to share.

  3. From Agent Group Policy Settings, select the Copy share link icon for a direct URL.

    Share Group Policy