About LEM groups

Groups in LEM are objects that organize related elements for use with rules and filters. Groups can contain elements such as events, IP addresses, computer names, user accounts, and so on. After a group is defined, it can be referenced from multiple rules and filters.

Do not confuse groups and roles:

  • Groups organize related elements into logical units so that they can be used in rules and filters.
  • Roles restrict the actions that users can perform in LEM. See About LEM roles for information about LEM role types.

About LEM Group Types

There are seven group types in LEM:

  • User-defined groups
  • Event groups
  • Directory Service groups
  • Time-of-day sets
  • Connector profiles
  • Email templates
  • State variables

Each group type is briefly described below.

User-defined groups

User-defined groups contain data specific to your environment, such as user and computer names, the names of sensitive files, trusted IP addresses, and so on. User-defined groups are typically used in rules and filters to whitelist or blacklist events that LEM should include or ignore when evaluating rules and filters. LEM ships with more than two dozen user-defined groups that need to be populated with values for your environment. See Configure user-defined groups in LEM for more information. You can also create rules that auto-populate user-defined groups with values. See Auto-populate user-defined groups using a LEM rule for details.

Event groups

Event groups gather similar events into a single category for use with rules and filters. For example, create an event group for events that should all trigger the same response from LEM. If any event in the group occurs, LEM fires the rule for that group. LEM ships with more than a dozen predefined event groups, such as virus/scanner events, process start/stop events, change management events, and so on.

Directory Service groups

Directory Service groups (DS groups) are groups of users or computers that LEM imports from Microsoft Active Directory. DS groups are synchronized with Active Directory every five minutes. Use DS groups in rules and filters to match specific users or computers. For example, use a DS group in a filter to limit the scope of events to only the users or computers in that group.

Time-of-day sets

Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to perform specific actions at different hours of the day. For example, if you define a time-of-day set for Working Hours, and another for Outside Working Hours, you can assign different rules to each set. LEM ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift, late shift, normal shift, and reboot cycle.

Connector profiles

Connector profiles are groups of Agents with common connector configurations. Most Agents in a network only have a few different network security connector configurations. Using connector profiles, you can group Agents by their common connector configurations, and enable your rules and filters to include or exclude the Agents associated with a profile.

Email templates

Email templates are pre-formatted email messages that your rules use to notify you when an event occurs.

State variables

State variables are used in rules to represent temporary or transitional states. For example, you can create a state variable to track the state of a system, setting it to a different value depending on whether the system comes online or goes offline.

How groups are added to filters and rules in the LEM console

This section demonstrates how groups are used in filters and rules.

The following image shows the Filter Creation screen in the LEM console. On the left side, groups are organized by group type. On the right side, the filter definition pane shows that the Service Audit Alerts event group is included as a condition of the filter.

The next image shows the Rule Creation screen in the LEM console. Again, groups are organized by group type on the left side. On the right side, the rule definition pane shows two different groups in the Correlations section: the Network Audit Alerts event group and the Approved DNS Servers user-defined group. Four child fields are specified in the Network Audit Alerts event group: SourcePort, DestinationPort, SourceMachine, and DestinationMachine.
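As an added illustration (not LEM's configuration syntax and not code from the product), the following Python sketch models the filter and rule described above: an event group, a user-defined group and a time-of-day set referenced by name, a rule that fires when a Network Audit Alerts event carries DNS traffic to a machine outside the Approved DNS Servers group, and a filter scoped by a time-of-day set. The group names are the page's; the event type names, addresses and hours are constructed sample values.

```python
from dataclasses import dataclass
from datetime import time

# Constructed group definitions in the shape the page describes. The event
# type names, addresses and hours are sample values, not LEM's shipped contents.
EVENT_GROUPS = {"Network Audit Alerts": {"UDPTrafficAudit", "TCPTrafficAudit"}}
USER_DEFINED_GROUPS = {"Approved DNS Servers": {"10.0.0.53", "10.0.1.53"}}
TIME_OF_DAY_SETS = {"business hours": (time(8, 0), time(18, 0))}

@dataclass
class Event:
    name: str     # event type, matched against an event group
    fields: dict  # child fields such as SourceMachine, DestinationPort
    at: time      # time of day, matched against a time-of-day set

def in_event_group(event: Event, group: str) -> bool:
    return event.name in EVENT_GROUPS[group]

def in_user_group(value: str, group: str) -> bool:
    return value in USER_DEFINED_GROUPS[group]

def in_time_set(at: time, name: str) -> bool:
    start, end = TIME_OF_DAY_SETS[name]
    return start <= at < end

def rogue_dns_rule(event: Event) -> bool:
    """Correlation: a Network Audit Alerts event with DestinationPort 53 whose
    DestinationMachine is NOT in Approved DNS Servers. Both groups are referenced
    by name, so changing a group's members changes every rule that uses it."""
    return (in_event_group(event, "Network Audit Alerts")
            and event.fields.get("DestinationPort") == 53
            and not in_user_group(event.fields.get("DestinationMachine", ""),
                                  "Approved DNS Servers"))

def business_hours_filter(events: list) -> list:
    """Filter: show only Network Audit Alerts that fall in the business hours set."""
    return [e for e in events if in_event_group(e, "Network Audit Alerts")
            and in_time_set(e.at, "business hours")]

# Constructed sample events: one query to an approved resolver, one to an
# unapproved address, and one unrelated service event.
SAMPLE = [
    Event("UDPTrafficAudit", {"SourceMachine": "10.0.5.7", "SourcePort": 51000,
          "DestinationMachine": "10.0.0.53", "DestinationPort": 53}, time(9, 15)),
    Event("UDPTrafficAudit", {"SourceMachine": "10.0.5.7", "SourcePort": 51001,
          "DestinationMachine": "203.0.113.9", "DestinationPort": 53}, time(22, 40)),
    Event("ServiceStarted", {"SourceMachine": "10.0.5.7"}, time(10, 0)),
]

def fired_destinations(events: list = SAMPLE) -> list:
    """Destinations of the events that trigger the rule."""
    return [e.fields["DestinationMachine"] for e in events if rogue_dns_rule(e)]
```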