Documentation forSecurity Event Manager

About SEM groups

Groups in SEM are objects used to organize related elements for use with rules and filters. Groups can contain elements such as events, IP addresses, computer names, user accounts, and so on. After a group is defined, it can be referenced from multiple rules and filters.

Do not confuse groups and roles.

Groups organize related elements into logical units so that they can be used in rules and filters.

Roles restrict the actions that users can perform in SEM. See About SEM roles for information about SEM role types.

About SEM Group Types

SEM includes the following groups types:

User-defined groups

User-defined groups contain data specific to your environment, such as user and computer names, the names of sensitive files, trusted IP addresses, and so on. User-defined groups are typically used in rules and filters to whitelist or blacklist events that SEM should include or ignore when evaluating rules and filters.

SEM ships with more than two dozen user-defined groups that need to be populated with values for your environment. See Configure user-defined groups for more information. You can also create rules that auto-populate user-defined groups with values.

Event groups

Event groups gather similar events into a single category for use with rules and filters. For example, create an event group for events that should all trigger the same response from SEM. If an event in the group occurs, SEM will fire the rule for that group.

SEM ships with more than a dozen predefined event groups, such as: virus/scanner events, process start/stop events, change management events, and so on.

Directory Service groups

Directory Service groups (DS groups) are groups of users or computers that SEM imports from Microsoft Active Directory. DS groups are synchronized with Active Directory every five minutes. Use DS Groups in rules and filters to match specific users or computers. For example, use a DS group in a filter to limit the scope of events to only users or computers in that group.

Time-of-day sets

Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to perform specific actions at different hours of the day. For example, if you define a time-of-day set for Working Hours, and another for Outside Working Hours, you can assign different rules to each set.

SEM ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift, late shift, normal shift, and reboot cycle.

Connector profiles

Connector profiles are groups of Agents with common connector configurations. Most Agents in a network only have a few different network security connector configurations. Using connector profiles, you can group Agents by their common connector configurations, and enable your rules and filters to include or exclude the Agents associated with a profile.

Email templates

Email templates are pre-formatted email messages that your rules use to notify you when an event occurs.

State variables

State variables are used in rules to represent temporary or transitional states. For example, you can create a state variable to track the state of a system, setting it to a different value depending on whether the system comes online or goes offline.

How groups are added to filters and rules on the SEM Console

This section describes how groups are used in filters and rules.

Use groups in filters

You can access the filter builder by selecting Live Events from the top menu, clicking the icon in the left panel, and then clicking Add new filter.

In the left panel, groups are organized by group type. In the right panel, the filter builder shows that the Service Audit Alerts event group is included as a condition of the filter.

Use groups in rules

You can access rule definitions by selecting Rules > Create New Rules. Groups are organized by group-type in the left panel.

In the right panel, the rule definition builder shows two different groups in the rule conditions:

  • Network Audit Alerts event group,

  • Approved DNS Servers user-defined group

Four child fields are specified in the Network Audit Alerts event group:

  • SourcePort

  • DestinationPort

  • SourceMachine

  • DestinationMachine