Documentation forSecurity Event Manager

About SEM groups

Groups in SEM are objects used to organize related elements for use with rules and filters. Groups can contain elements such as events, IP addresses, computer names, user accounts, and so on. After a group is defined, it can be referenced from multiple rules and filters.

Do not confuse groups and roles:

  • Groups organize related elements into logical units so that they can be used in rules and filters.
  • Roles restrict the actions that users can perform in SEM. See About SEM roles for information about SEM role types.

About SEM Group Types

There are seven group types in SEM:

Each group type is briefly described below.

User-defined groups

User-defined groups contain data specific to your environment, such as user and computer names, the names of sensitive files, trusted IP addresses, and so on. User-defined groups are typically used in rules and filters to whitelist or blacklist events that SEM should include or ignore when evaluating rules and filters. SEM ships with more than two dozen user-defined groups that need to be populated with values for your environment. See Configure user-defined groups in SEM for more information. You can also create rules that auto-populate user-defined groups with values.

Event groups

Event groups gather similar events into a single category for use with rules and filters. For example, create an event group for events that should all trigger the same response from SEM. If an event in the group occurs, SEM will fire the rule for that group. SEM ships with more than a dozen predefined event groups, such as: virus/scanner events, process start/stop events, change management events, and so on.

Directory Service groups

Directory Service groups (DS groups) are groups of users or computers that SEM imports from Microsoft Active Directory. DS groups are synchronized with Active Directory every five minutes. Use DS Groups in rules and filters to match specific users or computers. For example, use a DS group in a filter to limit the scope of events to only users or computers in that group.

Time-of-day sets

Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to perform specific actions at different hours of the day. For example, if you define a time-of-day set for Working Hours, and another for Outside Working Hours, you can assign different rules to each set. SEM ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift, late shift, normal shift, and reboot cycle.

Connector profiles

Connector profiles are groups of Agents with common connector configurations. Most Agents in a network only have a few different network security connector configurations. Using connector profiles, you can group Agents by their common connector configurations, and enable your rules and filters to include or exclude the Agents associated with a profile.

Email templates

Email templates are pre-formatted email messages that your rules use to notify you when an event occurs.

State variables

State variables are used in rules to represent temporary or transitional states. For example, you can create a state variable to track the state of a system, setting it to a different value depending on whether the system comes online or goes offline.

How groups are added to filters and rules on the SEM Console

This section demonstrates how groups are used in filters and rules.

Use groups in filters

The following image shows the filter builder, which is accessed by selecting Live Events from the top menu, clicking the icon in the left panel, and clicking Add new filter.

In the left drag panel, groups are organized by group type. On the right side, the filter builder shows that the Service Audit Alerts event group is included as a condition of the filter.

Use groups in rules

The next image shows a rule definition, which is accessed by selecting Rules > Create New Rules.

Again, groups are organized by group-type on the left side. On the right side, the rule definition builder shows two different groups in the rule conditions: the Network Audit Alerts event group, and the Approved DNS Servers user-defined group. Four child fields are specified in the Network Audit Alerts event group: SourcePort, DestinationPort, SourceMachine, and DestinationMachine.