Documentation for Security Event Manager

Auto-populate user-defined groups using a SEM rule

You can automate how you populate User-Defined Groups using the Add User-Defined Group Element active response in a SEM rule. This active response populates a pre-defined user-defined group with static or dynamic values, as defined by that rule.

Complete the following task to populate a user-defined group based on a specific type of event, such as when you attach a USB device you want to tag as authorized, or when a user attempts to visit a prohibited website.

For additional information about working with SEM rules, see About rules.

  1. On the SEM menu bar, navigate to Build > Rules.

  2. To create a new rule, click in the Rules toolbar.

  3. Enter a name and description for your rule.

  4. Populate the Correlations box with conditions that represent the event you want to trigger your rule. For the USB example:
    1. In the components pane on the left, click Events, and then enter SystemStatus without any spaces in the search box.
    2. Click SystemStatus, and then locate EventInfo from the Fields: SystemStatus list.
    3. Drag EventInfo into the Correlations box. The left side of your new condition should read SystemStatus.EventInfo.
    4. Enter *Attached* into the Text Constant field, denoted by the pencil icon, on the left side of your new condition.
    5. To restrict the rule to a specific computer, create a second condition, SystemStatus.DetectionIP = *computerName*, where computerName is the hostname of the computer you want to specify.

      In this example, the computer you attach your authorized devices to must have a SEM Agent with USB Defender installed, whether you specify it in your rule or not.

  5. In the components pane, click Actions, and then locate Add User-Defined Group Element.

  6. Drag Add User-Defined Group Element into the Actions box.

  7. Within the Add User-Defined Group Element, select the appropriate User-Defined Group, such as Authorized USB Devices. If you do not find the User-Defined Group, perform the following:
    1. Close the action and navigate to Build > Groups.
    2. To create your own User-Defined Group, or to clone an existing group, click on the upper right.

  8. Populate the action using the alerts present in your Correlations. For the USB example:
    1. Select Authorized USB Devices from the User Defined Group menu.
    2. Click Alerts on the components pane, and then verify that SystemStatus is still selected.
    3. Drag ExtraneousInfo from the Fields: SystemStatus list into the blank Value field in the action.

  9. Select Enable at the top of the Rule Creation window, and then modify the Test and Subscribe settings if you want.

    Putting a rule into Test mode lets the rule fire as it normally would, but none of the actions listed in the rule are performed. In this example, nothing is added to the User-Defined Group while the rule is in Test.

  10. At the bottom of the Rule Creation window, click Save.

  11. At the top of the main Rules view, click Activate Rules.

Any time the event you defined in your rule occurs, the value you defined in the Value field of the action gets added to the user-defined group you specified. In the USB example, the attached device is added to the Authorized USB Devices group.
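To make the rule logic concrete, here is an added Python model (illustrative code written for this page, not SEM's rule engine and not part of the original documentation) that evaluates the two correlation conditions from the USB example against constructed SystemStatus events and applies the Add User-Defined Group Element action, honoring Test mode. The wildcard semantics (fnmatch-style "*"), the event dictionaries, the hostname ws-lab-01 and the device identifiers are assumptions, not SEM data.

```python
import fnmatch

# Constructed stand-in for the two Correlations conditions built in the procedure:
# SystemStatus.EventInfo = *Attached*  AND  SystemStatus.DetectionIP = *ws-lab-01*
# Treating "*" as a glob wildcard is an assumption about SEM's matching.
CONDITIONS = {
    "EventInfo": "*Attached*",
    "DetectionIP": "*ws-lab-01*",
}


def matches(event, conditions=CONDITIONS):
    """Return True when every correlation condition matches the event."""
    return all(fnmatch.fnmatchcase(str(event.get(field, "")), pattern)
               for field, pattern in conditions.items())


def apply_rule(events, group, test_mode=False, conditions=CONDITIONS):
    """Model the Add User-Defined Group Element action over a batch of events.

    Returns the ExtraneousInfo values the rule fired on. In Test mode the rule
    still fires (so you can see what it would do) but the group is left untouched.
    """
    fired = []
    for event in events:
        if not matches(event, conditions):
            continue
        value = event.get("ExtraneousInfo")   # the field dragged into Value
        if not value:
            continue
        fired.append(value)
        if not test_mode and value not in group:
            group.append(value)
    return fired


# Constructed sample SystemStatus events (not real SEM output).
SAMPLE_EVENTS = [
    {"EventInfo": "USB Device Attached", "DetectionIP": "ws-lab-01",
     "ExtraneousInfo": "VID_0781&PID_5583"},
    {"EventInfo": "USB Device Detached", "DetectionIP": "ws-lab-01",
     "ExtraneousInfo": "VID_0781&PID_5583"},   # wrong event type, no match
    {"EventInfo": "USB Device Attached", "DetectionIP": "ws-other",
     "ExtraneousInfo": "VID_046D&PID_C52B"},   # other host, no match
]

if __name__ == "__main__":
    authorized = []
    print("test mode:", apply_rule(SAMPLE_EVENTS, authorized, test_mode=True), authorized)
    print("enabled:  ", apply_rule(SAMPLE_EVENTS, authorized), authorized)
```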