
About LEM groups

Updated: September 15, 2017

Groups in LEM are objects that organize related elements for use with rules and filters. Groups can contain elements such as events, IP addresses, computer names, user accounts, and so on. After a group is defined, it can be referenced from multiple rules and filters.

About LEM Group Types

There are seven group types in LEM:

  • User-Defined Groups
  • Event Groups
  • Directory Service Groups
  • Time of Day Sets
  • Connector Profiles
  • Email Templates
  • State Variables

Each group type is briefly described below.

User-defined groups

User-defined groups contain data specific to your environment, such as user and computer names, the names of sensitive files, trusted IP addresses, and so on. They are typically used as whitelists or blacklists: a rule or filter references the group to include or ignore events whose fields match its members. LEM ships with more than two dozen user-defined groups, but they are empty until you populate them with values for your environment, so rules and filters that reference them have no effect until you do. See Configure user-defined groups in LEM for more information. You can also create rules that auto-populate user-defined groups with values taken from matching events. See Auto-populate user-defined groups using a LEM rule for details.

Event groups

Event groups gather similar events into a single category for use with rules and filters. For example, create an event group for events that should all trigger the same response from LEM. If any event in the group occurs, a rule that references the group fires. LEM ships with more than a dozen predefined event groups, such as virus/scanner events, process start/stop events, and change management events.

Directory Service groups

Directory Service groups (DS groups) are groups of users or computers that LEM imports from Microsoft Active Directory. DS groups are synchronized with Active Directory every five minutes, so a membership change in Active Directory takes up to that long to be reflected in LEM. Use DS groups in rules and filters to match specific users or computers. For example, use a DS group in a filter to limit the scope of events to only the users or computers in that group.

Time-of-day sets

Time-of-day sets are defined time periods that you can use in rules and filters. Use time-of-day sets to perform different actions at different hours of the day. For example, if you define a time-of-day set for "Working Hours" and another for "Outside Working Hours," you can assign different rules to each set. LEM ships with the following predefined time-of-day sets: business hours, early shift, graveyard shift, late shift, normal shift, and reboot cycle.

Connector profiles

Connector profiles are groups of Agents that share a common connector configuration. Because most Agents in a network use one of only a few connector configurations, you can group Agents by profile and have your rules and filters include or exclude all Agents associated with a particular profile.

Email templates

Email templates are pre-formatted email messages that your rules use to notify you when an event occurs.

State variables

State variables are used in rules to represent temporary or transitional states. For example, you can create a state variable to track the state of a particular system, setting it to a different value depending on whether the system comes online or goes offline.

How groups are added to filters and rules in the LEM console

This section demonstrates how groups are used in filters and rules.

The following image shows the "Filter Creation" screen in the LEM console. On the left side, groups are organized by group type. On the right side, the filter definition pane shows that the "Service Audit Alerts" event group is included as a condition of the filter.


The next image shows the "Rule Creation" screen in the LEM console. Again, groups are organized by group type on the left side. On the right side, the rule definition pane shows two different groups in the Correlations section: the "Network Audit Alerts" event group and the "Approved DNS Servers" user-defined group. Four child fields are specified in the "Network Audit Alerts" event group: SourcePort, DestinationPort, SourceMachine, and DestinationMachine.
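To make the group mechanics described on this page concrete, the following Python models the filter and rule shown in the two console screens above, together with the time-of-day set, auto-populated user-defined group, and state variable described under the group types. It is an added example, not LEM's rule engine or any SolarWinds code. The event type names, the approved resolver addresses, the business-hours definition, the "Suspect DNS Clients" group, the "RogueDNSActive" state variable, and the rule's logic (a Network Audit Alert to DestinationPort 53 whose DestinationMachine is not in the Approved DNS Servers group) are all assumptions constructed for the illustration; the sample event stream is likewise constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Event:
    """One normalized event carrying the child fields the rule references."""
    event_type: str
    SourceMachine: str
    DestinationMachine: str
    SourcePort: int
    DestinationPort: int
    timestamp: datetime


@dataclass
class Groups:
    """The group objects a rule or filter can reference (constructed sample values)."""
    # Event groups: event types gathered under one name (illustrative type names).
    network_audit_alerts: frozenset = frozenset({"TCPTrafficAudit", "UDPTrafficAudit"})
    service_audit_alerts: frozenset = frozenset({"ServiceStart", "ServiceStop"})
    # User-defined group used as a whitelist: resolvers this site trusts (assumed).
    approved_dns_servers: frozenset = frozenset({"10.0.0.53", "10.0.1.53"})
    # User-defined group the rule auto-populates; starts empty (assumed name).
    suspect_dns_clients: set = field(default_factory=set)
    # State variable the rule sets when it fires (assumed name).
    state: dict = field(default_factory=lambda: {"RogueDNSActive": False})


def in_business_hours(ts: datetime) -> bool:
    """Time-of-day set 'Business Hours': weekdays 08:00-18:00 (assumed definition)."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def service_audit_filter(events, groups):
    """The filter from the Filter Creation screen: keep only Service Audit Alerts."""
    return [ev for ev in events if ev.event_type in groups.service_audit_alerts]


def rogue_dns_rule(ev, groups):
    """Correlation modeled on the Rule Creation screen: a Network Audit Alert to
    DestinationPort 53 whose DestinationMachine is outside the Approved DNS
    Servers group. Returns a severity string when the rule fires, else None."""
    if ev.event_type not in groups.network_audit_alerts:
        return None
    if ev.DestinationPort != 53 or ev.DestinationMachine in groups.approved_dns_servers:
        return None
    # Rule actions: auto-populate a user-defined group and set a state variable.
    groups.suspect_dns_clients.add(ev.SourceMachine)
    groups.state["RogueDNSActive"] = True
    # The time-of-day set decides which response applies.
    return "medium" if in_business_hours(ev.timestamp) else "high"


def evaluate(events, groups):
    """Run the rule over an event stream; returns [(event, severity)] per firing."""
    fired = []
    for ev in events:
        sev = rogue_dns_rule(ev, groups)
        if sev is not None:
            fired.append((ev, sev))
    return fired


# Constructed sample stream: two lookups to approved resolvers, one lookup to an
# unknown resolver at 03:00 on a Tuesday, one service event, and one SSH flow.
SAMPLE_EVENTS = [
    Event("UDPTrafficAudit", "10.0.5.20", "10.0.0.53", 51000, 53, datetime(2017, 9, 12, 10, 0)),
    Event("UDPTrafficAudit", "10.0.5.21", "10.0.1.53", 51001, 53, datetime(2017, 9, 12, 10, 1)),
    Event("UDPTrafficAudit", "10.0.5.22", "203.0.113.9", 51002, 53, datetime(2017, 9, 12, 3, 0)),
    Event("ServiceStop", "10.0.5.22", "10.0.5.22", 0, 0, datetime(2017, 9, 12, 3, 1)),
    Event("TCPTrafficAudit", "10.0.5.23", "10.0.7.1", 51003, 22, datetime(2017, 9, 12, 11, 0)),
]


def run_sample():
    """Evaluate the rule and the filter over the sample stream with fresh groups."""
    groups = Groups()
    fired = evaluate(SAMPLE_EVENTS, groups)
    filtered = service_audit_filter(SAMPLE_EVENTS, groups)
    return fired, filtered, groups


if __name__ == "__main__":
    fired, filtered, groups = run_sample()
    for ev, sev in fired:
        print(f"{sev}: {ev.SourceMachine} -> {ev.DestinationMachine}:{ev.DestinationPort}")
    print("suspect clients:", sorted(groups.suspect_dns_clients))
    print("filtered service events:", [e.event_type for e in filtered])
```

Running the sample fires the rule once, for the lookup to 203.0.113.9, rates it "high" because 03:00 falls outside the business-hours set, adds 10.0.5.22 to the auto-populated group, and flips the state variable; the two lookups to approved resolvers and the SSH flow never reach the whitelist check. Note that the whitelist only protects you if the Approved DNS Servers group is actually populated: with an empty group, every port-53 flow would fire.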

