ProTip: Dynamic User Group Based on Device Activity

protip
triggers

Hi, Cal Jewell, Sr. Technical Trainer at ExtraHop Networks.

I previously uploaded a bundle to help you look at problematic DNS queries: https://www.extrahop.com/bundles/gumby/problem-dns-queries/.

Now, we are going to examine a quick and easy way to assign Triggers, Alerts, Custom Pages, and Geomaps to devices based on device activity.

Background

In the ExtraHop UI you can create your own groups of devices. There are two types of user-created groups: static and dynamic.

A Static group is just that: static. Once set, devices do not enter or leave that group until you change its membership yourself.

A Dynamic group is much more powerful. As new devices appear on the network, any that fit the criteria for the Dynamic group are added to it automatically, with no further work on your part.

Here’s How

In this example, we want to create a dynamic user group that includes all DNS Servers.

  1. Click Device Groups then click the User Groups tab.

  2. Click the Select Action dropdown then click Add.

  3. In the Name field, give your new group a name. In this example, we will use “DNS Servers”.

  4. In the Group Type field, select Dynamic. Then, in the pulldown menu, select “type”.

  5. In the box to the right of the pulldown, enter “dns_server” (without the quotes).

  6. In the Comment field, enter “Dynamic group of DNS Servers”.

  7. When done, the Add Device Group dialog box should look like this:

  8. Click OK.

Your new group is added to your list of User Groups and should already be populated with devices (visible in the Count column).

Now, you can easily assign a Trigger (as mentioned in the bundle description) to a dynamic group by selecting the box next to the dynamic group, clicking Select Action, then clicking Assign Trigger.

For Future Reference

Here are other criteria that work for “type” when creating a Dynamic user group:

  • http_server
  • http_client
  • db_server
  • db_client
  • dns_server
  • dns_client
  • ica_server
  • ica_client
  • ssl_server
  • ssl_client
  • cifs_server
  • cifs_client
  • smtp_server
  • smtp_client
  • etc.
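To make the Background distinction concrete, here is an added example (my own illustration, not ExtraHop code and not how the appliance classifies devices internally): it derives activity roles such as dns_server and dns_client from a handful of constructed flow records, then shows that a static group keeps its original members while a dynamic group picks up a new host the moment it starts behaving like a DNS server. The port-to-protocol mapping, the Flow record shape and the allow-list check are assumptions made for the example; the ExtraHop appliance classifies by protocol analysis rather than by port alone.

```python
"""Model of activity-based static vs. dynamic device groups.

Constructed example, not ExtraHop code. Roles are inferred from which side
of a flow a device sits on, using the same naming as the post's "type"
criteria (dns_server, http_client, ...). Assumption: the server port
identifies the protocol, which is good enough to illustrate the idea.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed port -> protocol prefix for the role tags used in the post.
PORT_ROLES = {
    53: "dns", 80: "http", 443: "ssl", 445: "cifs",
    25: "smtp", 1494: "ica", 3306: "db", 1433: "db",
}


@dataclass(frozen=True)
class Flow:
    """One observed client -> server exchange (constructed sample data)."""
    client_ip: str
    server_ip: str
    server_port: int


def roles_from_flows(flows):
    """Return {ip: {"dns_server", "http_client", ...}} from observed flows."""
    roles = defaultdict(set)
    for f in flows:
        proto = PORT_ROLES.get(f.server_port)
        if proto is None:
            continue  # unknown service: no role assigned from this flow
        roles[f.server_ip].add(f"{proto}_server")
        roles[f.client_ip].add(f"{proto}_client")
    return dict(roles)


class StaticGroup:
    """Membership is fixed at creation; new activity never changes it."""

    def __init__(self, name, members):
        self.name = name
        self._members = frozenset(members)

    def members(self, roles):
        return set(self._members)


class DynamicGroup:
    """Membership is recomputed from current activity every evaluation."""

    def __init__(self, name, type_criterion):
        self.name = name
        self.type_criterion = type_criterion  # e.g. "dns_server"

    def members(self, roles):
        return {ip for ip, tags in roles.items() if self.type_criterion in tags}


def unsanctioned_members(group, roles, sanctioned):
    """Devices the group now contains that are not on an allow-list.

    Assumed use: a dynamic DNS Servers group surfaces any host that starts
    answering queries, so diffing it against the known resolvers flags an
    unexpected (possibly rogue) DNS server.
    """
    return group.members(roles) - set(sanctioned)


# Constructed traffic: two known resolvers and a web server, then a new
# host 10.0.9.99 that begins answering DNS queries.
INITIAL_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", 53),
    Flow("10.0.1.11", "10.0.0.54", 53),
    Flow("10.0.1.10", "10.0.2.80", 80),
]
NEW_FLOWS = INITIAL_FLOWS + [Flow("10.0.1.12", "10.0.9.99", 53)]
SANCTIONED_DNS = {"10.0.0.53", "10.0.0.54"}


def demo():
    """Evaluate both group kinds before and after the new DNS server appears."""
    static = StaticGroup("DNS Servers (static)", SANCTIONED_DNS)
    dynamic = DynamicGroup("DNS Servers", "dns_server")
    before = roles_from_flows(INITIAL_FLOWS)
    after = roles_from_flows(NEW_FLOWS)
    return {
        "static_before": static.members(before),
        "static_after": static.members(after),
        "dynamic_before": dynamic.members(before),
        "dynamic_after": dynamic.members(after),
        "unsanctioned": unsanctioned_members(dynamic, after, SANCTIONED_DNS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value)}")
```

Running it shows the static group holding the two original resolvers throughout, while the dynamic group grows to three members once 10.0.9.99 answers on port 53; the allow-list diff then isolates that one host. Any trigger or alert assigned to the dynamic group would apply to the new device with no manual step, which is the reason to prefer dynamic groups for server roles you want watched.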