Manage TDR Groups
In Threat Detection and Response, you can create groups of the hosts on your network. With these groups, you can:
- Specify a group name in a policy to configure different policies for different hosts.
For more information, see Configure TDR Policies.
- See and manage Host Sensors, group membership, and Host Sensor settings for a group.
For more information, see Manage Hosts In a Group.
TDR supports three types of groups:
Active Directory Group
Active Directory groups are created in TDR when AD Helper sends the device group information from your Active Directory server to TDR. You manage membership in these groups on your Active Directory domain controller. You can synchronize the Active Directory group on your Active Directory server with TDR from the Groups page in the TDR web UI.
Host Group
You can add a Host group, which is a list of hosts. A host can be a member of only one Host group. An Operator can manage Host Sensors for members of the group and configure Host Sensor settings specific to the group. You can create and add members to a Host Group from the Groups page or from the Hosts page.
The easiest way to add multiple hosts to a group is from the Hosts page. For more information, see Manage TDR Hosts and Host Sensors.
IP Subnet Group
You can add an IP Subnet group, which is for a specific IPv4 subnet. The group includes hosts with IP addresses in the IP subnet specified for the group.
The Groups page appears only for users with Analyst or Operator credentials. A user with Analyst credentials can see information about groups but cannot edit them.
From the Groups page, a user with Operator credentials can:
- Synchronize Active Directory groups
- Add, edit, and remove IP Subnet and Host groups
- Edit the members of a Host Group
- Install and remove Host Sensors for members of a Host group
- Configure Host Sensor settings for a Host group
See Threat Detection and Response Groups
To see the list of groups:
- Log in to the TDR web UI as a user with Operator or Analyst credentials.
- Select Configuration > Groups.
- To see information for a Host group, adjacent to the group name, click .
The hosts in the group and Host Sensor settings for the group appear.
A user with Operator credentials can add and edit IP Subnet and Host groups on this page. An Operator can also manage host sensor settings, and install and remove Host Sensors for members of a group.
Synchronize an Active Directory Group
From the Groups page, an Operator can synchronize the Active Directory groups. When you synchronize a group, AD Helper gets updated information about the group from the Active Directory domain controller and updates the group information in your TDR account.
To synchronize an Active Directory group:
- On the Groups page, adjacent to an Active Directory group, click .
- Select Sync Group.
A confirmation message about whether you want to synchronize the group appears.
- Click Yes, Sync.
You must synchronize an Active Directory group before you can expand it on the Groups page or change the Host Group membership for members of the Active Directory group.
Add a Group
From the Groups page, you can add a Host group or an IP Subnet group.
You can also use the Change Host Group action to add a Host Group for selected hosts. For more information, see Manage TDR Hosts and Host Sensors.
When you add a Host group, you specify the hosts in the group by name. Before you can add hosts to the group, you must know the names of the hosts. Because you can configure different Host Sensor settings for each group, a host cannot be a member of more than one Host group.
To add a Host group:
- On the Groups page, click Add Group.
The Add Group dialog box appears.
- In the Group Name text box, type a name for this group.
- From the Type drop-down list, select Host. This is the default option.
- In the Hosts text box, to search for a host name, type at least three characters from the host name.
Host names that contain the characters you type appear below the text box.
- Select the host name to add.
The host name is added to the Group Details section.
- Repeat the previous two steps for each host to add.
- To remove a host, adjacent to the host name, click .
- Click Save & Close.
To add an IP Subnet group:
- On the Groups page, click Add Group.
The Add Group dialog box appears.
- In the Group Name text box, type a name for this group.
- From the Type drop-down list, select IP Subnet.
- In the Network Address text box, type the IP address of a host or network.
- In the Subnet Mask text box, type the subnet mask for the IP address.
- Click Save & Close.
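A planning check for the two procedures above, as an added example that is not part of the TDR product or this documentation: it flags hosts listed in more than one Host group, flags host names missing from the inventory, and lists which hosts an IP Subnet group's Network Address and Subnet Mask would cover. It assumes the subnet is the network that contains the typed address; the inventory, group names, and function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory (host name -> IPv4 address); not real hosts.
INVENTORY = {
    "ws-finance-01": "10.0.1.25",
    "ws-finance-02": "10.0.1.77",
    "srv-db-01": "10.0.2.10",
    "kiosk-lobby": "192.168.50.4",
}

# Planned Host groups: group name -> host names, as typed in the Hosts text box.
HOST_GROUPS = {
    "Finance Workstations": ["ws-finance-01", "ws-finance-02"],
    "Servers": ["srv-db-01", "ws-finance-02"],   # ws-finance-02 listed twice
    "Kiosks": ["kiosk-lobby", "kiosk-cafe"],     # kiosk-cafe not in inventory
}

# Planned IP Subnet groups: group name -> (Network Address, Subnet Mask).
SUBNET_GROUPS = {
    "Finance LAN": ("10.0.1.25", "255.255.255.0"),  # host address, not network
    "Server LAN": ("10.0.2.0", "255.255.255.0"),
}


def host_group_conflicts(host_groups):
    """Return {host: [groups]} for hosts planned into more than one Host group."""
    seen = defaultdict(list)
    for group, hosts in host_groups.items():
        for host in hosts:
            seen[host].append(group)
    return {h: g for h, g in seen.items() if len(g) > 1}


def unknown_hosts(host_groups, inventory):
    """Return host names used in the plan that are missing from the inventory."""
    planned = {h for hosts in host_groups.values() for h in hosts}
    return sorted(planned - set(inventory))


def subnet_members(network_address, subnet_mask, inventory):
    """Return (normalized network, sorted host names whose address is inside it)."""
    # strict=False accepts a host address and masks it down to its network
    # (assumption of this example about how the two text boxes combine).
    net = ipaddress.IPv4Network(f"{network_address}/{subnet_mask}", strict=False)
    members = sorted(
        name for name, ip in inventory.items() if ipaddress.IPv4Address(ip) in net
    )
    return str(net), members
```

Resolve every conflict and unknown name before you enter the groups in the Add Group dialog box, because a host cannot be a member of more than one Host group.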
Edit or Remove a Group
To edit or remove an IP Subnet or Host group, you must log in to TDR with Operator credentials.
To edit a group:
- In the Groups list, adjacent to the group to edit, click .
- Select Edit Group.
The Edit Group dialog box appears.
- Edit the group information as described in the previous procedure.
- Click Save & Close.
To remove a group:
- In the Groups list, adjacent to the group to remove, click .
- Select Remove Group.
A confirmation message appears.
- Click Yes, Delete.
When you remove a group, the group is automatically removed from all policies that included it.
Manage Hosts In a Group
From the Groups page, you can see information about the hosts in a group and manage the Host Sensors and Host Sensor settings for the group. You can expand any group that includes at least one host.
To manage Hosts in a group, adjacent to that group, click .
The group information appears on two tabs:
- Hosts — Shows the hosts in the group and includes network, OS, and the Host Sensor status for each host
- Host Sensor Configuration — Host Sensor settings for hosts in the group; you can configure Host Sensor settings for the group that take precedence over the global Host Sensor settings specified by the Administrator
On the Hosts tab, you can see information about the hosts in this group, and manage Host Sensors and group membership.
You can complete these actions for hosts:
- Change Host Group — Change the Host Group the host is a member of
- Install Sensor — Use AD Helper to install a Host Sensor on a Windows host
- Remove Sensor — Uninstall a Host Sensor from a host
- Acknowledge Manually Removed — Acknowledge that a Host Sensor has been manually uninstalled from a host
To install or remove Host Sensors for one or more hosts in a group:
- On the Groups page, adjacent to the group to manage, click .
The host information dialog box for that group appears.
- On the Hosts tab, select the check box adjacent to one or more hosts.
- From the Actions drop-down list, select an option.
The drop-down list shows the number of selected hosts each available action applies to.
The Confirm Action dialog box appears with the list of hosts the action applies to.
- To confirm the action, click Execute Action.
To remove a Host Sensor from a single host, in the Install State column, click .
For information about how to manually uninstall a Host Sensor from a host, see Uninstall TDR Host Sensors.
From the list of hosts within a group you can change the Host Group a Host is a member of. This removes the host from the current group and adds it to another group. You can also remove a Host from all groups.
To change the Host Group for one or more Hosts:
- Select Devices > Hosts.
- Select the check box adjacent to one or more hosts in the list.
- From the Actions drop-down list, select Change Host Group.
The Change Host Group dialog box appears.
- Start to type the name of the group. This can be an existing group or a new group.
As you type, the names of existing groups and the option to add a new group appear below the text box.
- Select the group, or select the option to add the new group with the name you typed.
The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is added.
To remove one or more Host Sensors from a Host Group:
- Select the check box adjacent to one or more hosts in the list.
- From the Actions drop-down list, select Change Host Group.
The Change Host Group dialog box appears.
- Select No Group.
Each selected host is removed from the Host Group it was previously a member of.
In the group configuration, you can specify Host Sensor settings that apply to only the group. The settings you specify for a group take precedence over the global Host Sensor settings configured by the Administrator.
The Host Sensor configuration includes these settings:
- Host Sensor Settings — Control the allowed actions of the Host Sensor.
- Host Sensor Driver Configuration Settings — Enable and disable settings for the Host Sensor driver. We recommend you keep the default settings unless you have configured Host Groups with group-specific Host Sensor settings.
For more information about recommended Host Sensor settings for different types of hosts, see TDR Deployment Best Practices.
To see more information about each setting, adjacent to each setting, click .
For most Host Sensor settings, a switch shows whether the setting is enabled or disabled.
— The feature is enabled
— The feature is disabled
To change each setting, click the switch.
To specify the Host Sensor settings for a group:
- On the Groups page, adjacent to the group to manage, click .
The host information dialog box for that group appears.
- Select the Host Sensor Configuration tab.
- To enable the Host Sensor settings for this group, click the Override Host Sensor settings for this group switch.
- Configure the Host Sensor settings for this group.
For more information about these settings, see Configure TDR Host Sensor Settings.
- Click Save.