Dynamic groups
General FAQs
What are dynamic groups?
Dynamic groups is a feature that lets users define rules, written as regular expressions (regex), that automatically sort hosts and accounts into groups and keep that membership up to date as the environment changes.
Why is managing group membership important?
Having well-defined groups improves signal quality, because triage rules can be defined in terms of groups.
The importance assigned to a group influences the prioritization (scoring) of its member entities in RUX deployments.
Groups are displayed for entities which can give key context to analysts when interpreting signal in the Vectra UI.
How does dynamic groups work?
Users specify regular expressions (regex) in the Vectra UI for sorting hosts and accounts into groups.
Vectra then checks all actively observed hosts and accounts and adds any that match to that group.
Vectra re-evaluates dynamic group membership on an ongoing basis.
Please see "Why are not all hosts appearing in the dynamic group?" in the Technical FAQs section below for more details on what "actively observed" means.
Any new host or account will be added to the relevant group automatically after our system observes it.
What does dynamic groups affect?
Dynamic groups have the same function as ordinary static groups.
Triage filters are applied to hosts and accounts based on their group membership, and the importance assigned through group membership influences the prioritization of attack signal.
How do users set up dynamic groups?
Settings for Dynamic Groups can be found directly on the Vectra AI Platform under Manage > Groups.
When you click "Create Group," one of the options for group creation is "Build Using...", where you can choose "Regex" or "Static Members".
When you select "Regex," the UI generates a preview of the hosts in your environment that match the regex before you confirm group creation.
Additional guidance will be given in the Configuration and Management section.
Is this available on RUX, QUX, or both?
Dynamic groups was initially released for Respond UX (RUX).
Quadrant UX (QUX) deployments are supported as of version 9.0 of Vectra software.
Does this affect any current group management settings?
No. Existing groups are not impacted.
Conversion of groups from static to dynamic and from dynamic to static is supported from early March in RUX deployments.
This will allow existing triage rules to make use of dynamic groups without having to rebuild the triage rules.
Conversion between group types for QUX deployments is supported as of the v9.1 release.
Is this feature free?
Yes, this is a standard part of the Vectra AI Platform and has no cost.
Configuration and Management
Creating a Dynamic Group
To configure dynamic groups, navigate in your Vectra UI to Manage > Groups.
Click the "Create Group" button and input or choose the following:
Name - a name for the group
Type - only Host and Account types are supported for the Dynamic Groups feature
    Host
    Domain
    IP
    Account
Build Using... - the type of group (Regex or Static Members)
    Choose the Regex option for Dynamic Groups
Importance - the importance of the group members
    High
    Medium
    Low
Description - enter a description of your choice

Enter a regex expression.
Leave off the ^ at the beginning and the $ at the end of any regex. The system adds them automatically, so every pattern is matched against the whole host or account name.

If you click the "Run Preview" button you can see sample matches from your environment along with a count of expected members:

Click "Create Group & Add Members".
You will return to a detail page for the group. To add or manage additional groups, click the "Groups" button to return to the full list of Groups on the Manage > Groups page.

Managing an Existing Dynamic Group
Managing existing groups allows for:
Changing the details such as the name, importance, or description of a Dynamic Group.
Changing the regex pattern associated with a Dynamic Group.
Searching for specific members in a Dynamic Group.
Downloading a .csv (up to 5,000 members) containing entities in a Dynamic Group.
To manage an existing Dynamic Group simply click on the group name in the list of groups on the Manage > Groups page.
The green arrows show the locations where you can manage the group:
Group details can be changed with the "Edit Details" button.
The group can be deleted with the "Delete Group" button.
The regex can be changed by clicking on the pencil icon next to the regex expression.
You can search for specific members in the search box.
A .csv of group members can be downloaded using the "Download CSV" button on the right.

When changing the regex pattern that defines a dynamic group, you will see the members that will be added and the members that will be removed, and you are given a chance to preview any impact the change could have before saving it. Below are some sample screenshots. These are not related to the prior example screenshot.
After clicking the pencil icon to edit a regex pattern:

After clicking the "Preview Impact" button to see what changes would happen if you save the change:

Click the "Save" button to save the changes to the filters and have the system reprocess detections as was shown in the "Preview Impact" view.
Converting Between Group Types
Conversion from a static group to a dynamic group and from a dynamic group to a static group are both supported in RUX as of the early March release. This same functionality is available for QUX deployments starting in the 9.1 release.
Please keep in mind the following when converting between group types:
Each conversion operation, static to dynamic and dynamic to static, is a unique operation that maintains no knowledge of the prior group's members after the conversion has occurred.
In this sense, the conversion operation is irreversible, but you are free to convert from static to dynamic and then from dynamic to static.
Consider the following scenario to better understand this concept:
A static group that contains 100 members is converted to a dynamic group where the regex that defines the group members matches 75 entities at the time of conversion.
After the conversion happens, the resulting dynamic group contains 75 entities, but this will change on an ongoing basis as new matches are found or existing members are removed due to inactivity.
If that dynamic group is then later converted to a static group, the resulting static group will only contain the members that exist at the time it is converted back to a static group.
This would be 75 members assuming that no new members were added by the regex and no existing members were removed due to inactivity.
It is not possible to automatically get back to the original 100 members, they would need to be added manually.
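The scenario above, together with the "actively observed within the past 90 days" rule from the Technical FAQs, can be modelled in a few lines. The following is an added example written for this page; it is not Vectra code and does not call the Vectra API. The entity names, the last-seen timestamps and the 90-day window applied in `is_actively_observed` are constructed assumptions that mirror the documented behaviour: a dynamic group only ever holds actively observed entities that fully match the anchored regex, and each conversion keeps no memory of the previous membership.

```python
import re
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(days=90)  # "actively observed" = seen within the past 90 days

# Constructed sample data: entity name -> last time traffic or logs for it were observed.
NOW = datetime(2024, 6, 1)
LAST_SEEN = {
    "fabien-pc": NOW - timedelta(days=1),
    "piper-desktop": NOW - timedelta(days=10),
    "old-laptop": NOW - timedelta(days=120),  # matches the regex, but no longer actively observed
    "build01": NOW - timedelta(days=2),       # actively observed, but does not match the regex
}

# A static group is just a list of names; it is never filtered by activity.
STATIC_GROUP = ["fabien-pc", "piper-desktop", "old-laptop", "build01"]

# Pattern written as the UI expects it (no ^ or $); the system anchors it.
PATTERN = r"[a-zA-Z]+-[a-zA-Z]+"


def is_actively_observed(entity, last_seen, now=NOW):
    """True when the entity was seen inside the 90-day window (assumed definition)."""
    return entity in last_seen and now - last_seen[entity] <= ACTIVE_WINDOW


def evaluate_dynamic_group(pattern, last_seen, now=NOW):
    """Membership = actively observed entities whose whole name matches the anchored regex."""
    compiled = re.compile(f"^{pattern}$")
    return sorted(e for e in last_seen
                  if is_actively_observed(e, last_seen, now) and compiled.match(e))


def convert_static_to_dynamic(static_members, pattern, last_seen, now=NOW):
    """Mirror the conversion preview: what the regex adds, what it drops, and the result.
    The old static list is discarded afterwards; only the regex defines the group."""
    dynamic_members = evaluate_dynamic_group(pattern, last_seen, now)
    return {
        "members": dynamic_members,
        "added": sorted(set(dynamic_members) - set(static_members)),
        "removed": sorted(set(static_members) - set(dynamic_members)),
    }


def convert_dynamic_to_static(pattern, last_seen, now=NOW):
    """Freeze the membership as it stands right now; the regex is discarded afterwards."""
    return evaluate_dynamic_group(pattern, last_seen, now)


def round_trip(static_members, pattern, last_seen, now=NOW):
    """static -> dynamic -> static, reporting which original members cannot come back."""
    as_dynamic = convert_static_to_dynamic(static_members, pattern, last_seen, now)
    static_again = convert_dynamic_to_static(pattern, last_seen, now)
    return {
        "original": sorted(static_members),
        "dynamic": as_dynamic,
        "static_again": static_again,
        "lost": sorted(set(static_members) - set(static_again)),
    }


def re_observe(last_seen, entity, when):
    """Return a copy of the observation table with the entity seen again at `when`."""
    updated = dict(last_seen)
    updated[entity] = when
    return updated


if __name__ == "__main__":
    result = round_trip(STATIC_GROUP, PATTERN, LAST_SEEN)
    print("original static members :", result["original"])
    print("after rebuild with regex:", result["dynamic"])
    print("after rebuild as static :", result["static_again"])
    print("must be re-added by hand:", result["lost"])
    # An inactive entity that matches the regex rejoins once it is observed again.
    seen_again = re_observe(LAST_SEEN, "old-laptop", NOW)
    print("after old-laptop is seen:", evaluate_dynamic_group(PATTERN, seen_again))
```

Two things the run makes visible: `build01` is dropped because it does not match the regex, while `old-laptop` is dropped only because it is outside the activity window, and neither comes back when the group is rebuilt as static. Re-observing `old-laptop` puts it back into the dynamic group without any manual action, exactly as the conversion notes describe.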
Conversion from a static to a dynamic group
From the Manage > Groups page, find the group that you want to convert and click on it.

In the Group Details area, click on "Rebuild With Regex".
Enter a regex and then click on "Run Preview" in the bottom section of the dialog.

A sampling of new members that will be added based on the regex is displayed in the left preview column along with a count of how many will be added.
Existing members of the static group will not be displayed here, this is only showing members that will be added to the resulting dynamic group.
The left column could be blank if no new members will be added to the existing static group by the conversion to dynamic.
In the right preview column will be one of two things:
A sampling of members that will be removed because they don't match the regex.
A statement that "No members will be removed" which means that all actively observed members of the original static group are also captured in the regex that will define the membership in this new dynamic group.
It is important to remember that dynamic groups will only contain actively observed entities as members.
It is possible that the original static group contained entities that will no longer be present in the dynamic group after conversion even though they would match the regex.
Please see the Technical FAQs section and "Why are not all hosts appearing in the dynamic group" for more details on what actively observed means.
If an entity becomes actively observed again, it would become a part of the dynamic group.
Click "Preview Impact" when you are ready to move to the next step of the conversion.

The above example shows a case where members that were in the static group will be removed from the resulting dynamic group, so there will be impacts to previously triaged detections.
If this is expected, go ahead and click the "Rebuild with Regex" button and you will be done.
If this is not expected, you can "Cancel" or go "Back" to change your regex.

The above example shows a case where there will be no triage impacts to detections. If this is expected, click the "Save" button to save your new dynamic group.
Conversion from a dynamic to a static group
From the Manage > Groups page, find the group that you want to convert and click on it.

In the Group Details area, click on "Rebuild As Static".

Confirm that you want to rebuild the existing dynamic group as a static group and then click "Rebuild As Static".

The group is now a static group and if desired it can be rebuilt as a dynamic group in the future.
Example Regex Patterns and Resources
Resources:
Search the internet for "regex cheat sheet" - there are many good options out there.
https://regexr.com is a website that provides an easy to use interface to test various regex filters against test data sets.
Remember to remove the leading ^ and trailing $ from any regexes you get from there.
Various LLMs such as ChatGPT can easily provide working regex examples when you give a natural language prompt.
Remember to remove the leading ^ and trailing $ from any regexes you get from there.
Here is an example where I asked ChatGPT to create a regex:
Regex Examples:
Generic Host Containers
IP-(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])

Finds name-name hosts such as fabien-pc, piper-desktop, etc.
[a-zA-Z]+-[a-zA-Z]+

Ending in corp.example.com
[a-zA-Z0-9._%+-]+@corp\.example\.com
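The three patterns above, and the instruction in the group-creation steps to leave off ^ and $, are easiest to understand by running them. The block below is an added example written for this page, not Vectra code: the entity names are constructed, and the `anchor` helper assumes the documented behaviour that the system wraps the saved pattern in ^ and $ so it must match the whole name. It also contrasts that with unanchored search, which is what regex testers show by default, so you can see which names a tester would report that the group preview will not count.

```python
import re

# Sample host and account names (constructed for this example, not from any real deployment).
SAMPLE_ENTITIES = [
    "fabien-pc",
    "piper-desktop",
    "fabien-pc-01",                        # three parts: not a "name-name" host
    "IP-10.0.0.5",
    "IP-192.168.300.1",                    # 300 is not a valid octet
    "IP-172.16.4.20",
    "alice@corp.example.com",
    "alice@corpXexampleXcom",              # would slip through if the dots were not escaped
    "bob@corp.example.com.attacker.test",  # only matches if the pattern is not anchored
    "svc-backup",
]

# The patterns from the page, written as the UI expects them (no ^ or $).
OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
PATTERNS = {
    "ip-hosts": rf"IP-{OCTET}\.{OCTET}\.{OCTET}\.{OCTET}",
    "name-name-hosts": r"[a-zA-Z]+-[a-zA-Z]+",
    "corp-accounts": r"[a-zA-Z0-9._%+-]+@corp\.example\.com",
}


def anchor(pattern):
    """Assumed system behaviour: the saved regex is wrapped in ^ and $ automatically."""
    return f"^{pattern}$"


def dynamic_group_members(pattern, entities):
    """Entities the anchored regex matches in full: what the Run Preview count reflects."""
    compiled = re.compile(anchor(pattern))
    return [e for e in entities if compiled.match(e)]


def search_style_matches(pattern, entities):
    """Unanchored substring matching, the default in regex testers such as regexr."""
    compiled = re.compile(pattern)
    return [e for e in entities if compiled.search(e)]


def preview(name, entities=SAMPLE_ENTITIES):
    """Summarise one pattern: members, count, and names only an unanchored tester would show."""
    pattern = PATTERNS[name]
    members = dynamic_group_members(pattern, entities)
    loose = search_style_matches(pattern, entities)
    return {
        "pattern": anchor(pattern),
        "count": len(members),
        "members": members,
        "only_in_unanchored_test": sorted(set(loose) - set(members)),
    }


if __name__ == "__main__":
    for name in PATTERNS:
        result = preview(name)
        print(f"{name}: {result['count']} member(s) -> {result['members']}")
        if result["only_in_unanchored_test"]:
            print("   matched by an unanchored tester but NOT by the group:",
                  result["only_in_unanchored_test"])
```

The corp-accounts case is the one worth remembering: an unanchored test reports `bob@corp.example.com.attacker.test`, but the group will not contain it because the system-added `$` requires the name to end at `corp.example.com`. The same anchoring is why `fabien-pc-01` is not a name-name host, and why the escaped dots in the address pattern matter.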

Technical FAQs
Why are not all hosts appearing in the dynamic group?
To ensure that group membership is active and correct, Vectra will only include hosts or accounts in groups where they have been actively observed within the past 90 days.
"Actively observed" is defined as follows:
For hosts, this means your deployment has observed network traffic to or from the host entity in the past 90 days.
For accounts there are essentially three different scenarios.
Account entities that are based on observed network traffic (kerberos, etc).
Account entities that are based on logs (M365/AAD, AWS, etc).
Account entities that are linked due to Automatic Account Linking with AD Context.
Account linking is an option that is configured as described in Configuring Active Directory (AD) integration with Vectra NDR.
Linked accounts would show one account entity to cover both the network observed account entity and the log based account entity.
In the above account scenarios, either of the following makes the entity "actively observed":
Network traffic is observed that contains the account entity.
New detections are created that are attributed to the account entity (linked or based solely on logs) that are based on observed logs in the configured data source (M365, AAD, AWS, etc).
Please note that the in-product "Active or Inactive" status only refers to whether the entity in question has active detections attributed to it.
Why are some accounts that I see in some detection details not matched when previewing or viewing a dynamic group?
For an account to match in a dynamic group, the account must be a full account entity in the Vectra system. Accounts that show, for example, as a target for an SMB Account Scan detection may or may not be account entities in Vectra; Vectra does not create account entities when the target is only seen in SMB traffic. If the account in question cannot be found as an account entity in the system, it will not show in a preview or view of a dynamic group. If the account later becomes an account entity, it will match the regex and show as a member of the group.
Regex is difficult to learn. Is there assistance available?
There is a guide for building regex directly in the Dynamic Groups creation window. Regex may be hard to master but ultimately it allows for fine grained control over exact group membership.
Can other group types be managed as dynamic groups?
No, Host and Account groups are the only group types that are supported by the Dynamic Groups feature.
IP groups already support CIDR notation to define subnets, which covers the cases where regex would otherwise be wanted for IP groups.
Can static groups be migrated to regex?
This is supported from early March for RUX deployments.
Groups can also be converted from regex to static.
Conversion between group types for QUX deployments is supported as of the v9.1 release.
Can a group contain both static and regex entries in the same group?
This is not currently possible due to architectural limitations.
How fast will customers see updates on hosts in the dynamic group?
Vectra's Service Level Objective (SLO) for membership and scoring updates is 1 hour, but in the majority of cases, we are seeing updates occurring within a minute.
Can customers download a CSV of the dynamic group?
For customers looking to verify membership, they can download a CSV file from the manage groups page with up to 5,000 members.
Are changes made to dynamic groups logged?
Yes, changes are logged in the audit log which is available via the API in both RUX and QUX deployments.
Can I manage dynamic groups using the API?
Yes, details are available in the Vectra Platform API Guide v3.4 (RUX) for RUX deployments.
Yes, details are available in the REST API Guide v2.5 (QUX) for QUX deployments.