GroupSet

The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on Deep Security Agents. To enable and configure Integrity Monitoring, see Set up Integrity Monitoring.

GroupSet represents a set of groups. Note these are local groups only.

Tag Attributes

These are XML attributes of the tag itself, as opposed to the attributes of the Entity monitored by Integrity Monitoring Rules.

Attribute Description Required Default Value Allowed Values
onChange Will be monitored in real time No false true, false

Entity Set Attributes

These are the attributes of the entity that can be monitored:

  • Description: (Windows only) The textual description of the group.
  • Group: The group ID and name. The group name is part of the entity key, but it's still important to be able to monitor the group ID-name pairing in case groups are renamed and given new IDs. Operating systems generally enforce security based on its ID.
  • Members: A comma separated list of the members of the group.
  • SubGroups: (Windows only) A comma separated list of sub-groups of the group.

Short Hand Attributes

  • Standard: Group Members SubGroups

Meaning of "Key"

The key is the group's name. This is not a hierarchical Entity Set. Patterns are applied only to the group name. As a result the "**" pattern is not applicable. The following example monitors the "Administrators" group for additions and deletions. (The "Member" attribute is included implicitly because it is a part of the STANDARD set, and no attributes are explicitly listed.)

<GroupSet>
<include key="Administrators" />
</GroupSet>

Include and Exclude

See About the Integrity Monitoring rules language for a general description of Include and Exclude and their allowed attributes and sub elements.