Download PDF

View Table of Contents

Product Requirements

All ExtraHop systems

Thank you! We will contact you soon to ask how we can improve our documentation. We appreciate your feedback.

Was this topic helpful?

Yes No

Thank you for your feedback. Can we contact you to ask follow up questions?

How can we improve?

Need more help?

Ask the Community

Create a device group

You can create device groups that gather metrics for all of the specified devices in a group. With device groups, you can still view metrics for each individual device or group member. Device groups can also be set as a metric source.

Users with limited write privileges can create and edit both dynamic and static device groups.

Create a dynamic device group to automatically add all devices that match specified criteria to the group.
Create a static device group to manually add each device.

Here are some performance considerations when creating a device group:

A high number of device groups with a large number of devices will take more time to process.
Static groups process faster than dynamic groups and are recommended for a set group of devices.
Dynamic groups with complex criteria might have a higher performance cost.

Create a dynamic device group

You can create dynamic device groups with complex filters, which enable you to specify multiple criteria and create nested groups of criteria.

Tip:

You can quickly create a dynamic device group from a filtered list of devices on the Devices page. Click Create Dynamic Group from the upper right corner.

You can also create a dynamic device group from a built-in device group. From the Assets page, click a role or protocol, update the filter criteria, and then click the Save icon from the upper right corner.

Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
From the top menu, click Assets and then click the Device Groups chart.
Click Create Device Group.
In the Group Name field, type a descriptive name to identify the group
(Optional): From the Editors drop-down menu, select users with limited write privileges that can edit this device group. This global privilege must be enabled from the Administration settings.
- The list only displays limited write users with active accounts.
- Only a user with edit permission for a device group can add other limited write users.
(Optional): In the Description field, add information about this device group.
In the Group Type section, click Dynamic.
In the Filter Criteria section, Name and select one of the following categories from the drop-down menu:

Click Name and select one of the following categories from the drop-down menu:

Option

Description

Name

Filters devices by the discovered device name. For example, a discovered device name can include the IP address or hostname.

MAC Address

Filters devices by the device MAC address.

IP Address

Filters devices by IP address in IPv4, IPv6, or CIDR block formats.

Site

Filters devices associated with a connected site.

Console only.

Discovery Time

Filters devices automatically discovered by the ExtraHop system within the specified time interval. For more information, see Create a device group based on discovery time.

Analysis Level

Filters devices by analysis level, which determines what data and metrics are collected for a device.

You cannot create a dynamic device group for devices filtered by analysis level.

Model

Filters devices by make, family, or model name. The make represents the manufacturer of the device. A family represents a grouping such as a product line. The following tips can help you find the device model you want:

You can select from a list of makes found on your ExtraHop system and then click the filter to refine results.
You can display hovertips next to makes and families to view how many devices and matching models were found.
You can select a make or a family to find all devices in that group, regardless of model.

Cloud-updated Properties

Filters devices by cloud-updated properties obtained from integrations that are configured on your ExtraHop system such as CrowdStrike. The filter name is the vendor or partner associated with the integration. Cloud-updated properties vary by integration.

Activity

Filters devices by protocol activity associated with the device. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with a device role set to HTTP Server.

Also filters devices that accepted or initiated an external connection, which can help you determine whether devices are engaged in suspicious activity.

CDP Name

Filters devices by the CDP name assigned to the device.

Cloud Account

Filters devices by the cloud service account associated with the device.

Available if you add cloud instance properties through the REST API.

Cloud Instance ID

Filters devices by the cloud instance ID associated with the device.

Available if you add cloud instance properties through the REST API.

Cloud Instance Name

Filters devices by the cloud instance name assigned to the device.

Available if you add cloud instance properties through the REST API.

Cloud Instance Type

Filters devices by the cloud instance type associated with the device.

Available if you add cloud instance properties through the REST API.

Cloud Subnet ID

Filters devices by the cloud subnet ID associated with the device.

Available if you add cloud instance properties through the REST API.

Currently Active

Filters devices by activity observed on a device in the last 30 minutes.

Custom Name

Filters devices by the custom name assigned to the device.

Detection Activity

Filters devices with detection activity where the device was a participant. Enables additional criteria such as category, risk score, and MITRE technique.

Note:

You cannot create a device group that contains this criteria option.

DHCP Name

Filters devices by the DHCP name assigned to the device.

DNS Name

Filters devices by any DNS name assigned to the device.

High Value

Filters devices that are considered high value because they provide authentication services, support essential services on your network, or are user-specified as high value.

NetBIOS Name

Filters devices by the NetBIOS name assigned to the device.

Network Locality Name

Filters devices by network locality name.

Network Locality Type

Filters devices by all internal or external network localities.

Role

Filters devices by the assigned device role, such as gateway, firewall, load balancer, and DNS Server.

SHA-256 File Hash

Filters devices on which files hashed by the SHA-256 hashing algorithm has been observed. You can view a table of hashed files on the Files page.

Software

Filters devices by operating system software detected on the device.

Software Type

Filters devices by the type of software observed on the device such as attack simulator, remote access, or database server.

Tag

Filters devices by user-defined device tags.

User

Filters devices by the username of a user observed on the network.

The username is extracted from observed network traffic or an authentication protocol or application, such as LDAP or Active Directory.

You can view a table of active network users on the Users page.

Vendor

Filters devices by the device vendor name, as determined by the Organizationally Unique Identifier (OUI) lookup.

Virtual Private Cloud

Filters devices by the VPC associated with the device.

Available if you add cloud instance properties through the REST API.

VLAN

Filters devices by the device VLAN tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

Only available if the devices_accross_vlans setting is set to False in the running configuration file.

Select one of the following operators from the drop-down menu; the operators available are based on the selected category:

Option	Description
=	Filters devices that are an exact match of the search field for the selected category.
≠	Filters devices that do not exactly match the search field.
≈	Filters devices that include the value of the search field for the selected category.
≈/	Filters devices that exclude the value of the search field for the selected category.
starts with	Filters devices that start with the value of the search field for the selected category.
exists	Filters devices that have a value for the selected category.
does not exist	Filters devices that do not have a value for the selected category.
match	Filters devices that include the value of the search field for the selected category.
and	Filters devices that match the conditions specified in two or more search fields.
or	Filters devices that match at least one condition specified in two or more search fields.
not	Filters devices that do not match the conditions specified in a search field.

In the search field, type the string to be matched, or select a value from the drop-down menu. The input type is determined by the selected category.
For example, if you want to find devices based on Name, type the string to be matched in the search field. If you want to find devices based on Role, select from the drop-down menu of roles.
Tip: Depending on the selected category, you can click the Regex icon in the text field to enable matching by regular expression.
(Optional): Click the add filter icon and select Add Filter or Add Filter Group to specify more criteria at the top or secondary level of the filter.
For example, if you filter for devices names that start with "acct", you can add a new group of criteria that filters for a certain role or tag within the group of devices that start with "acct".
Click Save.

You can change the criteria by clicking the group you want to modify from the Device Groups page, and then clicking Properties.

Create a static device group

Tip:	From the Devices page, you can select the checkbox next to one or more devices and click Add to Group to quickly create a static device group or add devices to an existing group.

Log in to the ExtraHop system through https://<extrahop-hostname-or-IP-address>.
From the top menu, click Assets and then click the Device Groups chart.
Click Create Device Group.
In the Group Name field, type a name for the new group.
(Optional): From the Editors drop-down menu, select users with limited write privileges that can edit this device group. This global privilege must be enabled from the Administration settings.
- The list only displays limited write users with active accounts.
- Only a user with edit permission for a device group can add other limited write users.
(Optional): In the Description field, add information about this device group.
In the Group Type section, select Static.
Click Save.
Your device group is now created.
Add a specific device to your group.
1. Click the static device group you want and click Devices from the left pane.
2. Click the Find device... field top of the device table, type the name of the device you want, and then select the device from the list.
3. Click Add to Group.
Add devices with specified criteria to your group.
1. Click Devices in the left pane.
2. Find a device and then select the checkbox next to the devices you want to add to your group.
3. At the top of the device table, click Add to Group.
4. From the Add to Group dialog box, select Add to an existing group.
5. Select a device group from the Group drop-down menu.
6. Click Add to Group.

Next steps

Remove devices from a group by selecting the checkbox next to the device name and clicking Remove from Group in the upper right corner.

Last modified 2025-04-05

Documentation

Concepts

How To's

Walkthroughs

Admin Guides

API Guides

Deployment

Products

Network Detection and Response

Network Performance Monitoring

RevealX™ Platform

Customers

Community

Partners

Support

Training

Resources

Customer Stories

Integrations

Company

About Us

Careers

Newsroom

Events

Blog

Create a device group

Create a dynamic device group

Create a static device group