Configure agent membership in prevention groups

Endpoint Prevention is available to Managed Detection and Response and Managed Threat Complete customers who also have the Next-Generation Antivirus or Ransomware Prevention add-ons.

You can configure agent membership in your prevention groups by selecting eligible agents tracked by Agent Management. You can also apply filters using Agent Management's query language to make this selection process easier. This article covers the basics of the query language and how to configure agent membership in your groups.

You can configure group membership at install time

The Endpoint Prevention-edition Insight Agent installer supports a command line parameter that you can use to automatically assign the agent to an existing prevention group, which overrides the standard behavior of assigning newly installed agents to the default group. See the installation guide for instructions on how to do this.

How to use Agent Management's query language

Endpoint Prevention uses the same query language used by the overall Agents table in the Agent Management interface. Further, any queries you have saved in Agent Management are also available within a prevention group's agent membership configuration tool.

This query language allows you to select agent-related parameters, such as operating systems and IDs, and pair them with operators and values that you provide. The AND and OR operators also allow you to specify multiple criteria in a single query string. If your selected organization has a large number of agents, filtering what's available for selection with queries will make configuring prevention group membership much easier.

A practical query example

Consider this example query:

agent.platform CONTAINS "server" AND agent.timestamp > 8/1/2023 AND agent.semanticVersion = 3.3.3.27

Chained together with the AND operator, this query refines your selectable agents to those that satisfy all of the following criteria:

  • Agents that contain server in the operating system name (the intention being to retrieve all agents installed on an asset running an edition of Windows Server).
  • Agents that have most recently communicated with the Insight Platform later than August 1, 2023.
  • Agents running exactly version 3.3.3.27 of the Insight Agent software.

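
To make the semantics of that AND chain concrete, here is an added Python evaluator, written for this article and not Rapid7's implementation or any Insight API, that parses the example query and applies it to a constructed set of agent records. It assumes the dotted parameter names are used as record keys, that CONTAINS is a case-insensitive substring match (which is what lets "server" select Windows Server hosts), that dates are written M/D/YYYY, and that = compares the version string exactly; the agent records are made up.

```python
import re
from datetime import date

# Constructed sample agent records (not real data); field names mirror the
# parameters in the article's example query. agent.timestamp stands for the
# date the agent last communicated with the platform.
AGENTS = [
    {"agent.id": "a1", "agent.platform": "Windows Server 2019",
     "agent.timestamp": date(2023, 8, 15), "agent.semanticVersion": "3.3.3.27"},
    {"agent.id": "a2", "agent.platform": "Windows 10",
     "agent.timestamp": date(2023, 8, 20), "agent.semanticVersion": "3.3.3.27"},
    {"agent.id": "a3", "agent.platform": "Windows Server 2022",
     "agent.timestamp": date(2023, 7, 1), "agent.semanticVersion": "3.3.3.27"},
    {"agent.id": "a4", "agent.platform": "Windows Server 2016",
     "agent.timestamp": date(2023, 9, 2), "agent.semanticVersion": "3.3.2.10"},
]

EXAMPLE_QUERY = ('agent.platform CONTAINS "server" AND agent.timestamp > 8/1/2023 '
                 'AND agent.semanticVersion = 3.3.3.27')

# One comparison: <field> <operator> <value>; values may be double-quoted.
TERM = re.compile(r'^(?P<field>[\w.]+)\s+(?P<op>CONTAINS|>=|<=|!=|=|>|<)\s+'
                  r'(?P<value>"[^"]*"|\S+)$')
DATE = re.compile(r'^(\d{1,2})/(\d{1,2})/(\d{4})$')   # M/D/YYYY, as in the example


def parse_value(raw):
    """Quoted text is a string, M/D/YYYY is a date, anything else is kept verbatim."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    m = DATE.match(raw)
    if m:
        month, day, year = (int(g) for g in m.groups())
        return date(year, month, day)
    return raw


def parse_query(query):
    """Split a query on AND or OR into (connective, [(field, op, value), ...]).
    Mixing both connectives in one string is rejected because the article does
    not state precedence rules (conservative assumption of this evaluator)."""
    has_and, has_or = " AND " in query, " OR " in query
    if has_and and has_or:
        raise ValueError("mixed AND/OR is not supported by this evaluator")
    connective = "OR" if has_or else "AND"
    terms = []
    for chunk in query.split(f" {connective} "):
        m = TERM.match(chunk.strip())
        if not m:
            raise ValueError(f"cannot parse term: {chunk!r}")
        terms.append((m["field"], m["op"], parse_value(m["value"])))
    return connective, terms


def version_key(v):
    """Turn '3.3.3.27' into (3, 3, 3, 27) so versions order numerically."""
    return tuple(int(p) for p in str(v).split("."))


def eval_term(agent, field, op, value):
    """Evaluate a single comparison against one agent record."""
    actual = agent.get(field)
    if actual is None:
        return False
    if op == "CONTAINS":
        # Assumption: case-insensitive substring match.
        return str(value).lower() in str(actual).lower()
    if op == "=":
        return str(actual) == str(value)
    if op == "!=":
        return str(actual) != str(value)
    # Ordering operators: dates compare as dates, dotted versions numerically.
    if isinstance(actual, date) or isinstance(value, date):
        if not (isinstance(actual, date) and isinstance(value, date)):
            return False          # a date against a non-date never matches
        a, b = actual, value
    else:
        try:
            a, b = version_key(actual), version_key(value)
        except ValueError:
            return False          # free text has no defined ordering here
    return {">": a > b, "<": a < b, ">=": a >= b, "<=": a <= b}[op]


def select_agents(agents, query):
    """Return the ids of agents satisfying the query, in input order."""
    connective, terms = parse_query(query)
    combine = all if connective == "AND" else any
    return [a["agent.id"] for a in agents
            if combine(eval_term(a, f, op, v) for f, op, v in terms)]


if __name__ == "__main__":
    print(select_agents(AGENTS, EXAMPLE_QUERY))   # ['a1']
```

Only a1 survives: a2 is not a server platform, a3 last communicated before August 1, 2023, and a4 runs a different version. Dropping any one clause from the chain admits the record that failed only that clause, which is a quick way to see how much each criterion narrows the selection before you commit a group membership change.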
How to access the Agent Management interface

All aspects of your Endpoint Prevention program are configurable in the Agent Management experience of Insight Platform Home. Your Insight account must have either the Platform Administrator role or a Product Administrator role to access Agent Management:

  1. Go to https://insight.rapid7.com/login and sign in with your Insight account email address and password.
    • If you are not directed to Insight Platform Home upon successfully signing in, open the navigator in the upper left corner of your screen and click Insight Platform Home.
  2. Open the Data Collection tab in the left menu and click Agents.
    • Use the dropdown next to Agent Management to select the organization for which you want to configure Endpoint Prevention. If you only have access to 1 organization, it will already be selected.

To configure agent membership in a group:

  1. Click the Endpoint Prevention tab in Agent Management. The Prevention Groups subtab will already be selected.
  2. In your Prevention Groups table, browse to the custom prevention group you want to configure membership for and click its table row. The Edit Prevention Group interface will display.
  3. Scroll to the Select Agents section.
    • If the group is currently empty, click Add Agents to get started.
    • If the group already has member agents that you want to adjust, click Edit Agents.
  4. A window will display a table of all eligible Insight Agents attached to your currently selected organization. From here, you can manually select individual agents to move to this group using their corresponding check boxes, or select all of them with the universal check box in the top row of the table.
    • Note that the Agents table in this view lists all eligible agents in the organization and their current prevention group status.
    • As mentioned in the prevention group details, an agent can only be a member of one group at a time. Any agent you select here will be removed from its current group when it is added to this one.
  5. You can also apply a query to filter this list down to something more manageable to assist your selection process.
    • You can enter your query manually by providing input directly in the query field. Click this field to see a list of parameters that you can use. This list will narrow in scope as you enter text.
    • Alternatively, use the Queries dropdown to load any Agent Management query you have saved previously, or any you have used recently.
  6. After you finish selecting which agents should be assigned to this group, click Save.