topic StealthWatch host group baseline in Security Analytics

StealthWatch host group baseline

Bart G — Mon, 08 Feb 2021 19:54:56 GMT

Hi all,

I have a question about host group configurations and conflicting baseline configuration.

If I understand correctly the 'Enable baselining for Hosts in this Group' controls if hosts are baselined individually or if a baseline is taken for the whole host group. It makes sense to disable this for a host group that uses dynamic IP addresses

In the following example, what would be applied, individual baselining or host group baselining:

a host sits in 2 groups with different policies:
1. 'by location' > 'my campus': enable baselining turned on
2. 'by function' > 'DHCP clients': enable baselining turned off
host group hierarchy
1. 'peripherals' (On) > 'printers (Off): What would be applied for hosts in the printers host group, is there any inheritance for this setting?

Thanks!

Re: StealthWatch host group baseline

TJ-20933766 — Mon, 08 Feb 2021 21:03:34 GMT

By default, every individual host is baselined within the "Inside Hosts" host group. Stealthwatch baselines only aggregate host behavior at the host group level for the "Outside Hosts" host group.

If you turn off "Enable baselining for Hosts in this Group", Stealthwatch will baseline the aggregate host behavior at the host group level.

I have not been able to find any documentation to back this part up but I believe if your host is a member of two different host groups who are not children or parents of each other and one of them has the default enabled setting of "Enable baselining for Hosts in this Group", that host will be individually baselined. If the host is a member of a child host group who has disabled that option, the host will not be individually baselined.