Groups let you organize your users and endpoints into categories that control how Wirespeed automates responses. Each group has independent settings for Chat Ops and Containment, giving you fine-grained control over which assets are eligible for automated actions.
You can manage groups from Settings > Groups.
How Groups Work
Every group has two automation toggles:
| Setting | Effect when disabled |
|---|---|
| Chat Ops | Assets in this group will not be contacted during chat ops. Detections involving them are marked as suspicious and escalated instead. |
| Containment | Assets in this group will not be automatically contained. Manual containment from the case Actions menu is still available. |
If an asset belongs to any group that has Chat Ops or Containment disabled, that automation is disabled for the asset — even if other groups the asset belongs to have it enabled.
System Groups
Wirespeed seeds a set of built-in groups that are automatically maintained. System groups are indicated by the Wirespeed logo and cannot be deleted.
User Groups
| Group | Description | Default Chat Ops | Default Containment |
|---|---|---|---|
| VIP | High-profile users requiring priority monitoring and response | Off | Off |
| Administrator | Users with elevated privileges across systems | On | On |
| External | Contractors, vendors, and other non-employee users | On | On |
| Technical | Engineering, IT, and other technical staff | On | On |
| Financial | Users with access to financial systems and data | On | On |
| NHI | Non-human identities such as service accounts and API keys | Off | Off |
Endpoint Groups
| Group | Description | Default Chat Ops | Default Containment |
|---|---|---|---|
| Critical Asset | Business-critical servers and infrastructure | Off | Off |
| Domain Controller | Active Directory domain controllers | Off | Off |
| Server | Server endpoints running production or internal services | Off | Off |
| Workstation | Desktop and laptop endpoints used by employees | On | On |
| Mobile | Mobile devices including phones and tablets | On | On |
Custom Groups
Create your own groups to match your organization’s structure. Each custom group has:
- Name — a short label displayed throughout the platform
- Description — optional context for your team
- Color — visual identifier shown on badges
- Chat Ops — enable or disable chat ops for the group
- Containment — enable or disable containment for the group
Custom groups can be deleted when no longer needed.
Group Rules
Rules automatically assign assets to groups based on field matching. This keeps group membership up to date as your directory syncs without any manual work.
Rule Properties
| Property | Description |
|---|---|
| Asset Type | Whether the rule applies to Users or Endpoints |
| Group | The group to assign matching assets to |
| Field | The asset field to match against |
| Search Pattern | The pattern to match (text with wildcards or regex) |
Matchable Fields
User fields:
| Field | Description |
|---|---|
| email | User’s email address |
| name | User’s display name |
| username | User’s login username |
| title | Job title |
| department | Department or business unit |
| role | Assigned role |
Endpoint fields:
| Field | Description |
|---|---|
| name | Endpoint hostname |
| OS | Operating system |
| ip | IP address |
Pattern Types
Text — used by custom rules. Use `*` as a wildcard. For example:
- `ceo@*` matches any email starting with ceo@
- `*admin*` matches any value containing admin
- `*@example.com` matches any email at that domain
Regex — used exclusively by Wirespeed-managed system rules for advanced matching. Custom rules cannot use regex patterns.
System rules (indicated by the Wirespeed logo) cannot be deleted, but they can be disabled. Custom rules can be deleted or disabled at any time.
When Rules Run
Rules are evaluated automatically after each directory or endpoint sync. When an asset matches a rule, it is added to the corresponding group. If a rule is later disabled or the asset no longer matches, the assignment is removed — unless a user has manually overridden the membership.
Viewing Group Membership
When viewing a user or endpoint detail page, their assigned groups are displayed as badges. Hover over any group badge to see which rule matched the asset to that group.
Manual Overrides
You can manually add or remove assets from groups on the individual user or endpoint detail pages. Manual assignments take priority over rule-based assignments:
- Manually adding an asset to a group persists even if no rule matches it.
- Manually removing an asset from a group persists even if a rule would otherwise assign it.
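The following Python sketch is an added example, not Wirespeed's code. It models the behavior described on this page: text wildcard rules assign groups, manual overrides take priority, and any group with an automation disabled turns it off for the asset. The data layout, function names, sample rules, and the choice of case-sensitive whole-value matching are assumptions.

```python
import re

# Default toggles copied from the system group tables on this page.
GROUPS = {
    "VIP": {"chat_ops": False, "containment": False},
    "Administrator": {"chat_ops": True, "containment": True},
    "Server": {"chat_ops": False, "containment": False},
}

# Constructed sample rules (hypothetical values, not from any real tenant).
RULES = [
    {"asset_type": "user", "group": "VIP", "field": "email", "pattern": "ceo@*"},
    {"asset_type": "user", "group": "Administrator", "field": "username", "pattern": "*admin*"},
    {"asset_type": "endpoint", "group": "Server", "field": "name", "pattern": "srv-*", "enabled": False},
]

def wildcard_match(pattern, value):
    """Text pattern: '*' matches any run of characters, everything else is literal.
    Assumption: the pattern must match the whole value, case-sensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value or "", flags=re.DOTALL) is not None

def resolve_groups(asset, rules, manual_add=(), manual_remove=()):
    """Rule-based membership first, then manual overrides, which take priority."""
    matched = {
        r["group"] for r in rules
        if r.get("enabled", True)            # disabled rules assign nothing
        and r["asset_type"] == asset["type"]
        and wildcard_match(r["pattern"], asset.get(r["field"], ""))
    }
    return (matched | set(manual_add)) - set(manual_remove)

def effective_automation(groups):
    """An automation stays on only if no group the asset belongs to disables it.
    Assumption: an asset in no groups has both automations enabled."""
    return {key: all(GROUPS[g][key] for g in groups)
            for key in ("chat_ops", "containment")}
```

Running a planned rule through a model like this before saving it shows which assets would pick up a group that disables containment, which is the side effect of a broad pattern such as `*admin*` that is easiest to miss.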
Groups and Directory Sync
Group membership is synced during directory and endpoint sync operations. Until the initial sync completes, automation decisions that depend on group membership (like containment) are deferred to avoid acting on incomplete data.