Group creation and modification
A grouping request is initiated on any QRadar® Network Packet Capture appliance, either through the GUI or the REST API.
Initial peer-to-peer group
In the following example, the QRadar Network Packet Capture appliance that requests the formation of a group is referred to as Appliance A. The receiver appliance of the grouping request is referred to as Appliance B.
- As part of the grouping request, a user name and password with admin-level access rights must be provided for Appliance B.
- The list of local accounts and the Active Directory configuration are exported from Appliance A to Appliance B. Any existing accounts and Active Directory configuration on Appliance B are overwritten.
- All capture data is preserved on Appliance A as well as on Appliance B, and can be searched from either appliance.
Inclusion in existing group
The request for a stand-alone QRadar Network Packet Capture appliance to be included in an existing group can be initiated on the stand-alone appliance or on a member of the group. In the following example, the stand-alone QRadar Network Packet Capture appliance to be included in the group is referred to as Appliance C.
- Local accounts and Active Directory configuration of the group are exported to Appliance C.
- Previous accounts and Active Directory configuration on Appliance C are overwritten.
Leaving a group
When a QRadar Network Packet Capture appliance is removed from the group, its local accounts and Active Directory configuration remain as a snapshot of their state at the time of removal. No further synchronization with the group occurs.