Events include several Data Fields that are related to zones (see Assets). In the Common Conditions Editor, you can compare these fields with asset groups or categories to test whether the field's event does or does not correlate with those asset properties. The InGroup operator performs this comparison.
For example, if an event's Attacker Zone field value and a Source Asset ID's System Asset Categories' Criticality value correlate, then the InGroup operator would test True. You can apply this outcome in your reports, rules, or filters.
Note: The InGroup operator is inserted automatically when you create zone-asset correlation statements in the Common Conditions Editor. There is no button or command to manually insert the operator.
The InGroup operator tests True for specified asset resources and their parents, but not for their own peers or their parents' peers.
1. In the Conditions tab of any appropriate editor, set a logical operator for a zone-related field (for example, Destination Zone).
2. In the same field, click the ellipsis button (...). In the Select a Zone dialog, enter a prompt for the condition, select the Parameter checkbox, then choose a zone from the resource tree.
3. Right-click the new statement in the editor and choose AND, then right-click the AND statement and choose New Assets Condition.
4. In the Asset resources panel below, choose the Source, Target, or other type of relevant asset ID.
5. For that asset ID type, click the Assets or Asset Categories tab and select an asset group or category to test with the InGroup operator.
6. Click Apply in the Assets resources panel to add the asset group or category to the condition statement, with the embedded InGroup operator.
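The following added example (a Python model written for this page, not product code) shows how the parent-but-not-peer rule decides whether a zone AND asset condition matches. The resource URIs, event keys and function names are constructed for illustration, and it assumes that "parents" means every level above the asset's category in the resource tree.

```python
# Model of the InGroup hierarchy rule; illustration only, not product code.
# All URIs, dictionary keys and event values are constructed (hypothetical).

def lineage(uri):
    """Return a resource URI followed by each group above it in the tree."""
    parts = uri.strip("/").split("/")
    return ["/" + "/".join(parts[:depth]) for depth in range(len(parts), 0, -1)]

def in_group(asset_categories, tested_group):
    """True when tested_group is one of the asset's categories or a parent of one.

    Whole path segments are compared, so a peer such as .../Low never matches
    an asset filed under .../High, and neither does a peer of a parent group.
    Assumption: "parents" covers every level above the category.
    """
    tested = "/" + tested_group.strip("/")
    return any(tested in lineage(category) for category in asset_categories)

def condition(event, zone, group):
    """Zone statement AND asset statement, the shape the procedure above builds."""
    return (event["destination_zone"] == zone
            and in_group(event["target_asset_categories"], group))

# Constructed sample events.
EVENTS = [
    {"name": "db-login",
     "destination_zone": "/Example Zones/DMZ",
     "target_asset_categories": ["/Example Categories/Criticality/High"]},
    {"name": "kiosk-login",
     "destination_zone": "/Example Zones/DMZ",
     "target_asset_categories": ["/Example Categories/Criticality/Low"]},
    {"name": "lab-login",
     "destination_zone": "/Example Zones/Lab",
     "target_asset_categories": ["/Example Categories/Criticality/High"]},
]

def matches(zone, group):
    """Names of the sample events for which the combined condition tests True."""
    return [e["name"] for e in EVENTS if condition(e, zone, group)]

if __name__ == "__main__":
    dmz = "/Example Zones/DMZ"
    print(matches(dmz, "/Example Categories/Criticality/High"))  # exact category
    print(matches(dmz, "/Example Categories/Criticality"))       # parent group
    print(matches(dmz, "/Example Categories/Location"))          # peer of the parent
```

Testing against the parent group widens the match to every category beneath it, so a rule or filter meant for one criticality level should name that level rather than its parent.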