Agent Groups

Agent groups let you organize your fleet into logical collections. You use groups to scope assessments ("assess all Linux servers"), control which users can see which agents, and quickly target a category of host in Claude without specifying individual agent IDs. Every agent can belong to multiple groups, and InfraScout keeps group membership consistent as your fleet grows or changes.

Static Groups

A static group is one you maintain by hand. You create the group in the dashboard under Agents → Groups → New Group → Static, then add agents to it individually. Static groups are a good fit for environment-based collections that don't change often — "Production," "DMZ," or "Finance Department" are typical examples. Because membership is explicit, what's in the group is always exactly what you put there.

Dynamic Groups

Dynamic groups have rules. InfraScout evaluates every enrolled agent against those rules and automatically includes or excludes agents based on their properties. The membership list stays current as agents are enrolled, updated, or removed — you don't have to manage it manually.

Create a dynamic group in the dashboard under Agents → Groups → New Group → Dynamic, then define one or more rules. Each rule tests a specific agent property against a value using an operator.

The agent properties available as rule fields are:

FieldDescriptionExample values
osOperating systemwindows, linux, darwin
archCPU architectureamd64, arm64
hostnameHost's fully qualified hostnamedc01.example.com
display_nameHuman-readable name set in the dashboardPrimary Domain Controller
capabilitiesCapabilities reported by the agentpowershell, ldap, wmi

Rule Operators

Each rule pairs a field with an operator and a value. InfraScout supports the following operators:

OperatorMeaningExample
eqExact matchos eq windows
inMatches any value in a listos in [windows, linux]
containsField contains the stringhostname contains .corp.
regexField matches a regular expressionhostname regex ^dc\d+
hasAgent reports this capabilitycapabilities has powershell

Any operator can be negated. For example, you can express "hostname does not contain .test" or "os is not windows" using the negated form of the relevant operator.

Match Mode

A dynamic group's match mode controls how multiple rules combine. Set the match mode to "All" and every rule must match — this is AND logic. Set it to "Any" and at least one rule must match — this is OR logic.

For example, to create a group for Windows domain controllers you might add two rules: os eq windows and hostname regex ^dc. With match mode set to "All," only agents that satisfy both rules are included. Agents running Linux, or Windows hosts whose hostnames don't start with dc, are excluded automatically.

Default Groups

Every InfraScout tenant starts with five groups that are seeded and maintained automatically:

GroupIncluded agents
All HostsEvery enrolled agent
Windows ServersWindows agents running a Server edition
Windows ClientsWindows agents running a Client (desktop) edition
LinuxAll Linux agents
macOSAll macOS agents

These groups are system-owned. Their membership criteria cannot be edited, but you can configure visibility on them to control who can see the agents they contain.

Visibility

Visibility controls which InfraScout users or Entra groups can see and interact with agents in a group. You configure visibility at the group level, and every agent in that group inherits the setting. This lets you give a Windows team access to their servers without exposing Linux hosts to them, for example.

When an agent belongs to multiple groups with different visibility settings, InfraScout applies the most permissive setting that applies to the requesting user. This ensures users always have access through the broadest permission that any of their group memberships grants.

INFO

Visibility applies to agent discovery and interaction — it does not affect playbook execution permissions, which are controlled separately.