What are Asset Tags?
Metadata about assets are called Tags in Cisco Vulnerability Management. Tags are automatically imported and synched with assets only if the asset has been seen and reported by the scanner on a recent connector run. Tags may also be added via the UI or API. Tagging assets allows you to maintain a structure that you have already established within your scanner tools. Some common tags include Asset Groups and Tags from Qualys, Sites from Nexpose, Tags from Tenable and various data fields from ServiceNow CMDB such as Model Number, Location, Asset Tag, etc. Tags are very helpful for many customers in helping to filter and segregate data to build risk meters.
Adding and Removing Tags
Adding Tags
Tags can also be added in Cisco Vulnerability Management in three ways.
- Automatically by synching the data ingested from your scanners via connector runs.
- Manually using the Tag an Asset API endpoint.
- Manually by adding tags in the UI.
Tags added automatically by connector runs are called Scanner Tags. Tags added manually in the UI or using the API are called User Created Tags.
To add tags manually in the UI, first select one or more assets to apply the tags to within the Explore page. Once you have selected the assets, you will see a +Tags button appear.
Clicking that button will give you a text box where you can input the tag name you wish to apply to the assets.
Once you confirm the addition, the tags will be added to the assets as part of a background processing task. The more assets you are updating, the longer it will take for the recently added tags to appear.
Removing Tags
How specific tags can be removed will differ based on the source: User Created Tags or Scanner Tags. You can remove all tags regardless of source by using the reset_tags flag on the Bulk Update Assets endpoint in the API or the Kenna Data Importer (KDI).
Connector Run Tag Removal
Tags added from connector runs cannot be removed from the UI. These tags must be maintained at the source, whether that is a scanner or the KDI. When the tags are removed from the source, they will be removed in Cisco Vulnerability Management on the following connector run if the asset is seen and reported in that run.
API Tag Removal
User Created Tags can be removed using the Untag an Asset API endpoint. You can use the List Tags API endpoint to determine the source of the tag.
UI Tag Removal
Removing tags in Cisco Vulnerability Management UI is just like adding tags. You will select the asset(s) you wish to remove the tags from and then hit the X Tags button. You will be able to remove User Created Tags but not Scanner Tags, which is indicated by the red X next to the tags you can remove.
Click the red X next to the tag(s) you wish to remove. Once you do that, you will see the status bar indicating that the tags are being removed in the background.
Viewing Tags in Cisco Vulnerability Management
Tag List
You can see what tags have been brought in by your various scanning tools within the Explore page. Below Asset Filters on the right-hand side, you will see a section called Tags. This will display the tags that are in Cisco Vulnerability Management and the number of assets that have that tag applied. You can choose to sort the Tags list by the Count of Assets with the tag or alphabetically by Name. Please note that Cisco Vulnerability Management will only display the top 300 Tags that are applied to assets in the Tag list. All tags are imported and searchable in the Custom Query String box, but only 300 will be displayed in this list.
Asset List
You can also view which tags are applied to an asset from within the Explore tab. You can add the tags section on the Assets tab by selecting it from the Display dropdown. You will then see the tags that reside on the asset in the Tags section.
Asset Detail
When you click on an asset, this opens up the asset detail page. On the right-hand side, you will see the tags on the asset and whether or not they can be removed. A person icon indicates a User Created Tag and a computer icon indicates a Scanner Created Tag. You can add and remove tags from this view as well.
Using Tags in Searches
A very common function in Cisco Vulnerability Management is using tags to create risk meters or saved searches. From within the Explore page, you can use the list of Tags or the Custom Query String box to search for assets that have certain tags. Using custom queries, searches can be on complete tag names or partial names with a wildcard.
Some common search strings are:
|
tag:”Web Servers” |
This will search for any asset that has the tag Web Servers applied to it |
|
tag: DMZ* |
This will search for any asset that has a tag with DMZ in the name |
|
-_exists_:tag |
This will search for any asset that does not contain any tags |
|
tag:(”DMZ” OR “Web Servers”) |
This will search for any asset that contains a tag of DMZ or Web Servers |
Saving Searches as a Risk Meter
Once you have searched for the assets you are looking for, you can click the Save Group button to save your search as a Risk Group.
By saving a group based on Tag searches, any time a new asset gets added with that Tag (and matching the other criteria of the group) it will be automatically added to the risk meter.
Best Practices for Asset Tags
- Investigate and fix tag discrepancies at their source.
- Make sure assets that need to have their Scanner Tags updated have been seen and reported by the scanner on a recent connector run. If the scanner report does not change the “last_updated“ data field when a new tag is added, removed, or modified, Cisco Vulnerability Management will not import those changes.
- Make sure assets that have not been seen by the scanner, and therefore not had their Scanner Tags synched, are removed through asset inactivity and purge period settings.
- Keep standard naming conventions for all tags.
Comments
Please sign in to leave a comment.