Metadata about assets are called Tags in Cisco Vulnerability Management. Tags are automatically imported and synchronized with assets during connector runs. Tags can also be added using the UI or API. Tagging assets allows you to maintain a structure that you have already established in your scanner tools. Some common tags include Asset Groups and Tags from Qualys, Sites from Nexpose, Tags from Tenable and various data fields from ServiceNow CMDB such as Model Number, Location, and Asset Tag. Tags help many customers filter and segregate data to build risk meters.
Add Tags
You can add tags in Cisco Vulnerability Management in three ways.
- Automatically by synchronizing the data ingested from your scanners through connector runs.
- Manually using the Tag an Asset API endpoint.
- Manually by adding tags in the UI.
Tags added automatically by connector runs are called Scanner Tags. Tags added manually in the UI or using the API are called User Created Tags.
Use the UI to add a tag
1. On the Vulnerability Management Explore page, select one or more assets to apply the tags to.
2. Click + Tag(s).
3. In the Add Tag(s) field, enter the tag that you want to apply to the assets.
Note: Once you confirm the addition, the tags will be added to the assets as part of a background processing task. The more assets you are updating, the longer it will take for the recently added tags to appear.
Remove Tags
How you remove specific tags differs based on the source: User Created Tags or Scanner Tags. You can remove all tags regardless of source by using the reset_tags flag on the Bulk Update Assets endpoint in the API or the Data Importer.
Remove Connector Run Tags
Tags added from connector runs cannot be removed in the UI. These tags must be maintained at the source, whether that is a scanner or the Data Importer. When the tags are removed from the source, they will be removed in Cisco Vulnerability Management on the following connector run if the asset is seen and reported in that run.
Remove API Tags
You can use the Untag an Asset API endpoint. You can use the List Tags API endpoint to determine the source of the tag.
Use the UI to remove a tag
1. On the Vulnerability Management Explore page, select one or more assets to remove the tags from.
2. Click x Tag(s).
3. Click the red X next to the tags you want to remove. A status bar indicating that the tags are being removed in the background displays.
View Tags in Cisco Vulnerability Management
On the Vulnerability Management Explore page, you can see what tags your various scanning tools have imported. Below Asset Filters on the right-hand side of the page, you will see a section called Tags. This will display the tags that are in Cisco Vulnerability Management and the number of assets that have that tag applied. You can choose to sort the Tags list by the Count of Assets with the tag or alphabetically by Name. Note that Cisco Vulnerability Management will only display the top 300 tags that are applied to assets in the Tag list. All tags are imported and searchable in the Custom Query String box, but only 300 will be displayed in this list.
View the Tags that are Applied to an Asset
You can also view which tags are applied to an asset on the Vulnerability Management Explore page. To add the tags section on the Assets tab, click the Display drop-down list and select Tags. You will then see the tags that reside on the asset in the Tags column.
View Asset Details
When you click on an asset, the asset detail page opens. On the right-hand side of the page, you will see the tags on the asset and whether they can be removed. A person icon indicates a User Created Tag, and a computer icon indicates a Scanner Created Tag. You can add and remove tags from this view as well.
Use Tags in Searches
A very common function in Cisco Vulnerability Management is using tags to create risk meters or saved searches. From the Vulnerability Management Explore page, you can use the list of Tags or the Custom Query String box to search for assets that have particular tags. Using custom queries, you can perform searches on complete tag names or partial names with a wildcard.
Some common search strings are:
| Search string | Result |
| --- | --- |
| tag:"Web Servers" | This will search for any asset that has the tag Web Servers applied to it |
| tag:DMZ* | This will search for any asset that has a tag with DMZ in the name |
| -_exists_:tag | This will search for any asset that does not contain any tags |
| tag:("DMZ" OR "Web Servers") | This will search for any asset that contains a tag of DMZ or Web Servers |
Save Searches as a Risk Meter
Once you have searched for the assets you are looking for, you can click the Save Group button to save your search as a Risk Meter Group.
By saving a group based on Tag searches, any time a new asset gets added with that Tag (and matching the other criteria of the group) it will be automatically added to the risk meter.
Best Practices for Asset Tags
- Investigate and fix tag discrepancies at their source.
- Ensure that on a recent connector run the scanner has seen and reported assets that need to have their Scanner Tags updated.
- Ensure assets that the scanner has not seen, and therefore have not had their Scanner Tags synchronized, are removed through asset inactivity and purge period settings.
- Keep standard naming conventions for all tags.
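The naming-convention and discrepancy checks above can be run offline against an asset list before risk meters are built on it. The following is an added example, not Cisco code: the inventory shape, the normalization rule and the function names are assumptions, and the sample data is constructed. It reports tags that differ only by case or separator, lists untagged assets, and builds a search string in the tag:("A" OR "B") form shown earlier so each variant group can be reviewed on the Explore page.

```python
import re
from collections import defaultdict

# Constructed sample inventory (hypothetical shape, not the product's API format).
ASSETS = [
    {"id": 101, "tags": ["Web Servers", "DMZ"]},
    {"id": 102, "tags": ["web-servers", "dmz"]},
    {"id": 103, "tags": ["DMZ_East"]},
    {"id": 104, "tags": []},
    {"id": 105, "tags": ["WEB SERVERS"]},
]

def normalize(tag):
    """Fold case and treat spaces, hyphens and underscores as one separator."""
    return re.sub(r"[\s_\-]+", " ", tag.strip()).lower()

def audit_tags(assets):
    """Return (variant groups keyed by normalized name, ids of untagged assets)."""
    spellings = defaultdict(set)
    untagged = []
    for asset in assets:
        if not asset["tags"]:
            untagged.append(asset["id"])  # what -_exists_:tag would surface
        for tag in asset["tags"]:
            spellings[normalize(tag)].add(tag)
    # Only names that appear in more than one spelling break the convention.
    variants = {k: sorted(v) for k, v in spellings.items() if len(v) > 1}
    return variants, untagged

def tag_query(tags):
    """Build a search string in the quoted tag:"..." / tag:(... OR ...) form."""
    for t in tags:
        if '"' in t:
            # The page gives no escaping rule, so refuse rather than guess one.
            raise ValueError(f"tag contains a double quote: {t!r}")
    quoted = [f'"{t}"' for t in tags]
    if len(quoted) == 1:
        return f"tag:{quoted[0]}"
    return "tag:(" + " OR ".join(quoted) + ")"

if __name__ == "__main__":
    variants, untagged = audit_tags(ASSETS)
    for name, forms in variants.items():
        print(f"{name}: {forms} -> {tag_query(forms)}")
    print("untagged assets:", untagged)
```

Each variant group it reports is a candidate for correction at the source scanner, or for removal if it is a User Created Tag.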