Using Asset Tags

Metadata about assets are called Tags in Cisco Vulnerability Management. Tags are automatically imported and synchronized with assets during connector runs. Tags can also be added using the UI or API. Tagging assets allows you to maintain a structure that you have already established in your scanner tools. Some common tags include Asset Groups and Tags from Qualys, Sites from Nexpose, Tags from Tenable and various data fields from ServiceNow CMDB such as Model Number, Location, and Asset Tag. Tags help many customers filter and segregate data to build risk meters. 

Add Tags 

You can add tags in Cisco Vulnerability Management in three ways.  

  • Automatically by synchronizing the data ingested from your scanners through connector runs. 
  • Manually using the Tag an Asset API endpoint. 
  • Manually by adding tags in the UI. 

Tags added automatically by connector runs are called Scanner Tags. Tags added manually in the UI or using the API are called User Created Tags. 

Use the UI to add a tag

1. On the VM Explore page, select one or more assets to apply the tags to.
2. Click + Tag(s).

AT1.png

3. In the Add Tag(s) field, enter the tag that you want to apply to the assets. 

AT2.png

Note: Once you confirm the addition, the tags will be added to the assets as part of a background processing task. The more assets you are updating, the longer it will take for the recently added tags to appear. 

blobid2.png

Remove Tags 

How you remove specific tags differs based on the source: User Created Tags or Scanner Tags. You can remove all tags regardless of source by using the reset_tags flag on the Bulk Update Assets endpoint in the API or the Data Importer. 

Remove Connector Run Tags

Tags added from connector runs cannot be removed in the UI. These tags must be maintained at the source, whether that is a scanner or the Data Importer. When the tags are removed from the source, they will be removed in Cisco Vulnerability Management on the following connector run if the asset is seen and reported in that run. 

Remove API Tags

You can use the Untag an Asset API endpoint. You can use the List Tags API endpoint to determine the source of the tag. 

Use the UI to remove a tag

1. On the VM Explore page, select one or more assets to apply the tags to.
2. Click x Tag(s).  

AT3.png

3. Click the red X next to the tags you want to remove. A status bar indicating that the tags are being removed in the background displays.

View Tags in Cisco Vulnerability Management

On the VM Explore page. you can see what tags your various scanning tools have imported. Below Asset Filters on the right-hand side of the page, you will see a section called Tags. This will display the tags that are in Cisco Vulnerability Management and the number of assets that have that tag applied. You can choose to sort the Tags list by the Count of Assets with the tag or alphabetically by Name. Note that Cisco Vulnerability Management will only display the top 300 tags that are applied to assets in the Tag list. All tags are imported and searchable in the Custom Query String box, but only 300 will be displayed in this list. 

AT4.png

 

View the Tags that are Applied to an Asset

You can also view which tags are applied to an asset on the VM Explore page. To add the tags section on the Assets tab, click the Display drop-down list and select Tags. You will then see the tags that reside on the asset in the Tags column. 

AT5.png 

View Asset Details

When you click on an asset, the asset detail page opens. On the right-hand side of the page, you will see the tags on the asset and whether they can be removed. A person icon indicates a User Created Tag, and a computer icon indicates a Scanner Created Tag. You can add and remove tags from this view as well. 

AT6.png

Use Tags in Searches 

A very common function in Cisco Vulnerability Management is using tags to create risk meters or saved searches. From the VM Explore page, you can use the list of Tags or the Custom Query String box to search for assets that have particular tags. Using custom queries, you can perform searches on complete tag names or partial names with a wildcard.  

Some common search strings are: 

tag:”Web Servers” 

This will search for any asset that has the tag Web Servers applied to it 

tag: DMZ* 

This will search for any asset that has a tag with DMZ in the name 

-_exists_:tag 

This will search for any asset that does not contain any tags 

tag:(”DMZ” OR “Web Servers”) 

This will search for any asset that contains a tag of DMZ or Web Servers 

 

Save Searches as a Risk Meter 

Once you have searched for the assets you are looking for, you can click the Save Group button to save your search as a Risk Meter Group. 

AT7.png

By saving a group based on Tag searches, any time a new asset gets added with that Tag (and matching the other criteria of the group) it will be automatically added to the risk meter. 

 

Best Practices for Asset Tags 

  • Investigate and fix tag discrepancies at their source. 
  • Ensure that on a recent connector run the scanner has seen and reported assets that need to have their Scanner Tags updated.
  • Ensure assets that the scanner has not seen, and therefore have not had their Scanner Tags synchronized, are removed through asset inactivity and purge period settings. 
  • Keep standard naming conventions for all tags. 

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.