Tags can be used for a variety of purposes, including:

  • to classify endpoints

  • automate detection and response

  • create powerful workflows

A sensor can have any number of tags, and you can use the same tag on multiple sensors.


You can use tags to classify an endpoint in a number of different ways based on what is important to you. Some examples of classifications are shown below for inspiration.


Create tags to classify endpoints based on what business department they belong to. e.g. sales, finance, operations, development, support, legal, executives.

Usage Type

You may wish to tag endpoints based on their type of usage. e.g. workstation, server, production, staging.

By having endpoints tagged in this manner you can easily identify endpoints and decide what actions you may wish to take while considering the tag. For example, if you see an endpoint is tagged with `workstation` and `executives`, and you happen to see suspicious activity on the endpoint, it may be worthwhile for you to

Automating detection and response

You can use tags to automate detection and response.

For example, you can create a detection & response rule so that when a specific user logs in on a device, the box is tagged as 'VIP-sales' and the sensor starts collecting an extended list of events from that box.

Creating workflows

You can use tags to create workflows and automations. Some examples of automations are listed below for inspiration.

Access Management

Create a microsegmentation policy to disallow anyone tagged as 'sales' to access their Salesforce account from outside of the company network.

Sending Events & Detections Data

Configure an output (forwarder) to send all detections containing 'VIP-sales' tag to Slack so that you can review them asap, while detections tagged as 'sales' can be sent to an email address.

Trigger Automations

Create a Yara scanning rule so that endpoints tagged as 'sales' are continuously scanned against the specific sets of Yara signatures.

Applying Tags

Tags can be applied on-demand or by using automation.

  1. Enrollment: When enrolling a new sensor you can have it be pre-tagged by assigning tags to the related installation key.

  2. Manually in the web app: navigate to the Overview page of the sensor you want to update. Under Tags, enter a tag you would like to apply to the endpoint and click Update Tags.

  3. Detection & Response: automated detection and response rules can programmatically add a tag (and check for tags). To achieve this, in the response part of the detection & response rule, specify the add tag action. For example, to tag a device as DESKTOP, you would say:

- action: add tag

Did this answer your question?