Tags can be used for a variety of purposes, including:

A sensor can have any number of tags, and you can use the same tag on multiple sensors.

Classification

You can use tags to classify an endpoint in a number of different ways based on what is important to you. Some examples of classifications are shown below for inspiration.

Departments

Create tags to classify endpoints based on what business department they belong to. e.g. sales, finance, operations, development, support, legal, executives.

Usage Type

You may wish to tag endpoints based on their type of usage. e.g. workstation, server, production, staging.

By having endpoints tagged in this manner you can easily identify endpoints and decide what actions you may wish to take while considering the tag. For example, if you see an endpoint is tagged with `workstation` and `executives`, and you happen to see suspicious activity on the endpoint, it may be worthwhile for you to

You can use tags to automate detection and response.

For example, you can create a detection & response rule so that when a specific user logs in on a device, the box is tagged as 'VIP-sales' and the sensor starts collecting an extended list of events from that box.

You can use tags to create workflows and automations. Some examples of automations are listed below for inspiration.

Access Management

Create a microsegmentation policy to disallow anyone tagged as 'sales' to access their Salesforce account from outside of the company network.

Sending Events & Detections Data

Configure an output (forwarder) to send all detections containing 'VIP-sales' tag to Slack so that you can review them asap, while detections tagged as 'sales' can be sent to an email address.

Trigger Automations

Create a Yara scanning rule so that endpoints tagged as 'sales' are continuously scanned against the specific sets of Yara signatures.

Tags can be applied on-demand or by using automation.