Tags can be used for a variety of purposes, including:
to classify endpoints
automate detection and response
create powerful workflows
A sensor can have any number of tags, and you can use the same tag on multiple sensors.
You can use tags to classify an endpoint in a number of different ways based on what is important to you. Some examples of classifications are shown below for inspiration.
Create tags to classify endpoints based on what business department they belong to. e.g. sales, finance, operations, development, support, legal, executives.
You may wish to tag endpoints based on their type of usage. e.g. workstation, server, production, staging.
By having endpoints tagged in this manner you can easily identify endpoints and decide what actions you may wish to take while considering the tag. For example, if you see an endpoint is tagged with `workstation` and `executives`, and you happen to see suspicious activity on the endpoint, it may be worthwhile for you to
Automating detection and response
You can use tags to automate detection and response.
For example, you can create a detection & response rule so that when a specific user logs in on a device, the box is tagged as 'VIP-sales' and the sensor starts collecting an extended list of events from that box.
You can use tags to create workflows and automations. Some examples of automations are listed below for inspiration.
Create a microsegmentation policy to disallow anyone tagged as 'sales' to access their Salesforce account from outside of the company network.
Sending Events & Detections Data
Configure an output (forwarder) to send all detections containing 'VIP-sales' tag to Slack so that you can review them asap, while detections tagged as 'sales' can be sent to an email address.
Create a Yara scanning rule so that endpoints tagged as 'sales' are continuously scanned against the specific sets of Yara signatures.
Tags can be applied on-demand or by using automation.
Enrollment: When enrolling a new sensor you can have it be pre-tagged by assigning tags to the related installation key.
Manually in the web app: navigate to the Overview page of the sensor you want to update. Under Tags, enter a tag you would like to apply to the endpoint and click Update Tags.
Detection & Response: automated detection and response rules can programmatically add a tag (and check for tags). To achieve this, in the response part of the detection & response rule, specify the add tag action. For example, to tag a device as DESKTOP, you would say:
- action: add tag