Part 3: Creating Static and Dynamic Tags
This is part 3 of a multi-part tutorial introducing QualysGuard Asset Management and Dynamic Tagging. In these tutorials we will guide you through the activation and setup of the new tagging features, and demonstrate some best practices to get the most value out of these powerful features.
Although we already have some tags imported from the asset groups and business units (Part 2), it’s very useful to create our own tags. The two types of tags which can be created are:
Static. A static tag is manually assigned to assets in your account and does not have a tag rule (meaning it will not be automatically added to assets by the application). Assigning a tag to an asset is achieved with a simple drag and drop after the tag has been created.
Dynamic. A dynamic tag is automatically assigned to assets in your account according to its tag rule. The rules can be configured at the time the tag is created, and modified again later. Tag rules are evaluated anytime an asset changes, or is scanned, or if you choose to force immediate re-evaluation.
There are several ways to create tags; we will focus on these five in this article:
- Creating a tag using the "Create Tag" button
- Adding a simple child tag within the Tag Tree
- Creating a dynamic tag
- Creating a dynamic tag using the filters in the Asset Management module
- Creating a dynamic tag from the asset search tool in the Vulnerability Management module
Creating a Tag Using the "Create Tag" Button
To begin, let's start with the "Create Tag" button on the top of the Tag Tree. To access this, click the small icon on the top left of the Asset List:
This will open the Tag Tree. Now click the "Create Tag" button at the top of the tree.
This will open a small wizard like this:
Simply choose a name (we will use "Operating Systems"), and a color, and click "Continue". For now, we won't change anything in the "Tag Rule" step of the wizard, so just click "Continue" and then click "Finish". You will see that the new tag has appeared as a new "root tag" in the tree:
Adding a Simple Child Tag in the Tag Tree
Now, let's add a child tag to the "Operating Systems" tag we just created, and call it "Unix". Later, we'll associate it with an asset running Unix. First, right click on the parent tag (which in this case is "Operating Systems") and you will notice a menu appears:
Click on "New Sub-Tag". An empty tag box will appear under the parent tag. Type in the name of the tag which in this case is "Unix", and hit return to save it.
Click on the newly created Unix tag, and while keeping the mouse button held down, drag the tag over to the target asset (which in this case is an asset running Solaris). The Unix tag will now appear along with the other tags of that asset. That's it - you've now assigned a static tag to an asset!
You can use this same approach to start organizing your other tags. For example, I have made a new tag in my account named "Global Sites". I then used drag & drop to take some of the tags out of the Asset Groups tags and put them into "Global Sites". (We covered re-organizing Tags with drag & drop in the last article).
Now that all the site tags are sitting under a unified tag - Global Sites - we will be able to run reports and scans using the "Global Sites" tag which would include all the assets with the child tags. Notice that you can drag and drop Asset Group and Business Unit tags under the custom tags you make - so you can completely re-organize your tag tree to suit your needs.
Creating a Dynamic Tag
The process to create a dynamic tag is identical to creating a static tag, except that we will add a "Rule" configuration on the second step. This will tell the application when to add the tag automatically to assets.
When you define a dynamic tag, you have multiple rule engines to choose from. For example, you may define a rule for tagging hosts that have a specific operating system or a particular software application and version installed. For this example we've selected "Operating System Regular Expression". This will allow us to use a regular expression pattern to compare the operating system on the asset. In the Rule Text field, enter a regular expression (Perl format) to identify the operating system to be tagged. In our example we're creating a dynamic tag for assets with a Windows OS. If you don't wish to write regular expression syntax, simply enter a value, select "ignore case" and we will treat it as a "substring match".
Testing Rule Applicability on Selected Assets. (optional) Often, when constructing a dynamic tag, it is helpful to "test it" on specific assets. Select assets in your account to test the rule using the "Add Asset" drop-down menu. The result for each selected asset appears below the Add Asset drop down menu. A check mark indicates a selected asset matches the rule and would get the tag. A red "x" mark indicates a selected asset does not match the rule, and would therefore not get the tag.
When you click Save, the service automatically adds the new tag to all assets in your account that match the tag rule as they are scanned. If you wish to apply the tag to all assets which match the rule immediately, check the "Re-Evaluate Rule on Save" checkbox to the right of the Rule Engine drop down. Use caution as doing this often on large sets of assets will slow your overall tag evaluation time. It is recommended not to check this box and to instead let the tag appear as scans are processed.
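An offline dry run of the "Testing Rule Applicability" step for an "Operating System Regular Expression" rule, added here as an illustration and not Qualys code. The asset names, OS strings and function names are constructed, Python's re module stands in for the Perl-format engine, and the substring mode is modelled on the description above.

```python
import re

# Constructed sample inventory: asset name -> OS string as a scan might report it.
SAMPLE_ASSETS = {
    "web01": "Windows Server 2008 R2 Enterprise 64 bit Edition Service Pack 1",
    "wks17": "Windows 7 Professional",
    "db02": "Solaris 10",
    "fs03": "Linux 2.6",
    "nas04": "NetApp Data ONTAP (Windows file sharing enabled)",
}


def rule_matches(rule_text, os_string, ignore_case=False, substring=False):
    """Return True if the asset's OS string would satisfy the rule.

    substring=True models the plain-value mode described above (assumption:
    a case-insensitive "contains" test); otherwise rule_text is a regex.
    """
    if substring:
        return rule_text.lower() in os_string.lower()
    flags = re.IGNORECASE if ignore_case else 0
    try:
        return re.search(rule_text, os_string, flags) is not None
    except re.error as exc:
        # Catch a malformed pattern before it is saved as a tag rule.
        raise ValueError(f"invalid rule text {rule_text!r}: {exc}") from exc


def dry_run(rule_text, assets, **mode):
    """Mirror the check mark / red x list: asset name -> would get the tag."""
    return {name: rule_matches(rule_text, s, **mode) for name, s in assets.items()}


def tagged(rule_text, assets, **mode):
    """Sorted names of the assets that would receive the tag."""
    return sorted(n for n, hit in dry_run(rule_text, assets, **mode).items() if hit)


if __name__ == "__main__":
    # Unanchored pattern: also tags the filer whose OS string merely mentions Windows.
    print(tagged("Windows", SAMPLE_ASSETS))
    # Anchored pattern: only assets whose OS string starts with "Windows".
    print(tagged(r"^Windows\b", SAMPLE_ASSETS))
    # Plain value with "ignore case": substring match.
    print(tagged("windows server", SAMPLE_ASSETS, substring=True))
```

Because tags later drive scan and report scope, comparing the unanchored and anchored results shows which assets a loose pattern would pull into that scope.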
Creating a Dynamic Tag using the Filters in the Asset Management Module
You can create a tag based on filter criteria you enter. The tag will be created with a rule based on your filter criteria. Click the Assets tab, and click "show filters" on the top-right of the Asset List.
You can create a tag based on these asset filters. Define your filters and then click "Search Assets". If you are satisfied with your search results, click "Create Dynamic Tag", and when prompted, enter a name for the tag. The tag will appear as a "top-level" tag, but you are free to drag & drop it to any location in your tag tree you wish.
Creating a Dynamic Tag from the Asset Search Tool in the Vulnerability Management Module
An easy way to create tags with advanced tagging rules for automatic assignment to assets is through the Asset Search Portal in the VM module. When you create a tag in the Asset Search Portal, the search criteria are saved as a tagging rule. Go to VM > Assets > Asset Search. Specify the host attributes you want to search for and then click Search. When you are satisfied, click Create Tag. When prompted, enter a name for the tag and click OK.
The service creates the tag with a tag rule based on your search criteria. Within the Asset Tagging module, the new tag appears in your tag tree as a sub-tag of the "Asset Search Tags" parent tag. If you create multiple asset search-based tags, they will all appear here. You can drag and drop them to a new location in your tag tree if you wish.
The new tag is automatically added to all scanned assets in your account that match your search criteria - though this process may take some time and is not instant when the tag is created. To find all the assets with a specific tag, go to the Tags tab, hover over the new tag’s row, and select “Find assets” from the Quick Actions menu.
The assets list is filtered to display only assets that match the new tag.
In Parts 1 and 2 we were able to see and organize tags which had been automatically imported from the Vulnerability Module. In Part 3 we have seen the different ways to create our own tags. The simplest way is using the "Create Tag" button. We saw how newly created tags can be moved around in the tree, and how we can nest other tags under them if we wish. We also saw how we can assign static tags to assets using simple drag and drop in the user interface.
Dynamic tags allow automated association of tags to assets. For example, whenever an asset has Adobe installed, then we can automatically tag that asset with an "Adobe" Tag. The Asset Management module will continually look through the asset database created by scans and associate tags which match to the assets. By empowering the application to automatically assign tags to assets, we have reduced our manual effort dramatically. It can also help us focus attention on specific types of assets in ways previously impossible: for example, the fact that an asset has Adobe Acrobat Reader installed can now make it part of a special group for scanning and reporting without the need for manual tracking.
Finally, there are other indirect ways to create tags. Using the asset management filter capability or the asset search capability within the Vulnerability Management module, more complex tag rules can be created without having to understand more advanced scripting languages. A later blog will deal with the subject of scripting and the advanced tagging capabilities it can expose.
Part 4 of this blog series - "Examining the Different Types of Dynamic Tags" will be posted soon.