Asset Tag Structure and Hierarchy Guide

Document created by Davis Dolezal on Dec 20, 2016
Version 1Show Document
  • View in full screen mode

Asset Tag Structure and Hierarchy Guide

 

1. tagging Structure

 

The general idea is to have a High-Level structure defined by 3 things: Location, Technology, and Exclusion.

 

Location 

The location tag structure should be created within your business units, starting with region, country, etc...

 

Technology
The following images are simple examples to help you get started. Every team/dept/company/etc.. has their own preferences for tagging structure. Your tag structure is defined by the level of granularity that you're company is trying to accomplish i.e. - OS > OS Type  > OS Kernels, etc... 

  1. Operating System Hierarchy (Parent and 2nd level child tags)
  2. Windows Desktop Tag Hierarchy
    Windows Tag Structure
  3. Mobile Devices Hierarchy

  4. Network Devices Hierarchy

  5. Windows Servers Hierarchy

Exclusion

Benefits of creating an exclusion tag
a. Reduces the Qualys subscription costs by decreasing the number of ip's that are scanned.

b. Identifies the technologies that are in scope.

c. Increases accuracy and filtering for reports.

 

Once all your technologies are defined and tagged, move the technology tags (that are out of scope) to your exclusion tag.

 

* In order to remove the excluded ip's from the Qualys ip subscription count (exclude ip's from future scans), you must...

 

1. Verify assets are properly identified and tagged under the exclusion tag.

2. Once you have verified the assets are properly tagged, you can copy the ip lists to your global exclusion list.

3. Purge old data.

 

Exclusion Process 

 

The exclusion process will be managed at two levels – Global and at Scan Time.

 

Old Data will also be purged.

 

  1. Scan Time (Dynamic List) will be managed at every scan.

 

  1. Global (static List) will be managed once a month.

 

  1. Purge old data

 

 

 

A. Exclude hosts at scan time

 Under the Asset View Module: Click the Assets tab and then click Tags. You will notice an asset tag called “Exclude”. This is where all the dynamically tagged (for exclusion) assets will be located.

 

At Scan time click new scan - > Tags

 

Select the tag/tags you want to include first, and then select the “Exclude” tag for the “Do not include” section.

 

Note: Always add the asset tag “Exclude” to the “Do not include”. That should be the only tag that is added here.

 

 

 

B: Globally exclude hosts

There is one global excluded hosts list for the subscription. To see this list, or to make changes, go to Scans > Setup > Excluded Hosts.

 

 

 

1. Exclude Hosts Using Global Exclusion List

 

 

The Excluded Hosts Setup page appears with a list of IPs currently excluded, if any. Click Edit to make changes to the list. You can add or remove hosts. Note that add and remove actions must be performed at different times.

 

 

 

In the Hosts section, enter the IPs you want to add to the list.

 

 

 

Now click Comments on the left side and enter notes about the changes you're making. Comments are required and will be saved in the history log for the excluded hosts list. When you're done, click the Add button to add the hosts to the excluded hosts list. (If you're removing IPs from the list click the Remove button instead.)

 

 

 

A confirmation window will appear. Click Add again to confirm the change.

 

 

 

Which users have privileges to globally exclude hosts?

Managers and Unit Managers have privileges to edit the global excluded hosts list. Managers can add/remove any host. Unit Managers can add/remove any host in their business unit.

 

Can I add IPs to the excluded hosts list that aren't in my subscription?

Yes. IPs not currently in the subscription may be added to the excluded hosts list. This ensures that they will not be scanned even if later added to the subscription.

 

Is it possible for an excluded host to show up in map results?

Excluded hosts may appear in map results if discovered via a DNS method. If the IP belonging to a DNS server is included in the excluded hosts list and this server is used to resolve DNS names for hosts in the map target, then the service will still send normal requests to the DNS server. The server, however, will not be scanned for vulnerabilities.

 

 

C. Purge Old Data

 

  1. Select VM and go to Assets > Asset Searchand find the hosts you'd like to purge.

 

 

Last Scan Date NOT WITHIN the past 90 days 

 

 

  1. In the Asset Search Report, select all or some hosts under Results, and then select Actions: Purgeand click Apply.

 

 

 

Both methods will prompt you with the following Warning:

"Purging hosts will remove all automatic host data as well as associated tickets and exceptions (scan results will not be removed).  This host data will be removed from your account: vulnerability data and compliance data. None of this information will be recoverable. 

Attachments

    Outcomes