Tag Endpoints for Context and Reporting
- Updated on 15 Jul 2024
Tags are key-value pairs applied either automatically or manually to an endpoint. Key-value pairs are superior to typical single-value tags because they allow a greater level of both flexibility and control.
You can use tags to separate endpoints by geography or business unit/function, denote specific endpoints as "high risk," or tag endpoint types that have specific response playbooks such as critical infrastructure, domain controllers, etc.
Manage, add, and remove tags on an endpoint
Manage tags
Endpoints will have several tags automatically applied that cannot be removed. Additional tags can be added or removed as needed.
Note: Make sure that tags contain no whitespace.
Add a tag
1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Click + next to Reporting Tags.
3. Select whether you want to create a new tag key, or use an existing tag key.
4. Enter the value for the tag.
5. Click Add Reporting Tag.
Remove a tag
1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
2. Scroll down to Reporting Tags.
3. Click the icon on the tag you want to remove from the endpoint.
Add and remove tags on multiple endpoints
Add tags to multiple endpoints
1. From your Red Canary dashboard, click Endpoints.
2. Select multiple endpoints.
3. Click the Reporting Tags dropdown, and then click Set tag and value.
4. Enter a tag name.
5. Enter a tag value.
6. Click Set Reporting Tag.
Remove tags from multiple endpoints
1. From your Red Canary dashboard, click Endpoints.
2. Select multiple endpoints.
3. Click the Reporting Tags dropdown, and then click the tag you want removed.
4. Click Yes.
Add and remove tags on all of your endpoints
Add tags to all of your endpoints
1. From your Red Canary dashboard, click Endpoints.
2. Click Select All.
3. Click the Reporting Tags dropdown, and then click Set tag and value.
4. Enter a tag name.
5. Enter a tag value.
6. Click Set Reporting Tag.
Remove tags from all of your endpoints
1. From your Red Canary dashboard, click Endpoints.
2. Click Select All.
3. Click the Reporting Tags dropdown, and then click the tag you want removed.
4. Click Yes.
Tags that are automatically applied to endpoints
Red Canary automatically applies several tags to endpoints as they are created and updated:
- endpoint_type is set to server if the endpoint’s operating system is a known server operating system variant. In all other cases, it is set to workstation.
- endpoint_platform is set to Windows, OS X, or Linux depending on the endpoint’s operating system.
- endpoint_operating_system is set to the complete operating system name as provided by the EDR/EPP sensor.
- endpoint_sensor_group
EDR/EPP platform integrations will provide additional tags based on the data collected by those platforms.
For endpoints discovered in your cloud accounts, additional tags are applied:
- cloud_provider is the provider of the cloud, such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform.
- cloud_instance_id is the unique identifier the cloud provider uses to identify the instance.
- cloud_image_id is the unique identifier of the “image” that the instance was built from (for example, in AWS this is the AMI ID).
You can add your own tags to further classify and label identities.