Add Custom Linux EDR Reporting Tags
    • 09 Aug 2024


    Custom reporting tags can be added to your Linux Endpoint Detection and Response (EDR) instance via Red Canary, your config.json file, or the Application Programming Interface (API). All of these methods allow you to sort and filter your Linux EDR endpoints based on the tag(s) you define.

    Define custom tags in Red Canary and the config.json file

    For more information about defining custom tags directly in Red Canary, see Tag endpoints for context and reporting.

    You can also define arbitrary custom tags in your config.json file, which makes it easy to define a custom tag for a group of servers without the need to add a tag for each device. To add a custom tag to your config.json file, you will need to:

    • Add a trailing comma to the end of the last argument in your config.json file

    • Add a new line below the comma

    • Add a custom tag in the format "reporting_tags": { "example_custom_tag": "tag_value" }, where "example_custom_tag" is the name of the tag you want to define and "tag_value" is the value. Include quote marks around the tag name and value. Note that "reporting_tags" takes an object, so be sure to include all custom tags within these curly braces. Multiple tags can be added within this object, delimited by commas.

      Note: Please ensure there is no whitespace in the tags.

    • Save your config.json file and apply it to your servers

    • Restart the Linux EDR sensor using sudo systemctl restart cfsvcd

    .json Examples

    Original config.json file

    {
      "access_token": "YOUR_TOKEN",
      "subscription_plan": "Managed"
    }

    Config.json file with one custom tag

    {
      "access_token": "YOUR_TOKEN",
      "subscription_plan": "Managed",
      "reporting_tags": {
          "example_custom_tag": "tag_value"
      }
    }

    Config.json file with multiple custom tags

    { 
      "access_token": "YOUR_TOKEN",
      "subscription_plan": "Managed",
      "reporting_tags": {
          "example_custom_tag_1": "tag_value_1",
          "example_custom_tag_2": "tag_value_2",
          "example_custom_tag_3": "tag_value_3"
      }
    }

    Note: Tags are literal. If you mistype a tag name or value, Linux EDR interprets exactly what you've typed and will create a new tag or edit an existing tag. Please ensure that you add exactly the tag and value you want in the config.json file to avoid errors.

    If you want to add more than one tag, do so on separate lines, separated by commas.
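
A pre-deployment check for the rules above (valid JSON, "reporting_tags" as an object, quoted names and values, no whitespace), as an added example that is not Red Canary tooling. The function name, the sample inputs and the duplicate-key check are assumptions added here; the page does not say how the sensor treats duplicate tag names.

```python
import json
import re
import sys

WHITESPACE = re.compile(r"\s")

# Constructed sample inputs (not real configs); the token is a placeholder.
GOOD = '{"access_token": "YOUR_TOKEN", "reporting_tags": {"env": "prod", "role": "web"}}'
MISSING_COMMA = '{"access_token": "YOUR_TOKEN"\n "reporting_tags": {"env": "prod"}}'
BAD_TAGS = '{"access_token": "YOUR_TOKEN", "reporting_tags": {"data center": "us east", "tier": 1}}'
NOT_OBJECT = '{"access_token": "YOUR_TOKEN", "reporting_tags": "env=prod"}'
DUPLICATE = '{"reporting_tags": {"env": "prod", "env": "dev"}}'


def validate_reporting_tags(config_text):
    """Return a list of problems in config.json text; an empty list means OK."""
    dupes = []

    def track(pairs):  # json.loads would otherwise silently keep the last duplicate key
        keys = [k for k, _ in pairs]
        dupes.extend(sorted({k for k in keys if keys.count(k) > 1}))
        return dict(pairs)

    try:
        config = json.loads(config_text, object_pairs_hook=track)
    except json.JSONDecodeError as exc:
        # Typical causes: no comma before "reporting_tags", or curly quotes.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(config, dict):
        return ["top level must be a JSON object"]
    problems = [f"duplicate key {k!r}" for k in dupes]
    tags = config.get("reporting_tags", {})
    if not isinstance(tags, dict):
        return problems + ['"reporting_tags" must be an object of "name": "value" pairs']
    for name, value in tags.items():
        if WHITESPACE.search(name):
            problems.append(f"tag name {name!r} contains whitespace")
        if not isinstance(value, str):
            problems.append(f"tag {name!r}: value must be a quoted string")
        elif WHITESPACE.search(value):
            problems.append(f"tag {name!r}: value {value!r} contains whitespace")
    return problems


if __name__ == "__main__":
    # Usage: python3 check_tags.py /path/to/config.json  (script name and path are assumptions)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_TAGS
    issues = validate_reporting_tags(text)
    print("\n".join(issues) or "config.json OK")
    sys.exit(1 if issues else 0)
```

The messages report only key names, tag values and parse positions, so the access_token is never echoed to the terminal or a CI log.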

    Define and view custom tags with the API

    For more information about defining custom tags with an API, see Bulk assign reporting tags to endpoints via API in the Red Canary Help Center. There are two ways to view custom tags: through the endpoints page or through a specific endpoint view.

    Search tags and take bulk action

    You can search or take bulk actions against any custom reporting tag. To search by a reporting tag, use the same "example_custom_tag": "tag_value" formatting.

    Once you have searched for the value, only those servers with the custom reporting tag will be displayed. You can then take bulk actions on this group of servers.

    Use custom tags in automations

    Custom reporting tags can also be used in automations to help take specific actions based on a group or type of server. Once you've defined a custom reporting tag, you can use it to filter out specific triggers by adding a condition.
