Skip to main content
Red Canary help

Tag endpoints for context and reporting

  • Updated .

Tags are key-value pairs applied either automatically or manually to an endpoint. Key-value pairs are superior to typical single-value tags because they allow a greater level of both flexibility and control.

You can use tags to separate endpoints by geography or business unit/function, denote specific endpoints as "high risk," or tag endpoint types that have specific response playbooks such as critical infrastructure, domain controllers, etc.

Manage tags on an endpoint

Endpoints will have several tags automatically applied that cannot be removed. Additional tags can be added or removed as needed. Note: please ensure there is no whitespace in the tags.

Add a tag to an endpoint

  1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
  2. Click ICON_PLUS_CIRCLE next to Reporting Tags.
  3. Select whether you want to create a new tag key, or use an existing tag key.
  4. Enter the value for the tag.
  5. Click Add Reporting Tag.

Remove a tag from an endpoint

  1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.
  2. Scroll down to Reporting Tags.
  3. Click the ICON_TRASH icon on the tag you want to remove from the endpoint.

Add tags to multiple endpoints

  1. From your Red Canary dashboard, click Endpoints.
  2. Select multiple endpoints.
    1.png
  3. Click the Reporting Tags dropdown, and then click Set tag and value.
    2.png
  4. Enter a tag name.
  5. Enter a tag value.
  6. Click Set Reporting Tag.
    3.png

Remove tags from multiple endpoints

  1. From your Red Canary dashboard, click Endpoints.
  2. Select multiple endpoints.
  3. Click the Reporting Tags dropdown, and then click the tag you want removed.
  4. Click Yes.

Add tags to all of your endpoints

  1. From your Red Canary dashboard, click Endpoints.
  2. Click Select All.
    6.png
  3. Click the Reporting Tags dropdown, and then click Set tag and value.
  4. Enter a tag name.
  5. Enter a tag value.
  6. Click Set Reporting Tag.

Remove tags from all of your endpoints

  1. From your Red Canary dashboard, click Endpoints.
  2. Click Select All.
  3. Click the Reporting Tags dropdown, and then click the tag you want removed.
  4. Click Yes.

What tags are automatically applied to endpoints?

Red Canary automatically applies several tags to endpoints as they are created and updated: 

  • endpoint_type is set to server if the endpoint’s operating system is a known server operating system variant. In all other cases, it is set to workstation.
  • endpoint_platform is set to Windows, OS X, or Linux depending on the endpoint’s operating system.
  • endpoint_operating_system is set to the complete operating system name as provided by the EDR/EPP sensor.
  • endpoint_sensor_group 

EDR/EPP platform integrations will provide additional tags based on the data collected by those platforms.

For endpoints discovered in your cloud accounts, additional tags are applied: 

  • cloud_provider is the provider of the cloud, such as Amazon Web Services, Microsoft Azure, or Google Cloud Platform.
  • cloud_instance_id is the unique identifier the cloud provider uses to identify the instance.
  • cloud_image_id is the unique identifier of the “image” that the instance was built from (for example, in AWS this is the AMI ID).

You can add your own tags to further classify and label identities.

Comments

0 comments

Please sign in to leave a comment.