Custom reporting tags can be added to your Linux Endpoint Detection and Response (EDR) instance via Red Canary, your config.json file, or the Application Programming Interface (API). All of these methods allow you to sort and filter your Linux EDR endpoints based on the tag(s) you define.
Define Custom Tags in Red Canary
For more information about defining custom tags directly in Red Canary, see Tagging endpoints for context and reporting in the Red Canary Help Center.
Define Custom Tags in the Config.json File
You can also define arbitrary custom tags in your config.json file, which makes it easy to define a custom tag for a group of servers without the need to add a tag for each device. To add a custom tag to your config.json file, you will need to:
- Add a comma after the last key/value pair in your config.json file
- Add a new line below the comma
- Add a custom tag in the format "reporting_tags": { "example_custom_tag": "tag_value" }, where "example_custom_tag" is the name of the tag you want to define and "tag_value" is the value. Include quote marks around the tag name and value. Note that "reporting_tags" takes an object, so be sure to include all custom tags within these curly braces. Multiple tags can be added within this object, delimited by commas.
- Save your config.json file and apply it to your servers
- Restart the Linux EDR sensor using sudo systemctl restart cfsvcd
Example
Original config.json file
{
  "access_token": "YOUR_TOKEN",
  "subscription_plan": "Managed"
}
Config.json file with one custom tag
{
  "access_token": "YOUR_TOKEN",
  "subscription_plan": "Managed",
  "reporting_tags": {
    "example_custom_tag": "tag_value"
  }
}
Config.json file with multiple custom tags
{
  "access_token": "YOUR_TOKEN",
  "subscription_plan": "Managed",
  "reporting_tags": {
    "example_custom_tag_1": "tag_value_1",
    "example_custom_tag_2": "tag_value_2",
    "example_custom_tag_3": "tag_value_3"
  }
}
Note: Tags are literal. If you mistype a tag name or value, Linux EDR interprets exactly what you've typed and will create a new tag or edit an existing tag. Please ensure that you add exactly the tag and value you want in the config.json file to avoid errors.
If you want to add more than one tag, do so on separate lines, separated by commas.
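The hand edit described above, as an added example (not Red Canary's code): this Python helper merges tags into an existing config.json and rejects malformed JSON or a repeated "reporting_tags" key before the file reaches your servers. The function names, the whitespace rule and the path argument are assumptions of this example.

```python
import json
import os
import shutil
import tempfile


def _no_duplicate_keys(pairs):
    """json hook: reject repeated keys, e.g. a second "reporting_tags" object."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def merge_reporting_tags(config_text, new_tags):
    """Return config.json text with new_tags merged into "reporting_tags"."""
    # Malformed JSON (a missing or stray comma) raises ValueError here.
    config = json.loads(config_text, object_pairs_hook=_no_duplicate_keys)
    if not isinstance(config, dict):
        raise ValueError("config.json must hold a JSON object")
    tags = config.setdefault("reporting_tags", {})
    if not isinstance(tags, dict):
        raise ValueError('"reporting_tags" must be an object')
    for name, value in new_tags.items():
        if not (isinstance(name, str) and isinstance(value, str)):
            raise ValueError(f"tag {name!r}: name and value must be strings")
        # Assumption of this example: leading/trailing spaces are typos.
        if not name or name != name.strip() or value != value.strip():
            raise ValueError(f"tag {name!r}: empty name or stray whitespace")
        tags[name] = value  # tags are literal: same name overwrites the value
    return json.dumps(config, indent=2) + "\n"


def update_config_file(path, new_tags):
    """Merge tags into the file at path; the original is untouched on error."""
    with open(path, encoding="utf-8") as fh:
        updated = merge_reporting_tags(fh.read(), new_tags)
    # Write beside the original, keep its permissions (the file holds the
    # access token), then swap it in atomically.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(updated)
    shutil.copymode(path, tmp)
    os.replace(tmp, path)
    return json.loads(updated)["reporting_tags"]
```

After the file is updated and applied to your servers, restart the sensor with sudo systemctl restart cfsvcd as in the steps above.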
Define Custom Tags with the API
For more information about defining custom tags with the API, see Bulk assign Reporting tags to endpoints via API in the Red Canary Help Center.
View Custom Tags
There are two ways to view custom tags: through the Endpoints page or through a specific endpoint view.
Endpoints page
From the navigation menu, click Endpoints, and then click the Reporting Tags column.

Specific endpoint view
Click on an Identifier, and scroll down to the bottom to see the User Defined Reporting Tags section.
Search Tags and Take Bulk Action
You can search or take bulk actions against any custom reporting tag. To search by a reporting tag, use the same "example_custom_tag": "tag_value" formatting.
Once you have searched for the value, only those servers with the custom reporting tag will be displayed. You can then take bulk actions on this group of servers.
Use Custom Tags in Automations
Custom reporting tags can also be used in automations to help take specific actions based on a group or type of server. Once you've defined a custom reporting tag, you can use it to filter out specific triggers by adding a condition.