Organize Assets

Tagging and grouping assets makes it easier to analyze, review, and report on data as your organization and asset numbers grow. When tracking assets in your organization, you may want to identify, organize, and report on them according to how they impact your business.

Search functions related to on-prem assets use tags as filters. Applying meaningful and applicable tags to your assets and asset groups helps provide an accurate view of the risk and inventory in your environment.

When to use tags and asset groups

Tags can help to accomplish some of the more complex asset grouping needs you have by allowing for the combination of AND/OR criteria filters. Asset groups help you scope sites and provide meaningful reporting data.

The following table describes the situations when it is best to use Tags and Asset groups.

SituationTagsAsset Groups
Asset filteringYesNo
ReportingYesYes
Adjust risk scores of assetsYesNo
Part of site scopesNoYes
Assign permission to assets for usersNoNo

Organizing assets with tags

Tags help filter your assets. You can use the built-in tags or create your own custom tags to best organize your assets. You can tag an asset individually on the details page for that asset. You also can tag a site or an asset group, which would apply the tag to all member assets.

TagDescriptionExamples
LocationGeographic or physical locations.
  • Data Center
  • Boston
  • Japan
OwnerAsset owner who is responsible for administration of asset security and remediation of any associated vulnerabilities.Specific members of the IT or security team.
CriticalityIndicates the importance or negative impact to your organization if the asset is attacked.

Additionally, you can use numeric values as multipliers that impact the risk score.
  • Low
  • Very High
  • 9.5
  • 430

Filter restrictions for Criticality tags

Certain filters are restricted for criticality tags, in order to prevent circular references. These restrictions apply to criticality tags applied through tag criteria and to those added through dynamic asset groups.

The following filters cannot be used with criticality tags:

  • Asset risk score
  • User-added criticality level
  • User-added custom tag
  • User-added tag (location)
  • User-added tag (owner)
Avoiding circular references when tagging asset groups

You may apply the same tag to an asset as well as an asset group that contains it. For example, you might want to create a group based on assets tagged with a certain location or owner. This may occasionally lead to a circular reference loop in which tags refer to themselves instead of the assets or groups to which they were originally applied. This could prevent you from getting useful context from the tags.

The following example shows how a circular reference can occur with with location and custom tags:

  1. A first user tags a number of assets with the location Cleveland.
  2. The user creates a dynamic asset group called Midwest office with search results based on assets tagged Cleveland.
  3. The user applies a custom tag named Accounting to the Midwest office asset group because all the assets in the group are used by the accounting team.
  4. A second user, who is not aware of the Midwest office dynamic asset group or the Cleveland tag, creates a new dynamic asset group named Financial with search results based on the Accounting tag.
  5. That user tags the Financial group with Cleveland, expecting that all assets in the group will inherit the tag. But because the assets were tagged Cleveland by the first user, the Cleveland tag now refers to itself in a potentially infinite loop.

The following example shows how a circular reference can occur with criticality:

  1. You create a dynamic asset group Priorities for all assets that have an original risk score of less than 1,000. One of these assets is named Server_1.
  2. You tag this group with a Very High criticality level, so that every asset in the group inherits the tag.
  3. Your Security Console has been configured to double the risk score of assets with a Very High criticality level.
  4. Server_1 has its risk score doubled, which causes it to no longer meet the filter criteria of Priorities. Therefore, it is removed from Priorities.
  5. Since Server_1 no longer inherits the Very High criticality level applied to Priorities, it reverts to its original risk score, which is lower than 1,000.
  6. Server_1 now once again meets the criteria for membership in Priorities, so it once again inherits the Very High criticality level applied to the asset group. This, again, causes its risk score to double, so that it no longer meets the criteria for membership in Priorities. This is a circular reference loop.

The best way to prevent circular references is to look at the Tags page to see what tags have been created. Then go to the details page for a tag that you are considering using and to see which assets, sites, and asset groups it is applied to. This is especially helpful if you have multiple Security Console users and high numbers of tags and asset groups. To access to the details page for a tag, simply click the tag name.

Changing the criticality of an asset

Over time, the criticality of an asset may change. For example, a laptop may initially be used by a temporary worker and not contain sensitive data, which would indicate low criticality. That laptop may later be used by a senior executive and contain sensitive data, which would merit a higher criticality level.

Your options for changing an asset's criticality level depend on where the original criticality level was initially applied and where you are changing it:

  • If you apply a criticality level to a site and then change the criticality of a member asset, you can only increase the criticality level. For example, if you apply a criticality level of Medium to a site and then change the criticality level of an individual member asset, you can only change the level to High or Very High.
  • If you apply a criticality level to an asset group, and if any asset has had a criticality level applied elsewhere (in sites, other asset groups, or individually), the asset will retain the highest-applied criticality level. For example, an asset named Server_1 belongs to a site named Boston with a criticality level of Medium. A criticality level of Very High is later applied to Server_1 individually. If you apply a High criticality level to a new asset group that includes Server_1, it will retain the Very High criticality level.
  • If you apply a criticality level to an asset group, and if any asset has had a criticality level applied elsewhere (in sites, other asset groups, or individually), the asset will retain the highest-applied criticality level. For example, an asset named Server_1 belongs to a site named Boston with a criticality level of Medium. A criticality level of Very High is later applied to Server_1 individually. If you apply a High criticality level to a new asset group that includes Server_1, it will retain the Very High criticality level.
  • If you apply a criticality level to an individual asset, you can later change the criticality to any desired level.

Tag assets by site configuration

After creating a site, you can add tags to help organize the assets within the site.

  1. Go to your site and in the Site Configuration > General section, click Add tags.
  2. To apply a new tag, depending on the tag type, enter or select the tag value. To add multiple names, separate names by selecting ENTER.
    • If you select Custom Tag, Location, or Owner, type a new tag name to create a new tag.
    • If you are creating a new custom tag, select a color in which the tag name will appear.
    • If you select Criticality, select a criticality level from the drop-down list.
  3. To apply an previously created tag, start typing the name of the tag until the rest of the name fills in the text box, and click Add.
  4. Click Add.
  5. Click Save.

Tag assets in bulk using a text file

To simplify the management of tags across a large number of assets, you can apply a tag to a set of assets using a text (.txt) file that contains a list of hostnames and/or IP addresses.

The Security Console evaluates these text files using new lines as delimiters, so make sure every hostname or IP address is printed on its own line in the file if you are specifying multiple targets.

To import assets into tags using a text file:

  1. On the Home tab, in the Asset Tags area, select an asset tag.
  2. On the Asset Tag page, in the Assets area, click Add Assets From File.
  3. In the Add Assets From File window, click Choose File, and then select the appropriate text file. Each line in the file can contain only one hostname or IP address.
  4. Select an option:
    • Click Override Tag if you want to replace all of the current assets. This function does not affect asset criteria.
    • Click Append to Tag to add new assets to the current assets.

Removing and deleting tags

Removing a tag is not the same as deleting it. If a tag no longer accurately reflects the business context of an asset, you can remove it from that asset. If a tag no longer has any business relevance at all, you can delete it completely.

You cannot delete a criticality tag.

Remove tags

In the list of tags, click the x button next to the tag name.

If you tag a site or an asset group, all of the member assets will "inherit" that tag. You cannot remove an inherited tag at the individual asset level. Instead, you will need to edit the site or asset group in which the tag was applied and remove it there.

Delete tags

  1. On the Tags page, click the Assets icon, then click the number of tags listed for Tagged Assets, even if that number is zero.
  2. On the Tags page, select the check box for any tag you want to delete.
  3. To select all displayed tags, select the check box in the top row.
  4. Click Delete.

Tip: If you want to see which assets are associated with the tag before deleting it, click the tag name to view its details page. This could be helpful in case you want to apply a different tag to those assets.

Dynamically apply context to tags

You can apply business context based on filters without having to create new sites or groups. You can also add new criteria for which assets should have the tags as you think of them, rather than at the time you first tag assets.

  1. Click the name of any tag to go to the details page for that tag.
  2. Add or edit tag criteria for the tag.
    • To create new, click Add Tag Criteria.
    • To edit an existing, click Edit Tag Criteria.
  3. Select the search filters.
  4. Select Search.
  5. Select Save.
  6. (Optional) To view existing business context for a tag, on the details page for that tag, select View Tag Criteria.
  7. (Optional) To remove all criteria for a tag, on the details page for that tag, select Clear Tag Criteria, and click Save.

Organizing assets with groups and tags

Asset groups allow you to create logical groupings that you can configure to dynamically incorporate new assets that meet specific criteria. Asset groups provide important information about your assets and the security issues affecting them:

  • Their network location
  • The operating systems running on them
  • The number of vulnerabilities discovered on them
  • Whether exploits exist for any of the vulnerabilities
  • Their risk scores

You can create two different kinds of asset groups. The dynamic asset group is a snapshot that potentially changes with every scan and the static asset group is an unchanging snapshot. Each type of asset group can be useful depending on your needs.

Group typeDescription
DynamicA dynamic asset group contains scanned assets that meet a specific set of search criteria. You define these criteria with asset search filters, such as IP address range or hosted operating systems.

The list of assets in a dynamic group is subject to change with every scan. In this regard, a dynamic asset group differs from a static asset group.
StaticA static asset group contains assets that meet a set of criteria that you define according to your organization’s needs. Unlike with a dynamic asset group, the list of assets in a static group does not change unless you alter it manually.

Static asset groups provide useful time-frozen views of your environment that you can use for reference or comparison.
For example, you may find it useful to create a static asset group of Windows servers and create a report to capture all of their vulnerabilities. Then, after applying patches and running a scan for patch verification, you can create a baseline report to compare vulnerabilities on those same assets before and after the scan.

To efficiently organize assets, you can create a filtered search based on tags and then create a group based on those results.

Create and tag a dynamic asset group

Step 2: Create a dynamic asset group based on search results

After you configure asset search filters as described in the preceding section, you can create an asset group based on the search results. Using the assets search is the only way to create a dynamic asset group. It is one of two ways to create a static asset group and is more ideal for environments with large numbers of assets.

  1. In the search results, click Create Asset Group and select Dynamic.
  2. Enter a unique asset group name and description.
  3. Click Add Users to give users access to an asset group so that they can view assets or perform asset-related operations, such as reporting, with assets in that group.
  4. Select the check box for every user account that you want to add to the access list or select the check box in the top row to add all users.
  5. Click Save.
Optional: Change asset membership

After you configure asset search filters as described in the preceding section, you can create an asset group based on the search results. Using the assets search is the only way to create a dynamic asset group. It is one of two ways to create a static asset group and is more ideal for environments with large numbers of assets.

  1. In the search results, click Create Asset Group and select Dynamic.
  2. Enter a unique asset group name and description.
  3. Click Add Users to give users access to an asset group so that they can view assets or perform asset-related operations, such as reporting, with assets in that group.
  4. Select the check box for every user account that you want to add to the access list or select the check box in the top row to add all users.
  5. Click Save.

Create a static asset group from search results

Step 2: Create a static asset group based on search results

After you configure asset search filters as described in the preceding section, you can create an asset group based on the search results. It is one of two ways to create a static asset group and is more ideal for environments with large numbers of assets.

  1. In the search results, click Create Asset Group and select Static.
  2. Enter a unique asset group name and description.
  3. Click Add Users to give users access to an asset group so that they can view assets or perform asset-related operations, such as reporting, with assets in that group.
  4. Select the check box for every user account that you want to add to the access list or select the check box in the top row to add all users.
  5. Click Save.

To bulk add assets to a static asset group you must first build a tag and then create an asset group with the criteria of having that tag.

  1. Go to Assets > Tagged Assets.
  2. Click Add Tags.
  3. Enter a descriptive name for the tag, then click Add.
  4. Click the tag name to open the details of the tag you just created.
  5. Click add assets from file.
  6. Import a file of IP addresses, with one address per line.

Manually create a new static asset group

Step 1: Create a static asset group
  1. On the Assets page, next to Groups, click View.
  2. Click New Static Asset Group.
  3. Type a group name and description in the appropriate fields.
  4. Add tags to the group. Any tag you add to a group is applied to to all of the member assets.
  5. Click Save.
Step 2: Manually add assets to the static asset group
  1. Go to Assets > Asset Group Configuration and select the static asset group you created.
  2. Apply filters to assets, then click Display matching assets. For example, you can select all of the assets within an IP address range that run on a particular operating system.
  3. Select the assets you want to add to the asset group.
  4. To include all assets, select the check box in the header row.
  5. Click Save.

When you use this asset selection feature to create a new asset group, you will not see any assets displayed. When you use this asset selection feature to edit an existing report, you will see the list of assets that you selected when you created, or most recently edited, the report. Click Save to save the new asset group information.

Add tags to an existing group

If you didn't already add tags when creating a static asset group, you can add tags to an existing group.

  1. Go to Assets > Asset Groups Configuration, next to Groups, click View.
  2. Click Edit to change any group listed with a static asset group icon.
  3. On the General tab, click Add Tags.
  4. Add tags to the group. Any tag you add to a group is applied to all of the member assets.
  5. Click Save.

Create tags without applying them

You can create tags without immediately applying them to assets. This could be helpful if, for example, you want to establish a convention for how tag names are written.

  1. Click the Assets icon, then click the number of tags listed for Tagged Assets, even if that number is zero. OR Click the Create tab at the top of the page and then select Tags from the drop-down list.
  2. Click Add tags and add any tags as described in Tagging assets, sites, and asset groups.