Automate tagging asset owners and alerting on orphaned devices

Tags help you to organize your asset inventory, allowing you to quickly search, group, and flag assets. You can apply tags to assign ownership, location, criticality, and groups, as well as use them to flag assets that need deeper analysis. In addition to asset tags, you can also apply subnet-level tags in the site configuration, which function as virtual tags for any assets within those networks.

Tags provide better context for your assets #

Tags can provide meaningful context for assets, so you can search or filter based on function or business impact. For example, if there are devices managed by different teams, you can apply tags to specify who owns them. You can slice and dice assets based on different levels of your company.

There are a couple of ways to tag assets. From your inventory, you can run a query and manually tag assets. However, for a more efficient and automated way to tag your assets, you can use the Rules Engine.

Automate tagging with the Rules Engine #

The Rules Engine is an automation framework for monitoring, alerting, and acting on events. It uses rules to define the automated action that occurs when a set of conditions is true. The automated action can be an alert or a modification to an asset field after a scan completes. In this case, a rule will run a query after a scan completes and tag any assets that match the search criteria in the site associated with that scan.

For example, if you know that a device type, like a switch, belongs to the networking team, you can automatically tag every device of that type. You can specify a tag as a single label (networking) or as a key-value pair (owner=networking).

How to automate asset tagging #

Let's take our example: we want to tag switch owners as the networking team.

Step 1. Create a rule

In the runZero Console, go to the Alerts page, located under Global Settings. From the Rules tab, create a rule.

Step 2. Choose an event type

For the rule, choose asset-query-results. This will apply the query to the asset inventory.

Step 3. Configure a query and conditions for the rule

To search for switches, enter type:"switch" into the Query field. Then set the minimum matches for the query: enter >=1.

For the organization, you can limit the scope of this rule to any organization and site.

Step 4. Configure the action

For the action, select Modify asset.

In the Set asset tags field, enter owner=networking.

Save the rule.

Step 5. See the results

The next time a scan completes, this rule, if enabled, will trigger if all the conditions are met. The search will find all assets with type:"switch" and update the tags with owner=networking. You'll see the updated tags in your inventory.

To see the results, go to your asset inventory. In the asset inventory query field, enter owner=networking. All assets tagged with owner=networking will appear in the results.

Step 6. Share the query

For any inventory search, including ones containing asset tags, click the link icon in the toolbar to get a shareable link to your current search query.

Automate alerts on orphaned devices #

Another way you can use the Rules Engine is to identify orphaned devices. Similarly to how you created a rule to automate owner tagging, you can create a rule that automates alerts for orphaned, or unowned, devices.

How to automate alerts for orphaned devices #

The use case: we want to know when there are assets that don't have an owner.

Step 1. Create a new rule

Go to the Alerts page, located under Global Settings. From the Rules tab, create a rule and choose asset-query-results as the event type.

Step 2. Configure a query for the rule

From the New Rule page, give the rule a name. Then, enter NOT tag:owner in the Query field. This query will find assets that do not have an owner.

Set the minimum matches for the query. Enter >=1.

For the organization, you can limit the scope of this rule to any organization and site.

Step 3. Configure the notification

For the action, select Notify. Choose the channel you want to use to receive the notification.

Save the rule.

Next time a scan runs, it will trigger this rule if all conditions are met. If Rumble finds any devices without an owner tag, you will receive an alert.
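The two rules above, modelled offline as an added example (this is not runZero code): it applies the owner-tagging rule and then the orphan alert to a small constructed inventory, so you can see which assets still trigger the alert once switches are tagged. The asset field names, the sample inventory, and the helpers parse_tags, run_rule, tag_switch_owners and alert_orphans are assumptions for illustration, and the matching is a simplified stand-in for the runZero query language.

```python
# Offline model of the tagging rule and the orphan alert described above.
# Field names ("name", "type", "tags") and the matching logic are assumptions
# for illustration, not runZero's implementation.

def parse_tags(spec):
    """Parse a tag string such as 'owner=networking critical' into a dict.
    A bare label becomes a key with an empty value."""
    tags = {}
    for item in spec.split():
        key, _, value = item.partition("=")
        tags[key] = value
    return tags

def run_rule(assets, predicate, min_matches, action):
    """Evaluate one rule after a scan: collect matching assets and run the
    action only when the match count meets the threshold (>=1 in the post)."""
    matches = [a for a in assets if predicate(a)]
    if len(matches) >= min_matches:
        action(matches)
    return matches

def tag_switch_owners(assets):
    """Rule 1: query type:"switch", >=1 match, Modify asset: owner=networking."""
    new_tags = parse_tags("owner=networking")
    def modify(matches):
        for asset in matches:
            asset["tags"].update(new_tags)  # merge, keeping existing tags
    return run_rule(assets, lambda a: a["type"] == "switch", 1, modify)

def alert_orphans(assets):
    """Rule 2: query NOT tag:owner, >=1 match, Notify. Returns alert text or None."""
    alerts = []
    def notify(matches):
        alerts.append("orphaned assets: " + ", ".join(a["name"] for a in matches))
    run_rule(assets, lambda a: "owner" not in a["tags"], 1, notify)
    return alerts[0] if alerts else None

# Constructed sample inventory. cam-lobby carries the bare label "networking",
# which in this model does not count as an owner key.
INVENTORY = [
    {"name": "sw-core-01", "type": "switch", "tags": {}},
    {"name": "sw-edge-07", "type": "switch", "tags": {"site": "hq"}},
    {"name": "db-prod-02", "type": "server", "tags": {"owner": "dba"}},
    {"name": "cam-lobby", "type": "ip camera", "tags": {"networking": ""}},
]

if __name__ == "__main__":
    print("tagged:", [a["name"] for a in tag_switch_owners(INVENTORY)])
    print(alert_orphans(INVENTORY))
```

In this model the order of the rules matters: running the orphan alert before the tagging rule reports both switches as unowned.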

Try the runZero Rules Engine #

The Rules Engine is available with the free trial of runZero Professional and Enterprise editions. Sign up for a free trial to see what you can do with runZero.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.
