Complete Tag List

URL Name: 000005818
Document created by Colton Pepper on Apr 23, 2020. Last modified by Colton Pepper on May 19, 2023.

Note: This document is associated with Asset Tags: Are You Getting The Best Value? 

Updated Complete Tag List
The wait is finally over

Thank you to everyone who has spread the word about tagging and has continuously referenced my tagging documents. I am both thrilled and humbled by everyone's warm reception to tagging within the Qualys tool. Lastly, thank you to everyone for being patient with the long awaited update of this document. The original version of this document can be found Here.
 

Before We Begin, Here Are a Couple things...

Firstly, although this is a long list of tags, I have helped create hundreds of tags that are not included here because the use case around each was so hyper-specific that the customer in question was likely the only one who could benefit from it. The point is that this document is not intended to be a comprehensive list of tags. Its intention is to provide guidance on the “foundational” tags you should be using and how to structure them. This is simply the beginning of a nearly endless list of possibilities.

Secondly, each tag in this paper is grouped into the category where it should reside. Organizing your tags in the way I propose here is of course not strictly required; however, many of the concepts I explain in conversations with customers, and demonstrate or recommend to them, are built on the framework laid out below.

Lastly, the Groovy Scriptlet tagging rule engine is not enabled in any subscription by default, and having the rule listed in the drop-down of rule engines does not mean the feature is enabled. If you receive an error message when creating a Groovy tag, please reach out to your Technical Account Manager (TAM). Your TAM will be able to assist with enabling the feature in your organization’s subscription.

 

How To Use This Document

Each tag in this document is sorted into a Tag Category. Each category is a group of tags, and it is recommended to group the tags under their respective category using a [static] parent tag. Many tag categories use a prefix in their names that identifies the tag’s category, whereas some do not (e.g., Informational Tags). The parent tag of each category should include the category’s prefix if one is used. For example, operating system tags all begin with “OS:” followed by the concise name of the operating system (e.g., “OS: Windows 10”). The parent tag that groups all of these OS category tags is named “OS: Operating System.” These prefixes are important to include in the name of each tag that uses them.

It is recommended to copy the tag name from the lists below and paste it into the tag name field, select the required Tag Rule (e.g., Asset Inventory, Cloud Asset Search, Vuln(QID) Exist, etc.), and copy/paste the logic into the tag. When finished, be sure to check the box “Evaluate Rule on Creation.”

 

Table of Contents

Tag Category | Example Tags | Description
Informational Tags | "Firewall Detected", "Scan Time (>30m)" | Tags that are used to assist with troubleshooting, awareness, spot checking, and so on.
Authentication Status | "Authentication Successful", "Authentication Failed" | Generic authentication statuses (pass/fail/etc.) for Windows, Linux, and SNMP authentication record types.
Authentication Details | "No Sudo", "NULL Session Allowed" | Enhanced information related to authentication.
Type: Asset Type Tags | "Type: Client", "Type: Domain Controller" | Generic asset categorization that is agnostic to the operating system publisher, market version, release, etc.
OS: Operating System Tags | "OS: MacOS 13 Ventura", "OS: RHEL Server 9.x" | Specific to the asset’s operating system publisher, name, and market version.
SW: Software Tags | "SW: Antivirus Installed", "SW: iTunes" | Tags created to easily identify assets that have specific applications installed or missing.


 

Informational Tags

Category: Informational
Category Prefix: <None>
Category (Parent) Tag Name: “Informational Tags”

Informational tags are used for multiple reasons. They can be used for troubleshooting a range of scenarios, providing awareness to remediation teams and the administrative team, and more.
 
Tag Name | Rule Engine | Logic
Agent Correlation Used | Vuln(QID) Exist | QID= 48143
Agentless Tracking Errors | Vuln(QID) Exist | QID= 45180
Agentless Tracking Used | Vuln(QID) Exist | QID= 45179

Asset In Multiple Groups | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() > 1;

Asset In One Group | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() == 1;

DHCP Enabled | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>45099</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>EnableDHCP = 1</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

Dissolvable Agent Failed | Vuln(QID) Exist | QID= 90918
Dissolvable Agent Used | Vuln(QID) Exist | QID= 90821
Firewall Detected | Vuln(QID) Exist | QID= 34011
Live Asset | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>70004</QID>
   <QID>82040</QID>
   <QID>12230</QID>
   <QID>90399</QID>
   <QID>70038</QID>
   <QID>105296</QID>
   <QID>105297</QID>
  </QID_LIST>
 </DETECTION>
 <LAST_SCAN_DATE>
  <SEARCH_TYPE>WITHIN</SEARCH_TYPE>
  <DAYS>1</DAYS>
 </LAST_SCAN_DATE>
</TAG_CRITERIA>

>>> Edit only the <DAYS> value to customize <<<

Multiple IPs | Groovy Scriptlet
// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;

// Set the minimum number of lines to require.
lineMinimum = 2

// Fetch the QID 45099 results.
results = asset.resultsForQid(45099L)

// Return false if the asset doesn't have QID 45099.
if(results == null) return false;

// Count the number of lines (one match per end-of-line position).
int num = (results =~ /(?m)$/).size()

// Some results start with a "#table cols" header line rather than interface details; don't count it.
if(results.startsWith("#table cols")) num--

// Tag the asset only if the results contain at least lineMinimum lines.
if(num >= lineMinimum) {
 // QID results have at least lineMinimum lines.
 return true;
}

// QID results have fewer than lineMinimum lines.
return false;

New Asset | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <FIRST_FOUND_DATE>
  <SEARCH_TYPE>WITHIN</SEARCH_TYPE>
  <DAYS>7</DAYS>
 </FIRST_FOUND_DATE>
</TAG_CRITERIA>

>>> Edit only the <DAYS> value to customize <<<

No Asset Group | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.tags.reservedType.findAll { it.toString().equals("ASSET_GROUP") }.size() < 1;

No Hostname | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.getHostName()==null || asset.getHostName().trim().length()<=0;

No NetBIOS Name | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.getNetbiosName()==null || asset.getNetbiosName().trim().length()<=0;

No OS Detected | Groovy Scriptlet
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
return asset.getOperatingSystem()==null || asset.getOperatingSystem().trim().length()<=0;

Possible Scan Interference | Vuln(QID) Exist | QID= 42432
Scan Time (>30m) | Groovy Scriptlet
// Skip testing on non-VM hosts.
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;

// Tag if the scan time for the host exceeds threshold_minutes minutes.
threshold_minutes = 30
host_scan_time = asset.resultsForQid(45038L);

// Return false if the asset doesn't have QID 45038
// or the result is, for some reason, not the expected length.
if(host_scan_time == null || host_scan_time.length() <= 16)
 return false;

// Parse for duration: the number between the 15-character prefix and ' seconds'.
host_scan_time = host_scan_time.substring(15, host_scan_time.indexOf(' seconds'));

// Convert the number of seconds to an integer and compare against the threshold.
host_scan_time = host_scan_time.toInteger();
return host_scan_time > (threshold_minutes*60);

>>> Edit only the threshold_minutes value to customize <<<

Stale Asset | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <LAST_SCAN_DATE>
  <SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </LAST_SCAN_DATE>
 <FIRST_FOUND_DATE>
  <SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </FIRST_FOUND_DATE>
</TAG_CRITERIA>

>>> Edit only the two <DAYS> values to customize <<<

Web Server Stopped Responding | Vuln(QID) Exist | QID= 86476
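The Groovy rules in this table only run inside Qualys, so their edge cases (the "#table cols" header line in QID 45099 output, the 16-character guard and the fixed 15-character prefix that the QID 45038 parser assumes) cannot be unit-tested before a tag is created. The Python below is an added example, not code from this document or from Qualys: it re-implements the Groovy logic of the Asset In Multiple Groups, Asset In One Group, No Asset Group, No Hostname, Multiple IPs and Scan Time (>30m) rules over constructed asset records so the rules can be checked offline. The asset records and QID result texts are constructed, and the "Scan duration: " prefix is an assumption about the QID 45038 format.

```python
import re

# Constructed asset records standing in for the Groovy `asset` object:
# asset_type mirrors Asset.AssetType, tags lists each tag's reservedType,
# qid_results maps a QID to the text asset.resultsForQid() would return.
SAMPLE_ASSETS = {
    "web01": {
        "asset_type": "HOST",
        "tags": ["ASSET_GROUP", "ASSET_GROUP", "BUSINESS_UNIT"],
        "hostname": "web01",
        "qid_results": {
            45099: '#table cols="3"\nEthernet0\t10.0.0.5\t255.255.255.0'
                   '\nEthernet1\t10.0.1.5\t255.255.255.0',
            45038: "Scan duration: 2100 seconds",   # assumed QID 45038 format
        },
    },
    "orphan02": {
        "asset_type": "HOST",
        "tags": ["BUSINESS_UNIT"],
        "hostname": "   ",
        "qid_results": {
            45099: "Ethernet0\t10.0.0.9\t255.255.255.0",
            45038: "Scan duration: n/a seconds",    # malformed on purpose
        },
    },
    "portal-webapp": {"asset_type": "WEBAPP", "tags": ["ASSET_GROUP"],
                      "hostname": "portal", "qid_results": {}},
}

def is_host(asset):
    """Every Groovy rule on the page starts by skipping non-HOST asset types."""
    return asset.get("asset_type") == "HOST"

def asset_group_count(asset):
    # Mirrors asset.tags.reservedType.findAll { it == "ASSET_GROUP" }.size()
    return sum(1 for t in asset.get("tags", []) if t == "ASSET_GROUP")

def asset_in_multiple_groups(asset):
    return is_host(asset) and asset_group_count(asset) > 1

def asset_in_one_group(asset):
    return is_host(asset) and asset_group_count(asset) == 1

def no_asset_group(asset):
    return is_host(asset) and asset_group_count(asset) < 1

def no_hostname(asset):
    if not is_host(asset):
        return False
    name = asset.get("hostname")
    return name is None or len(name.strip()) == 0

def multiple_ips(asset, line_minimum=2):
    """'Multiple IPs': count lines of the QID 45099 output, discounting a
    leading '#table cols' header line, which is not an interface."""
    if not is_host(asset):
        return False
    results = asset.get("qid_results", {}).get(45099)
    if results is None:
        return False
    # Same count as Groovy's (results =~ /(?m)$/).size(): one per line end,
    # so a trailing newline adds one (the page's script shares that property).
    num = len(re.findall(r"(?m)$", results))
    if results.startswith("#table cols"):
        num -= 1
    return num >= line_minimum

def scan_time_exceeds(asset, threshold_minutes=30):
    """'Scan Time (>30m)': the Groovy takes substring(15, indexOf(' seconds')),
    i.e. it assumes a 15-character prefix such as 'Scan duration: ' (assumed)."""
    if not is_host(asset):
        return False
    text = asset.get("qid_results", {}).get(45038)
    if text is None or len(text) <= 16:
        return False
    end = text.find(" seconds")
    if end < 15:
        return False        # no ' seconds' marker: the Groovy would throw here
    try:
        seconds = int(text[15:end])
    except ValueError:      # non-numeric duration: Groovy's toInteger() throws
        return False
    return seconds > threshold_minutes * 60

RULES = {
    "Asset In Multiple Groups": asset_in_multiple_groups,
    "Asset In One Group": asset_in_one_group,
    "No Asset Group": no_asset_group,
    "No Hostname": no_hostname,
    "Multiple IPs": multiple_ips,
    "Scan Time (>30m)": scan_time_exceeds,
}

def evaluate_tags(asset):
    """Sorted names of the Informational tags this asset would receive."""
    return sorted(name for name, rule in RULES.items() if rule(asset))
```

The two places where this differs from the Groovy (returning False instead of throwing on a malformed QID 45038 result) are marked in comments; in Qualys a thrown exception means the tag is simply not assigned.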
 

Authentication Status

Category: Authentication Status
Category Prefix: <None>
Category (Parent) Tag Name: “Authentication Status”

Authentication Status tags are assigned to assets to indicate if the last scan successfully used authentication, if it failed, or if it was not attempted.

 

Tag Name | Rule Engine | Logic
Authentication Failed | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>105053</QID>
   <QID>105015</QID>
  </QID_LIST>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Windows and Unix/Cisco/Network SSH Authentication Record types.

Authentication Not Attempted | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>105296</QID>
   <QID>105297</QID>
  </QID_LIST>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Windows and Unix/Cisco/Network SSH Authentication Record types.

Authentication Successful | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
   <QID>70053</QID>
  </QID_LIST>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Windows and Unix/Cisco/Network SSH Authentication Record types.

Authentication Successful (username) | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
   <QID>70053</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>User_Name useraccountnamehere</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

>>> Edit only the useraccountnamehere string to customize <<<

*Only works with Windows and Unix/Cisco/Network SSH Authentication Record types.

NULL Session Allowed | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>70028</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>Authentication_Scheme NULL_session</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Windows Authentication Record types.

SNMP Authentication Failed | Vuln(QID) Exist | QID= 105192
SNMP Authentication Not Attempted | Vuln(QID) Exist | QID= 105298
SNMP Authentication Successful | Vuln(QID) Exist | QID= 78049

 

Authentication Details

Category: Authentication Details
Category Prefix: <None>
Category (Parent) Tag Name: “Authentication Details”

Where Authentication Status tags provide pass/fail/not-attempted information on assets, Authentication Details tags provide further authentication-related information that is valuable to Qualys administrators for determining where in the environment an Authentication Record is being used, whether any service accounts used for scanning are locked out of any Windows assets, and so on. It is possible for an asset to have one or more Authentication Details tags and no Authentication Status tags.
  
Tag Name | Rule Engine | Logic
Account Locked Out (username) | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>105052</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>username</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

>>> Edit only the username string to customize <<<

*Only works with Windows Authentication Record types.

AR: [authentication_record_name] | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
   <QID>70053</QID>
   <QID>105053</QID>
   <QID>105015</QID>
   <QID>105296</QID>
   <QID>105297</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>AUTHENTICATION_RECORD_NAME</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

>>> Edit only the AUTHENTICATION_RECORD_NAME string to customize <<<

Auth Scheme (Public Key) | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>Authentication_Scheme publickey</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Unix/Cisco/Network SSH Authentication Record types.

No Sudo | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>Using_sudo No</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

*Only works with Unix/Cisco/Network SSH Authentication Record types.
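The Asset Search rules in this table and the two before it share one XML shape: a DETECTION block with a QID_LIST and an optional RESULTS filter (SEARCH_TYPE CONTAINING plus one or more SEARCH_TERM values), or a LAST_SCAN_DATE/FIRST_FOUND_DATE criterion with WITHIN or NOT_WITHIN and a DAYS value. The Python below is an added example, not Qualys code: it parses that TAG_CRITERIA XML and evaluates it against constructed asset records (sample detection text, a constructed service-account name svc_qualys, a fixed reference date), so a customized SEARCH_TERM or DAYS value can be sanity-checked before the tag is created. The matching semantics it uses (sibling criteria ANDed, any listed QID, any SEARCH_TERM, case-sensitive CONTAINING) are assumptions; Qualys does the authoritative evaluation.

```python
import xml.etree.ElementTree as ET
from datetime import date, timedelta

# Two criteria copied from this page with their customizable values filled in:
# a constructed service-account name and the page's 90-day stale threshold.
AUTH_SUCCESS_USER = """<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>38307</QID>
   <QID>70053</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>User_Name svc_qualys</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>"""

STALE_ASSET = """<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <LAST_SCAN_DATE>
  <SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </LAST_SCAN_DATE>
 <FIRST_FOUND_DATE>
  <SEARCH_TYPE>NOT_WITHIN</SEARCH_TYPE>
  <DAYS>90</DAYS>
 </FIRST_FOUND_DATE>
</TAG_CRITERIA>"""

TODAY = date(2023, 5, 19)  # fixed reference date so the example is deterministic

# Constructed assets: detections maps QID -> result text; the dates stand in
# for the last-scan and first-found dates Qualys keeps (None = never scanned).
ASSETS = {
    "db01": {
        "detections": {38307: "Authentication_Scheme password\nUser_Name svc_qualys\nUsing_sudo Yes"},
        "last_scan": TODAY - timedelta(days=3),
        "first_found": TODAY - timedelta(days=400),
    },
    "fs02": {
        "detections": {70053: "Authentication_Scheme NTLM\nUser_Name scanadmin"},
        "last_scan": TODAY - timedelta(days=120),
        "first_found": TODAY - timedelta(days=500),
    },
}

def _date_match(search_type, days, event_date, today):
    """WITHIN: the event happened in the last `days` days; NOT_WITHIN: it did not (or never)."""
    within = event_date is not None and (today - event_date) <= timedelta(days=days)
    if search_type == "WITHIN":
        return within
    if search_type == "NOT_WITHIN":
        return not within
    raise ValueError(f"unsupported SEARCH_TYPE {search_type!r}")

def _detection_match(node, detections):
    """Any listed QID is present and, if RESULTS is given, its text contains a SEARCH_TERM."""
    qids = [int(q.text) for q in node.findall("QID_LIST/QID")]
    texts = [detections[q] for q in qids if q in detections]
    if not texts:
        return False
    results = node.find("RESULTS")
    if results is None:
        return True
    if results.findtext("SEARCH_TYPE") != "CONTAINING":
        raise ValueError("only CONTAINING is implemented in this example")
    terms = [t.text for t in results.findall("SEARCH_TERM")]
    return any(term in text for text in texts for term in terms)

def evaluate(criteria_xml, asset, today=TODAY):
    """True if the asset satisfies every top-level criterion (assumed to be ANDed)."""
    root = ET.fromstring(criteria_xml.encode("utf-8"))
    if root.tag != "TAG_CRITERIA":
        raise ValueError("expected a <TAG_CRITERIA> document")
    for node in root:
        if node.tag == "DETECTION":
            ok = _detection_match(node, asset["detections"])
        elif node.tag in ("LAST_SCAN_DATE", "FIRST_FOUND_DATE"):
            key = "last_scan" if node.tag == "LAST_SCAN_DATE" else "first_found"
            ok = _date_match(node.findtext("SEARCH_TYPE"), int(node.findtext("DAYS")),
                             asset.get(key), today)
        else:
            raise ValueError(f"unsupported criterion <{node.tag}>")
        if not ok:
            return False
    return True
```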

 

Type: Asset Type Tags

Category: Asset Type
Category Prefix: Type:
Category (Parent) Tag Name: “Type: Asset Type”

Asset Type tags are completely operating system agnostic, meaning that the “Type: Server” tag logic is designed to be assigned to any asset whose operating system is considered a server operating system by its publisher. These tags should not be confused with the Operating System category tags, since the two categories are intended to convey different things.
 
Tag Name | Rule Engine | Logic
Type: Cisco ASA | Asset Inventory | hardware.manufacturer:`Cisco Systems` and hardware.product:"ASA"
Type: Cisco Switch | Asset Inventory | hardware.manufacturer:`Cisco Systems` and hardware.category2:`Switch`
Type: Cisco Wireless Controller | Asset Inventory | hardware.manufacturer:`Cisco Systems` and hardware.product:"Wireless Controller"
Type: Client | Asset Inventory | operatingSystem.category2:`Client`
Type: Conferencing Equipment | Asset Inventory | hardware.category2:`Conferencing Equipment`
Type: Dell DRAC | Asset Inventory | hardware.manufacturer:`Dell EMC` and hardware.product:"DRAC"
Type: Domain Controller | Vuln(QID) Exist | QID= 90036
Type: Firewall Device | Asset Inventory | hardware.category2:`Firewall Device`
Type: HP iLO | Asset Inventory | hardware.manufacturer:`HPE` and hardware.product:`iLO`
Type: IP Phone | Asset Inventory | hardware.category2:`IP Phone`
Type: Load Balancer | Asset Inventory | hardware.category2:`Server Load Balancer`
Type: Load Balancer [Citrix] | Asset Inventory | hardware.category2:`Server Load Balancer` and hardware.manufacturer:`Citrix`
Type: Load Balancer [F5] | Asset Inventory | hardware.category2:`Server Load Balancer` and hardware.manufacturer:`F5 Networks`
Type: Mainframe | Asset Inventory | operatingSystem.category1:`Mainframe` or hardware.category2:`Mainframe`
Type: Mobile Device | Asset Inventory | hardware.category1:`Mobile`
Type: Mobile Device [Smartphone] | Asset Inventory | hardware.category1:`Mobile` and hardware.category2:`Smartphone`
Type: Mobile Device [Tablet] | Asset Inventory | hardware.category1:`Mobile` and hardware.category2:`Tablet`
Type: NAS Device | Asset Inventory | hardware.category2:`Network Attached Storage (NAS) Device`

Type: NCR ATM Machine | Asset Search
<?xml version="1.0" encoding="UTF-8"?>
<TAG_CRITERIA>
 <DETECTION>
  <QID_LIST>
   <QID>45304</QID>
   <QID>90235</QID>
   <QID>90074</QID>
  </QID_LIST>
  <RESULTS>
   <SEARCH_TYPE>CONTAINING</SEARCH_TYPE>
   <SEARCH_TERM>Unified Agent</SEARCH_TERM>
   <SEARCH_TERM>NCR Remote Agent</SEARCH_TERM>
   <SEARCH_TERM>ImageMark Passport ATM Agent</SEARCH_TERM>
   <SEARCH_TERM>NCR_START</SEARCH_TERM>
   <SEARCH_TERM>NCR.APTRA.CollectorProxy</SEARCH_TERM>
  </RESULTS>
 </DETECTION>
</TAG_CRITERIA>

Type: Network Switch | Asset Inventory | hardware.category2:`Switch`
Type: Palo Alto Device | Asset Inventory | hardware.manufacturer:`Palo Alto Networks`
Type: Palo Alto Firewall | Asset Inventory | hardware.manufacturer:`Palo Alto Networks` and hardware.category2:`Firewall Device`
Type: Print Server | Asset Inventory | hardware.category1:"Networking Device" and hardware.category2:"Print Server"
Type: Printer | Asset Inventory | hardware.category1:`Printers`
Type: Router | Asset Inventory | hardware.category2:`Bridges and Routers`
Type: Server | Asset Inventory | operatingSystem.category2:`Server`
Type: SharePoint Server | Asset Inventory | software:(publisher:`Microsoft` and name:"SharePoint Server") and services:(name:"SPAdmin" and status:"started")
Type: SQL Server | Asset Inventory | operatingSystem.category2:`Server` and (services:(name:`MSSQLSERVER` and status:`started`) or services:(name:`mssql-server.service` and status:`running`))
Type: Terminal Server | Asset Inventory | hardware.category2:`Terminal Server`
Type: Virtual Machine | Asset Inventory | hardware.category2:`Virtual Machine`
Type: Web Server | Asset Inventory | software:(category2:`Web Servers`) and operatingSystem.category2:`Server`
Type: Wireless Access Point | Asset Inventory | hardware.category2:`Wireless Access Point`
 

OS: Operating System Tags

Category: Operating System
Category Prefix: OS:
Category (Parent) Tag Name: “OS: Operating System”

Operating System tags provide general grouping of assets by operating system and market versions. For example, Windows 10 has several different editions and releases. Instead of having 10+ tags for all the different editions and releases of Windows 10, we create only one tag “OS: Windows 10” that is used to capture all Windows 10 assets, regardless of edition and release.

You may notice the “Type: Client” tag, see the “OS: Windows Client (All)” tag, and think the two are redundant. However, “OS: Windows Client (All)” groups all Windows client operating systems (Windows XP, Windows 8, Windows 10, etc.), whereas “Type: Client” includes all client operating systems, such as Windows, MacOS, Fedora, etc. Although on the surface these two categories appear similar enough to be redundant, they have very different uses.
 
Tag Name | Rule Engine | Logic

OS: AIX 5.x

Asset Inventory

operatingSystem.publisher:`IBM` and operatingSystem.name:`AIX` and operatingSystem.marketVersion:`5`

OS: AIX 6.x

Asset Inventory

operatingSystem.publisher:`IBM` and operatingSystem.name:`AIX` and operatingSystem.marketVersion:`6`

OS: AIX 7.x

Asset Inventory

operatingSystem.publisher:`IBM` and operatingSystem.name:`AIX` and operatingSystem.marketVersion:`7`

OS: AIX x.x

Asset Inventory

operatingSystem.publisher:`IBM` and operatingSystem.name:`AIX`

OS: Amazon Linux

Asset Inventory

operatingSystem.publisher:"Amazon Web Service" and operatingSystem.name:"Linux" and not operatingSystem.name:"AMI"

OS: Amazon Linux AMI

Asset Inventory

operatingSystem.publisher:"Amazon Web Service" and operatingSystem.name:"Linux" and operatingSystem.name:"AMI"

OS: Android

Asset Inventory

operatingSystem.category1:`Mobile` and operatingSystem.name:"Android"

OS: Apple Airport

Asset Inventory

hardware.manufacturer:Apple and hardware.product:AirPort

OS: Apple iOS

Asset Inventory

operatingSystem.category1:`Mobile` and operatingSystem.publisher:`Apple` and operatingSystem.name:"iOS"

OS: CentOS 4.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"Centos" and operatingSystem.marketVersion:`4`

OS: CentOS 5.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"CentOS" and operatingSystem.marketVersion:`5`

OS: CentOS 6.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"CentOS" and operatingSystem.marketVersion:`6`

OS: CentOS 7.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"CentOS" and operatingSystem.marketVersion:`7`

OS: CentOS 8.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"CentOS" and operatingSystem.marketVersion:`8`

OS: CentOS 8.x Stream

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.publisher:`The CentOS Project` and operatingSystem:"Stream" and operatingSystem.marketVersion:`8`

OS: CentOS x.x

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.name:"CentOS"

OS: Cisco ASA

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"ASA"

OS: Cisco IOS 11.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"11"

OS: Cisco IOS 12.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"12"

OS: Cisco IOS 13.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"13"

OS: Cisco IOS 14.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"14"

OS: Cisco IOS 15.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"15"

OS: Cisco IOS 16.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS" and operatingSystem.marketVersion:"16"

OS: Cisco IOS x.x

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS"

OS: Cisco IOS XE

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"IOS XE"

OS: Cisco IP Phone

Asset Inventory

operatingSystem.publisher: Cisco and hardware.category2:"IP Phone"

OS: Cisco NX-OS

Asset Inventory

operatingSystem.category1:`Network Operating System` and operatingSystem.publisher:`Cisco Systems` and operatingSystem.name:"NX-OS"

OS: Cisco PIX

Asset Inventory

operatingSystem.publisher:Cisco and operatingSystem.name:PIX

OS: F5 Networks TMOS

Asset Inventory

operatingSystem.publisher:`F5 Networks` and operatingSystem.name:`TMOS`

OS: Fedora

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Fedora"

OS: Fedora xx

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Fedora" and operatingSystem.marketVersion:`33`

OS: FreeBSD

Asset Inventory

operatingSystem.publisher:`The FreeBSD Project`

OS: FreeBSD xx

Asset Inventory

operatingSystem.publisher:`The FreeBSD Project` and operatingSystem.marketVersion:`8`

OS: Juniper IVE OS

Asset Inventory

operatingSystem.publisher:`Juniper Networks` and operatingSystem.name:"IVE OS"

OS: Juniper JUNOS

Asset Inventory

operatingSystem.publisher:`Juniper Networks` and operatingSystem.name:"JUNOS"

OS: Juniper ScreenOS

Asset Inventory

operatingSystem.publisher:`Juniper Networks` and operatingSystem.name:"ScreenOS"

OS: Kali Linux

Asset Inventory

operatingSystem.publisher:`Offensive Security` and operatingSystem.name:"Kali"

OS: Linux (All)

Asset Inventory

operatingSystem.category1:`Linux`

OS: Linux Client (All)

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.category2:`Client`

OS: Linux Server (All)

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.category2:`Server`

OS: MacOS

Asset Inventory

operatingSystem.category1:`Mac`

OS: MacOS 10.12 Sierra

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Sierra`

OS: MacOS 10.13 High Sierra

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`High Sierra`

OS: MacOS 10.14 Mojave

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Mojave`

OS: MacOS 10.15 Catalina

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Catalina`

OS: MacOS 11 Big Sur

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Big Sur`

OS: MacOS 12 Monterey

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Monterey`

OS: MacOS 13 Ventura

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.marketVersion:`Ventura`

OS: MacOS X

Asset Inventory

operatingSystem.category1:`Mac` and operatingSystem.name:X

OS: Oracle ACME Packet OS

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"ACME Packet OS"

OS: Oracle Linux 4.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux" and operatingSystem.marketVersion:`4`

OS: Oracle Linux 5.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux" and operatingSystem.marketVersion:`5`

OS: Oracle Linux 6.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux" and operatingSystem.marketVersion:`6`

OS: Oracle Linux 7.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux" and operatingSystem.marketVersion:`7`

OS: Oracle Linux 8.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux" and operatingSystem.marketVersion:`8`

OS: Oracle Linux x.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Linux"

OS: Oracle Solaris 7.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris" and operatingSystem.marketVersion:`7`

OS: Oracle Solaris 8.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris" and operatingSystem.marketVersion:`8`

OS: Oracle Solaris 9.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris" and operatingSystem.marketVersion:`9`

OS: Oracle Solaris 10.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris" and operatingSystem.marketVersion:`10`

OS: Oracle Solaris 11.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris" and operatingSystem.marketVersion:`11`

OS: Oracle Solaris x.x

Asset Inventory

operatingSystem.publisher:`Oracle` and operatingSystem.name:"Solaris"

OS: Palo Alto Networks PAN-OS 7.x

Asset Inventory

operatingSystem.publisher:`Palo Alto Networks` and operatingSystem.name:"PAN-OS" and operatingSystem.marketVersion:`7`

OS: Palo Alto Networks PAN-OS 8.x

Asset Inventory

operatingSystem.publisher:`Palo Alto Networks` and operatingSystem.name:"PAN-OS" and operatingSystem.marketVersion:`8`

OS: Palo Alto Networks PAN-OS 9.x

Asset Inventory

operatingSystem.publisher:`Palo Alto Networks` and operatingSystem.name:"PAN-OS" and operatingSystem.marketVersion:`9`

OS: Palo Alto Networks PAN-OS x.x

Asset Inventory

operatingSystem.publisher:`Palo Alto Networks` and operatingSystem.name:"PAN-OS"

OS: Red Hat CoreOS

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"CoreOS"

OS: RHEL Server 5.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server" and operatingSystem.marketVersion:`5`

OS: RHEL Server 6.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server" and operatingSystem.marketVersion:`6`

OS: RHEL Server 7.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server" and operatingSystem.marketVersion:`7`

OS: RHEL Server 8.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server" and operatingSystem.marketVersion:`8`

OS: RHEL Server 9.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server" and operatingSystem.marketVersion:`9`

OS: RHEL Server x.x

Asset Inventory

operatingSystem.publisher:`Red Hat` and operatingSystem.name:"Linux Server"

OS: Ubuntu 14.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"14."

OS: Ubuntu 15.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"15."

OS: Ubuntu 16.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"16."

OS: Ubuntu 17.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"17."

OS: Ubuntu 18.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"18."

OS: Ubuntu 19.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"19."

OS: Ubuntu 20.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"20."

OS: Ubuntu 21.x

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu" and operatingSystem.version:"21."

OS: Ubuntu xx

Asset Inventory

operatingSystem.publisher:`Canonical` and operatingSystem.name:"Ubuntu"

OS: Unidentified

Asset Inventory

operatingSystem.category1:`Unidentified` or operatingSystem.category1:`Unknown`

OS: Unidentified [Linux]

Asset Inventory

operatingSystem.category1:`Linux` and operatingSystem.publisher:`Unidentified`

OS: Unidentified [Unix]

Asset Inventory

operatingSystem.category1:`Unix` and operatingSystem.publisher:`Unidentified`

OS: Unidentified [Windows]

Asset Inventory

operatingSystem.category1:`Windows` and (operatingSystem.category2:`Unidentified` or operatingSystem.category2:`Unknown`)

OS: Unix (All)

Asset Inventory

operatingSystem.category1:`Unix`

OS: Unix Server (All)

Asset Inventory

operatingSystem.category1:`Unix` and operatingSystem.category2:`Server`

OS: NIX (All)

Asset Inventory

operatingSystem.category1:`Linux` or operatingSystem.category1:`Unix`

OS: vCenter Server Appliance 5.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"Server Appliance" and operatingSystem.marketVersion:`5`

OS: vCenter Server Appliance 6.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"Server Appliance" and operatingSystem.marketVersion:`6`

OS: vCenter Server Appliance 7.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"Server Appliance" and operatingSystem.marketVersion:`7`

OS: vCenter Server Appliance x.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"Server Appliance"

OS: VMware ESX 3.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESX" and operatingSystem.marketVersion:`3` and not operatingSystem:(name:"ESXi" or name:"vCenter")

OS: VMware ESX 4.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESX" and operatingSystem.marketVersion:`4` and not operatingSystem:(name:"ESXi" or name:"vCenter")

OS: VMware ESX x.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESX" and not operatingSystem:(name:"ESXi" or name:"vCenter")

OS: VMware ESXi 3.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESXI" and operatingSystem.marketVersion:`3`

OS: VMware ESXi 4.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESXI" and operatingSystem.marketVersion:`4`

OS: VMware ESXi 5.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESXI" and operatingSystem.marketVersion:`5`

OS: VMware ESXi 6.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESXI" and operatingSystem.marketVersion:`6`

OS: VMware ESXi x.x

Asset Inventory

operatingSystem.publisher:`VMware` and operatingSystem.name:"ESXi"

OS: Windows 7

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:`7`

OS: Windows 7 Embedded

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Embedded` and operatingSystem.marketVersion:`7`

OS: Windows 8

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:"8"

OS: Windows 8 Embedded Industry Enterprise

Asset Inventory

operatingSystem.category1:Windows and operatingSystem.category2:Embedded and operatingSystem.marketVersion:8 and operatingSystem.edition:Enterprise

OS: Windows 8 Embedded Industry Pro

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Embedded` and operatingSystem.name:"Industry" and operatingSystem.edition:`Pro` and operatingSystem.marketVersion:"8."

OS: Windows 10

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:`10`

OS: Windows 11

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:`11`

OS: Windows 95

Asset Inventory

operatingSystem.category1:Windows and operatingSystem.category2:Client and operatingSystem.marketVersion:"95"

OS: Windows 2000

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.marketVersion:`2000`

OS: Windows CE

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Embedded` and operatingSystem.name:"CE"

OS: Windows Client (All)

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client`

OS: Windows Embedded

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Embedded`

OS: Windows Embedded Standard

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Embedded` and operatingSystem.edition:`Standard`

OS: Windows NT

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.marketVersion:`NT`

OS: Windows Server (All)

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server`

OS: Windows Server 2003

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2003"

OS: Windows Server 2008

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2008"

OS: Windows Server 2012

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2012"

OS: Windows Server 2016

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2016"

OS: Windows Server 2019

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2019"

OS: Windows Server 2022

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2022"

OS: Windows Storage Server 2003

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2003" and operatingSystem.name:"Storage"

OS: Windows Storage Server 2008

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2008" and operatingSystem.name:"Storage"

OS: Windows Storage Server 2012

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2012" and operatingSystem.name:"Storage"

OS: Windows Storage Server 2016

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Server` and operatingSystem.marketVersion:"2016" and operatingSystem.name:"Storage"

OS: Windows Vista

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:`Vista`

OS: Windows XP

Asset Inventory

operatingSystem.publisher:`Microsoft` and operatingSystem.category2:`Client` and operatingSystem.marketVersion:`XP`

 

SW: Software Tags

Category: Software
Category Prefix: SW:
Category (Parent) Tag Name: “SW: Software”

Software tags are used to easily identify and group assets by the software that is installed on, or missing from, an asset. There are many use cases for these tags and the list below is far from comprehensive. Any application your organization uses and considers critical can have an associated tag, so you can quickly and easily report on assets based on what software they do or do not have.

Software tags can be used in conjunction with others. For example, you may want to identify Windows servers with iTunes installed; using “OS: Windows Server (All)” and “SW: iTunes” together will return the information you are after. In a real-world scenario, these tags were used during an incident response investigation at a Fortune 500 organization: the organization’s Security Operations Center (SOC) received alerts on outbound network traffic from an internal server communicating with a target host associated with ransomware. The source host was identified and quickly determined to be missing antivirus software. Using the QQL query below:

(tags.name:`AG: Example Asset Group` and tags.name:`Type: Server`) and not tags.name:`SW: Antivirus Installed`

the customer was able to quickly identify which servers on the same subnet the ransomware could spread to, and to notify system owners and other key players so they could assess the potential spread of impact and implement mitigating actions.
 
Tag Name / Rule Engine / Logic

SW: Antivirus Installed

Asset Inventory

(operatingSystem.category2:`Server` or operatingSystem.category2:`Client`) and software:(category2:`Antivirus`)

SW: Antivirus Missing

Asset Inventory

(operatingSystem.category2:`Server` or operatingSystem.category2:`Client`) and not software:(category2:`Antivirus`)

SW: CS Falcon Sensor Installed

Asset Inventory

(operatingSystem.category2:`Server` or operatingSystem.category2:`Client`) and software:(product:`Falcon Sensor`)

SW: CS Falcon Sensor Missing

Asset Inventory

(operatingSystem.category2:`Server` or operatingSystem.category2:`Client`) and not software:(product:`Falcon Sensor`)

SW: Docker Engine

Asset Inventory

software:(publisher:`Docker` and product:`Docker Engine`)

SW: iTunes

Asset Inventory

software:(product:`iTunes` and publisher:`Apple`)

SW: QuickTime

Asset Inventory

software:(product:`QuickTime` and publisher:`Apple`)

SW: SharePoint Server

Asset Inventory

software:(publisher:`Microsoft` and product:`SharePoint Server`)

SW: Splunk Universal Forwarder Installed

Asset Inventory

software:(publisher:`Splunk`) and software:(product:`Universal Forwarder`)
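As an added example (not code from Qualys or from this document's author), the Python below models how the SW: tag rules listed above compose with static AG: and Type: tags in the incident-response query from the Software section, run over a constructed asset inventory. The asset names, the AG: group and the Type: tag values are assumptions; real tags are evaluated by the Asset Inventory rule engine, not by this script.

```python
# Added example (not Qualys' or the author's code): a small model of how the
# SW: tag rules on this page compose with static AG:/Type: tags. The asset
# records and most tag names are constructed; Qualys evaluates real tags.
from typing import Callable
# Constructed inventory: OS category2, installed software, existing static tags.
ASSETS = [
    {"name": "srv-01", "os_cat2": "Server",
     "software": [{"publisher": "CrowdStrike", "product": "Falcon Sensor",
                   "category2": "Antivirus"}],
     "tags": {"AG: Example Asset Group", "Type: Server"}},
    {"name": "srv-02", "os_cat2": "Server", "software": [],
     "tags": {"AG: Example Asset Group", "Type: Server"}},
    {"name": "srv-03", "os_cat2": "Server",
     "software": [{"publisher": "Apple", "product": "iTunes", "category2": "Media"}],
     "tags": {"AG: Other Group", "Type: Server"}},
    {"name": "wks-01", "os_cat2": "Client", "software": [],
     "tags": {"AG: Example Asset Group", "Type: Workstation"}},
    # A switch: neither Server nor Client, so no SW: Antivirus tag should apply.
    {"name": "sw-01", "os_cat2": "Network", "software": [],
     "tags": {"AG: Example Asset Group"}},
]

def has_software(asset: dict, **match: str) -> bool:
    """True if any installed package matches every given field (software:(...))."""
    return any(all(pkg.get(k) == v for k, v in match.items())
               for pkg in asset["software"])

def server_or_client(asset: dict) -> bool:
    return asset["os_cat2"] in ("Server", "Client")

# Dynamic rules mirroring the SW: tags above (Python predicates, not QQL).
RULES: dict[str, Callable[[dict], bool]] = {
    "SW: Antivirus Installed":
        lambda a: server_or_client(a) and has_software(a, category2="Antivirus"),
    "SW: Antivirus Missing":
        lambda a: server_or_client(a) and not has_software(a, category2="Antivirus"),
    "SW: iTunes": lambda a: has_software(a, publisher="Apple", product="iTunes"),
}

def apply_rules(assets: list) -> list:
    """Return copies of the assets with every dynamic tag whose rule matches."""
    return [{**a, "tags": a["tags"] | {n for n, r in RULES.items() if r(a)}}
            for a in assets]

def at_risk_servers(assets: list) -> list:
    """(AG: Example Asset Group and Type: Server) and not SW: Antivirus Installed."""
    return sorted(a["name"] for a in apply_rules(assets)
                  if {"AG: Example Asset Group", "Type: Server"} <= a["tags"]
                  and "SW: Antivirus Installed" not in a["tags"])
```

The switch earns neither antivirus tag because both rules are scoped to Server or Client assets, which is why the query reports only servers lacking antivirus rather than every asset without it.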