Automate tagging asset owners and alerting on orphaned devices

runZero Team

Updated March 22, 2021, 3:00am EDT

Tags help you to organize your asset inventory, allowing you to quickly search, group, and flag assets. You can apply tags to assign ownership, location, criticality, and groups, as well as use them to flag assets that need deeper analysis. In addition to asset tags, you can also apply subnet-level tags in the site configuration, which function as virtual tags for any assets within those networks.

Tags provide better context for your assets #

Tags can provide meaningful context for assets, so you can search or filter based on function or business impact. For example, if there are devices managed by different teams, you can apply tags to specify who owns it. You can slice and dice assets based on different levels of your company.

There are a couple of ways to tag assets. From your inventory, you can run a query and manually tag assets. However, for a more efficient and automated way to tag your assets, you can use the Rules Engine.

Automate tagging with the Rules Engine #

The Rules Engine is an automation framework for monitoring, alerting, and acting on events. It uses rules to define the automated action that occurs when a set of conditions are true. The automated action can be an alert or a modification to an asset field after a scan completes. In this case, a rule will run a query after a scan completes and tag any assets that match the search criteria in the site associated with that scan.

For example, if you know that a device type, like a switch, belongs to the networking team, you can automatically tag them. You can specify tags as a single label, networking, or as a key-value pair, owner=networking.

How to automate asset tagging #

Let's take our example: we want to tag switch owners as the networking team.

Step 1. Create a rule

In the runZero Console, go to the Alerts page, located under Global Settings. From the Rules tab, create a rule.

Step 2. Choose an event type

For the rule, choose asset-query-results. This will apply the query to the asset inventory.

Step 3. Configure a query and conditions for the rule

To search for switches, enter type:"switch"into the Query field and set the minimum matches for the query. Enter >=1.

For the organization, you can limit the scope of this rule to any organization and site.

Step 4. Configure the action

For the action, select Modify asset.

In the Set asset tags field, enter owner=networking.

Save the rule.

Step 5. See the results

The next time a scan completes, this rule, if enabled, will trigger if all the conditions are met. The search will find all assets with type:"switch" and update the tags with owner=networking. You'll see the updated tags in your inventory.

To see the results, go to your asset inventory. In the asset inventory query field, enter owner=networking. All assets tagged with owner=networking will appear in the results.

Step 6. Share the query

For any inventory search, including ones containing asset tags, click the [:link:] icon in the toolbar to get a shareable link to your current search query.

Automate alerts on orphaned devices #

Another way you can use the Rules Engine is to identify orphaned devices. Similarly to how you created a rule to automate owner tagging, you can create a rule that automates alerts for orphaned, or unowned, devices.

How to automate alerts for orphaned devices #

The use case: we want to know when there are assets that don't have an owner.

Step 1. Create a new rule

Go to the Alerts page, located under Global Settings. From the Rules tab, create a rule and choose asset-query-results as the event type.

Step 2. Configure a query for the rule

From the New Rule page, give the rule a name. Then, enter NOT tag:owner in the Query field. This query will find assets that do not have an owner.

Set the minimum matches for the query. Enter >=1.