12.4 Tagging Events

Tags are user-defined values that can be used to logically group data collection objects such as event routing rules, report templates, and report results. Tags help you to filter object lists for the data collection objects and also to augment incoming data. You can search for events, report templates, and report definitions that are tagged with a particular tag.

You can associate objects with more than one tag. You can, for example, create tags related to regulations (PCI) or compromised systems or network infrastructure such as routers, switches, and firewalls. Some organizations need to define data retention or data viewing policies based on the geographic location, so tags can be used to tag event sources based on different locations.

The Tag icon allows you to quickly add tags to the desired data collection objects such as report templates, and report results.

Following sections provide information about tagging:

12.4.1 Creating a Tag

To create a tag:

  1. Select Tags in the navigation panel on the left or click the Tag icon in the appropriate data object interface to which you want to associate tags.

  2. Click Create.

  3. Specify a name for the tag.

    Tags have the following naming conventions, and a warning message is displayed if the name you specify does not comply with the following conventions:

    • Tag names should not be more than 20 characters.

    • There should not be any white space as part of the tag name.

    • A tag name is not case-sensitive. You cannot create two tags with identical names except for capitalization. For example, you cannot have the tag names IDM and idm, because both are perceived as the same name.

  4. Specify an optional description for the tag.

    If the tag name is available, a message is displayed.

    If a tag with the same name already exists, a message is displayed indicating the name is not unique. You must specify a different name for the tag.

  5. Click Save.

12.4.2 Viewing Tagged Events

You must have the appropriate permission to view events that are tagged with specific tags. For example, only users in the PCI Compliance Auditor role can view events that are tagged with at least one of the regulation-related tags such as PCI, SOX, HIPAA, NERC_CIP, FISMA, GLBA, NISPOM, JSOX, and ISO/IEC_27002:2005.

To view tagged events, do any of the following:

  • From the Tags panel, select the tag for which you want to view events, then select Search.

  • In the Search field, click the Tag icon, select the desired tags, then click OK. Click Search.

  • In the Search field, specify rv145:<tagname> or @<tagname> as the search criteria, then click Search.

12.4.3 Managing Tags

You can add and remove to favorites, view, edit, and sort tags

Following section provide information about managing tags.

Adding and Removing Tags from Favorites

You can add your frequently used tags to the Favorites section so that it is easier to locate them and associate them with objects. When a tag is added to the Favorites section, it is removed from the Other section.

To add or remove a tag from Favorites:

  1. Log in as a user in the Manage Tags role.

  2. Select Tags in the navigation panel on the left.

  3. To add or remove a tag from Favorites, select the tag, then click the Favorites icon.

Sorting Tags

You can sort tags either based on their names or based on the number of objects associated with the tags.

To sort tags:

  1. Log in as a user in the Manage Tags role.

  2. Select Tags in the navigation panel, then click More.

  3. (Conditional) To sort the tags in the alphabetical order, select Sort by Name.

  4. (Conditional) To sort the tags based on the number of objects associated with them, select Sort by Count.

The Tags are sorted according to the selection.

Viewing and Modifying Tags

You can modify only the description of a tag.The tag name cannot be modified because it might be used to tag events and other data collection objects, and it is not an accepted practice to modify events that are already stored. Therefore, to modify the name of a tag, you must create a new tag.

To view or modify a tag:

  1. Log in as a user in the Manage Tags role.

  2. Select Tags in the navigation panel on the left.

  3. Select the tag that you want to edit, and click the Edit icon.

  4. Modify the description as necessary, then click Save.

12.4.4 Performing Text Searches for Tags

This option is useful when you want to look for a particular tag.

To search a tag:

  1. Log in as a user in the Manage Tags role.

  2. Select Tags in the navigation panel on the left.

  3. To search for a particular tag, specify the name or description of the tag or a keyword. To search for multiple tags, specify the tag names separated by the space character.

    The tag that matches the keyword is displayed.

12.4.5 Deleting Tags

To delete a tag:

  1. Log in as a user in the Manage Tags role.

  2. Select Tags in the navigation panel on the left.

  3. Select the tag that you want to delete, then click the Delete icon.

    The Change Guardian tag is a system tag that tags all Change Guardian internal events, and cannot be deleted.

  4. Click Delete to confirm deletion.

12.4.6 Associating Tags with Objects

You can associate tags with event routing rules, and reports and report templates. You can add more than one tag to a data collection object. However, the rv145 field, which stores the tag value, can hold a maximum of 256 characters. Therefore, the maximum number of tags that you can associate with an object depends on the length of the tag name.

Associating Tags with Event Routing Rules

To associate tag with event routing rules:

  1. Click Routing in the toolbar, then click Create.

  2. Specify a name and filter criteria for the rule.

  3. Click Select tag, then select the tags that you want to associate with the rule.

  4. Click Set.

Associating Tags with Report Results and Report Definitions

NOTE:When a tag is set on a report definition, the report results under the report definition inherit the tag by default. Inherited tags for a report result appear disabled in the Tag selector dialog box.

To associate a tag with reports:

  1. Select Reports in the navigation panel on the left.

  2. Select the report result or the report definition that you want to associate with a tag.

  3. Do one of the following:

    • Select Tags from the more drop-down list.

    • Click Edit at the bottom left pane.

  4. Select one or more tags that you want to associate with selected reports.

  5. Click Set.