Tagging Agents by Agent Group in Tenable.io

Casey Reid a.k.a Packet Chaos
Dec 8, 2022

When trying to understand risk, we almost always gravitate towards logical groupings of assets: location, department, technology, software, form-factor, compute type, etc.

Screen Shot from Tenable’s Website on Tenable One

These logical groupings help infer context and, when used strategically, can influence quick positive change in your risk posture. Think gamifying results between departments to yield a better outcome.

In Tenable.io, tagging is the method by which you group assets, and tags can be used throughout the platform for scanning, reporting, exporting and more.

Seriously Tag them!

To learn more about tagging, watch a 3 minute video on the Tenable YouTube channel.

Tenable One is built around this concept of understanding risk by logical grouping, and in Tenable.io there are thousands of different tagging combinations that help you dig into the data where it matters most.

If you are not familiar with Tenable One, it’s an Exposure Management Platform helping you gain visibility across the modern attack surface.

I came here for Agent Tagging!?!

Ah yes, now that I've got WHY anyone would want to tag an asset out of the way, I can explain why I wrote this article and built the solution.

Agent groups were created to organize and manage agents linked to Tenable.io. They're most useful in managing scans by helping you avoid scanning all of your agents at once or scanning one at a time. As I write this, there isn’t a built-in way to tag your agents using their Agent Group name.

However, implementing the solution is crazy simple: a single command per Agent Group, like the one below:

navi tag --c "Agent Group" --v "Linux" --group "Linux"

In the above example, I’m naming my Tag Category “Agent Group” while mirroring the tag value with the Agent Group name, “Linux”.

For this to work properly, you will need to have the navi.db populated with agent data. So make sure you run the command below if you don’t already use navi:

navi update full

Introducing Tagging with Navi

Navi is a command-line interface that I created and have supported since Tenable.io was launched four years ago. It allows the user to navigate the Tenable.io APIs and unlock complicated features like tagging in advanced ways.

Screenshot from Navi 7.1.19

To get more information on Navi, check out my article “Getting Started with Navi” and the Navi GitHub page.

How does it work?

Like most things, once you see how it is done, it ends up being very simple. In this case, I’m making a few calls to the API to get the Agent UUID and then using the Tenable.io tagging endpoint to tag those assets using the category and value supplied.

I use the provided group name “Linux” and send a GET request to the Agent group endpoint so I can pull the relevant agents:

code snippet

Then I loop through each agent, grabbing its UUID. The UUID doesn’t have dashes, so I restructure it using the Python uuid library:

Now that I have the UUIDs, I can tag them using the tagging endpoints. Shown below:

You need to create a Tag Category and Tag Value, then update that tag with the correct asset UUIDs. Keep in mind that the API has a limit of 2000 UUIDs per PUT request, which makes the code a bit more complex.
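The two offline steps described above, as an added example that is not taken from navi's tag.py or tag_helper.py: restoring dashes to the agent UUIDs and splitting the result into batches that respect the 2000-UUID limit. The `uuid` key on each agent record and the helper names are assumptions, and the sample agents are constructed.

```python
import uuid
from typing import Iterable, Iterator, List

MAX_UUIDS_PER_PUT = 2000  # per-request limit stated in the article


def normalize_uuid(raw: str) -> str:
    """Return the canonical dashed form of a 32-hex-digit UUID string."""
    # uuid.UUID accepts hex with or without dashes; anything else raises ValueError.
    return str(uuid.UUID(raw.strip()))


def collect_asset_uuids(agents: Iterable[dict]) -> List[str]:
    """Pull, normalize and de-duplicate UUIDs from agent records.

    Records with a missing or malformed UUID are skipped so that one bad
    entry cannot fail a whole tagging request.
    """
    seen, out = set(), []
    for agent in agents:
        try:
            value = normalize_uuid(agent.get("uuid") or "")  # "uuid" key is assumed
        except ValueError:
            continue
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


def batches(items: List[str], size: int = MAX_UUIDS_PER_PUT) -> Iterator[List[str]]:
    """Yield consecutive slices of at most `size` items, one per PUT request."""
    for start in range(0, len(items), size):
        yield items[start:start + size]


# Constructed sample: 4501 dash-less UUIDs, plus one duplicate and one bad record.
SAMPLE_AGENTS = [{"name": f"host-{i}", "uuid": uuid.UUID(int=i + 1).hex} for i in range(4501)]
SAMPLE_AGENTS += [{"name": "dup", "uuid": uuid.UUID(int=1).hex},
                  {"name": "bad", "uuid": "not-a-uuid"}]

if __name__ == "__main__":
    uuids = collect_asset_uuids(SAMPLE_AGENTS)
    for n, batch in enumerate(batches(uuids), 1):
        # A real client would issue one tagging PUT per batch here.
        print(f"request {n}: {len(batch)} UUIDs, first={batch[0]}")
```

Logging how many records were skipped as malformed is a useful addition in practice, since untagged agents silently drop out of any tag-scoped scan or report.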

If you are a developer, not afraid of complexity, and want to reinvent the wheel, take a look at my GitHub page under tag.py and tag_helper.py.

Conclusion

Now that you have your Agent Groups tagged, you can integrate them with your other workloads: export by tag, dashboard by tag, report by tag and generally make your Agent reporting life much better!

Thank you for reading!
