Tag Management

• Overview

• Tag Types

• Tag Examples

• Tag Management

• View Your Tags

• Search for a Tag

• Add a New Tag

• Manage a Tag Permission

• Users tab

• Roles tab

 

Overview

A Tag is a kind of container which holds 1 or more Targets (for example, Marketing Laptops, Windows Servers, HR Databases, etc.) or Assets for the purpose of scanning those Targets/Assets.

• Tags are useful for purposes such as organizing Targets/Assets for reporting, policy management, Role-Based Access Control, and other operations within the console.

• Bulk actions can be performed on Assets which are grouped within a single Tag.

  • See Working with Data Assets and Targets

Note: An Asset can be both an Asset and a Target. For example, a single workstation acts as both an Asset and a Target (the workstation is scanned for sensitive data by Sensitive Data Platform).

Tag Types

There are three types of Tags:

• IP Range: Includes Agents and Targets based on an IP range.

• Manual: Includes Agents and Targets manually added to your tag.

• Conditional: Includes Agents and Targets captured by a set of user-defined parameters.

  • Note: Conditional tags do not update instantly. When you save the tag the conditions are evaluated and applicable endpoints are assigned. A background job runs every hour to re-evaluate and make adjustments as necessary.

    • For example, you create a conditional Tag filtered for > 13 agents. When the Tag is saved, it shows 2 endpoints.

      • Shortly after the Tag is saved, a new v13 Agent registers with the console.

      • It may take up to an hour before the new Agent appears in the Tag.

Tag Examples

• The Tag Marketing Laptops is a IP Range type Tag that includes a hundred employee laptops (associated machines)

• The Tag HR Databases is a manual type Tag that includes databases used by the HR department.

  • For example: Oracle_holiday, SQL1, and MayDay2025

• The Tag Cloud Sources is a manual type Tag that includes targets in the cloud.

  • For example: Box2021, S3_dev1, and GitHub2025

• The Tag "macOS" is a Conditional type Tag that captures Agents/Targets (desktops, laptops, servers etc.), also called endpoints, referred to here as "Endpoint Platform," which have MacOS ("MAC" also can be used) in their endpoint platform name. See the image below:
  
  

Tag Management

See the topics below for more information:

Access the Tag Management Screen

To access this screen:

1. From the left menu, click Data Asset Inventory.
   
   

2. Click Tag Management.
   
   

View Your Tags

The left-hand side All Tags section displays the Tags.

To view your Tags, use the following steps:

1. Click the chevron (>) icon to view the nested tags.
   
   

2. Click a Tag to display its information in the Tag Summary Details section on the right-hand side.
   The section displays fields:

   • Tag Name: The name of the Tag.
   • Tag Type: The method of adding a target to a tag.
     • IP range
     • Manual
     • Conditional
   • Targets: List of Targets associated with the selected tag. Search entry field enables you to search for specific Targets in the list.
     
     

Search for a Tag

1. In the search box, type a Tag name.
   
   

2. Click the lens icon () or click Enter.

3. The search results are displayed in the All Tags section.
   
   

4. Click the chevron (>) icon next to a tag in the list to expand the tag and view any child tags.
   
   
   

5. The Tag Summary Details display for the selected tag, and, if applicable, the child tag(s) display in the list.

6. Click Go Back to return to the main view.

Using Filters to View Tags

Use the Filter feature to view results based on different criteria.

To search with filters:

1. In the top left of the screen, select a tag type from the Filter by option.
   
   

2. The search results display in the All Tags section below.

3. Click Clear All to clear your search results.
   
   

Add a New Tag

There are 3 types of Tags you can add:

• Add an IP Range Tag

• Add a Manual Tag

• Add a Conditional Tag

Add an IP Range Tag

To add an IP Range tag:

1. In the top right of the screen, click Add Tag.

2. In the Create New Tag pop-up window, complete the following:

   • Tag Name: Enter the tag name.

     • Maximum of 50 characters

     • Alphanumeric and Special characters are supported

     • Duplicate Names are not allowed.

     • All Microsoft Special Characters are allowed:

       • ~`!@#$%^&*()_-+={}|[]:"<>?;',./]

   • Select IP Range from the Tag Type drop-down list.
     
     

   • IP Range: Enter the IP range.

   • Tag Placement:

     • Set as High Level Tag: Select this option to set the new tag as high-level (parent) tag under which child tags can be nested.

     • Nest Tag: Select a high-level (parent) tag to nest this new tag under as a child tag.
       
       

3. Click Save to save the tag, Save & Create Another Tag to save this tag and create another, or Cancel to discard.

Add a Manual Tag

To add a Manual tag:

1. In the top right of the screen, click Add Tag.

2. In the Create New Tag pop-up window, complete the following:

   1. Tag Name: Enter the tag name.

      • Maximum of 50 characters

      • Alphanumeric and Special characters are supported

      • Duplicate Names are not allowed.

      • All Microsoft Special Characters are allowed:

        • ~`!@#$%^&*()_-+={}|[]:"<>?;',./]

   2. Select Manual from the Tag Type drop-down list.
      
      

   3. In the Tag Placement section, select an option:

      • Set as High Level Tag: Select this option to set the new tag as high-level (parent) tag under which child tags can be nested.

      • Nest Tag: Select a high-level (parent) tag to nest this new tag under as a child tag.
        
        

3. Click Save to create the tag, Save & Create Another Tag to save this tag and create another, or Cancel to discard.

Add a Conditional Tag

To add a Conditional tag use the following steps:

1. In the top right of the screen, click Add Tag.

2. In the Create New Tag pop-up window, complete the following:

   1. Tag Name: Enter a name in the Tag Name box.

      • Maximum of 50 characters

      • Alphanumeric and Special characters are supported

      • Duplicate Names are not allowed.

      • All Microsoft Special Characters are allowed:

        • ~`!@#$%^&*()_-+={}|[]:"<>?;',./]

      • Select Conditional from the Tag Type drop-down list.
        
        

3. Select an option from the Action Type (left) drop-down list.
   
   

4. Select an option from the Operator (center) drop-down list.
   The values available depend on the selection in the Action Type drop-down list.
   
   

5. Enter or choose a value in the Value Input (right) box.
   The values available depend on the selection in the Action Type drop-down list.
   
   

6. To add or remove conditions:

   1. Click the Add icon () to add an additional group or value.

   2. Click the Remove icon () to delete a group or value.

7. In the Tag Placement section, select an option:

   • Set as High Level Tag: Select this option to set the new tag as high-level (parent) tag under which child tags can be nested.

   • Nest Tag: Select a high-level (parent) tag to nest this new tag under as a child tag.

8. Click Save to save the tag, Save & Create Another Tag to save and create another tag, Cancel to discard.

The following table details the available options for Conditional Tags.

Note: A single result matches all of the conditions: Selecting this option requires a single result in a search location to match all of the conditions in a definition for the rule to be applied.

A group of results match all of the conditions: Selecting this option requires a group of results in a search location to match all of the conditions in a definition for the rule to be applied. Additionally, when the filter is set to Quantity, Action, or Data Types; you can create horizontal AND groups. Within a horizontal AND group all conditions must be met by a single result to be considered a match.

Action Type	Operator	Description	Value Input
ACL: Ace Type	Contains Does Not Contain Is Empty Is Not Empty	A filter which restricts based upon the ACE (Access Control Entry) Type.	Specify the value to be used to qualify the data. Options include: Allow, Deny, System Alarm, and System Audit
ACL: Authorization		A filter which restricts based upon the specific rights granted to the trustee, such as the ability to read, write or delete the file.	Specify the value to be used to qualify the data. Filter by ACL type to view specific options: None Windows: Append Data, Delete, Execute, Full Control, Generic Execute, Generic Read, Generic Write, No Access, Read Acl, Read Attributes, Read Control, Read Data, Read Extended Attributes, Synchronize, Take Ownership, Write Acl, Write Attributes, Write Data, Write Extended Attributes Posix: Full Control, Generic Execute, Generic Read, Generic Write, No Access Nfs 4: Append Data, Delete, Execute, Full Control, Generic Execute, Generic Read, Generic Write, No Access, Read Acl, Read Attributes, Read Control, Read Data, Read Extended Attributes, Synchronize, Take Ownership, Write Acl, Write Attributes, Write Data, Write Extended Attributes
ACL: Trustee		A filter which restricts based upon the individual user or group to which the access rights apply.	Specify the value to be used to qualify the data.
Client Activity State		A filter which restricts based on an the activity state of the client endpoint. When using "Action" as a filter and Type is set as "A group of results match all of the conditions", another plus sign displays to the right of the Definition. This plus sign allows for the creation of horizontal AND groups. Within that horizontal group all conditions must be met by a single row to be considered a match.	Specify the value to be used to qualify the data. Options include: Endpoint Closed, Endpoint Completed, Endpoint Opened, Endpoint Paused, Endpoint Searching, Endpoint Stopped, Executed, Failed, None, Offline, Search Canceled, Search Completed, Search Paused, Search Started, Skipped, Task Acknowledged, Task Initiated, Task Paused, Upgrade Delayed, Upgrade Failed, Upgrade Successful
Endpoint GUID	Equals Does Not Equal Contains Does Not Contain Begins With Does Not Begin With Ends With Does Not End With Is Empty Is Not Empty	A filter which restricts by the GUID of the Agent/Target (endpoint)	Specify the GUID number of the Agent/Target (endpoint) to use to qualify the data. GUIDs are typically 32-character strings divided into 5 hyphen-separated groups with an 8-4-4-4-12 format. Example: 6B29FC40-CA47-1067-B31D-00DD010662DA
Endpoint Name		A filter which restricts by the endpoint name of the Agent/Target (endpoint)	Specify the name of the Agent/Target (endpoint) to use to qualify the data. Examples: WIN11, MACBOOK, ORACLE-DB-HOST, DESKTOP, SQL-DB-100
Endpoint Platform		A filter which restricts by the endpoint platform of the Agent/Target (endpoint) For example Mac, Win (Windows), Lin (Linux)	Specify the platform of the Agent/Target (endpoint) to use to qualify the data. For example, Mac, Win (Windows), Lin (Linux)
Endpoint Version		A filter which restricts by the version of the Agent (endpoint). In the example below, only Agents (displayed as Targets - Agents can act as Targets) whose version number contains a 13 (v13-13.6) are shown.	Specify the Agent version to use to qualify the data. Examples: v13.6 Agents only Select "Endpoint Version" from the list of filters Select "Contains" from the list of operators Enter a value of 13.6 All version 13.6 Agents are returned v12.x Agents Select "Endpoint Version" from the list of filters Select "Contains" from the list of operators Enter a value of 12 All version 12.x Agents are returned. This includes v12.2, v12.5, v12.6, v12.6.1, v12.6.5 v12.x Agents Available to Scan Select "Search in Progress" from the list of filters Select "No" from the drop-down menu. Click the '+' symbol at the end of the row to add an additional condition. Select "Endpoint Version" from the list of filters Select "Contains" from the list of operators Enter a value of 12 All version 12.x Agents not actively scanning Targets are returned.
Last Poll Time	On Not On After On Or After Before On Or Before Today Yesterday Not Empty Empty Last 7 Days Last 30 Days Last 365 Days (1 Year) Last Week This Week Last Month This Month Last Year This Year Last X Days Last X Weeks Last X Months Last X Years Last X Hours Older Than X Days Older Than X Weeks Older Than X Months	A filter which restricts by the specified date/time the Agent/Target (endpoint) was polled. Use the available operators to customize how the date is used.	Toggle the All Day switch ()on or off, as applicable. Click the Value Input box and click a date on the calendar. Click the Set Time tab, and set the time of the scan (24 hour). Click OK to set the time or Clear to discard.
MAC Address	Equals Does Not Equal Contains Does Not Contain Begins With Does Not Begin With Ends With Does Not End With Is Empty Is Not Empty	A filter which restricts by the MAC address of the Agent/Target (endpoint)	Specify the MAC address to use to qualify the data. MAC address is a unique identifier composed of 12 hexadecimal digits. The most common format is six pairs of digits separated by: Colons - 00:1A:2B:3C:4D:5E Hyphens - 00-1A-2B-3C-4D-5E
Match Quantity	Equals Does Not Equal Greater Than or Equals Greater Than Less Than or Equals Less Than Is Empty Is Not Empty	A filter which restricts by the quantity of sensitive data matches on the Agent/Target (endpoint).	Specify the value to be used to qualify the data. For example, if you create a rule with the following: Select Match Quantity from the list of filters Select Equals (=) from the list of operators Enter a value of 10 Then only Agents/Targets (endpoints) with exactly 10 total sensitive data matches would match this rule.
Number of Searches		A filter which restricts by the number of searches performed on the Agent/Target (endpoint)	Specify the value to be used to qualify the data. For example, if you selected: Number of Searches from the list of filters Greater Than or Equals from the list of operators Enter a value of 120 Then only Agents/Targets (endpoints) searched a total of 120 or more times are returned. Typically, the greater the number of searches, the fewer Agents/Targets returned.
Platform Type	Contains Does Not Contain Is Empty Is Not Empty	A filter which restricts by the Platform type of the Agent/Target (endpoint).	Specify the Platform type to be used to qualify the data. Platform types include: Desktop Laptop Server Unknown *You can select more than 1 platform type.
Policies		A filter which restricts by the user-specified Policy or Scan used by the Agent/Target (endpoint).	Specify the policy or scan to be used to qualify the data. For example: Data Permissions Scan Data Risk Scan Full Logging (policy) DateofBirth Anyfind Policy Oracle Scan Scan MSSQL etc.
Protected Quantity	Equals Does Not Equal Greater Than or Equals Greater Than Less Than or Equals Less Than Is Empty Is Not Empty	A filter which restricts Agents/Targets (endpoints) by the amount of sensitive data matches with "Protected" status. "Protected" sensitive data matches have at least one of the following actions applied to them: Quarantine, Redact, Encrypt, Shred, Permissions/Restrict Access *Data matches labeled "MIP" and/or "Classified" do not qualify as Protected.	Specify the value to be used to qualify the data. For example, if you created a rule with the following: Select Protected Quantity from the list of filters Select Equals (=) from the list of operators Enter a value of 5 Then only those Agents/Targets (endpoints) with exactly 5 total Protected sensitive data matches are returned.
Search Date/Time	On Not On After On Or After Before On Or Before Today Yesterday Not Empty Empty Last 7 Days Last 30 Days Last 365 Days (1 Year) Last Week This Week Last Month This Month Last Year This Year Last X Days Last X Weeks Last X Months Last X Years Last X Hours Older Than X Days Older Than X Weeks Older Than X Months	A filter which restricts based on the date and time that the file was last accessed.	If the (All day) option is selected, the time portion of the filter does not display. If the (All day) option is not selected, the time portion of the filter displays and is applied. Toggle the All Day switch ()on or off, as applicable. Click the Value Input box and click a date on the calendar. Click the Set Time tab, and set the time of the scan (24 hour). Click OK to set the time or Clear to discard.
Search In Progress	No Yes	A filter which restricts based on the status of the Agent/Target (endpoint). Are the endpoints being actively scanned by a Spirion Agent? This setting is useful for testing, monitoring, and troubleshooting your Agents/Targets (endpoints).	Specify the value to be used to qualify the data. No - All Agents/Targets (endpoints) not actively being scanned by Spirion Agents are returned Yes - All Agents/Targets (endpoints) actively being scanned by Spirion Agents are returned
Tags	Contains Does Not Contain Is Empty Is Not Empty	A filter which restricts by specific Tags, manually selected by you when you create this Tag.	Specify the value to be used to qualify the data. For example, if you created a rule as follows: Select multiple Tags from the list of filters Select "Contains" from the list of operators Then all Agents/Targets (endpoints) captured by all the Tags selected in the rule, are be returned. All endpoints included in Tags such as: Older than a week Older than a month Older than a day
Tag Name	Equals Does Not Equal Contains Does Not Contain Begins With Does Not Begin With Ends With Does Not End With Is Empty Is Not Empty	A filter which restricts by the name of the Tag the Agent/Target (endpoint) is a member of.	Specify the value to be used to qualify the data. For example, if you created a rule as follows: Select Tag Name from the list of filters Select "Contains" from the list of operators Enter the term "Older" Then all Agents/Targets (endpoints) captured by tags with the term "Older" in the tag name are returned. Such Tags could include: Older than a week Older than a month Older than a day
Unprotected Quantity	Equals Does Not Equal Greater Than or Equals Greater Than Less Than or Equals Less Than Is Empty Is Not Empty	A filter which restricts Agents/Targets (endpoints) by the amount of sensitive data matches with "Unprotected" status. Unprotected means sensitive data matches with no actions applied or the following actions applied: None No Action Taken MIP Classified	Specify the value to be used to qualify the data. For example, if you created a rule with the following: Select Total Matches from the list of filters Select Equals (=) from the list of operators Enter a value of 10 Then only those locations with 10 total matches would match this rule.

Manage a Tag Permission

To manage a Tag Permission:

1. In the Tag list, locate a tag for which you want to manage permissions.

2. In the Tag Summary Details section, click Manage Permissions.
   
   

Use the USERS and ROLES tabs to manage the permissions for your Tag (see below).

Users Tab

Procedure:

1. Select the USERS tab.

2. Search the user for which you want to edit the tag permission.
   
   

3. Click Edit Permission from the more options menu.
   

4. On the Edit Tag Permissions pop-up window, select any of the following options from the Result Permission drop-down list.

   • Inherited

   • None

   • View

   • Unmask view
     
     

5. Select any of the following options from the Tag Permission drop-down list.

   • Inherited

   • None

   • Modify

   • Add/Remove Tags

   • Add/Remove Targets
     
     

6. Click Confirm to save or Cancel to discard.

Roles Tab

Procedure:

1. Select the ROLES tab.

2. Search the user role for which you want to edit the tag permission.
   
   

3. Click Edit Permission from the options menu .
   
   

4. On the Edit Tag Permissions pop-up window, select any of the following options from the Result Permission drop-down list.

   • Inherited

   • None

   • View

   • Unmask view

   • Playbook Override
     
     

5. Select any of the following options from the Tag Permission drop-down list.

   • None

   • Modify

   • Add/Remove Tags

   • Add/Remove Targets
     
     

6. Click Confirm to save or Cancel to discard.

Remove a Tag Permission

To remove a Tag Permission:

1. In the Tag list, locate a tag you want to remove.

2. In the Tag Summary Details section, click Manage Permissions.
   
   

3. On the Manage Permissions for Tag pop-up window, use the following topics.

Users tab

Search the user for which you want to remove the tag permission.

1. Click Remove Permission from the more options menu.
   

2. On the Remove User Permissions pop-up window, click Confirm to revert the user permissions to its default state else click Cancel.
   

Roles tab

Search the user role for which you want to remove the tag permission.

1. Click Remove Permission from the more options menu.
   
   

2. On the Remove User Permissions pop-up window, click Confirm to revert the user role permissions to its default state else click Cancel.
   
   

Edit a Tag

To edit a Tag:

1. In the Tag list, locate a tag you want to edit.

2. In the Tag Summary Details section, click the icon.
   

3. Make changes to any of the following:

   • Tag Name: Enter a new tag name.

   • Tag Type: Select an option from the drop-down list.

     • IP Range: Delete the existing text and type a new range.
     • Manual:
     • Conditional: Delete existing conditions and input new conditions.
   • Tag Placement: Select an option from the drop-down list:
     • Set as a High Level Tag or Nest Tag
       

4. Click Save to save or Cancel to discard.

Delete a Tag

To delete a Tag:

1. In the Tag list, locate the tag you want to delete.

2. In the Tag Summary Details section, click the delete icon.
   

3. In the Delete Tag pop-up window, click Delete to confirm deletion or Cancel to discard.