Tag Examples

Use the examples of Tags in this article to inspire your own Tags, or else create and use the exact Tags provided in this article.

What are Tags Used for?

  • Organization - Tags are used in Spirion Sensitive Data Platform to organize your Targets and/or Agents (Agents can also act as Targets).
    • Tags typically group Agents/Targets by operating system, Spirion Agent version, Department, Target Type such as OneDrive, Exchange, etc.
  • Functions - Tags provide guides for very important functions such as troubleshooting and maintenance.
    • In a typical organization, various Agents are configured to scan on a daily, weekly, or monthly basis.
    • A conditional Tag that shows you all Agents that have not performed a scan in over a week or month can quickly show you all Agents which have failed to scan their intended data sources.
    • The source (Target) that is not being scanned has had days or weeks to accumulate potentially large amounts of highly sensitive data: data which cannot receive remediation actions as it is invisible to the Spirion console.
    • This data is considered deeply at-risk.

Tag Types

Recall, you can capture Agents/Targets into your Tag in different ways, as follows:

  • IP Range - Add Agents and Targets by IP range.
    • Seldom used
  • Manual - Add Agents and Targets, manually, yourself.
    • Commonly used
  • Conditional - Add Agents and Targets by condition. In this type, an Agent/Target must satisfy the conditions of the Tag, set by you, to be a member of the Tag group.
    • Commonly used
    • Note: Conditional tags cannot be nested
    • Note: Conditional Tags do not update instantly. When you save the Tag the conditions are evaluated and the applicable endpoints are assigned. A background job runs every hour to re-evaluate and make adjustments as necessary. For example, you create a conditional Tag filtered for v13 Agents. When the Tag is saved, it shows 2 endpoints. Shortly after the Tag is saved, a new v13 Agent registers with the console. It may take up to an hour before the new Agent appears in the Tag.

Common Tags and Their Purpose

Typically, Tags organize your Agents by categories, actions, specific Targets, specific Tag names, etc.

Endpoint Platform Conditional Tags - Operating System

archTIS recommends you use "Endpoint Platform" conditional Tags. These are commonly used in organizations and have proven to be very effective.

Endpoint platforms include:

  • Windows
  • Mac
  • Linux

Benefits of using Endpoint Platform Conditional Tags

  • Grouping Agents by endpoint platform (Operating System) enables users to focus on Agents which share the same upgrade, security, and monitoring requirements
  • For example, macOS Agents may be scheduled for IT updates and will appear offline for a day, but no longer

Endpoint Name Conditional Tags - Org Department

archTIS recommends you use "Endpoint Name" conditional Tags. These are commonly used in organizations and have proven to be very effective.

  • Typically used when the start of the machine name or hostname begins with the department letters/term
    • Examples: "HR" - Human Resources, "Fin" - Finance, etc.

Benefits of using Endpoint Name Conditional Tags

  • You can use the machine or hostname to extract department codes (or other identifying metadata) to Tag by department.  
    • You can capture multiple Agents/Targets using a Conditional type Tag when the department terms such as "-HR-", "-Fin-", "-Legal-", etc, are contained within the host name or machine name  
    • Examples: HR-MARKMACHINE1, MARKMACHINE1-HR, MARK-HR-MACHINE1

  • Grouping Agents by Department enables users to focus on a specific subset of Agents and their results, which may be high-risk sensitive data matches

Search Date/Time Conditional Tags

archTIS strongly recommends you use "Search Date/Time" conditional Tags. These are commonly used in organizations to track the date and time of Agent scans and have proven very effective.

This conditional Tag lets you pose the question: "Show me Agents that last completed a scan over a day/week/month ago"

Search Date/Time conditional Tags include:

  • Older than Last X Weeks
  • Older than Last X Months
  • Last Week
  • Last X Hours
  • Last X Months

Benefits of using Search Date/Time Conditional Tags

  • Grouping Agents by scan date/time enables users to focus on Agents that have completed or failed scanning on a fixed iteration - 1 week, 1 month, older than 1 week, older than 1 month, etc.
  • This enables users to spot failing Agents and troubleshoot any problems quickly
  • Time intervals are selected from the drop-down menu in the "Add Tag" pop-up window when you create your Tag.

    Conditional Tag Search Date/Time - Older than one month

Agent (Endpoint) Version Conditional Tags

archTIS recommends you use Endpoint version conditional Tags. These are commonly used in organizations and have proven very effective for managing Agents by version and planning/performing upgrades.

Endpoint Version conditional Tags include:

  • Endpoint Version - The version of the Agent, which can be general - version 12, 13, etc., or specific - version 13.4, 12.6.4, 12.6.5.1
  • Operator - Use the operator "Contains" to include Agents by version, or the operator "Does Not Contain" to exclude Agents by version

Example

  • To group Agents by version, such as v13.5 (Windows) or v12.6.5 (Mac/Linux/Legacy) create a Tag which uses the following logic
    • Logic:
      • Tag Type: Conditional
      • Action Type: Endpoint Version
      • Operator: Contains
      • Value: 13.5

To see a visual, see the screenshot below

Benefits of using Endpoint Version Conditional Tags

  • Grouping Agents by version enables the user to see which machines (laptops, workstations, servers) are or are not running the latest Spirion Agent
  • Pre-v13.6 Agents cannot perform specific functions such as Global Ignore or use the updated queueing system PostgreSQL (and pgBouncer).
  • Pre-v13.4 Agents cannot perform specific functions, such as Differential Scanning.
    • Pre-v13.5 Agents cannot perform Differential Scanning on Gmail Targets.

      Endpoint Version Contains version 13.5 Agents

Endpoint Name Conditional Tags - Targets

archTIS recommends you use Endpoint Name conditional Tags to focus on Targets. These Tags are commonly used in organizations and have proven very effective at organizing Targets, including by Target type.

  • Target types include: Cloud sources, File Servers, Databases, etc.

Examples

  • Potential Targets vary by environment but can include: Azure, OneDrive, SharePoint, Exchange Online, Gmail, SQL, Oracle, Snowflake, Informix, etc.

Exchange Target

Conditional Tag Endpoint Name Contains Exchange

  • To create a Tag to help you examine your Exchange Targets, both on-premise and online, create a tag which uses the following logic
    • Logic:
      • Tag Type: Conditional (optionally, use Manual, but this requires adding each Exchange Target manually)
      • Action Type: Endpoint Name
      • Operator: Contains
      • Value: "Exchange"

File Server Targets (Target by Type)

  • To create a Tag to help you examine your File Server Targets, create a tag which uses the following logic
    • Logic:
      • Tag Name: File Servers
      • Tag Type: Manual
        • Manual Tag types require you to manually add endpoints (Targets or Agents) to the Tag
      • Action Type: Endpoint Name

Benefits of using Endpoint Name Tags for Targets

  • Grouping Agents by Target or Target type enables you to focus on Agents from the viewpoint of the source being scanned - SQL database, Exchange endpoints, etc.
  • For example, you may routinely discover exposed sensitive data on your Exchange mail servers and instruct your Exchange Agents to scan them daily or weekly instead of monthly.
  • You may add Agents or build custom reports to collect more information about the number and kind of sensitive data matches

Use the Tag examples in this topic to help you create your own custom Tags, or else create the Tags listed here to give your platform a starting collection of useful Tags.

Legacy/Mac/Linux Agents, Windows v13+, Tags, and Target Icons used in Spirion Sensitive Data Platform

Tags by Endpoint Platform Example: macOS Machines (Laptops, Workstations)

This Tag collects all of the Spirion Agents installed on Mac endpoint platforms (macOS laptops or workstations) in your environment.

  • Tag Name: Mac Endpoints
  • Tag Type: Conditional
  • Logic:
    • Action Type: Endpoint Platform
    • Operator: Contains
    • Value: "Mac"
  • In the screenshot below the Targets captured by this conditional tag include multiple Agents on Mac machines, indicated by the Legacy/Mac/Linux Agent icon.
  • Agent Management page: All Agents/Targets captured by this Tag, "Mac Endpoints," are shown on the Agent Management page.
    • These Agents satisfy the Tag's condition of being macOS Endpoint Platforms
    • Critical information such as Status, Last Heartbeat, Policy, and Agent version

Tags by Endpoint Name Example: Departments (HR, IT, Sales, Accounting)

This Tag collects all of the Spirion Agents installed on machines labeled as a specific department in your environment.

The SPIglass dashboard contains a tile which displays the amount of sensitive data matches across machines in different departments in your organization.

SPIglass Dashboard - Areas of Exposure

  • Tag Name: Department names such as "HR" or "IT." Note that you can nest child tags within parent tags as shown below (Manual tag types only):

  • Tag Type: Manual or Conditional

Tags by Endpoint Name Example: Oracle Database

This Tag collects all of the Oracle databases (Targets) installed on the different servers, workstations, or laptops in your environment.

  • Tag Name: OracleDB
  • Tag Type: Conditional
  • Logic:
    • Action Type: Endpoint Name
    • Operator: Contains
    • Value: "Oracle"
  • In the example below the Targets captured by this manual tag include an Oracle database ("OracleTesting" Target) and an Oracle database server (Oracle19c).
  • A similar Tag could be set up for SQL database Targets, or any other configured Target type.

Available Conditional Tags, Settings, and Values

The following table details the available settings and options for Conditional Tags.

A single result matches all of the conditions: Selecting this option requires a single result in a search location to match all of the conditions in a definition for the rule to be applied.
A group of results match all of the conditions: Selecting this option requires a group of results in a search location to match all of the conditions in a definition for the rule to be applied. Additionally, when the filter is set to Quantity, Action, or Data Types, you can create horizontal AND groups. Within a horizontal AND group all conditions must be met by a single result to be considered a match. *This does not apply to endpoint-specific filters such as Endpoint Version or Endpoint Platform.

Columns: Action Type, Operator, Rule Description, Value Input

ACL: Ace Type

Operators: Contains, Does Not Contain, Is Empty, Is Not Empty

A filter which restricts based upon the ACE (Access Control Entry) Type.

Specify the value to be used to qualify the data.

  • Options include: Allow, Deny, System Alarm, and System Audit
  • Note: ACLs are viewable in the playbook executor for results.

ACL: Authorization

A filter which restricts based upon the specific rights granted to the trustee, such as the ability to READ, WRITE or DELETE the file.

Specify the value to be used to qualify the data.

Filter by ACL type to view specific options:

  • None
  • Windows: Append Data, Delete, Execute, Full Control, Generic Execute, Generic Read, Generic Write, No Access, Read Acl, Read Attributes, Read Control, Read Data, Read Extended Attributes, Synchronize, Take Ownership, Write Acl, Write Attributes, Write Data, Write Extended Attributes
  • Posix: Full Control, Generic Execute, Generic Read, Generic Write, No Access
  • Nfs 4: Append Data, Delete, Execute, Full Control, Generic Execute, Generic Read, Generic Write, No Access, Read Acl, Read Attributes, Read Control, Read Data, Read Extended Attributes, Synchronize, Take Ownership, Write Acl, Write Attributes, Write Data, Write Extended Attributes
  • Note: ACLs are viewable in the playbook executor for results.

ACL: Trustee

A filter which restricts based upon the individual user or group to which the access rights apply.

Specify the value to be used to qualify the data.

Client Activity State

A filter which restricts based on the activity state of the client endpoint.

  • When using "Action" as a filter and Type is set as "A group of results match all of the conditions", another plus sign displays to the right of the Definition.
  • This plus sign allows for the creation of horizontal AND groups.
  • Within that horizontal group all conditions must be met by a single row to be considered a match.

Specify the value to be used to qualify the data.

  • Options include: Endpoint Closed, Endpoint Completed, Endpoint Opened, Endpoint Paused, Endpoint Searching, Endpoint Stopped, Executed, Failed, None, Offline, Search Canceled, Search Completed, Search Paused, Search Started, Skipped, Task Acknowledged, Task Initiated, Task Paused, Upgrade Delayed, Upgrade Failed, Upgrade Successful

Endpoint GUID

Operators: Equals, Does Not Equal, Contains, Does Not Contain, Begins With, Does Not Begin With, Ends With, Does Not End With, Is Empty, Is Not Empty

A filter which restricts by the GUID of the Agent.

  • The agent GUID is visible in the agent management view details dialog. 
  • Labeled as Agent ID.

Specify the GUID number of the Agent to use to qualify the data.

  • GUIDs are typically 32-character strings divided into 5 hyphen-separated groups with an 8-4-4-4-12 format.
  • Example: 6B29FC40-CA47-1067-B31D-00DD010662DA

Endpoint Name

A filter which restricts by the endpoint name of the Agent/Target (endpoint)

Specify the name of the Agent/Target (endpoint) to use to qualify the data.

  • Examples: WIN11, MACBOOK, ORACLE-DB-HOST, DESKTOP, SQL-DB-100

Endpoint Platform

A filter which restricts by the endpoint platform of the Agent/Target (endpoint)

  • For example Mac, Win (Windows), Lin (Linux)

Specify the platform of the Agent/Target (endpoint) to use to qualify the data.

  • For example, Mac, Win (Windows), Lin (Linux)

Endpoint Version

A filter which restricts by the version of the Agent (endpoint).

In the example below, only Agents (displayed as Targets - Agents can act as Targets) whose version number contains a 13 (v13-13.6) are shown.

Specify the Agent version to use to qualify the data.

Examples:

v13.6 Agents only

  1. Select "Endpoint Version" from the list of filters
  2. Select "Contains" from the list of operators
  3. Enter a value of 13.6
  4. All version 13.6 Agents are returned

v12.x Agents

  1. Select "Endpoint Version" from the list of filters
  2. Select "Contains" from the list of operators
  3. Enter a value of 12
  4. All version 12.x Agents are returned.
    1. This includes v12.2, v12.5, v12.6, v12.6.1, v12.6.5

v12.x Agents Available to Scan

  1. Select "Search in Progress" from the list of filters
  2. Select "No" from the drop-down menu.
  3. Click the '+' symbol at the end of the row to add an additional condition.
  4. Select "Endpoint Version" from the list of filters
  5. Select "Contains" from the list of operators
  6. Enter a value of 12
  7. All version 12.x Agents not actively scanning Targets are returned.
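
A small model of the conditional logic in the examples above, added here as an illustration and not Spirion's own code: it assumes Contains is a plain case-insensitive substring test and uses a constructed inventory with hypothetical field names. It shows how a value such as 12 or HR can capture endpoints you did not intend, and why never-searched endpoints need their own Is Empty check in this model.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1, 12, 0)  # fixed clock so the results are reproducible

# Constructed inventory; field names and values are assumptions for this sketch.
ENDPOINTS = [
    {"name": "HR-WIN11-01", "version": "13.6", "searching": False,
     "last_search": NOW - timedelta(days=2)},
    {"name": "FIN-MACBOOK-07", "version": "12.6.5", "searching": False,
     "last_search": NOW - timedelta(days=40)},
    {"name": "CHRIS-DESKTOP", "version": "12.6.1", "searching": True,
     "last_search": NOW - timedelta(days=1)},
    {"name": "SQL-DB-100", "version": "13.4.12", "searching": False,
     "last_search": None},  # registered but never searched
]

def matches(endpoint, condition):
    """Evaluate one (field, operator, value) condition against one endpoint."""
    field, op, value = condition
    actual = endpoint[field]
    if op == "Is Empty":
        return actual in (None, "")
    if op == "Older Than X Weeks":
        # Assumption: an empty date is not "older than" anything.
        return actual is not None and actual < NOW - timedelta(weeks=value)
    if field == "searching":
        return actual == (value == "Yes")
    # Assumption: text operators are plain case-insensitive substring tests.
    found = value.lower() in actual.lower()
    if op == "Contains":
        return found
    if op == "Does Not Contain":
        return not found
    raise ValueError(f"operator not modelled: {op}")

def members(conditions):
    """Names of endpoints that satisfy every condition (conditions are ANDed)."""
    return [e["name"] for e in ENDPOINTS
            if all(matches(e, c) for c in conditions)]

def unexpected_version_members(major):
    """Endpoints a 'Contains <major>' tag captures whose major version differs."""
    by_name = {e["name"]: e for e in ENDPOINTS}
    return [n for n in members([("version", "Contains", major)])
            if by_name[n]["version"].split(".")[0] != major]

def department_members(code):
    """Stricter name check: the code must be a whole hyphen-delimited segment."""
    return [e["name"] for e in ENDPOINTS
            if code.lower() in e["name"].lower().split("-")]

if __name__ == "__main__":
    print(members([("searching", "Equals", "No"), ("version", "Contains", "12")]))
    print(unexpected_version_members("12"))
    print(members([("name", "Contains", "HR")]), department_members("HR"))
    print(members([("last_search", "Older Than X Weeks", 1)]))
    print(members([("last_search", "Is Empty", None)]))
```

Comparing a Tag's member list against a stricter check like these after saving it is a quick way to confirm the Tag covers exactly the endpoints you meant it to.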

Last Poll Time

Operators: On, Not On, After, On Or After, Before, On Or Before, Today, Yesterday, Not Empty, Empty, Last 7 Days, Last 30 Days, Last 365 Days (1 Year), Last Week, This Week, Last Month, This Month, Last Year, This Year, Last X Days, Last X Weeks, Last X Months, Last X Years, Last X Hours, Older Than X Days, Older Than X Weeks, Older Than X Months

A filter which restricts by the specified date/time the Agent/Target (endpoint) was polled. Use the available operators to customize how the date is used.

  1. Toggle the All Day switch on or off, as applicable.
  2. Click the Value Input box and click a date on the calendar.
  3. Click the Set Time tab, and set the time of the scan (24 hour).
  4. Click OK to set the time or Clear to discard.

MAC Address

Operators: Equals, Does Not Equal, Contains, Does Not Contain, Begins With, Does Not Begin With, Ends With, Does Not End With, Is Empty, Is Not Empty

A filter which restricts by the MAC address of the Agent/Target (endpoint)

Specify the MAC address to use to qualify the data.

MAC address is a unique identifier composed of 12 hexadecimal digits.

The most common format is six pairs of digits separated by:

  • Colons - 00:1A:2B:3C:4D:5E
  • Hyphens - 00-1A-2B-3C-4D-5E

Match Quantity

Operators: Equals, Does Not Equal, Greater Than or Equals, Greater Than, Less Than or Equals, Less Than, Is Empty, Is Not Empty

A filter which restricts by the quantity of sensitive data matches on the Agent/Target (endpoint).

Specify the value to be used to qualify the data.

For example, if you create a rule with the following:

  1. Select Match Quantity from the list of filters
  2. Select Equals (=) from the list of operators
  3. Enter a value of 10

Then only Agents/Targets (endpoints) with exactly 10 total sensitive data matches would match this rule.

Number of Searches

A filter which restricts by the number of searches performed on the Agent/Target (endpoint)

Specify the value to be used to qualify the data.

For example, if you selected:

  1. Number of Searches from the list of filters
  2. Greater Than or Equals from the list of operators
  3. Enter a value of 120

Then only Agents/Targets (endpoints) searched a total of 120 or more times are returned. Typically, the greater the number of searches, the fewer Agents/Targets returned.

Platform Type

Operators: Contains, Does Not Contain, Is Empty, Is Not Empty

A filter which restricts by the Platform type of the Agent/Target (endpoint).

Specify the Platform type to be used to qualify the data.

Platform types include:

  • Desktop
  • Laptop
  • Server
  • Unknown

*You can select more than 1 platform type.

Policies

A filter which restricts by the user-specified Policy or Scan used by the Agent/Target (endpoint).

Specify the policy or scan to be used to qualify the data.

For example:

  • Data Permissions Scan
  • Data Risk Scan
  • Full Logging (policy)
  • DateofBirth Anyfind Policy
  • Oracle Scan
  • Scan MSSQL
  • etc.

Protected Quantity

Operators: Equals, Does Not Equal, Greater Than or Equals, Greater Than, Less Than or Equals, Less Than, Is Empty, Is Not Empty

A filter which restricts Agents/Targets (endpoints) by the amount of sensitive data matches with "Protected" status.

"Protected" sensitive data matches have at least one of the following actions applied to them:

  • Quarantine, Redact, Shred, Permissions/Restrict Access

*Sensitive data matches labeled "MIP" and/or "Classified" do not qualify as Protected matches.

Specify the value to be used to qualify the data.

For example, if you created a rule with the following:

  1. Select Protected Quantity from the list of filters
  2. Select Equals (=) from the list of operators
  3. Enter a value of 5

Then only those Agents/Targets (endpoints) with exactly 5 total Protected sensitive data matches are returned.

Search Date/Time

Operators: On, Not On, After, On Or After, Before, On Or Before, Today, Yesterday, Not Empty, Empty, Last 7 Days, Last 30 Days, Last 365 Days (1 Year), Last Week, This Week, Last Month, This Month, Last Year, This Year, Last X Days, Last X Weeks, Last X Months, Last X Years, Last X Hours, Older Than X Days, Older Than X Weeks, Older Than X Months

A filter which restricts based on the date and time the file was last reported by a search per the filter.

If the (All day) option is selected, the time portion of the filter does not display.

If the (All day) option is not selected, the time portion of the filter displays and is applied.

  1. Toggle the All Day switch on or off, as applicable.
  2. Click the Value Input box and click a date on the calendar.
  3. Click the Set Time tab, and set the time of the scan (24 hour).
  4. Click OK to set the time or Clear to discard.

Search In Progress

No

Yes

A filter which restricts based on the status of the Agent/Target (endpoint). Are the endpoints being actively scanned by a Spirion Agent?

This setting is useful for testing, monitoring, and troubleshooting your Agents/Targets (endpoints).

Specify the value to be used to qualify the data.

  • No - All Agents/Targets (endpoints) not actively being scanned by Spirion Agents are returned
  • Yes - All Agents/Targets (endpoints) actively being scanned by Spirion Agents are returned

 

Tags

Operators: Contains, Does Not Contain, Is Empty, Is Not Empty

A filter for Agents/Targets (endpoints) assigned to the Tags applied via the filter conditions.

Specify the value to be used to qualify the data.

For example, if you created a rule as follows:

  1. Select multiple Tags from the list of filters
  2. Select "Contains" from the list of operators

Then all Agents/Targets (endpoints) captured by all the Tags selected in the rule are returned. This means all endpoints included in Tags such as:

  • Older than a week
  • Older than a month
  • Older than a day

Tag Name

Operators: Equals, Does Not Equal, Contains, Does Not Contain, Begins With, Does Not Begin With, Ends With, Does Not End With, Is Empty, Is Not Empty

A filter which restricts by the name of the Tag the Agent/Target (endpoint) is a member of.

Specify the value to be used to qualify the data.

For example, if you created a rule as follows:

  1. Select Tag Name from the list of filters
  2. Select "Contains" from the list of operators
  3. Enter the term "Older"

Then all Agents/Targets (endpoints) captured by tags with the term "Older" in the tag name are returned. Such Tags could include:

  • Older than a week
  • Older than a month
  • Older than a day

Unprotected Quantity

Operators: Equals, Does Not Equal, Greater Than or Equals, Greater Than, Less Than or Equals, Less Than, Is Empty, Is Not Empty

A filter which restricts Agents/Targets (endpoints) by the amount of sensitive data matches with "Unprotected" status.

Unprotected sensitive data matches are those with no actions applied to them or have the following actions applied to them:

  • No Action Taken
  • MIP
  • Classified

Specify the value to be used to qualify the data.

For example, if you created a rule with the following:

  1. Select Total Matches from the list of filters
  2. Select Equals (=) from the list of operators
  3. Enter a value of 10

Then only those locations with 10 total matches would match this rule.

