Tags Table
Prefix | Tag Name | Comment | Samples |
---|---|---|---|
BDA | BLUETOOTH DEVICES AVAILABLE | TAG WITH THE LIST OF DEVICES AVAILABLE | BDA_PXC_550 |
BDC | BLUETOOTH DEVICE CONNECTED | TAG WITH THE CURRENT CONNECTED DEVICE | BDC_CAR |
CAI | CA CERTIFICATE ISSUER | TAG WITH THE ISSUER OF A CA CERT | CAI_DIGICERT_ASSURED_ID_ROOT_CA |
CEP | CALCULATED END POINT | END POINT TYPE BASED ON MLT, EPT & UDT | CEP_DESKTOP, CEP_PRINTER |
CDT | CUSTOMER DEFINED TAG | ANY TAG DEFINED BY CUSTOMER | CDT_CORPORATE_DEVICE |
CGF | COMPLIANCE_GROUP_TESTS_FAILED | TAG USED IF GROUP TEST FAILED | CGF_SWITCH_INFO |
CGP | COMPLIANCE_GROUP_TESTS_PASSED | TAG USED IF GROUP TEST PASSED | CGP_LAN_PORTS |
CPC | CISCO PRIME CLIENT | TAGS USED WHEN CISCO PRIME AVAILABLE | CPC_APIP_180.125.149.139, CPC_APMAC_006BF1757160 |
CPM | CALCULATED PROFILING METHOD | METHOD USED TO DEFINE CEP TAG (MLT, EPT, UDT) | CPM_MLT, CPM_EPT, CPM_UDT |
CRF | COMPLIANCE_RULE_FAILED | TAG USED IF A RULE IS NOT COMPLIANT | CRF_IOS_PORT_SECURITY |
CRP | COMPLIANCE_RULE_PASSED | TAG USED IF A RULE IS COMPLIANT | CRP_SWITCH_MAC |
CTP | COMPLIANCE TEST PASS | TAG USED BY NETWORK DEVICE COMPLIANCE | CTP_IOS_ACL_PERMIT_CA |
CTF | COMPLIANCE TEST FAILED | TAG USED BY NETWORK DEVICE COMPLIANCE | CTF_IOS_ACL_PERMIT_CA |
CVE | COMMON VULNERABILITIES & EXPOSURES | COMMON VULNERABILITIES & EXPOSURES (CVE) | CVE_2007_0994, CVE_2019_1010298 |
DBW | DEVICE BROWSER | DEVICE BROWSER | DBW_IE, DBW_FF |
DDP | DEVICE DESTINATION PORTS | DEVICE DESTINATION PORTS BY ENDPOINTS | DDP_TCP_80, DDP_TCP_445, DDP_UDP_53, DDP_UDP_5060 |
DFP | DHCP FINGERPRINT | FINGERPRINT BASED ON DHCP INFO | DFP_DESKTOP, DFP_PRINTER, DFP_MOBILE, DFP_APPLE |
DFT | DHCP FILTERED PORT | FINGERPRINT FILTERED PORT | DFT_TCP_80, DFT_UDP_53 |
DNC | DEVICE NETWORK CIDR | CIDR OF DEVICE IN NETWORK | DNC_192.168.0.15/24 |
DNN | DEVICE NETWORK NAME | DEVICE HOSTNAME | DNN_USER1_OPENCLOUDFACTORYCOM |
DNS | DNS QUERIES | DNS QUERIES | DNS_SLS.UPDATE.MICROSOFT.COM, DNS_LOGIN.LIVE.COM |
DOS | DEVICE OPERATING SYSTEM | DEVICE OS NAME | DOS_WINDOWS_10, DOS_WINDOWS_8 |
DOP | DEVICE OPEN PORT | DEVICE OPEN PORTS | DOP_TCP_80, DOP_UDP_53 |
DPA | DEVICE PROFILING ACCURACY | EPT ACCURACY (NUMBER OF RULES MATCHED) | DPA_2, DPA_3 |
DSN | DEVICE SERIAL NUMBER | DEVICE SERIAL NUMBER | DSN_9S714D112050ZK80324266, DSN_9S714AF12050ZK8016 |
EPC | END POINT COMPLIANCE | STATUS OF END POINT COMPLIANCE | EPC_FULL_COMPLIANCE, EPC_WIN_COMPLIANCE |
EPT | END POINT TYPE | TYPE OF END POINT | EPT_PC, EPT_VOIP, EPT_PRINTER, EPT_CAMERA, EPT_IOT |
EHI | END POINT HTTP INFO | ENDPOINT HTTP SYSTEM | EHI_PRINTER, EHI_VOIP |
ESI | END POINT SERVICE INFO | TYPE OF END POINT | ESI_PRINTER, ESI_VOIP, ESI_MOBILE |
ESB | END POINT SERVICE BANNER | TYPE OF END POINT | ESB_PRINTER, ESB_VOIP |
HDT | HARDWARE DEVICE TYPE | HARDWARE TYPE DEFINITION PHYSICAL OR VIRTUAL | HDT_VMGUEST, HDT_BAREMETAL |
IAI | INTERNAL APPLICATION INSTALLATION | DEVICE INSTALLED APPLICATIONS | IAI_EDGE, IAI_FIREFOX |
ICT | INTERNAL CACHE TAG | INTERNAL TAG WITH CACHE INFORMATION | ICT_FGA_172.31.1.5 |
IPT | IP ADDRESS TYPE | TAG WITH THE IP ADDRESS TYPE | IPT_STATIC |
IAS | INTERNAL APPLICATION STATUS | DEVICE RUNNING APPLICATIONS | IAS_EDGE, IAS_FIREFOX |
INV | INVENTORY | INVENTORY OF A USER DEVICE | INV_LOADED |
ISS | INTERNAL SECURITY STATUS | DEVICE SECURITY STATUS | ISS_AV_ENABLED, ISS_AV_UPDATED |
IRP | IRON CHIP PLUGIN | TAG FOR IRON CHIP PLUGIN LOCATION | IRP_HOME_80, IRP_OFFICE_92, IRP_TRAIN_75 |
KQC | KERBEROS QUERY CONNECTION | KERBEROS QUERY CONNECTION | KQC_WIN2$/MYCOMPANY.COM, KQC_USER1.LAB/MYCOMPANY.COM |
LBD | LOCATION BUILDING | TAG FOR NETWORK DEVICE LOCATION | LBD_TORREAGBAR |
LCI | LOCATION CITY | TAG FOR NETWORK DEVICE LOCATION | LCI_BARCELONA |
LCO | LOCATION COUNTRY | TAG FOR NETWORK DEVICE LOCATION | LCO_SPAIN |
LFL | LOCATION FLOOR | TAG FOR NETWORK DEVICE LOCATION | LFL_PLANTA4 |
MAC | MAC ADDRESS VENDOR | TYPE OF END POINT | MAC_0001E6, MAC_4A4286 |
MCA | MACHINE CLUSTER ACCURACY | CLUSTER ACCURACY (FROM 0 TO 100, BY 10s) | MCA_0, MCA_10, MCA_50, MCA_80, MCA_100 |
MDM | MOBILE DEVICE MANAGEMENT | TYPE OF END POINT | MDM_AIRWATCH, MDM_MOBILE_IRON |
MDN | MOBILE DEVICE NAME | HOSTNAME MOBILE DEVICE | MDN_GENERIC_FEATURE_PHONE, MDN_GENERIC_ANDROID |
MLA | MACHINE LEARNING ACCURACY | DEVICE TYPE ACCURACY (FROM 0 TO 100, BY 10s) | MLA_0, MLA_10, MLA_50, MLA_80, MLA_100 |
MLC | MACHINE LEARNING CLUSTER | CLUSTER TYPE ASSIGNED (TIMESTAMP + RAND NUM) | MLC_20210412_3131631, MLC_20210419_9816234 |
MLT | MACHINE LEARNING TYPE | MACHINE LEARNING DEVICE TYPE | MLT_DESKTOP, MLT_PRINTER |
MLR | MACHINE LEARNING RESULT | MACHINE LEARNING RESULT STATUS | MLR_MATCH, MLR_NOMATCH, MLR_PARTIAL |
MME | MAX MAC EXCLUDE | NET DEV TAG FOR MAX MAC PLUGIN EXCLUSION | MME_SWITCH, MME_PORT_14, MME_PORT_21 |
NCA | NON COMPLIANCE APPLICATION | APPLICATIONS UNDER REQUIRED VERSION | NCA_ACROBAT_READER, NCA_TEAMVIEWER |
NCS | NON COMPLIANCE SECURITY FEATURES | SECURITY FEATURES NON COMPLIANT | NCS_BITLOCKER, NCS_AVUPDATE, NCS_FWUPDATE |
NDL | NETWORK DEVICE LOCATION | NETWORK DEVICE LOCATION | NDL_BARCELONA |
NDT | NETWORK DEVICE TYPE | NETWORK DEVICE TYPE | NDT_WIFI |
NDW | NON COMPLIANCE WINDOWS UPDATES | NON COMPLIANCE WINDOWS UPDATES | NDW_WINDOWS_10_ADOBE_FLASH |
ONC | openNAC TAGS | TAG DEFINED BY openNAC | ONC_AUTOLEARNED, ONC_AGENT, ONC_WIN_AGENT |
PAF | PALO ALTO FIREWALL | INFORMATION ABOUT PA FIREWALL DEVICES | PAF_APP_DNS, PAF_APP_GOOGLE_BASE |
PDP | PROFILE DEVICE PARENT | END POINT TYPE PARENT PROFILE | PDP_DESKTOP, PDP_CAMERA |
PP | PARENT PROFILE {1-9} | PARENT PROFILE HIERARCHY TAG | PP1_DESKTOP, PP2_DESKTOP_WINDOWS |
RDI | RELEASE DATE ID | DEVICE OS RELEASE DATE ID | RDI_WINDOWS_10_1703, RDI_WINDOWS_10_1803 |
ROS | ROOT OPERATING SYSTEM | ROOT DEVICE OS NAME | ROS_WINDOWS, ROS_MACOS, ROS_LINUX |
RQC | RADIUS QUERY CONNECTION | RADIUS QUERY CONNECTION | RQC_DOM_USR.LAB, RQC_HOST/WIN10X64_STD2.DOM.COM |
SAM | SECURITY ALERT MESSAGE | TAGS RELATED TO SECURITY ALERTS | SAM_THREAT_SCAN |
SHQ | SSL HOSTNAME QUERY | SSL HOSTNAME QUERY | SHQ_WWW.GOOGLE.COM, SHQ_IMAP.GMAIL.COM |
SNE | STATIC NETWORK EXCLUDE | STATIC NETWORK EXCLUDE | SNE_Anything |
SNP | STATIC NETWORK PORT | STATIC NETWORK PORT | SNP_10.10.36.45_50006 |
SNV | STATIC NETWORK VIOLATION | STATIC NETWORK VIOLATION | SNV_10.10.36.45_50007 |
SPS | SWITCH PORT STATUS | SWITCH PORT STATUS | SPS_TCP_10_OK |
SQP | SNMP QUARANTINE PLUGIN | TAG WITH INFO GENERATED BY PLUGIN | SQP_10.10.36.48_02 |
SRC | SOURCE | IDENTIFY REQUEST SOURCE | SRC_SENSOR, SRC_WIFI, SRC_HOTSPOT |
SRV | SERVICES | SERVICES | SRV_HTTP, SRV_DNS |
SSO | SNMP SYSTEM OBJECT | SNMP SYSTEM OBJECT INFORMATION | SSO_PRINTER, SSO_VOIP, SSO_TERMINAL |
SSC | SSH SERVER CONNECTION | SSH SERVER CONNECTION | SSC_1.2.3.4 |
SVP | SET VLAN PLUGIN | TAG OF NETWORK DEVICE TWO FORMATS | SVP_PORT_50003_11 |
TAR | TARGET APPLICATION REQUIRED | APPLICATION REQUIRED VERSION | TAR_TEAMVIEWER_12, TAR_ACROBAT_READER_20 |
UBD | USB BLOCKED DEVICE | USB BLOCKED DEVICE | UBD_80EE_0030 |
UCD | USB CONNECTED DEVICE | USB CONNECTED DEVICE | UCD_80EE_0030 |
UDT | USER DEVICE TAG | DEVICE TAG ASSIGNED MANUALLY BY CUSTOMER | UDT_DESKTOP, UDT_PRINTER |
UID | DEVICE UNIQUE IDENTIFIER | DEVICE UUID (STATID) | UID_6F0341D5_86CC_5B55_8F34_376B8AF1B9BB |
UTC | UNIQUE TAG CHANGE | TAG WAS REPLACED BY A NEW ONE OF THE SAME TYPE | UTC_EPT_IP_PHONE |
VOS | VERSION OPERATING SYSTEM | DEVICE VERSION OS NAME | VOS_WINDOWS_10_PRO, VOS_WINDOWS_10_ENT |
WCS | WIFI CURRENT SSID | TAG WITH THE CURRENT CONNECTED SSID | WCS_CASA |
WSA | WIFI SSID AVAILABLE | TAG WITH THE LIST OF SSID AVAILABLE | WSA_WLAN_3021 |
Some tags are created automatically by openNAC. Below are a few examples of out-of-the-box tags:
- ONC_ prefix: tags defined for use by the product itself.
- DNS_ prefix: tags used to enrich DNS queries.
- CDT_ prefix: tags defined for use by a customer.
- DOP_ prefix: tags created through Nmap plugins to record open ports on user devices for profiling.
- DBW_ prefix: tags whose information can be collected from the openNAC Agent or the Captive Portal.
- DDP_ prefix: destination ports to which the device is trying to connect.
SQP: means SNMP QUARANTINE PLUGIN. The tag has 2 formats, one for user devices and another for network devices.
- User device: SQP_$switchIP_$switchPort: The user device was put in quarantine on the switch with IP $switchIP, on port $switchPort.
- Network device: SQP_$userDeviceMAC_$switchPort_$oldVlan: The user device with the MAC $userDeviceMAC put the port $switchPort in quarantine. The VLAN configured on the switch before quarantine was $oldVlan.
SVP: means SET VLAN PLUGIN. The tag has 2 formats, both for network devices.
- SVP_GENERAL_$vlanNumber: The VLAN number ($vlanNumber) is assigned to the user device when no SVP_PORT tag exists for the port to which the user device is connected.
- SVP_PORT_$portNumber_$vlanNumber: The VLAN number ($vlanNumber) is assigned to the user device when an SVP_PORT tag exists for the port to which the user device is connected.
Where:
- $vlanNumber: VLAN number to assign to the user device.
- $portNumber: Port number in the format sent by the switch, for example 50004 for port 4.
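
The precedence between the two SVP formats, as an added example (not openNAC code): it resolves the VLAN for a switch port from a network device's tag list and reports SVP tags that are malformed or contradict each other. The numeric field patterns, the first-tag-wins choice on conflicts, and the sample tag list are assumptions of this example.

```python
import re

# Patterns follow the two formats described above; treating the port and
# VLAN fields as plain decimal digits is an assumption of this example.
SVP_GENERAL = re.compile(r"SVP_GENERAL_(\d+)")
SVP_PORT = re.compile(r"SVP_PORT_(\d+)_(\d+)")


def parse_svp(tags):
    """Split a network device's tags into (general_vlan, {port: vlan}, problems)."""
    general, per_port, problems = None, {}, []
    for tag in tags:
        if not tag.startswith("SVP_"):
            continue  # other prefixes are irrelevant here
        if m := SVP_PORT.fullmatch(tag):
            port, vlan = m.group(1), int(m.group(2))
            if per_port.get(port, vlan) != vlan:
                problems.append(f"conflicting VLANs for port {port}: {tag}")
            per_port.setdefault(port, vlan)  # assumption: first tag seen wins
        elif m := SVP_GENERAL.fullmatch(tag):
            vlan = int(m.group(1))
            if general not in (None, vlan):
                problems.append(f"conflicting general VLAN: {tag}")
            general = vlan if general is None else general
        else:
            problems.append(f"malformed SVP tag: {tag}")
    return general, per_port, problems


def resolve_vlan(tags, switch_port):
    """VLAN for a user device on switch_port (switch format, e.g. '50004'), or None."""
    general, per_port, _ = parse_svp(tags)
    # The SVP_PORT tag for this port applies; SVP_GENERAL only when none exists.
    return per_port.get(str(switch_port), general)


# Constructed sample tags for one switch (not taken from a real deployment).
SWITCH_TAGS = ["NDT_WIFI", "SVP_GENERAL_20", "SVP_PORT_50003_11",
               "SVP_PORT_50003_99", "SVP_PORT_4_x"]
```

Running `parse_svp` over every network device's tags before relying on the plugin surfaces tags that would otherwise leave a port on an unintended VLAN.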
HDT: Hardware Device Type. Defines the hardware type, showing whether the device is physical or virtual. Today there are 2 possibilities: HDT_VMGUEST or HDT_BAREMETAL. This tag originates from an openNAC data payload.
UTC: This tag is used when a DOS_, EPT_, ROS_, SSO_ or VOS_ tag is replaced by a new DOS_, EPT_, ROS_, SSO_ or VOS_ tag, respectively. The old tag is kept but preceded by UTC. For example, if an asset was initially tagged with EPT_IP_PHONE but was later identified as a video-conference asset, the asset will be tagged with EPT_VIDEOCONFERENCE and UTC_EPT_IP_PHONE.
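
Because the old value survives under the UTC prefix, an asset's tag list records that it was reclassified. The following added example (not openNAC code) pairs each UTC_ tag with the asset's current tag of the same kind so reclassified assets can be listed for review; the inventory structure and asset names are assumptions of this example.

```python
# Prefixes whose tags are replaced rather than accumulated (from the UTC description).
UNIQUE_PREFIXES = {"DOS", "EPT", "ROS", "SSO", "VOS"}


def profile_changes(tags):
    """Return (kind, old_value, current_value) for every UTC_ tag on one asset."""
    current, previous = {}, []
    for tag in tags:
        prefix, _, rest = tag.partition("_")
        if prefix == "UTC":
            kind, _, old = rest.partition("_")
            if kind in UNIQUE_PREFIXES and old:
                previous.append((kind, old))
        elif prefix in UNIQUE_PREFIXES and rest:
            current[prefix] = rest
    # current_value is None if the asset carries no live tag of that kind.
    return [(kind, old, current.get(kind)) for kind, old in previous]


def reclassified(inventory, kind="EPT"):
    """Map asset name -> list of (old, current) changes of the given kind."""
    report = {}
    for name, tags in inventory.items():
        hits = [(old, new) for k, old, new in profile_changes(tags) if k == kind]
        if hits:
            report[name] = hits
    return report


# Constructed inventory; asset names and tag sets are illustrative only.
INVENTORY = {
    "asset-a": ["EPT_VIDEOCONFERENCE", "UTC_EPT_IP_PHONE", "MAC_0001E6"],
    "asset-b": ["EPT_PRINTER", "DOS_WINDOWS_10", "UTC_DOS_WINDOWS_8"],
    "asset-c": ["EPT_PC", "ROS_WINDOWS"],
}
```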
NCS: This tag is added when the service is disabled; if the service is enabled, an ISS_ tag is added to the asset instead. For example, NCS_BITLOCKER is added when the BITLOCKER service is NOT configured; if the service is configured, the added tag will be ISS_BITLOCKER.
MLR: This tag shows the status of the Machine Learning process, which deduces the type of the analyzed device from its behaviour on the network. The results can be:
- Match: Indicated with the tag MLR_MATCH
- Partial: Indicated with the tag MLR_PARTIAL
- No Match: Indicated with the tag MLR_NOMATCH
ICT: Tag used internally as a cache. Example: the tag ICT_FGA_{firewallIP} indicates which FortiGate RADIUS IP is associated with a switch IP, to speed up processing in the FortiGate Accounting plugin.