Resurgent Atom

Creating tags based on Asset Group Naming Conventions

Discussion created by Resurgent Atom on Nov 24, 2019

Just want to share a solution to what I think could be a common problem for others.

We've got a naming convention in place for Asset Groups which is based on subnets scanned.

 

The naming convention requires AGs to start with the 2-letter ISO country code indicating the country that the subnet is allocated in, e.g.

 

US_SUBNET1_SCAN_INTERNAL

US_SUBNET2_SCAN_INTERNAL

IN_SUBNET1_SCAN_INTERNAL

IN_SUBNET2_SCAN_INTERNAL

NZ_SUBNET1_SCAN_EXTERNAL

NZ_SUBNET2_SCAN_INTERNAL

...

and so on.

 

In order to report per geo/country, I recently needed to create tags that included all the assets in AGs per country code.

For example,

  • The tag "US" should be applied to all assets in US_SUBNET1_SCAN_INTERNAL and US_SUBNET2_SCAN_INTERNAL
  • "IN" for all assets in IN_SUBNET1_SCAN_INTERNAL and IN_SUBNET2_SCAN_INTERNAL
  • "NZ" for all assets in NZ_SUBNET1_SCAN_EXTERNAL and NZ_SUBNET2_SCAN_EXTERNAL

etc.

 

I could of course hard-code all the asset group names,

// Only host assets are considered
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// One hasTag() check per Asset Group name
return (asset.hasTag("US_SUBNET1_SCAN_INTERNAL")
  || asset.hasTag("US_SUBNET2_SCAN_INTERNAL")
);

but that would be silly, because it means if I (or someone else) added a new asset group, we would have to remember to update the asset tags as well. Managing Qualys is not a full-time role at our organisation, and therefore there is a high likelihood that someone would forget to update tags when adding asset groups. Besides, why should humans have to do a machine's job?

 

Luckily, the methods available for Groovy scripts were recently made public.

Public methods available in Groovy Script for invocation on different objects 

 

After some discussions with support, the solution was to use a regular expression with the new Groovy script method: asset.tags

 

Below is the Groovy script I ended up using to achieve my goal. It should be easy to modify the regular expression to suit your specific naming convention or use case.

 

// Return False if not a host asset
if(asset.getAssetType()!=Asset.AssetType.HOST) return false;
// Return True if any tag on the asset (Asset Group names included) starts with US_
return asset.tags.find{it.name.matches("^US_.*")}!=null;

 

This works really well and now all anyone needs to do is add assets into existing asset groups or create new groups per naming convention, and they would get auto-tagged based on your location / reporting rules.

 

You can of course set up business units etc., but in practice it is overhead just to manage them, and I haven't really seen too many organisations derive value from setting up business units etc.

Hope this helps someone!
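An added example (not part of the original post, and not Qualys code): a stand-alone Groovy script that exercises the rule's regular expression against constructed tag lists before it goes into a tag rule, including a tag that merely shares the US_ prefix. The maps standing in for `asset` and its tags, the helper names and the stricter pattern are assumptions made for this check.

```groovy
// Offline check of the tag rule's regular expression (added example).
// The maps below are constructed stand-ins for the Qualys objects: the rule in
// the post only reads asset.tags and each tag's name, so that is all they model.

// The rule from the post, parameterised by country code (hypothetical helper).
def prefixRule = { asset, String cc ->
    asset.tags.find { it.name.matches("^" + cc + "_.*") } != null
}

// Stricter variant (assumption): match the whole naming convention
// CC_<SUBNET>_SCAN_INTERNAL|EXTERNAL instead of only the CC_ prefix.
// Adjust the middle part if your subnet labels contain other characters.
def strictRule = { asset, String cc ->
    asset.tags.find { it.name.matches(cc + '_[A-Z0-9]+_SCAN_(INTERNAL|EXTERNAL)') } != null
}

// Build a stand-in asset from a list of tag names (hypothetical helper).
def mkAsset = { List<String> names -> [tags: names.collect { [name: it] }] }

// Constructed sample assets.
def cases = [
    'in a US asset group'      : mkAsset(['US_SUBNET1_SCAN_INTERNAL']),
    'in an NZ asset group'     : mkAsset(['NZ_SUBNET1_SCAN_EXTERNAL', 'Servers']),
    'carries only the US tag'  : mkAsset(['US']),
    'NZ asset, US_-prefixed tag': mkAsset(['NZ_SUBNET2_SCAN_INTERNAL', 'US_PCI_SCOPE']),
    'no tags at all'           : mkAsset([]),
]

cases.each { label, asset ->
    def p = prefixRule.call(asset, 'US')
    def s = strictRule.call(asset, 'US')
    println "${label.padRight(28)} prefix=${p} strict=${s}"
}

// Both rules tag assets that sit in a US asset group and skip NZ-only assets.
assert prefixRule.call(cases['in a US asset group'], 'US')
assert strictRule.call(cases['in a US asset group'], 'US')
assert !prefixRule.call(cases['in an NZ asset group'], 'US')
// The resulting "US" tag does not re-trigger the rule (no underscore after US).
assert !prefixRule.call(cases['carries only the US tag'], 'US')
// Any unrelated tag starting with US_ satisfies the prefix rule, so an NZ
// asset would be reported under US; the stricter pattern rejects it.
assert prefixRule.call(cases['NZ asset, US_-prefixed tag'], 'US')
assert !strictRule.call(cases['NZ asset, US_-prefixed tag'], 'US')
assert !prefixRule.call(cases['no tags at all'], 'US')
```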

 
