About asset tags

Asset tags are groups of related assets with shared characteristics and sensitivity in the organization. With asset tagging, Hunters allows security teams to enrich security events with the business context and importance of the assets in the organization, as well as impact the severity of the security event, and hence the risk evaluation.

Asset tags tell the system to adjust the lead's risk score based on the importance and sensitivity of the involved asset. For instance, leads involving the email address of the company's CEO will be extra-sensitive, as if breached, it could lead to extensive damage to the company.

Tag origin

Tags can originate from 2 different sources:

  • Hunters innate tags

  • User define tags

Hunters innate tags

Hunters provides an innate list of asset tags that are automatically created based on raw security data. These include Domain Controllers, Domain Administrators, Exchange Servers, Google and Okta Admins, and more.



Hunters tag: How is it done?

domain_controller

The logic depends on the data provided by the Endpoint Detection and Response (EDR) system. For example, in Crowdstrike we look for (1) an event with the simple name OsVersionInfo and (2) raw data indicating that the product type is 2 (the Windows product type value for a domain controller).

exchange_server

Hunters looks for Exchange processes running from %\\program files%\\microsoft\\exchange server%. EDR agents on which such a process is observed are automatically tagged as Exchange servers.

aad_connect_server

Hunters looks for records where the device_platform is WINDOWS and the lowered_target_process_path contains the path to azureadconnect.exe.

WHERE device_platform = 'WINDOWS'
  AND lowered_target_process_path LIKE '%\\azureadconnect.exe'

ad_certificate_services_server

Hunters looks for records where the device_platform is WINDOWS and the lowered_target_process_path contains the path to certsrv.exe.

WHERE device_platform = 'WINDOWS'
  AND lowered_target_process_path LIKE '%\\windows\\system32\\certsrv.exe'

adfs_server

Hunters looks for records in which:

  • The device_platform is WINDOWS

  • The lowered_target_process_path contains the path to microsoft.identityserver.servicehost.exe within the windows\adfs directory, the default directory of the Active Directory Federation Service (ADFS).

WHERE device_platform = 'WINDOWS'
-- windows\\adfs is the default directory of the active directory federation service
  AND lowered_target_process_path LIKE '%\\windows\\adfs\\microsoft.identityserver.servicehost.exe'


adfs_service_user

This tag will be applied to records in which:

  • The device_platform is WINDOWS

  • The lowered_target_process_path contains the path to microsoft.identityserver.servicehost.exe within the windows\adfs directory, the default directory of the Active Directory Federation Service (ADFS).

  • It excludes records associated with local service accounts (well-known SIDs such as S-1-5-18, S-1-5-19 and S-1-5-20) by checking that the target_process_windows_user_sid starts with s-1-5-21, the prefix of domain and machine account SIDs.

WHERE device_platform = 'WINDOWS'
-- windows\\adfs is the default directory of the active directory federation service
  AND lowered_target_process_path LIKE '%\\windows\\adfs\\microsoft.identityserver.servicehost.exe'
-- exclude local service accounts
  AND LOWER(target_process_windows_user_sid) LIKE 's-1-5-21%'

citrix_delivery_controller_server

This tag will be applied to Windows devices related to specific Citrix processes.

WHERE device_platform = 'WINDOWS' AND
      lowered_target_process_name IN ('citrix.adidentity.exe', 'citrix.analytics.exe', 'brokerservice.exe',
      'citrix.configurationlogging.exe', 'citrix.configuration.exe', 'citrix.delegatedadmin.exe',
      'citrix.envtest.exe', 'citrix.host.exe', 'citrix.machinecreation.exe', 'citrix.monitor.exe',
      'citrix.storefront.exe')


domain_controller_user

This tag will be applied to users who logged into assets tagged as domain controllers, excluding:

  • Built-in accounts

  • Local accounts

  • Logon types that do not by themselves signify a user with privileges relevant to logging into a DC: Network, Unlock, CachedUnlock
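The domain_controller_user rule above has no query on this page, so here is an added example (not Hunters' code) that applies its three exclusions to constructed logon events. The logon type codes (3 Network, 7 Unlock, 13 CachedUnlock) and the built-in SIDs are Microsoft's documented values; treating a logon whose domain equals the host name as a local account is an assumption made for the example.

```python
from dataclasses import dataclass

# Windows event 4624 logon type codes the page excludes as not signifying DC privileges.
EXCLUDED_LOGON_TYPES = {3: "Network", 7: "Unlock", 13: "CachedUnlock"}
# Well-known SIDs of built-in accounts: SYSTEM, LOCAL SERVICE, NETWORK SERVICE.
BUILTIN_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}

@dataclass(frozen=True)
class LogonEvent:
    hostname: str      # asset that was logged into
    username: str
    user_sid: str
    logon_type: int
    logon_domain: str  # domain supplied at logon

def is_local_account(ev: LogonEvent) -> bool:
    # Assumption: a local (machine SAM) account authenticates against the host
    # itself, so the logon domain equals the computer name.
    return ev.logon_domain.upper() == ev.hostname.upper()

def domain_controller_users(events, dc_hosts):
    # Usernames that earn the domain_controller_user tag.
    dcs = {h.upper() for h in dc_hosts}
    tagged = set()
    for ev in events:
        if ev.hostname.upper() not in dcs:
            continue  # only logons to assets tagged domain_controller count
        if ev.user_sid.upper() in BUILTIN_SIDS:
            continue  # built-in accounts
        if is_local_account(ev):
            continue  # local accounts
        if ev.logon_type in EXCLUDED_LOGON_TYPES:
            continue  # Network / Unlock / CachedUnlock
        tagged.add(ev.username.lower())
    return tagged

# Constructed sample events (not real telemetry); DC01 is the only tagged DC.
DC_HOSTS = ["DC01"]
SAMPLE_EVENTS = [
    LogonEvent("DC01", "alice", "S-1-5-21-111-222-333-1105", 10, "CORP"),     # RemoteInteractive: tagged
    LogonEvent("DC01", "svc-backup", "S-1-5-21-111-222-333-1200", 5, "CORP"), # Service: tagged
    LogonEvent("DC01", "bob", "S-1-5-21-111-222-333-1106", 3, "CORP"),        # Network: excluded
    LogonEvent("DC01", "SYSTEM", "S-1-5-18", 5, "NT AUTHORITY"),              # built-in: excluded
    LogonEvent("DC01", "localuser", "S-1-5-21-444-555-666-1001", 2, "DC01"),  # local: excluded
    LogonEvent("FS01", "carol", "S-1-5-21-111-222-333-1107", 2, "CORP"),      # not a DC: excluded
    LogonEvent("DC01", "dave", "S-1-5-21-111-222-333-1108", 13, "CORP"),      # CachedUnlock: excluded
]

if __name__ == "__main__":
    print(sorted(domain_controller_users(SAMPLE_EVENTS, DC_HOSTS)))  # ['alice', 'svc-backup']
```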

linux_server

Currently applicable for Crowdstrike and Sentinel only.
This tag will be applied to Linux devices whose product type description is server.

WHERE PLATFORM_NAME = 'linux' AND PRODUCT_TYPE_DESC = 'server'

vmware_vcenter_server

This tag will be applied to Windows devices on which the vCenter process vpxd.exe runs from a path under program files\vmware.

WHERE device_platform = 'WINDOWS' AND
      -- appears in multiple different paths, but all are under program files\vmware
      lowered_target_process_path LIKE '%\\program files\\vmware\\%' AND
      lowered_target_process_name = 'vpxd.exe'


windows_server

The logic differs per EDR.
In Crowdstrike, for example, we look for PLATFORM_NAME = 'windows' AND PRODUCT_TYPE_DESC = 'server', and we also look for the OsVersionInfo event and tag assets where raw:ProductName::VARCHAR LIKE '%windows server%'.

okta_ad_service_account

This tag will be added to assets in which event_type matches any of the values specified below.

event_type IN ('system.agent.ad.read_ldap',
               'system.agent.ad.invoke_dir',
               'system.agent.ad.read_topology',
               'system.agent.ad.write_ldap')

okta_admin

This tag will be added to assets with a successful access to the Okta admin app, i.e. records matching the condition below.

event_type = 'user.session.access_admin_app' AND
outcome_result = 'SUCCESS'

gsuite_admin

This tag will be added to assets whose ID_APPLICATION_NAME is admin and whose actor_email is not empty.

WHERE ID_APPLICATION_NAME = 'admin'
 -- some events are not by specific user (thresholds reached, etc.)
   AND actor_email IS NOT NULL

User-defined tags

You can define your own custom tags with rules that will allow assets to be automatically tagged.

User-defined asset tags appear under the Enrichment section of the relevant asset. So when examining a lead, you will need to navigate to the asset's tab and then scroll down to the Enrichment section to locate the Asset tag enrichment, if one exists.

📘 Learn more

Learn more about working with user-defined tags here.

🚧 Note

Asset tagging will only be applied to new security events, and not retroactively.


Hunters innate tags vs. User-defined tags

|                         | Hunters innate tags            | User-defined tags                                       |
|-------------------------|--------------------------------|---------------------------------------------------------|
| Origin                  | Hunters OOTB                   | User                                                    |
| Setup                   | Not required                   | Manually under Knowledge Center > Tags or using the API |
| Visibility              | Under the asset/attribute name | Under the Enrichment section                            |
| Retroactive application | Not relevant                   | Not applied retroactively                               |

Supported asset types

Asset tagging can be applied only to assets from the types below:

  • Agent ID

  • Email

  • Hostname

  • Username

  • OS Username

  • IP

  • Person Name

  • AWS Secret

  • AWS account ID

  • AWS user identity ARN

  • Domain

Available sensitivity levels

When setting up an asset tag you can define the sensitivity level that will be assigned to each asset with this tag. Each sensitivity level has a different impact on the lead's final risk score.

📘 Note

While Custom Scoring allows for control over the Confidence level of leads, asset tags allow a global level of control over the Severity of leads.

Asset sensitivity is an additional scoring layer that influences the severity of the security event.


| Sensitivity Level | Severity Impact                        | Description                                                                                                                                                                                                                 |
|-------------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Critical          | Increase the severity level by 1       | This level should be assigned to groups that are considered the organization's critical assets and crown jewels. Examples: the organization's critical infrastructure servers, billing servers, and Domain Controllers.    |
| High              | Increase the severity level by 0.5     | This level should be assigned to groups that are considered important to the organization's day-to-day operation and mission. Examples: service accounts, Exchange servers.                                               |
| Neutral           | Do nothing (i.e. informational only)   | This level should be assigned to groups mainly to enrich the security event with more business context regarding the assets' essence and role in the organization. Examples: company employees, domain names.             |
| Low               | Decrease the severity level by 0.5     | This level should be assigned to assets that, if impacted as part of a security event, have very low impact on the organization. Examples: simulation and testing accounts and environments.                              |