Tags

Tags are key-value pairs used to label inventory items, such as certificates, keys, secrets, and assets, during data collection. Applying tags when running a scan allows you to organize your security posture by business context, such as Environment, Owner, Department, or Application.

Once ingested, these tags become primary filters in the AQtive Guard Inventory dashboard. AQtive Guard tracks the last seen date for every tag association, ensuring your inventory remains current as your environment evolves.

Tag structure

AQtive Guard uses a two-part structure to organize metadata:

  • Category: The broad label or key that defines the type of metadata, such as Region, Department, or Application.
  • Value: The specific descriptor assigned to a category. For example, if the category is Region, the value might be EMEA or US-East.

Together, a category and value form a single tag (category=value).

Adding tags during a scan

When running a sensor, such as the Filesystem Scanner, you can provide tags through command-line arguments. AQtive Guard supports two primary methods for inputting tags to handle both simple and complex metadata.

Standard tagging

Standard tagging uses the --tag parameter and provides a streamlined way to manually categorize data. This method parses categories and values based on specific delimiters, assuming the following characters are not part of the actual tag text:

  • Equals sign (=): Use an equals sign to link a category to its value (for example, category=value).
  • Comma (,): Use a comma to assign several values to one category at once (for example, category=value1,value2).

Example

The following PowerShell command demonstrates how to apply multiple tags during a scan:

PowerShell
.\cs-host-scanner.exe `
  --root C:\data `
  --tag env=production,web-server `
  --tag team=finance `
  --output scan.cst.gz

This example assigns “production” and “web-server” values to the env key, while the team key is labeled as “finance.”

Literal tagging

Literal tagging uses the --tag-pair parameter when your categories or values contain special characters, such as commas or equals signs, that must be preserved. This captures the string exactly as typed.

Important

This flag requires two distinct parameters: the Category name followed by the Value.

Example

The following Bash command demonstrates how to use literal tagging to handle values containing special characters:

Bash
./cs-host-scanner \
  --root /etc/crypto \
  --tag-pair business-unit "Sales, Marketing & PR" \
  --tag-pair version "v1.0=stable"

This example assigns “Sales, Marketing & PR” to the business-unit key, while the version key is labeled as “v1.0=stable.”
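The following Python model of the two tag syntaxes is an added example, not the scanner's own parser: it applies the delimiter rules documented under Standard tagging and Literal tagging to the page's own commands, and shows why a value such as "Sales, Marketing & PR" must go through --tag-pair. It assumes that --tag splits on the first equals sign and then on commas; the real scanner's handling of edge cases (surrounding whitespace, repeated equals signs) is not documented here.

```python
# Model of the two tag syntaxes this page documents (added example, not the
# scanner's own code). Assumption: --tag splits on the first '=' and then on
# ','; the real parser's edge cases (whitespace, repeated '=') may differ.
from typing import Dict, List

DELIMITERS = ("=", ",")


def parse_standard_tag(arg: str) -> Dict[str, List[str]]:
    """--tag category=value1,value2 -> {category: [value1, value2]}"""
    if "=" not in arg:
        raise ValueError(f"standard tag needs category=value, got {arg!r}")
    category, values = arg.split("=", 1)
    return {category: values.split(",")}


def parse_literal_pair(category: str, value: str) -> Dict[str, List[str]]:
    """--tag-pair category value -> value kept exactly as typed"""
    return {category: [value]}


def collect_tags(argv: List[str]) -> Dict[str, List[str]]:
    """Walk a scanner argument list and merge every tag it carries."""
    tags: Dict[str, List[str]] = {}
    i = 0
    while i < len(argv):
        if argv[i] == "--tag":
            parsed, i = parse_standard_tag(argv[i + 1]), i + 2
        elif argv[i] == "--tag-pair":
            parsed, i = parse_literal_pair(argv[i + 1], argv[i + 2]), i + 3
        else:
            i += 1  # --root, --output, ... carry no tags
            continue
        for category, values in parsed.items():
            tags.setdefault(category, []).extend(values)
    return tags


def tag_args(category: str, value: str) -> List[str]:
    """Choose the flag that round-trips a value: literal if it holds a delimiter."""
    if any(d in category or d in value for d in DELIMITERS):
        return ["--tag-pair", category, value]
    return ["--tag", f"{category}={value}"]


# Constructed argument lists mirroring the page's examples.
STANDARD = ["--root", "C:\\data", "--tag", "env=production,web-server",
            "--tag", "team=finance", "--output", "scan.cst.gz"]
LITERAL = ["--tag-pair", "business-unit", "Sales, Marketing & PR",
           "--tag-pair", "version", "v1.0=stable"]
# The same value through --tag is cut at the comma into two wrong values.
MISUSED = ["--tag", "business-unit=Sales, Marketing & PR"]
```

tag_args is the check to run over an inventory spreadsheet before building a scan command: any owner or unit name containing a comma or equals sign gets the literal flag automatically.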

Use

Once your data is uploaded, you can view your tags directly in AQtive Guard.

Inventory

Across all tabs in the Inventory table, tags are displayed in the Imported tags column. This provides a high-level view of the metadata associated with each discovered item, allowing you to quickly identify ownership or environment at a glance.

Tip

Beyond just viewing, you can use these tags to narrow down your inventory list. By applying a tag filter, you can create custom views focused on specific business contexts (for example, viewing only “Production” secrets). Refer to Filters for details.

To view imported tags:

  1. Log in to AQtive Guard and select Inventory from the main menu.
  2. Under the Cryptography section, select the data type you’re interested in.
  3. Locate the specific entry you’re interested in and view the Imported tags column to see the metadata associated with that record.

Note

If you don’t see the Imported tags column, select the Columns button, check the box for Imported tags, and select Apply to make it visible.

Secret details

For more granular inspection within the Secrets tab, you can select Details for any specific entry to open a view that presents the raw imported tags for that secret.

To view secret details:

  1. Log in to AQtive Guard and select Inventory from the main menu.
  2. Under the Cryptography section, select Secrets.
  3. Locate the specific secret you’re interested in and select Details at the end of the row.
  4. Under the Overview tab, select Raw imported tags.

This view shows the raw imported tags, ensuring you can see the exact key-value pairs assigned during the scan, including those containing special characters applied through literal tagging.

Specialized scanning use cases

Certain scanning environments require specific tagging strategies to ensure that the unique properties of the assets, such as store types or host-specific data, are preserved and easily searchable.

Windows certificate stores

For certificate store scans, use tags to categorize data by machine location or administrative ownership.

The following code demonstrates how to scan local stores while applying both literal and standard tags:

PowerShell
.\cs-host-scanner.exe `
  --scan-windows-stores `
  --tag-pair "store-type" "local-machine" `
  --tag env=prod `
  --output cert-scan.cst.gz

This example assigns the literal value “local-machine” to the store-type key, while the env key is labeled as “prod.”

Tagging parameters reference

The following parameters are used to configure tagging behavior and data transformation:

Parameter                   Type        Description
--tag                       Ingestion   Standard format; interprets = and ,.
--tag-pair                  Ingestion   Literal format; requires 2 arguments (Key Value).
--tag-rewrite               Transform   Maps a source tag to a destination tag.
--tag-rewrites-may-delete   Safety      Required to allow a rewrite rule to delete a tag.

Real-world example: Multi-region compliance audit

Imagine your organization is undergoing a security audit. You need to scan all Windows servers across two different data centers (New York and London) to identify expiring certificates. To ensure the results are actionable, you need to know exactly which team owns the server, and which regulatory environment it falls under.

The goal

The objective is to label scan data so that upon uploading to AQtive Guard, you can instantly filter for “High-Priority” servers located in the “London” office.

Implementation

To achieve this, use a combination of Standard tagging for quick categorization and Literal tagging for data containing special characters (such as any team names with ampersands).

An example command is shown below:

PowerShell
.\cs-host-scanner.exe `
  --scan-windows-stores `
  --tag env=production `
  --tag region=london `
  --tag-pair "owner" "DevOps & Security" `
  --output london_prod_scan.cst.gz

How AQtive Guard helps

  • Filtering: A compliance officer can navigate to the Inventory table and look at the Imported tags column for region=london to isolate UK-based assets.
  • Accountability: If a vulnerable certificate is identified, the Secret Details view displays the raw tag owner=DevOps & Security, identifying the exact point of contact for remediation.
  • Automation: By tagging the env as “production”, you can prioritize the remediation of critical certificates before addressing staging or dev environments.