Auto tagging using global query

This article provides details on how to create auto tag rules using a global query.

Currently, auto tagging using a global query is available through the API only. A GUI-based solution will be available in release 77.

Global query based auto tag rules are created with a POST request to the /tagRules API endpoint.

The upt_asset_id and tag columns returned by the global query determine which assets are assigned a particular tag.

Use interval for scheduled tag rules.

Use runOnce for one-time tag rules.


Scheduled auto tag rule based on Global query

{
  "name": "Mac osx auto tag rule Global",
  "description": "Tag all whose os_version is mac os x",
  "query": "with latest_row as (select name, upt_assets.upt_asset_id, max(os_version.upt_time) as maxtime from os_version inner join upt_assets on os_version.upt_asset_id = upt_assets.id where upt_day >= CAST(date_format(localtimestamp - INTERVAL '3' DAY, '%Y%m%d') AS INTEGER) group by name, upt_assets.upt_asset_id) select distinct upt_asset_id, 'usmacbook' as tag from latest_row where name = 'Mac OS X'",
  "interval": 3600,
  "source": "global"
}

One time tag rule

{
  "name": "Mac osx auto tag rule Global",
  "description": "Tag all whose os_version is mac os x",
  "query": "with latest_row as (select name, upt_assets.upt_asset_id, max(os_version.upt_time) as maxtime from os_version inner join upt_assets on os_version.upt_asset_id = upt_assets.id where upt_day >= CAST(date_format(localtimestamp - INTERVAL '3' DAY, '%Y%m%d') AS INTEGER) group by name, upt_assets.upt_asset_id) select distinct upt_asset_id, 'usmacbook' as tag from latest_row where name = 'Mac OS X'",
  "runOnce": true,
  "source": "global"
}
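
An added example, not part of the original article or Uptycs code: a Python pre-flight check that builds either kind of rule, verifies that the query returns the upt_asset_id and tag columns and that exactly one of interval or runOnce is set, and serializes the rule with json.dumps so the multi-line SQL is escaped correctly. The helper names build_tag_rule and output_columns are hypothetical, and the column check is a simple heuristic rather than a SQL parser; the host and authentication needed to POST the body to /tagRules are not covered by this article and are left out.

```python
import json
import re

# SQL from the article, kept multi-line for readability; json.dumps escapes the newlines.
QUERY = """with latest_row as (
  select name, upt_assets.upt_asset_id, max(os_version.upt_time) as maxtime
  from os_version
  inner join upt_assets on os_version.upt_asset_id = upt_assets.id
  where upt_day >= CAST(date_format(localtimestamp - INTERVAL '3' DAY, '%Y%m%d') AS INTEGER)
  group by name, upt_assets.upt_asset_id
)
select distinct upt_asset_id, 'usmacbook' as tag
from latest_row
where name = 'Mac OS X'"""


def output_columns(sql):
    """Column names of the top-level SELECT (heuristic: drops parenthesised text such as CTE bodies)."""
    depth, top = 0, []
    for ch in sql:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0:
            top.append(ch)
    m = re.search(r"\bselect\s+(?:distinct\s+)?(.*?)\s+from\b", "".join(top), re.I | re.S)
    items = m.group(1).split(",") if m else []
    # The last word of each item is its alias or bare column name; drop any table qualifier.
    return [i.split()[-1].split(".")[-1].lower() for i in items if i.strip()]


def build_tag_rule(name, description, query, interval=None, run_once=False):
    """Return the rule as a dict ready for json.dumps, or raise ValueError if it is malformed."""
    if (interval is None) == (not run_once):
        raise ValueError("set exactly one of interval (scheduled) or run_once (one time)")
    missing = {"upt_asset_id", "tag"} - set(output_columns(query))
    if missing:
        raise ValueError("query must return column(s): " + ", ".join(sorted(missing)))
    rule = {"name": name, "description": description, "query": query, "source": "global"}
    rule.update({"runOnce": True} if run_once else {"interval": interval})
    return rule


if __name__ == "__main__":
    rule = build_tag_rule("Mac osx auto tag rule Global",
                          "Tag all whose os_version is mac os x", QUERY, interval=3600)
    print(json.dumps(rule, indent=2))  # request body for POST /tagRules
```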

