Skip to main content



Cisco Defense Orchestrator

Labels and Filtering

When managing many devices, organizing those devices can quickly become problematic. Applying Labels and using the CDO filtering capability can help realize the abstractions that naturally develop, simplifying the management of large data sets. Labels and label groups are multi-dimensional and provide the ability to structure the data as best meets needs.

Labels are applied per device and can be applied during on-boarding or at anytime afterwards through the right-hand panel. They are created as free-form text and associated to that device, however note that labels applied to devices are not extended to associated CDO objects, for example the policies associated with a given device configuration. 

For example, if an organization required review of configurations before it is pushed to a device, adding a flag "Flagged for Review" could quickly identify those configurations that require review. With a complete review, the label could be removed. As another case, the label "PCI Compliance" could be applied to all devices that enforce PCI compliance.

With the application of labels, the CDO filtering capability can be used to make only the relevant devices visible. This is accomplished by expanding the Filter sidebar and selecting the desired labels.

Label Groups provide another level of refinement by establishing labels in a tag:data format. Label Groups are defined by a colon (:) delimiter, separating the label group from the label. An example of a Label Group would be "Location", indicating the physical location of the device. Specifically, devices one and two could be labeled "Location:Boston", with device three labeled "Location:Singapore". Another use case for Label Groups is "Owner", used to indicate the accountable party of a given device.

Once Label Groups have been applied, CDO filtering will demonstrate each Label Group as its own category in the Filter sidebar. Labels belonging to that Label Group are selectable underneath.

In general, those who want less structured data or operating in a simple environment may be most successful by applying Labels. Those desiring more structured data or operating in complex environments may want to consider adding Label Groups.

Labels and Tags in AWS VPC

When you onboard an AWS VPC to CDO, CDO reads all AWS VPC tags as part of the configuration. That is, they are copied from AWS and stored in CDO's database. These tags are represented as CDO labels, which can be viewed in the Devices & Services page, just like labels on any other device type. If you delete the existing labels or create new labels from CDO, these changes are not synchronized to the AWS VPC. You must manually make the same changes using the AWS console. VPC Tags that are created or modified in the AWS console after the AWS VPC has been onboarded will not be stored in CDO's copy of the configuration or detected as an out-of-band change. 

How to filter

To filter, use the filtering options in the left hand pane of the Devices and Services, Policies, and Objects tabs:

  • All Objects – This filter provides you all the objects available from all the devices you have on-boarded in CDO. This filter is useful to browse all your objects, or as a starting point to search or further apply sub filters.
  • Shared Objects – This quick filter shows you all the Objects that CDO has found to be shared on more than one device.
  • Objects By Device – Lets you pick a specific device so that you can see objects found on selected device.

Sub filters – Within each main filter, there are sub filters you can apply to further narrow down your selection. These sub-filters are based on Object Type – Network, Service, Protocol etc.

  • Was this article helpful?