Tag Rule Operators

Tag operators are used within Tag Rules for automatic tagging or when filtering your Explore Assets. These operators define the logic for how assets are matched to specific categories and values.

Caution: Avoid using leading wildcards in tag filters, especially when applying multiple similar filters within a single container. Using leading wildcards can significantly degrade search performance, cause search timeouts, and prevent the system from successfully applying tags to your assets.

Note: If there is a typo in the tag rule, an error appears in the Rules box with a description of the issue.

Constraints on Tag Rules

To ensure optimal performance and system stability, the following limits apply to the Boolean Filter Conditions within a Tag Rule:

  • Maximum Boolean Filter Conditions: 40
    • A single Tag Rule can consist of up to 40 individual filter conditions joined by AND or OR operators.
  • Maximum Values per Filter Property: 1024
    • Each specific filter property (for example, Operating System, Hostname, or IP Address) supports up to 1,024 unique values.

The available operators depend on the data type (String, Date, or Numeric) of the property you are filtering.

General Logic Operators

When building a rule with multiple conditions, you use these to determine how filters interact:

  • Match All (AND) — The asset must meet every single filter condition to be tagged.

  • Match Any (OR) — The asset is tagged if it meets at least one of the filter conditions.

Common Filter Operators

These are the primary operators used for asset attributes like Hostname, Operating System, or IP Address:

Operator Description
is equal to / = Requires an exact match of the value provided.
is not equal to / != Matches any asset that does not have the exact value provided.
contains Matches if the specified string exists anywhere within the attribute.
does not contain Matches if the specified string is absent from the attribute.
matches Used for pattern matching (often supporting wildcards like *).
does not match Used to exclude assets based on a specific pattern.
exists Matches if the attribute has any value assigned (is not null).
does not exist Matches if the attribute is empty or null.

Date and Time Operators

These operators are used for fields like Last Seen, Last Authenticated Scan, or First Discovered:

  • is equal to / = (Specific date)

  • is greater than / > (After a specific date)

  • is less than / < (Before a specific date)

  • between (Within a specific date range)

  • older than (for example, older than 30 days)

  • newer than (for example, newer than 7 days)

  • within last (for example, within the last 24 hours)

Numeric and Rating Operators

These operators are used for scores like Vulnerability Priority Rating (VPR) or Asset Criticality Rating (ACR):

  • = (Equal to)

  • != (Not equal to)

  • > (Greater than)

  • >= (Greater than or equal to)

  • < (Less than)

  • <= (Less than or equal to)

Pro-Tip: The Wildcard Operator

Tenable supports the asterisk (*) as a wildcard for most string-based filters.

Example

Using *Linux* in a "matches" filter for Operating System will tag any asset where "Linux" appears anywhere in the OS string (e.g., "Ubuntu Linux 20.04" or "Red Hat Enterprise Linux").

Note: Avoid using leading wildcards (e.g., *test) if possible, as they can significantly slow down the dynamic tagging engine compared to trailing wildcards (e.g., test*).