Asset Tag "Legacy Filter" Issues

[asreich]

Describe the bug

I'm trying to figure out how to create/edit tags with the appropriate filters to categorize a number of hosts with the Tags API. I have been trying to wrap my head around the filters that are and are not available to the various object types. Specifically, workbench asset filters and asset tag filters.

I'm not sure why some filters that work in the UI do not work through the API.

To Reproduce
Steps to reproduce the behavior:

When I edit the tag via the UI and add "Licensed is True" and then get the details of the tag I get the following:

{
    'uuid': '' < SNIP > ', '
    created_at ': '
    2024 - 04 - 10 T22: 16: 56.403 Z ', '
    created_by ': ' < SNIP > ', '
    updated_at ': '
    2024 - 04 - 11 T17: 18: 13.880 Z ', '
    updated_by ': '
    '<SNIP>',
    'category_uuid': '' < SNIP > ', '
    value ': '
    AE ', '
    description ': '
    Synced 2024 - 04 - 11 ', '
    type ': '
    dynamic ', '
    product ': '
    IO ', '
    category_name ': '
    '<SNIP>',
    'assignment_count': 0,
    'access_control': {
        'current_user_permissions': [ 'ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE' ],
        'defined_domain_permissions': [ 'ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE' ],
        'all_users_permissions': [],
        'current_domain_permissions': [ {
            'id': '' < SNIP > ', '
            name ': '
            '<SNIP>, '
            type ': '
            USER ', '
            permissions ': ['
            CAN_USE ', '
            CAN_EDIT ']}, {'
            id ': '
            '<SNIP>',
            'name': 'Digital',
            'type': 'GROUP',
            'permissions': [ 'CAN_USE', 'CAN_EDIT' ]
        } ],
        'version': 1
    },
    'saved_search': False,
    'processing_status': 'COMPLETE',
    'processed_at': '2024-04-11T17:18:49.204Z',
    'consecutive_error_count': 0,
    'filters': {
        'asset': '{"and": [{"value": true, "operator": "eq", "property": "is_licensed"}]}'
    }
}

Note the use of the filters key and how is_licensed is present in the workbench_asset_filters(), but not the asset _tag_filters(). I've tried using tag_filters = [("is_licensed", "eq", "true")] and passing that to the create/edit tag command but receive the following error:

is_licensed is not a filterable option
Traceback (most recent call last):
  File "<stdin>", line 4, in <module>
  File "/home/vscode/.local/lib/python3.10/site-packages/tenable/io/tags.py", line 262, in create
    payload['filters'] = self._tag_value_constructor(
  File "/home/vscode/.local/lib/python3.10/site-packages/tenable/io/tags.py", line 135, in _tag_value_constructor
    parsed_filters = self._parse_filters(filters, filterdefs, rtype='assets')['asset']
  File "/home/vscode/.local/lib/python3.10/site-packages/tenable/io/base/v1.py", line 45, in _parse_filters
    raise UnexpectedValueError(
restfly.errors.UnexpectedValueError: is_licensed is not a filterable option

The filter that has worked, but isn't the same and produces a warning in the UI is [("fqdn", "match", list_of_hosts)]. I expected this to work based on this line in the tio.tags.create() docs: "Note that multiple values can be passed in list of string format" but it seems to be parsed differently than I was expecting and gets turned into a single comma separated list.

{
    'uuid': '<SNIP>',
    'created_at': '2024-04-10T22:16:56.403Z',
    'created_by': '<SNIP>'
    ', '
    updated_at ': '
    2024 - 04 - 10 T22: 30: 34.337 Z ', '
    updated_by ': ' < SNIP > '',
    'category_uuid': '<SNIP>'
    ', '
    value ': '
    AE ', '
    description ': '
    Synced 2024 - 04 - 10 ', '
    type ': '
    dynamic ', '
    product ': '
    IO ', '
    category_name ': ' < SNIP > '',
    'assignment_count': 0,
    'access_control': {
        'current_user_permissions': [ 'ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE' ],
        'defined_domain_permissions': [ 'ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE' ],
        'all_users_permissions': [],
        'current_domain_permissions': [ {
            'id': '<SNIP>'
            ', '
            name ': ' < SNIP > '',
            'type': 'USER',
            'permissions': [ 'CAN_USE', 'CAN_EDIT' ]
        } ],
        'version': 0
    },
    'saved_search': False,
    'processing_status': 'COMPLETE',
    'processed_at': '2024-04-10T22:26:43.338Z',
    'consecutive_error_count': 0,
    'filters': {},
    'legacy_filters': {
        'asset': '{"and":[{"field":"fqdn","operator":"match","value":"host1.mydomain.com,hostN.mydomain.com,"}]}'
    }
}

Expected behavior

Filters passed via creating and editing tags should match the functionality in the UI and not cause the UI to warn on a legacy_filter.

Screenshots

Obscuring full hostname data, but it's comma separated into one string.

System Information (please complete the following information):

• OS: macOS
• Architecture x86_64
• Version 14.4.1 23E224
• Memory 32G

Additional context

pyTenable 1.4.22

[SteveMcGrath]

Looking into it, it appears that the UI is no longer using the tag filters API to determine what filters are available, however pyTenable is still processing that endpoint to determine if the filters are valid. While this isn't a "bug" with the library, its something we need to investigate.

[asreich]

Thanks for your quick response. One additional note which I will mention, but maybe this gets fixed by way of your investigations, is that the FQDN regex matching of all the hostnames seems to not be respected? In a list of 56 hosts the tag is somehow listing 2.1K which I assume is related to the overall "Category" tag count. So the UI says the tag is working but I would not agree.

[asreich]

Not sure if something changed, or maybe there's a kind of argument limit in the number of hosts that start to make the filters break and/or the use of multiple filters, but I just got a very expected looking tags value:

{'uuid': '<SNIP>', 'created_at': '2024-04-10T20:36:22.933Z', 'created_by': '<SNIP>', 'updated_at': '2024-04-11T22:02:40.159Z', 'updated_by': '<SNIP>', 'category_uuid': '<SNIP>', 'value': 'VALUI', 'description': 'THIS TAG IS MANAGED BY <SNIP>, DO NOT MAKE MANUAL CHANGES\nSynced: 2024-04-11', 'type': 'dynamic', 'product': 'IO', 'category_name': '<SNIP>', 'assignment_count': 0, 'access_control': {'current_user_permissions': ['ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE'], 'defined_domain_permissions': ['ALL', 'CAN_EDIT', 'CAN_SET_PERMISSIONS', 'CAN_USE'], 'all_users_permissions': [], 'current_domain_permissions': [{'id': '<SNIP>', 'name': '<SNIP>', 'type': 'USER', 'permissions': ['CAN_USE', 'CAN_EDIT']}, {'id': '<SNIP>', 'name': 'Digital', 'type': 'GROUP', 'permissions': ['CAN_USE', 'CAN_EDIT']}], 'version': 1}, 'saved_search': False, 'processing_status': 'COMPLETE', 'processed_at': '2024-04-11T21:45:32.221Z', 'consecutive_error_count': 0, 'filters': {'asset': '{"and": [{"value": ["*host1.my.domain.com*", "*host2.my.domain.com*"], "operator": "wc", "property": "fqdns"}, {"and": [{"value": ["nessus_agent"], "operator": "eq", "property": "sources"}, {"value": ["AWS", "AZURE", "AZURE_FA", "CLOUD_CONNECTOR", "CUSTOM", "GCP", "NESSUS_AGENT", "NESSUS_SCAN", "NNM", "PVS", "SSM", "cloud_runtime", "cloud_iac", "ServiceNow", "WAS"], "operator": "neq", "property": "sources"}]}]}'}}

The hosts are in an expected list of strings format instead of one comma separated string and it's under the filters key instead of legacy_filters.

EDIT: I have changed nothing about the host list counts and the filters are no longer in a weird state of legacy and they are working as expected. I have changed very little besides passing the edit argument slightly differently to include the source filter filters=general_tag_filters + team_tag_filters[team],. Either this is a super fast fix or I must have done something wrong before because everything seems like it's working as expected right now, except being able to use the is_licensed filter which may not be possible.