Tagging & Classification

Astral provides native capabilities for event tagging and classification, enabling security events to be contextualized according to organizational structure and operational boundaries. This capability ensures that security data can be segmented, filtered, and analyzed based on business-relevant attributes such as departments, sectors, organizational units, or similar classifications.

In Astral, event classification is primarily performed at the data collection layer, through the Astral Agent. Each agent can be associated with organizational context information such as department, business unit, environment, location, or similar attributes. This context is automatically applied to all events collected by the agent, ensuring that security data is consistently tagged at the point of ingestion.

In addition to agent-based classification, Astral supports classification based on event attributes. Tags and labels can be derived from message content, log source metadata, or network-related attributes such as source addresses. This approach allows events originating from shared infrastructure or centralized services to be correctly classified even when collected through common collection points.
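The two layers described above (agent context plus attribute-based classification by source address) can be sketched as follows. This is an added example, not Astral's configuration syntax or API; the agent IDs, networks, field names and the precedence rule (agent context wins, disagreements are recorded) are assumptions made for illustration.

```python
import ipaddress

# Constructed agent registry: context applied to every event an agent collects.
AGENT_CONTEXT = {
    "agent-fin-01": {"department": "finance", "environment": "prod"},
    "agent-syslog-hub": {"environment": "prod"},  # shared collection point
}

# Constructed attribute rules: source network -> tags.
SOURCE_NET_RULES = [
    ("10.20.0.0/16", {"department": "engineering"}),
    ("10.20.30.0/24", {"department": "engineering", "unit": "platform"}),
    ("10.40.0.0/16", {"department": "hr"}),
]
_RULES = [(ipaddress.ip_network(n), t) for n, t in SOURCE_NET_RULES]


def tags_from_source(src_ip):
    """Return the tags of the most specific network containing src_ip, or {}."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except (ValueError, TypeError):
        return {}  # missing or malformed address: no attribute-derived tags
    matches = [(net.prefixlen, tags) for net, tags in _RULES
               if net.version == addr.version and addr in net]
    if not matches:
        return {}
    return dict(max(matches, key=lambda m: m[0])[1])  # longest prefix wins


def classify(event):
    """Merge agent context with attribute-derived tags.

    Assumption: agent context is authoritative; derived tags only fill keys
    the agent does not set. Disagreements are kept for analyst review.
    """
    agent_tags = AGENT_CONTEXT.get(event.get("agent_id"), {})
    derived = tags_from_source(event.get("src_ip"))
    conflicts = sorted(k for k in derived
                       if k in agent_tags and derived[k] != agent_tags[k])
    return {**event, "tags": {**derived, **agent_tags}, "tag_conflicts": conflicts}


# Constructed sample events.
SAMPLE_EVENTS = [
    {"agent_id": "agent-fin-01", "src_ip": "10.40.1.5", "msg": "login ok"},
    {"agent_id": "agent-syslog-hub", "src_ip": "10.20.30.7", "msg": "sudo session"},
    {"agent_id": "agent-syslog-hub", "src_ip": "not-an-ip", "msg": "malformed"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev))
```

The second sample event shows the shared-infrastructure case: the hub agent carries only an environment tag, and the department and unit come from the source network.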

All classification metadata is preserved throughout Astral’s processing pipeline. Tagged events can be used for filtering, aggregation, and segmentation in searches, dashboards, and analytics, as well as for correlation and detection logic. This enables security teams to analyze activity by organizational unit, apply context-aware detections, and support clear separation of responsibilities.

By combining agent-level context with attribute-based classification, Astral delivers a flexible and scalable tagging model aligned with organizational structures. This approach improves visibility, governance, and operational efficiency across complex and distributed environments.
