User-created tags, for processes and for the global system, do not persist across reboots of an agent. The rule that attaches the tag must detect the operation it describes and reattach the tag before a rule that uses the tag can discover the tagged process.
A tag may also be explicitly removed by a rule that has a remove tag action defined. There are other conditions that affect tags on different objects:
- Process/thread tag – Process and thread tags persist until the process instance dies. If the agent process (parity.exe) is restarted, then the tags would still be set. If the full system is restarted or if the kernel filter driver (parity.sys) is unloaded and reloaded, then a process would lose its classifications.
- File tag – Currently, a file tag lives only during a single operation.
- Yara Tag – Yara tags persist for the life the hash they apply to in the agent cache.
- Global Tag – Global tags persist until the agent process (parity.exe) is restarted.