Tag Normalization
  • 17 Jan 2024
  • 5 Minutes to read
  • Dark
    Light

Tag Normalization

  • Dark
    Light

Article summary

Overview

System Administrators can create Tag normalization rules in ThreatConnect® that convert one or more synonymous Tags to a main Tag. When a Tag normalization rule is enabled, existing Tags in all owners on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag at that time, and new Tags created on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag whenever they are applied to Indicators, Groups, Victims, and Workflow Cases. This feature simplifies the management and consolidation of Tags and makes it easier for analysts to categorize objects accurately and uniformly.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for viewing details for main Tags and identifying main Tags applied to an object)
  • System role of Administrator (for creating and managing Tag normalization rules)
PrerequisitesNone

Tag Normalization Rules

Creating and Enabling Tag Normalization Rules

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over SettingsSettings iconand select System Settings. The System Settings screen will be displayed with the Settings tab selected.
  3. Select the Tags tab. The Normalization section of the Tags screen will be displayed (Figure 1). Figure%201_Tag%20Normalization_7.4.0

     

  4. Click the + New Rule button at the top right of the screen. The Tag Rule window will be displayed (Figure 2).
    Figure 2_Tag Normalization_7.2.0

     

    • Main Tag: Enter the main Tag to which the synonymous Tags will be converted. If there are existing Tags that match part or all of the entered text, a menu with those Tags will be displayed. In this scenario, select a Tag from the menu to add it as the main Tag.
      Note
      Whenever a main Tag is applied to an object, the Tag’s name will match the letter case used when it was entered on the Tag Rule window.
    • Synonymous Tags: Enter one or more Tags that will be converted to the main Tag. After entering each Tag, click AddAdd Tag buttonor press Enter on your keyboard to add it to the list of synonymous Tags. Because Tag normalization rules do not maintain case sensitivity when searching for synonymous Tags, you can use any letter case when entering them. For example, if you enter “ransomware” as a synonymous Tag, any form of that Tag (e.g., Ransomware, RANSOMWARE, rAnSoMwArE, etc.) will be converted to the main Tag listed in the rule.
      Important
      You cannot use ATT&CK® Tags as synonymous Tags in a Tag normalization rule.
    • Enabled: Select this checkbox to enable the Tag normalization rule. If you do not select this checkbox, you can still save the rule and enable it later, either by editing it, selecting the Enabled checkbox, and saving it again or by using the Enable All button to enable all rules at one time.
    • Click the SAVE button.
      Important
      If a Tag is listed as the main Tag in one Tag normalization rule, it cannot be listed as a synonymous Tag in another rule. Similarly, if a Tag is listed as a synonymous Tag in one Tag normalization rule, it cannot be listed as a synonymous Tag in another rule. Attempting to save a Tag normalization rule while either of these conditions are met will cause an error to be displayed on the Tag Rule window.
  5. If you selected the Enabled checkbox on the Tag Rule window, the Enable Rule window will be displayed (Figure 3). Click the Enable & Merge Tags button to enable the Tag normalization rule and convert all existing synonymous Tags on the ThreatConnect instance to the main Tag.
    Figure 3_Tag Normalization_7.2.0

     

    Warning
    The conversion process cannot be stopped once started, is irreversible, and applies to all owners on the ThreatConnect instance. As part of the conversion process, all existing Tags that are converted to the main Tag will be removed from the ThreatConnect instance.

The Status column on the Normalization screen (Figure 1) indicates the status of the conversion process. If the process is queued or in progress, a Queued status will be displayed. Once the process is complete, the number of synonymous Tags converted to the main Tag will be displayed (e.g., 7 items merged). To refresh the status displayed in the Status column, click the Refresh button at the top right of the screen.

Enabling All Tag Normalization Rules

To enable all Tag normalization rules at once and start the conversion process for each one, click the Enable All button at the top right of the Normalization screen, and then click the Enable & Merge button on the Enable All window.

Disabling All Tag Normalization Rules

To disable all Tag normalization rules at once, click the Disable All button at the top right of the Normalization screen. Note that all rules will be disabled immediately and you will not be prompted for confirmation.

Note
Disabling a Tag normalization rule does not reverse the effects of the rule and restore the converted Tags; rather, it stops the rule from converting newly created Tags that match a synonymous Tag listed in the rule into the main Tag.

Editing Tag Normalization Rules

Click EditPencil icon_Blackin the Options column to edit a Tag normalization rule. If the rule is enabled, you will be prompted to start the conversion process after saving your changes.

Deleting Tag Normalization Rules

Click DeleteTrash icon_Blackin the Options column to delete a Tag normalization rule. When you delete a rule, any newly created Tags that match a synonymous Tag listed in the rule will no longer be converted to the main Tag.

Note
Deleting a Tag normalization rule does not reverse the effects of the rule and restore the converted Tags.

Viewing Main Tag Details

Browse Screen

When viewing Tags on the Browse screen, main Tags will have anMain Tag icon_Browse Screenicon displayed to the left of their name in the Summary column. In addition, a count of synonymous Tags listed in the corresponding Tag normalization rule will be displayed in the Synonymous Tags column. Click on the number displayed in this column to view a list of synonymous Tags associated with the main Tag (Figure 4).

Figure 4_Tag Normalization_7.2.0

 

Note
To view only main Tags on the Browse screen, click Advanced at the top right to toggle to the advanced-query filter, select Tags from the dropdown to the left of the search bar, enter normalized = true into the search bar, and click SearchSearch buttonto the right of the search bar or press the Enter key on your keyboard.

Legacy Details Screen

On a main Tag’s legacy Details screen, all synonymous Tags listed in the corresponding Tag normalization rule will be displayed on the Synonymous Tags card (Figure 5).

Figure 5_Tag Normalization_7.2.0

 

Identifying Main Tags Applied to Objects

On an object’s Details screen and Details drawer , or while viewing a Case, main Tags will have anMain Tag icon_Details Screenicon displayed to the left of their name (Figure 6). This icon is also displayed when applying Tags to an object, under the Standard Tags section.

Figure 6_Tag Normalization_7.2.0

 

Note
On the legacy Details screen, main Tags are not denoted with theMain Tag icon_Details Screenicon.

When you apply a newly created Tag to an object and it matches a synonymous Tag listed in a Tag normalization rule, it will be converted to the main Tag listed in the rule, and a message stating “One or more tags have been changed due to system tag normalization rules” will be displayed at the lower-left corner of the screen.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20155-01 v.01.B


Was this article helpful?