- 26 Jul 2023
- 5 Minutes to read
- Updated on 26 Jul 2023
- 5 Minutes to read
System Administrators can create Tag normalization rules in ThreatConnect® that convert one or more synonymous Tags to a main Tag. When a Tag normalization rule is enabled, existing Tags in all owners on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag at that time, and new Tags created on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag whenever they are applied to Indicators, Groups, Victims, and Workflow Cases. This feature simplifies the management and consolidation of Tags and makes it easier for analysts to categorize objects accurately and uniformly.
Before You Start
Tag Normalization Rules
Creating and Enabling Tag Normalization Rules
- Log into ThreatConnect with a System Administrator account.
- On the top navigation bar, hover over Settingsand select System Settings. The System Settings screen will be displayed with the Settings tab selected.
- Select the Tags tab. The Normalization section of the Tags screen will be displayed (Figure 1).
- Click the + New Rule button at the top right of the screen. The Tag Rule window will be displayed (Figure 2).
- Main Tag: Enter the main Tag to which the synonymous Tags will be converted. If there are existing Tags that match part or all of the entered text, a menu with those Tags will be displayed. In this scenario, select a Tag from the menu to add it as the main Tag.NoteWhenever a main Tag is applied to an object, the Tag’s name will match the letter case used when it was entered on the Tag Rule window.
- Synonymous Tags: Enter one or more Tags that will be converted to the main Tag. After entering each Tag, click Addor press Enter on your keyboard to add it to the list of synonymous Tags. Because Tag normalization rules do not maintain case sensitivity when searching for synonymous Tags, you can use any letter case when entering them. For example, if you enter “ransomware” as a synonymous Tag, any form of that Tag (e.g., Ransomware, RANSOMWARE, rAnSoMwArE, etc.) will be converted to the main Tag listed in the rule.ImportantYou cannot use ATT&CK® Tags as synonymous Tags in a Tag normalization rule.
- Enabled: Select this checkbox to enable the Tag normalization rule. If you do not select this checkbox, you can still save the rule and enable it later, either by editing it, selecting the Enabled checkbox, and saving it again or by using the Enable All button to enable all rules at one time.
- Click the SAVE button.ImportantIf a Tag is listed as the main Tag in one Tag normalization rule, it cannot be listed as a synonymous Tag in another rule. Similarly, if a Tag is listed as a synonymous Tag in one Tag normalization rule, it cannot be listed as a synonymous Tag in another rule. Attempting to save a Tag normalization rule while either of these conditions are met will cause an error to be displayed on the Tag Rule window.
- Main Tag: Enter the main Tag to which the synonymous Tags will be converted. If there are existing Tags that match part or all of the entered text, a menu with those Tags will be displayed. In this scenario, select a Tag from the menu to add it as the main Tag.
- If you selected the Enabled checkbox on the Tag Rule window, the Enable Rule window will be displayed (Figure 3). Click the Enable & Merge Tags button to enable the Tag normalization rule and convert all existing synonymous Tags on the ThreatConnect instance to the main Tag.WarningThe conversion process cannot be stopped once started, is irreversible, and applies to all owners on the ThreatConnect instance. As part of the conversion process, all existing Tags that are converted to the main Tag will be removed from the ThreatConnect instance.
The Status column on the Normalization screen (Figure 1) indicates the status of the conversion process. If the process is queued or in progress, a Queued status will be displayed. Once the process is complete, the number of synonymous Tags converted to the main Tag will be displayed (e.g., 7 items merged). To refresh the status displayed in the Status column, click the Refresh button at the top right of the screen.
Enabling All Tag Normalization Rules
To enable all Tag normalization rules at once and start the conversion process for each one, click the Enable All button at the top right of the Normalization screen, and then click the Enable & Merge button on the Enable All window.
Disabling All Tag Normalization Rules
To disable all Tag normalization rules at once, click the Disable All button at the top right of the Normalization screen. Note that all rules will be disabled immediately and you will not be prompted for confirmation.
Editing Tag Normalization Rules
Click Editin the Options column to edit a Tag normalization rule. If the rule is enabled, you will be prompted to start the conversion process after saving your changes.
Deleting Tag Normalization Rules
Click Deletein the Options column to delete a Tag normalization rule. When you delete a rule, any newly created Tags that match a synonymous Tag listed in the rule will no longer be converted to the main Tag.
Viewing Main Tag Details
When viewing Tags on the Browse screen, main Tags will have anicon displayed to the left of their name in the Summary column. In addition, a count of synonymous Tags listed in the corresponding Tag normalization rule will be displayed in the Synonymous Tags column. Click on the number displayed in this column to view a list of synonymous Tags associated with the main Tag (Figure 4).
Legacy Details Screen
On a main Tag’s legacy Details screen, all synonymous Tags listed in the corresponding Tag normalization rule will be displayed on the Synonymous Tags card (Figure 5).
Identifying Main Tags Applied to Objects
On an object’s Details screen and Details drawer, or while viewing a Case, main Tags will have anicon displayed to the left of their name (Figure 6). This icon is also displayed when applying Tags to an object, under the Standard Tags section.
When you apply a newly created Tag to an object and it matches a synonymous Tag listed in a Tag normalization rule, it will be converted to the main Tag listed in the rule, and a message stating “One or more tags have been changed due to system tag normalization rules” will be displayed at the lower-left corner of the screen.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.