- 01 Sep 2022
- 2 Minutes to read
- Updated on 01 Sep 2022
- 2 Minutes to read
Minimum Role: Organization Role of Standard User or Community role of Contributor
Prerequisites: An object that has been created
Tags are data objects in ThreatConnect® that can be applied to other objects (Indicators, Groups, Tracks, Victims, and Victim Assets) and Workflow Cases. They create associations between the data to which they are applied, as well as a path from one intelligence item to another. Tagging is a powerful and easy way to add metadata to threat intelligence, allowing you to quickly identify or follow associated activities of a particular interest within your ThreatConnect owners.
Each owner in ThreatConnect has different concerns and therefore different uses for Tags. Creating and following a tagging policy for all objects within an owner enables you to categorize, connect, and identify data more efficiently. This section provides some best practices for creating a tagging policy.
- Create well-thought-out Tags that meet an agreed-upon standard within the owner.
- Assign descriptive Attributes to all Tags, unless the Tags are self-explanatory.
- Create Tags that are clear and concise, with no grammatical or spelling errors.
- Review all Tags to ensure uniqueness.
- Define when the use of acronyms is allowed (e.g., APT vs. Advanced Persistent Threat), particularly for words that have commonly used acronyms.
- Capitalize all Tags that are acronyms (e.g., APT instead of apt).
- Use the proper case in all Tags (e.g., Trojan RAT instead of trojan rat).
- Make sure that Tags that have been shared between owners or that are applied to objects that have been shared between owners have matching configurations.
- Keep Tags updated to reflect analytical or context changes. Maintenance of Tags is key to keeping data accurate and relevant.
Applying a Tag to an Object
- Navigate to an object’s Details screen and scroll down until the Tags card is displayed. Figure 1 shows the Tags card on the Details screen for a Host Indicator. For instructions on accessing an object’s Details screen, see the “Viewing the Details Screen” section of The Details Screen.
- Enter the Tag into the text box and then click the Plus button or press Enter (Figure 2).
- You can use the text box’s auto-complete feature to assign Tags that already exist in the owner. Tags that match part or all of the entered text will be displayed in a list below the text box (Figure 3). Select a Tag from this list to apply it to the object.
- You can also click on Recent Tags… to display a list of recently used Tags (Figure 4). The Tags are sized and ordered according to how recently or how often they were used. Click on a Tag in the list to apply it to the object if desired.
Removing a Tag from an Object
Tags applied to an object are shown on the right side of the card (Figure 2). To remove a Tag, click the on the right side of the Tag.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.