Applying Tags
  • 26 Jul 2023

Overview

Tags are data objects in ThreatConnect® that can be applied to Indicators, Groups, Victims, and Workflow Cases. They create associations between the data to which they are applied, as well as a path from one intelligence item to another. Tagging is a powerful and easy way to add metadata to an object, allowing you to quickly identify or follow associated activities of a particular interest within your ThreatConnect owners. Currently, there are two types of Tags you can apply to objects: standard Tags and ATT&CK® Tags.

This article describes how to manage Tags for Indicators, Groups, and Victims. For instructions on managing Tags for Cases, see the “Tags” section of Case Details.

Before You Start

Minimum Role(s): Organization role of Standard User or Community role of Contributor
Prerequisites: An Indicator, Group, or Victim

Best Practices

Each owner in ThreatConnect has different concerns and therefore different uses for Tags. Creating and following a tagging policy for all objects within an owner enables you to categorize, connect, and identify data more efficiently. This section provides some best practices for creating a tagging policy.

  • Create well-thought-out Tags that meet an agreed-upon standard within the owner.
  • Add a description to all Tags, unless the Tags are self-explanatory.
  • Create Tags that are clear and concise, with no grammatical or spelling errors.
  • Review all Tags to ensure uniqueness.
  • Define when the use of acronyms is allowed (e.g., APT vs. Advanced Persistent Threat), particularly for words that have commonly used acronyms.
  • Capitalize all Tags that are acronyms (e.g., APT instead of apt).
  • Use the proper case in all Tags (e.g., Trojan RAT instead of trojan rat).
  • Make sure that Tags that have been shared between owners or that are applied to objects that have been shared between owners have matching configurations.
  • Keep Tags updated to reflect analytical or context changes. Maintenance of Tags is key to keeping data accurate and relevant.
  • Configure Tag normalization rules to convert Tags using “like terms” to a single main Tag. For instance, creating a Tag normalization rule that converts Tags named APT-28, Fancy Bear, and Threat Group-4127 to a main Tag named APT28 helps ensure all analysts are tagging data related to APT28 uniformly.
  • Use ATT&CK Tags to identify techniques and sub-techniques used by a particular adversary or threat actor, and leverage ATT&CK Tag conversion rules to convert standard Tags into ATT&CK Tags based on whether they exactly or approximately match a specific ATT&CK Tag.
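
As an added illustration (not ThreatConnect code, and not using any ThreatConnect API), the following Python script audits an exported list of Tag names against several of the practices above: synonym normalization, acronym capitalization, and uniqueness. The rule table, acronym list, sample Tags, and the case- and punctuation-insensitive comparison are assumptions made for the example; ThreatConnect's own matching behavior may differ.

```python
import re
from collections import defaultdict

# Constructed policy data; the rule mirrors the APT28 example in the list above.
NORMALIZATION_RULES = {"APT28": ["APT-28", "Fancy Bear", "Threat Group-4127"]}
APPROVED_ACRONYMS = {"APT", "RAT", "C2"}  # assumed owner-approved acronyms


def _key(tag):
    """Comparison key: case-folded, with spaces, hyphens and underscores removed."""
    return re.sub(r"[\s_-]+", "", tag).casefold()


def audit_tags(tags, rules=NORMALIZATION_RULES, acronyms=APPROVED_ACRONYMS):
    """Return (normalized, findings) for a list of Tag names.

    normalized maps each input Tag to the main Tag it should become (or itself).
    findings is a list of (tag, issue) tuples for an analyst to review.
    """
    synonym_to_main = {_key(s): main for main, syns in rules.items() for s in syns}
    normalized, findings = {}, []
    for tag in tags:
        main = synonym_to_main.get(_key(tag))
        if main and tag != main:
            findings.append((tag, f"synonym of main Tag {main}"))
        normalized[tag] = main or tag
        for word in re.findall(r"[A-Za-z0-9]+", tag):
            if word.upper() in acronyms and word != word.upper():
                findings.append((tag, f"acronym {word.upper()} not capitalized"))
    # Uniqueness: distinct names that collapse to the same key after normalization.
    groups = defaultdict(set)
    for main in normalized.values():
        groups[_key(main)].add(main)
    for names in groups.values():
        if len(names) > 1:
            findings.append((" / ".join(sorted(names)), "near-duplicate Tags"))
    return normalized, findings


if __name__ == "__main__":
    # Constructed sample of Tag names, as might be exported from one owner.
    sample = ["APT-28", "fancy bear", "APT28", "Trojan RAT", "trojan rat", "Phishing"]
    normalized, findings = audit_tags(sample)
    for tag, issue in findings:
        print(f"{tag!r}: {issue}")
```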

Viewing Tag Details

On the Browse screen, you can view and filter Tags by selecting Tags in the menu on the left side of the screen. You can also access a Tag’s Details drawer or legacy Details screen, both of which display the Indicators, Groups, and Victims to which the Tag is applied and provide the ability to view the Tag in Threat Graph.

Important
Only the legacy Details screen is available for Tags.

Applying a Tag to an Object

New Details Screen

  1. Navigate to the Details screen for an Indicator or Group.
    Important
    The new Details screen is not currently available for Email, Signature, and Task Groups and for Victims. As such, you can apply Tags to these object types on the legacy Details screen only.
  2. On the Overview tab, click Edit at the lower-right corner of the Details card, or click on the Tags section of the Details card. The object’s Tags will now be editable (Figure 1).

    Figure 1

    Note
    Tags without an icon to the left of their name are standard Tags that have not been normalized to a main Tag through a Tag normalization rule. Tags with a Main Tag icon are main Tags, that is, standard Tags for which a normalization rule has been enabled so that Tags defined as synonymous to the main Tag are converted to the main Tag when applied to an object. Tags with an ATT&CK Tag icon are ATT&CK Tags.
    • Begin entering text into the text box. As you type, one of the following menus will be displayed:
      • If there are existing standard Tags or ATT&CK Tags that match part or all of the entered text, a menu containing those Tags listed under Standard Tags and ATT&CK Tags headings, respectively, will be displayed. Select a Tag from the menu to add it to the text box.
      • If there are no existing Tags that match the entered text, a menu with the + Add “<entered text>” as a new tag option will be displayed. Select this option to create a new Tag that matches the entered text and add it to the text box.
    • Click the Confirm button to the right of the text box to apply the Tag(s) to the object.

If you created a new Tag that matches a synonymous Tag listed in a Tag normalization rule, it will be converted to the main Tag listed in the rule, and a message stating “One or more tags have been changed due to system tag normalization rules” will be displayed at the lower-left corner of the screen. Similarly, if you created a new Tag that matches an ATT&CK Tag, it will be converted to that ATT&CK Tag.

Note
By default, any new Tag that exactly matches an ATT&CK Tag will be converted to that ATT&CK Tag. If a Tag’s owner is added to the Approximate Match ATT&CK Tag conversion rule, any new Tag created in that owner that exactly or approximately matches an ATT&CK Tag will be converted to that ATT&CK Tag.

Legacy Details Screen

  1. Navigate to the legacy Details screen for an Indicator, Group, or Victim.
  2. Scroll down to the Tags card on the right side of the screen (Figure 2).

    Figure 2

    • Begin entering text into the text box. If there are existing Tags that match part or all of the entered text, a menu with those Tags will be displayed. Select a Tag from the menu to apply it to the object.
    • If there are no existing Tags that match the entered text, click Add or press Enter on your keyboard to create a new Tag and apply it to the object.
    • Click Recent Tags… to display a list of recently used Tags (Figure 3). Tags displayed in this list are sized and ordered according to how recently or how often they were used. If desired, select a Tag from the list to apply it to the object.

      Figure 3

If you created a new Tag that matches a synonymous Tag listed in a Tag normalization rule, it will be converted to the main Tag listed in the rule; however, no notification of this conversion will be displayed. Similarly, if you created a new Tag that matches an ATT&CK Tag, it will be converted to that ATT&CK Tag.

Note
By default, any new Tag that exactly matches an ATT&CK Tag will be converted to that ATT&CK Tag. If a Tag’s owner is added to the Approximate Match ATT&CK Tag conversion rule, any new Tag created in that owner that exactly or approximately matches an ATT&CK Tag will be converted to that ATT&CK Tag.

Removing a Tag from an Object

New Details Screen

You can remove Tags from an object when the Tags section of the Details card is editable (Figure 1). To remove a Tag, click Remove to the right of a Tag and then click the Confirm button to the right of the text box.

Legacy Details Screen

Tags applied to an object are displayed to the right of the Add button on the Tags card (Figure 2). To remove a Tag from an object, click the Remove Tag icon to the right of the Tag and then click the YES button in the Remove Tag window.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20024-01 v.10.A

