Overview

Tags are a very powerful feature of ThreatConnect^®. Tagging adds metadata, or keywords, to intelligence data and provides a way to quickly identify or follow associated activities of a particular interest across ThreatConnect. Each Organization will have different concerns and, therefore, different uses for Tags, and each should come up with its own tagging policy. By writing and following a tagging policy, it will be possible for an Organization to achieve greater efficiency and cohesion. Once an Organization has a tagging policy in place, it can begin applying Tags. (See Applying Tags.) Following are some best practices that will provide a solid base for this policy.

Best Practices

• Create well-thought-out Tags and ones that meet an agreed-upon Organization standard.
• Assign descriptive Attributes to all Tags, unless the Tags are self-explanatory. Create Attributes that are clear and concise, with no grammatical or spelling errors.
• Review all Tags to ensure uniqueness.
  • The Organization's tagging policy should define when the use of acronyms is allowed (e.g., APT vs. Advanced Persistent Threat).
  • Be careful of words that have common acronyms.
• Capitalize all Tags that are acronyms (e.g., "APT" instead of "apt").
• Create all Tags with the proper case (e.g., "Trojan RAT" instead of "trojan rat").
• Transfer the correct Tags into their respective communities if they have been shared.
• If analysis or context changes, update Tags to reflect the changes. Maintenance of Tags is key to keeping data accurate and relevant.