Tags are a very powerful feature of ThreatConnect®. Tagging adds metadata, or keywords, to intelligence data and provides a way to quickly identify or follow associated activities of a particular interest across ThreatConnect. Each Organization will have different concerns and, therefore, different uses for Tags, and each should come up with its own tagging policy. By writing and following a tagging policy, it will be possible for an Organization to achieve greater efficiency and cohesion. Once an Organization has a tagging policy in place, it can begin applying Tags. (See Applying Tags.) Following are some best practices that will provide a solid base for this policy.
- Create well-thought-out Tags and ones that meet an agreed-upon Organization standard.
- Assign descriptive Attributes to all Tags, unless the Tags are self-explanatory. Create Attributes that are clear and concise, with no grammatical or spelling errors.
- Review all Tags to ensure uniqueness.
- The Organization's tagging policy should define when the use of acronyms is allowed (e.g., APT vs. Advanced Persistent Threat).
- Be careful of words that have common acronyms.
- Capitalize all Tags that are acronyms (e.g., "APT" instead of "apt").
- Create all Tags with the proper case (e.g., "Trojan RAT" instead of "trojan rat").
- Transfer the correct Tags into their respective communities if they have been shared.
- If analysis or context changes, update Tags to reflect the changes. Maintenance of Tags is key to keeping data accurate and relevant.