Tagging is a means of associating a label with an attribute-value match. When a record arrives whose attribute has that value, the label is appended to the record. This simple concept has powerful applications.
There are three types of tags in the system:
Tags are often used to mark data while scoping an issue.
Data already in the system **will not** be updated by a tag created after the data is imported. Only incoming data goes through the tagging process. Logs represent data known at that time, and do not reflect later knowledge.
When an issue is discovered, the analyst derives a tag name that makes sense. It might be a combination of the threat and the site, for example Phish_example_com. The analyst then marks the data with the following pattern, using the same label throughout:
- mark external sites that are part of the issue with an issues tag;
- mark internal attributes (such as the user name, MAC address or internal IP address) with the same issue name, but use an information tag.
The total tagging of the threat creates a set of hostnames, IP addresses, files and alerts that triggered. This set of data is often referred to as indicators of compromise (IoC). Later, by selecting the issues tag carrying the IoC name, the analyst can confirm whether every internal attribute that references an IoC attribute has been marked.
This scoping and confirming allows analysts to determine the total impact of a threat. With a large number of flows, victim systems are easily overlooked. By marking the known victims with an information tag that matches the incident name, unmarked victims can quickly be found.
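The scoping workflow above, as an added illustrative example (not the product's own code): a minimal tagger that applies attribute-value rules only to incoming records, an issue tag on the external site and an information tag on a known victim, and a query that lists internal hosts seen with the issue tag but still unmarked. The `TagRule`/`Tagger` names, the `src_ip`/`dst_host` attributes and the flow data are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class TagRule:
    kind: str        # "issue" (external side) or "information" (internal side)
    attribute: str   # record attribute to match, e.g. "dst_host"
    value: str       # attribute value that triggers the label
    label: str       # label appended to matching records, e.g. "Phish_example_com"

@dataclass
class Record:
    fields: dict
    tags: set = field(default_factory=set)   # set of (kind, label) pairs

class Tagger:
    """Applies rules to incoming records only; records already stored are never re-tagged."""
    def __init__(self):
        self.rules = []
        self.store = []

    def add_rule(self, rule):
        self.rules.append(rule)

    def ingest(self, fields):
        rec = Record(dict(fields))
        for rule in self.rules:
            if rec.fields.get(rule.attribute) == rule.value:
                rec.tags.add((rule.kind, rule.label))
        self.store.append(rec)
        return rec

    def unmarked_victims(self, label, internal_attr="src_ip"):
        """Internal values seen in flows that carry the issue tag but not the matching information tag."""
        return {r.fields.get(internal_attr) for r in self.store
                if ("issue", label) in r.tags and ("information", label) not in r.tags}

def scoping_demo():
    t = Tagger()
    label = "Phish_example_com"
    # Constructed flow imported before the tags exist: it stays untagged, as the caveat above states.
    early = t.ingest({"src_ip": "10.0.0.5", "dst_host": "phish.example.com"})
    t.add_rule(TagRule("issue", "dst_host", "phish.example.com", label))       # external site
    t.add_rule(TagRule("information", "src_ip", "10.0.0.5", label))            # known victim
    flows = [{"src_ip": "10.0.0.5", "dst_host": "phish.example.com"},           # tagged both ways
             {"src_ip": "10.0.0.9", "dst_host": "phish.example.com"},           # issue tag only: unmarked victim
             {"src_ip": "10.0.0.7", "dst_host": "www.example.org"}]             # unrelated, no tags
    tagged = [t.ingest(f) for f in flows]
    return early.tags, tagged, t.unmarked_victims(label)
```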
Tracking is the evaluation of incoming flows that have issue tags.