Tag Groups
Notice
This feature is available in Intel Exchange v3.7.5.0 onwards.
Tag Groups help you categorize related tags under a single, logical group, enabling you to organize and retrieve threat data more efficiently across all structured data objects (SDOs).
A tag group acts as a parent tag representing a broader category, while the tags within it act as child tags. This relationship ensures consistent categorization and simplifies searches across large volumes of threat data.
When you apply a child tag to a threat object, the parent tag group is automatically added to that object. This feature allows you to search or filter data using the group tag instead of individual child tags, making it easier to find related intelligence.
However, the reverse is not true; applying a tag group to a threat object does not automatically apply its child tags.
For example, you can create a tag group called Russian Threats and include child tags such as APT28, Sandworm, and Cozy Bear. When you apply any of these tags to a threat object, the Russian Threats group tag is automatically appended. This allows analysts to later search for all objects related to Russian Threats without specifying each child tag individually.
You can create and manage tag groups that include the following tag types: System, Source, User, or Privileged Access.
Create Tag Group
Before you Start
Your user group must have the following permissions to create a tag group:
View tags and Create tags permissions.
Tag Categories Management permission for the tag category of the tags you want to add to the tag group.
Steps
To create a new tag group, follow these steps:
Go to Administration > Tag Management > Tag Groups.
Click Add Tag Group.
Enter the following details:
Tag Group Name: Provide a unique name for the tag group. The name must be unique across both tags and tag groups.
Description (Optional): Add a brief description to define the purpose of the group.
Select Tags: Search and select one or more existing tags to include as child tags. You can also create new tags during this step. Tags of all types (System, Source, User, and Privileged Access) can be added to a tag group.
Click Create.
Note
A single tag group can include multiple child tags.
A child tag can be associated with multiple tag groups.
Manage Tag Groups
You can view and manage existing tag groups from the Tag Groups tab in the Tag Management section.
To manage a tag group, click the ellipsis next to the tag group entry and choose from the available actions:
Edit: Modify the group name, description, or add/remove child tags.
Enable / Disable: Change the status of the tag group. Disabled groups will not be applied during ingestion or enrichment.
Clone: Create a duplicate of the tag group along with its associated child tags. The cloned group name follows the format original-tag-group-name-copy. You can edit the name and tag mappings before saving.
Tag groups in threat data are searchable and filterable using filters or CQL queries. The Tag Category attribute within CQL is used to differentiate between tag types. For more information, see Understand CQL Grammar.
The listing view also supports filtering. By default, all the tag groups are displayed regardless of their status and are sorted by Last Modified Date.
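The parent/child rules described on this page can be checked with a small model. The following is an added example, not Intel Exchange code or its API: the class and method names, the Priority Watchlist and Archived Actors groups, and the sample objects are all constructed for illustration, and the model assumes a disabled group is never auto-appended.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TagGroup:
    name: str
    children: frozenset
    enabled: bool = True


class TagRegistry:
    """Illustrative model of the tag group rules; not Intel Exchange code."""

    def __init__(self, tags):
        self.tags = set(tags)
        self.groups = {}

    def add_group(self, name, children, enabled=True):
        # A group name must be unique across both tags and tag groups.
        if name in self.tags or name in self.groups:
            raise ValueError(f"name already in use: {name}")
        unknown = set(children) - self.tags
        if unknown:
            raise ValueError(f"unknown child tags: {sorted(unknown)}")
        self.groups[name] = TagGroup(name, frozenset(children), enabled)

    def effective_tags(self, applied):
        """Labels an object carries once `applied` has been set on it."""
        applied = set(applied)
        result = set(applied)
        for group in self.groups.values():
            # One-way: child tag -> parent group. Applying a group adds no children.
            # Assumption: a disabled group is never auto-appended.
            if group.enabled and group.children & applied:
                result.add(group.name)
        return result

    def search(self, objects, label):
        """IDs of objects whose effective tags include `label`, sorted."""
        return sorted(oid for oid, applied in objects.items()
                      if label in self.effective_tags(applied))


# Constructed sample data; only "Russian Threats" and its children come from the page.
REGISTRY = TagRegistry({"APT28", "Sandworm", "Cozy Bear", "phishing"})
REGISTRY.add_group("Russian Threats", {"APT28", "Sandworm", "Cozy Bear"})
REGISTRY.add_group("Priority Watchlist", {"APT28"})  # a child tag with two parents
REGISTRY.add_group("Archived Actors", {"Cozy Bear"}, enabled=False)
OBJECTS = {"indicator-1": {"APT28"}, "report-2": {"Cozy Bear", "phishing"},
           "malware-3": {"Russian Threats"}, "indicator-4": {"phishing"}}
```

Searching the sample objects by Russian Threats returns the object tagged directly with the group as well as those tagged with a child, while searching by APT28 does not return the object that carries only the group tag.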