Skip to main content

Cyware Threat Intelligence eXchange

Tag Management

Tags are labels or keywords used to categorize and organize threat intel. They help classify and group related data, making it easier for analysts to search, filter, and manage the information within the platform.

The Tag Management feature offers a centralized hub for efficiently managing diverse categories of tags. From user-defined tags to source, system, and privileged access tags, this feature provides a seamless platform to organize and administer tag categories. Users can easily assign, modify, and track tags across different aspects of their intelligence data, enhancing organization, accessibility, and control within their workflow.

You can manage the following tag categories:

  • User Tags: Tags created by the Intel Exchange users. All Intel Exchange users can create these tags and associate them with threat data objects. The default color code for user tags is Blue.

  • Source Tags: Tags reported by various threat intel feed sources, such as API feed sources, STIX sources, and other sources configured in Intel Exchange. You cannot manually create source tags in the platform. The default color code for source tags is Gray.

  • System Tags: Tags that the users create for use within Intel Exchange. All Intel Exchange users can create these tags and associate them with threat data objects. However, internal tags are not published to STIX collections or shared with the subscribers. The default color code for internal tags is Green. By default, the prefix x--internal-- is automatically added to all system tag names.

  • Privileged Access Tags: These tags enable you to restrict user access to the associated threat data objects. For example, if the threat data object 1.1.1.1 is associated with the privileged access tag Restricted_IP, then only users of the groups who are allowed to access the tag can access the object 1.1.1.1 from Threat Data. The default color code for privileged access tags is Brown.

Create Tags

You can create tags in the following tag categories:

  • User Tags

  • System Tags

  • Privileged Access Tags

    Note

    You can create a maximum of 500 privileged access tags.

Before you Start

Your user group must have the following permissions to create a tag:

  • View Tags and Create Tags permissions

  • Tag Categories Management Permission for the tag category in which you want to create tags

Steps

To create tags in a specific category, follow these steps:

  1. Go to Administration > Tag Management.

  2. Go to the tag category tab where you want to create tags. For example, Privileged Access Tags.

  3. Click Add Tag and enter the list of tags separated by commas. For example, AceHash, Sys Target, x--internal--Defence Evasion. You can add a maximum of 15 tags in one operation.

    Note

    While creating system tags, if the prefix x--internal-- is missing in the tag name, the prefix is automatically added. For example, if you enter the system tag name as RSS-IP-address, the system tag is created as x--internal--RSS-IP-address.

  4. (Optional) If you are adding tags in the Privileged Access Tags category, select the user groups who can add or remove the tags in threat data objects. For example, Super Admin and Privileged Access Group. By default, the Admin user group can add or remove all privileged access tags.

  5. Click Add.

Manage Tags

You can view the details of the tags, such as the tag name, created and modified dates, and the email IDs of the creator and modifier, under the respective tag categories. Understand the following points to manage tags:

  • All user groups with View Tags permission can view Source, User, and System tag categories. 

  • Only user groups with Tag Categories Management Permission for Privileged Access tags can view the Privileged Access tag category. Moreover, you can view the privileged tags that your user groups have been granted access to in Tag Management.

  • To modify tags of a category, your user groups must have the Update Tags permission and Tag Categories Management Permission for the specific category.

To manage a tag, you can click the vertical ellipses and perform the following activities:

  • Update: You can update the following details of a tag:

    • Tag Category: The tag will be moved to the new tag category and the color-code of the tag will be updated in all associated threat data objects.

      Note

      • You can update the category for user, source, and privileged access tags only.

      • You cannot move user, source, and privileged access tags to system tags.

      • To update the category of privileged tags, you must remove all associated user groups.

    • User Group: Add or remove user groups for privileged access tags.

  • Disable: Disables a tag in the application. You cannot modify the details of a disabled tag. Disabled tags are hidden from associated threat data objects and cannot be added to other objects.

    Note

    Disabled tags are not permanently deleted from the associated threat data objects. After you enable the tags, you can view them in the associated threat data objects.

To manage multiple tags, you can perform the following activities:

  • Enable or Disable: To enable or disable multiple tags in one operation, select the tags, click Bulk Actions, and then select an action. You can perform bulk actions on a maximum of 1000 tags in one operation.

    Note

    Updating or disabling a tag does not update or remove the tag from the published collections.

  • Search: Search tags based on the tag name.

  • Filter: Filter tags based on the created date, modified date, creator, last modifier, and status.

For more information about tag management, see Tag Management FAQs.