Set up security tag groups and tags

You can assign tags to security incidents, response tasks, vulnerable items, observables, IoCs, and security cases to create metadata on the responding record and define who should have access to specific types of security content. Tags can be added to security tag groups to organize them.

Before you begin

Role required: sn_si.admin

Procedure

  1. Navigate to Security Operations > Security Tags > Groups.
    Three default classification groups are included in the base system.
    • Enrichment white/blacklist: This group defines whether a record is to be treated as a whitelist or blacklist record. Records that are tagged as Blacklist can be shared to trusted security circles. Records that are tagged as Whitelist cannot be shared to trusted security circles.
    • Metatag: This group is provided as demo data. You can use it to create custom classification tags that are used by security operations applications.
    • Traffic Light Protocol: This group is used to ensure that sensitive information is shared with the correct audience. It employs four colors (White, Green, Amber, and Red) to indicate different degrees of sensitivity. When sharing observables to a trusted security circle, the tag assigned to the trusted security circle profile determines which TLP-tagged observables can be shared to the circle, as follows:
      • TLP: WHITE: Only observables with TLP: WHITE can be shared to a TLP: WHITE profile.
      • TLP: GREEN: Observables with TLP: GREEN and TLP: WHITE can be shared to a TLP: GREEN profile.
      • TLP: AMBER: Observables with TLP: AMBER, TLP: GREEN, and TLP: WHITE can be shared to a TLP: AMBER profile.
      • TLP: RED: All observables, regardless of their TLP tag, can be shared with a TLP: RED profile since TLP: RED is the highest ranked TLP tag.
      Note: You can add other TLP colors, but any color beyond the four included is not considered valid by the Forum for Incident Response and Security Teams (FIRST).
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    • Name: The name of the security group.
    • Allow multi-selection: Select this check box if you want to be able to assign multiple security tags from the same group to a record.
    • Active: Turn the group on or off.
    • Description: A description of this group.
  4. Right-click the form header and select Save.
    The Security Tags related list appears.
  5. In the Security Tags related list, click New.
  6. Fill in the fields on the form, as appropriate.
    • Name: The name of the classification tag.
    • Security Tag Group: If the tag was created using the New button in the group related list, this field defaults to the current group. If needed, you can add the tag to a different group, but this is optional.
    • Order: Specify the order the tag appears on forms or within a list.
    • Color: Select the color for this tag.
    • Enforce restricted access: Select this check box to assign read and/or write roles needed by users to read or write to records that have this security tag.
    • Active: Turn the tag on or off.
    • Description: A description of this tag.
    • Roles (read/write access): To assign read or write access roles to a security tag, click the lock icon, select the appropriate roles, and click the lock icon again. These fields appear only if you selected the Enforce restricted access check box.
  7. Repeat as needed to create more security tags.
  8. Click Update.
    Note: You can also create new tags by navigating to Security Operations > Security Tags > Tags. The procedure is the same.
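
The sharing rules listed under step 1 (TLP profile ceiling plus the Whitelist restriction), modeled as an added example for checking a tagging plan before tags are applied. It is not ServiceNow code: the function names, the observable shape, and the sample data are constructed. Assumptions: both rules apply together, and outside a TLP: RED profile an observable with no TLP tag or with a custom color is not shared.

```javascript
// Ranks follow the page: WHITE is lowest, RED is "the highest ranked TLP tag".
const TLP_RANK = new Map([
  ['TLP: WHITE', 0], ['TLP: GREEN', 1], ['TLP: AMBER', 2], ['TLP: RED', 3],
]);

// Canonicalize spellings such as "tlp:amber" to "TLP: AMBER"; null if not a TLP tag.
function normalizeTlp(tag) {
  const m = /^\s*TLP:\s*([A-Z]+)\s*$/i.exec(typeof tag === 'string' ? tag : '');
  return m ? `TLP: ${m[1].toUpperCase()}` : null;
}

// Decide whether one observable may be shared to a circle whose profile has profileTlp.
function shareDecision(observable, profileTlp) {
  const tags = observable.tags || [];
  const profile = normalizeTlp(profileTlp);
  if (!TLP_RANK.has(profile)) {
    return { share: false, reason: 'profile has no valid TLP tag' }; // assumption
  }
  // Whitelist records cannot be shared to trusted security circles.
  if (tags.some((t) => /^whitelist$/i.test(String(t).trim()))) {
    return { share: false, reason: 'Whitelist record' };
  }
  // A TLP: RED profile accepts all observables regardless of their TLP tag.
  if (profile === 'TLP: RED') return { share: true, reason: 'TLP: RED profile' };
  const tlpTags = tags.map(normalizeTlp).filter(Boolean);
  if (tlpTags.length === 0) return { share: false, reason: 'no TLP tag' }; // assumption
  // Custom colors have no rank, so they are treated as above the ceiling (assumption).
  const limit = TLP_RANK.get(profile);
  const over = tlpTags.find((t) => !TLP_RANK.has(t) || TLP_RANK.get(t) > limit);
  return over
    ? { share: false, reason: `${over} exceeds ${profile}` }
    : { share: true, reason: `within ${profile}` };
}

// Values of the observables that may be shared to a profile.
function shareable(observables, profileTlp) {
  return observables.filter((o) => shareDecision(o, profileTlp).share).map((o) => o.value);
}

// Constructed sample observables (documentation-range addresses and test domains).
const SAMPLE = [
  { value: '198.51.100.7', tags: ['TLP: WHITE', 'Blacklist'] },
  { value: 'bad.example.test', tags: ['tlp:green'] },
  { value: '203.0.113.9', tags: ['TLP: AMBER', 'Blacklist'] },
  { value: 'cdn.example.test', tags: ['TLP: WHITE', 'Whitelist'] },
  { value: '192.0.2.44', tags: ['TLP: PURPLE'] }, // custom color, not valid per FIRST
  { value: 'untagged.example.test', tags: [] },
];
```

Calling shareable(SAMPLE, 'TLP: GREEN') returns only the WHITE and GREEN observables; the reason field from shareDecision shows why each of the others was held back.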