Set up security tag groups and tags

You can assign tags to security incidents, response tasks, vulnerable items, observables, IoCs, and security cases to create metadata on the corresponding record and to define who should have access to specific types of security content. Tags can be added to security tag groups to organize them.

Before you begin

Role required: sn_si.admin


  1. Navigate to Security Operations > Security Tags > Groups.
    Three default classification groups are included in the base system.
    • Enrichment whitelist/blacklist: This group defines whether a record is to be treated as a whitelist or blacklist record. Whitelist records are generally of less significance, so they can be ignored. Blacklist records are generally of higher interest.
    • Metatag: This group is provided as demo data. You can use it to create custom classification tags that are used by security operations applications.
    • Traffic Light Protocol: This group is used to ensure that sensitive information is shared with the correct audience. It employs four colors (White, Green, Amber, and Red) to indicate different degrees of sensitivity. You can add other colors, but any color beyond these four is not considered valid by the Forum for Incident Response and Security Teams (FIRST).
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    • Name: Enter the name of the security group.
    • Allow multi-selection: Select this check box if you want to be able to assign multiple security tags that share this group to a record.
    • Active: Turn the group on or off.
    • Description: Enter a description of this group.
  4. Right-click the form header and select Save.
    The Security Tags related list appears.
  5. In the Security Tags related list, click New.
  6. Fill in the fields on the form, as appropriate.
    • Name: The name of the classification tag.
    • Security Tag Group: If the tag was created using the New button in the group related list, this field defaults to the current group. If needed, you can add the tag to a different group, but this is optional.
    • Order: Specify the order in which the tag appears on forms or within a list.
    • Color: Select the color for this tag.
    • Enforce restricted access: Select this check box to assign the read and/or write roles that users need to read or write to records that have this security tag.
    • Active: Turn the tag on or off.
    • Description: A description of this tag.
    • Roles (read/write access): To assign read or write access roles to a security tag, click the lock icon, select the appropriate roles, and click the lock icon again. These fields appear only if you selected the Enforce restricted access check box.
  7. Repeat as needed to create more security tags.
  8. Click Update.
    Note: You can also create new tags by navigating to Security Operations > Security Tags > Tags. The procedure is the same.