Using Tags with Insights, Signals, Entities, and Rules

Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these CSE items. You can also search for and filter items by tag.

What are tags?

There are two types of tags: 

  • Schema keys. These are predefined key-value pairs that map to particular CSE schema attributes. Currently, there are two such tags: Tactic and Technique, which relate to the MITRE ATT&CK framework. You can assign schema key tags to custom Rules you’ve developed, but not to built-in rules. (Built-in rules are associated with the appropriate MITRE tactics and techniques out-of-the-box.) You can also assign schema key tags to Insights, both CSE-generated and custom.
  • Keyword tags. These are arbitrary labels that you define yourself. You can assign keyword tags to custom Rules, Entities, and Insights, both CSE-generated and custom.

A tag attached to a Rule is applied to Signals that the Rule generates. Similarly, tags applied to a Signal are applied to the Insights the Signal contributes to. All of the tags applied to an Insight's contributing Signals are aggregated, de-duplicated, and applied to the Insight. Note that an item is tagged when it is created. So, if you add a tag to a rule, Signals and Insights created before you updated the rule will not have that tag applied.
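
The propagation rules above, modeled in Python as an added example. This is not Sumo Logic code or the CSE API: the class names, function names, and sample tags are hypothetical and constructed for illustration. It shows that tags are copied at creation time, so a tag added to a Rule later does not reach Signals and Insights that already exist.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    tags: list = field(default_factory=list)


@dataclass(frozen=True)
class Signal:
    rule_name: str
    tags: tuple  # snapshot of the Rule's tags at the moment the Signal was created


@dataclass(frozen=True)
class Insight:
    signals: tuple
    tags: tuple  # aggregated, de-duplicated tags of the contributing Signals


def fire(rule):
    """Create a Signal; it inherits the Rule's tags as they are right now."""
    return Signal(rule.name, tuple(rule.tags))


def raise_insight(signals):
    """Merge the contributing Signals' tags, dropping duplicates, keeping order."""
    merged = dict.fromkeys(t for s in signals for t in s.tags)
    return Insight(tuple(signals), tuple(merged))


def demo():
    # Constructed sample data: two custom rules with a schema key tag and a keyword tag.
    evasion = Rule("Log cleared", ["Tactic:TA0005", "windows"])
    persist = Rule("New service", ["Tactic:TA0003", "windows"])
    old = raise_insight([fire(evasion), fire(persist)])
    # Keyword tag added to the rule afterwards: only newly created items carry it.
    evasion.tags.append("crown-jewels")
    new = raise_insight([fire(evasion), fire(persist)])
    return old.tags, new.tags


if __name__ == "__main__":
    print(demo())
```

A search on a recently added tag therefore misses Signals and Insights created before the tag was added to the Rule.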

View tags

You can view tags on the pages that provide summary views of Insights, Signals, Entities, and Rules. You can also view the tags assigned to an item on the detailed page you see when you navigate to a particular Insight, Signal, Entity, or Rule. 

This is an overview of an Insight from the Insights page. Multiple schema key tags have been attached to the Insight.

insight-list-tags.png

The screenshot below shows an Entity to which several keyword tags have been attached.

entity-list-tags.png

Find the tagging UI

The procedure for tagging Rules, Entities, and Insights is similar. The difference is where you do the tagging. 

UI for tagging a Rule

  1. Select Rules from the Content menu.
  2. Navigate to a custom rule.
  3. The UI for tagging is at the bottom of the Then Create a Signal area of the Rule Editor.
  4. To add a tag, follow the instructions in Add a schema key tag or Add a keyword tag.
    tag-a-rule.png

UI for tagging an Entity

  1. Click the Entities tab at the top of the CSE UI.
  2. Navigate to the Entity to which you want to attach a tag.
  3. The UI for tagging is at the bottom of the Details pane.
  4. To add a tag, follow the instructions in Add a keyword tag.
    tag-an-entity.png

UI for tagging a CSE-generated Insight

  1. Click the Insight tab at the top of the CSE UI.
  2. Navigate to the Insight to which you want to attach a tag.
  3. The UI for tagging is at the bottom of the Details pane.
  4. To add a tag, follow the instructions in Add a schema key tag or Add a keyword tag.
    tag-an-insight.png

UI for tagging a custom Insight

  1. Select Custom Insights from the Content menu.
  2. Navigate to a custom Insight.
  3. The UI for tagging is at the bottom of the Then Create a Signal area of the Insight Editor.
  4. To add a tag, follow the instructions in Add a schema key tag or Add a keyword tag.
    custom-insight.png

Add a schema key tag

There are currently two schema key tags you can apply: Tactic and Technique, which relate to the MITRE ATT&CK framework. For more information, see https://attack.mitre.org/.

  1. Navigate to the Rule or Insight to which you want to add a tag, as described in the previous section. 
  2. In the tagging section, click the chevron icon.
    chevron-icon.png
  3. Under Schema Keys, click Tactic or Technique.
    tag-list-1.png
  4. A list of values appears. 
    values.png
  5. As you type text in the field, a list of matching values appears.
    type-ahead.png
  6. Select a tag value, and press Return to add it to the item. 

Add a keyword tag

  1. Navigate to the Rule, Entity, or Insight to which you want to add a tag, as described in Find the tagging UI.
  2. In the tagging section, click the chevron icon.
    chevron-icon.png
  3. A list of keyword tags that have already been assigned to items of the current type (Rule, Entity, or Insight) appears. You can select an existing tag, or add a new one. Enter text in the field to see a list of matching values.
    freeform-tag-list.png
  4. To add a new tag, enter it and press Return. 
    add-freeform-tag.png
  5. The tag is added to the item.
    freeform-added.png

Search by tag

Search Insights, Signals, or Entities by tag

  1. Click in the search area and then click the funnel icon.
    funnel-icon.png
  2. Select Insights, Signals, or Entities from the Sources list.
    sources.png
  3. Select Tags from the Fields list.
    tags-field.png
  4. Choose contain or do not contain from the Operators list.
    operators.png
  5. Select a tag from either the Schema Keys or Keyword Tags list. If you select a tag from the Schema Keys list, you are prompted to select a value, and items that match are listed. If you select a tag from the Keyword Tags list, items that match are listed.

Search Rules by tag

  1. Select Rules from the Content menu.
  2. Click in the Filters area and select Tags from the Fields list.
    search-rules-by-tag.png
  3. Choose contain or do not contain from the Operators list.
    operators.png
  4. Select a tag from either the Schema Keys or Keyword Tags list. If you select a tag from the Schema Keys list, you are prompted to select a value, and items that match are listed. If you select a tag from the Keyword Tags list, items that match are listed.

    Note that if an item has a MITRE-related tag, an icon appears next to it. Click the icon to view a MITRE page on the Tactic or Technique.
    search-results.png

Filter a list view by clicking a tag

On the Insights, Signals, Rules, or Entities page, you can click a tag to filter the list. For example, if you click the Tactic:TA0005 - Defense Evasion tag on an Insight, like this:

filter-list-by-tag.png

the page will be filtered to show only Insights that have that tag:

filtered-list.png