This topic has instructions for creating a custom tag schema in Cloud SIEM.
About tags in Cloud SIEM
Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: keyword tags, which are arbitrary, freeform strings; and schema keys, which are predefined key-value pairs. Cloud SIEM provides built-in schema keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.
Schema tags can enforce specific tag values and prevent confusion from variations in tag values. For example, you might want to ensure the use of standard server identifiers, such as “FinanceServer”, rather than “Server-Finance” or “Finance_Server”.
For more information about tags in Cloud SIEM, see Using Tags with Insights, Signals, Entities, and Rules.
Define a custom tag schema
Click the gear icon at the top of the Cloud SIEM UI and select Tag Schemas under Workflow.
On the Tag Schemas page, click Create.
The Tag Schema popup appears. The screenshot below shows a previously configured tag schema.
- Key. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the Label field blank.
- Label. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
- Content Types. Select the types that you want the tag to be available for. You can select one or more of the following:
  - Custom Insight
  - Entity
  The options don't include Signal or Insight. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
- Allow Custom Values. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag, users may only select one of the values you define in the Value Options section below.
- Value Options. If Allow Custom Values is not checked, you must define at least one value for the tag:
  - Value. Enter an allowable value for the tag.
  - Label. Enter a label for the value.
  - Link (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the Tactic:TA0002 tag to associated information on the MITRE site.
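
The following added example (not from the original page, and not Cloud SIEM's own code or API) models the popup fields as a Python dict and shows how a schema's defined values catch spelling variants such as “Server-Finance” before they are applied as tags. The dict layout, the `serverRole` key, the sample tags, and the function names are assumptions made for illustration.

```python
import re

# Constructed schema modelled on the Tag Schema popup fields. The dict layout
# is an assumption for illustration, not Cloud SIEM's storage or API format.
SCHEMA = {
    "key": "serverRole",
    "label": "Server Role",
    "content_types": {"Custom Insight", "Entity"},
    "allow_custom_values": False,
    "value_options": [
        {"value": "FinanceServer", "label": "Finance Server"},
        {"value": "HRServer", "label": "HR Server"},
    ],
}

def fingerprint(value):
    """Reduce a value to sorted lowercase words, so 'Server-Finance',
    'Finance_Server' and 'FinanceServer' all compare equal."""
    words = re.findall(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+", value)
    return tuple(sorted(w.lower() for w in words))

def classify(schema, content_type, value):
    """Return (verdict, canonical_value) for a tag someone wants to apply."""
    # Popup rule: with Allow Custom Values unchecked, at least one value is required.
    if not schema["allow_custom_values"] and not schema["value_options"]:
        raise ValueError("define at least one value or allow custom values")
    if content_type not in schema["content_types"]:
        return ("wrong_content_type", None)
    allowed = {fingerprint(o["value"]): o["value"] for o in schema["value_options"]}
    if value in allowed.values():
        return ("ok", value)
    canonical = allowed.get(fingerprint(value))
    if canonical:
        return ("variant", canonical)  # spelling drift from a defined value
    if schema["allow_custom_values"]:
        return ("custom", value)
    return ("rejected", None)

# Constructed sample of freeform keyword tags to audit against the schema.
SAMPLE = ["FinanceServer", "Server-Finance", "Finance_Server", "hr server", "Kiosk"]

if __name__ == "__main__":
    for tag in SAMPLE:
        print(f"{tag!r:18} -> {classify(SCHEMA, 'Entity', tag)}")
```

Running the same audit over existing keyword tags before creating the schema shows which freeform values would collapse into a single defined value and which would need their own value option.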