Skip to main content

Create a Custom Tag Schema

This topic has instructions for creating a custom tag schema in Cloud SIEM. 

About tags in Cloud SIEM

Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: keyword tags, which are arbitrary, freeform strings; and schema keys, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.

Built-in schema keys

Schema tags can enforce specific tag values and prevent confusion from variations in tag values. For example, you might want to ensure the use of standard server identifiers, such as “FinanceServer”, rather than “Server-Finance” or “Finance_Server”. 

For more information about tags in Cloud SIEM, see Using Tags with Insights, Signals, Entities, and Rules.

Define a custom tag schema

  1. Classic UI. In the top menu select Configuration, and then under Workflow select Tag Schemas.
    New UI. In the top menu select Configuration, and then under Cloud SIEM Workflow select Tag Schemas. You can also click the Go To... menu at the top of the screen and select Tag Schemas.
  2. On the Tag Schemas page, click +Add Tag Schema.
  3. The Add Tag Schemas popup appears.
    Create tag schema
    1. Key. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the Label field blank.
    2. Label. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
    3. Content Types. Select the types that you want the tag to be available for. You can select one or more of the following:
      • Custom Insight
      • Rule
      • Entity The options do not include Signal or Insight. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
    4. Allow Custom Values. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the Value Options section below.
    5. If Allow Custom Values is not checked, you must define at least one value for the tag:
      • Enter Value. Enter an allowable value for the tag.
      • Enter Label. Enter a label for the value.
      • Enter Link (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the Tactic:TA0002 to associated information on the MITRE site.
        Example MITRE link
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2024 by Sumo Logic, Inc.