Create a Custom Tag Schema
This topic has instructions for creating a custom tag schema in Cloud SIEM.
About tags in Cloud SIEM
Tags are metadata you can attach to Insights, Signals, Entities, and Rules. Tags are useful for adding context to these Cloud SIEM items. You can also search for and filter items by tag. There are two types of tags: keyword tags, which are arbitrary, freeform strings; and schema keys, which are predefined key-value pairs. Cloud SIEM provides built-in schemas keys that display in the Cloud SIEM UI with a Sumo label, as shown in the example below. You can’t edit the built-in schemas.
Schema tags can enforce specific tag values and prevent confusion from variations in tag values. For example, you might want to ensure the use of standard server identifiers, such as “FinanceServer”, rather than “Server-Finance” or “Finance_Server”.
For more information about tags in Cloud SIEM, see Using Tags with Insights, Signals, Entities, and Rules.
Define a custom tag schema
- Classic UI. In the top menu select Configuration, and then under Workflow select Tag Schemas.
New UI. In the top menu select Configuration, and then under Cloud SIEM Workflow select Tag Schemas. You can also click the Go To... menu at the top of the screen and select Tag Schemas. - On the Tag Schemas page, click +Add Tag Schema.
- The Add Tag Schemas popup appears.
- Key. Enter an identifier for the tag you’re defining. It won’t appear in the UI for assigning tags to a content item, unless you leave the Label field blank.
- Label. Enter a label for the tag. If you supply a label, that’s what will appear in the UI for assigning tags to a content item.
- Content Types. Select the types that you want the tag to be
available for. You can select one or more of the following:
- Custom Insight
- Rule
- Entity The options do not include Signal or Insight. Signals and Insights inherit tag values from the rule(s) or Custom Insight definition that triggered the Signal or Insight and involved Entities.
- Allow Custom Values. Check this box to allow users to add additional allowable values to the tag schema. Otherwise, when applying the tag users may only select one of the values you define in the Value Options section below.
- If Allow Custom Values is not checked, you must define at least one value for the tag:
- Enter Value. Enter an allowable value for the tag.
- Enter Label. Enter a label for the value.
- Enter Link (optional). Enter a URL for it to appear in the Actions menu of the tag in any content items to which it’s been applied. Cloud SIEM’s built-in schema tags are examples of schema tags that include a link. The screenshot below shows a link from the Tactic:TA0002 to associated information on the MITRE site.