Set up security tag groups and tags
You can assign tags to security incidents, response tasks, vulnerable items, observables, IoCs, and security cases. A tag attaches metadata to the tagged record and can define who is allowed to read or write specific types of security content. Tags are organized into security tag groups.
Before you begin
- Manual security tags are preserved when automatic tags are applied to security incidents, so analyst-curated information is not lost. The Source column in the Applied Security Tags related list records whether each tag was added manually or automatically by a rule.
- Role required: sn_si.admin
Procedure
- Navigate to All > Security Operations > Security Tags > Groups.
  Three default classification groups are included in the base system.
  - Enrichment allow list/deny list: This group defines whether a record is treated as an allow list or a deny list record. Allow list records are generally of lower significance and can usually be ignored. Deny list records are generally of higher interest.
  - Metatag: This group is provided as demo data. You can use it to create custom classification tags that are used by the Security Operations applications.
  - Traffic Light Protocol (TLP): This group is used to ensure that sensitive information is shared only with the correct audience. It employs four colors (White, Green, Amber, and Red) to indicate increasing degrees of sensitivity. For each color, you can assign the appropriate read/write access roles. When observables are shared to a trusted security circle, the TLP tag assigned to the trusted security circle profile determines which TLP-tagged observables can be shared to that circle: an observable can be shared only if its TLP color ranks at or below the profile's color.
    - TLP: WHITE: Only observables tagged TLP: WHITE can be shared to a TLP: WHITE profile.
    - TLP: GREEN: Observables tagged TLP: GREEN or TLP: WHITE can be shared to a TLP: GREEN profile.
    - TLP: AMBER: Observables tagged TLP: AMBER, TLP: GREEN, or TLP: WHITE can be shared to a TLP: AMBER profile.
    - TLP: RED: All observables, regardless of their TLP tag, can be shared to a TLP: RED profile, because TLP: RED is the highest-ranked TLP tag.
  Note: You can add other TLP colors, but any color beyond the four included here is not considered valid by the Forum of Incident Response and Security Teams (FIRST).
- Select New.
- Fill in the fields on the form, as appropriate.
  - Name: Name of the security tag group.
  - Allow multi-selection: Whether a record can carry more than one tag from this group at the same time.
    - True: Multiple tags from this group can be applied to a record simultaneously.
    - False: Only one tag from this group can be active on a record at a time.
  - Active: Option to turn the group on or off.
  - Description: Brief description of this group.
- Select and hold (or right-click) the form header and select Save.
  The Security Tags related list appears.
- In the Security Tags related list, select New.
- Fill in the fields on the form, as appropriate.
  - Name: The name of the classification tag.
  - Security Tag Group: If the tag was created using the New button in the group's related list, this field defaults to the current group. Optionally, you can assign the tag to a different group.
  - Order: The order in which the tag appears on forms or within a list.
  - Color: The color for this tag.
  - Enforce restricted access: Option to require read and/or write roles of users who read or write records that carry this security tag. If this check box is cleared, the tag does not restrict access to the record.
  - Active: Option to turn the tag on or off.
  - Description: A description of this tag.
  - Roles (read access): To assign read access to a security tag, select the lock icon, select the appropriate access roles, and select the lock icon again. This field appears only if you have selected the Enforce restricted access check box.
  - Roles (write access): To assign write access to a security tag, select the lock icon, select the appropriate access roles, and select the lock icon again. This field appears only if you have selected the Enforce restricted access check box.
- Repeat as needed to create more security tags.
- Select Update.
Note: You can also create tags by navigating to All > Security Operations > Security Tags > Tags. The procedure is the same.
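The following stand-alone JavaScript model is an added example, not ServiceNow code, and uses no Glide or platform API. It shows how the rules described on this page fit together: a single-select tag group (Allow multi-selection = False), preservation of manual tags when a rule applies a tag, the read/write role gate of Enforce restricted access, and the TLP ranking that decides which observables can be shared to a trusted security circle profile. The class and function names (TagGroup, SecurityTag, TaggedRecord, shareableToCircle), the role names used in the sample data, and the choice to withhold untagged observables are assumptions made for illustration.

```javascript
// Added example, not ServiceNow code: a stand-alone model of the tag-group
// semantics described on this page. Names and sample data are assumptions.

// TLP ranks in the order the page lists them. A circle profile may receive
// observables whose rank is at or below the profile's own rank.
const TLP_RANK = { 'TLP: WHITE': 0, 'TLP: GREEN': 1, 'TLP: AMBER': 2, 'TLP: RED': 3 };

class TagGroup {
  constructor(name, allowMultiSelection) {
    this.name = name;
    this.allowMultiSelection = allowMultiSelection; // the "Allow multi-selection" field
    this.tags = new Map();
  }
}

class SecurityTag {
  constructor(name, group, opts = {}) {
    this.name = name;
    this.group = group;
    this.active = opts.active !== false;
    // "Enforce restricted access": only when set do the role lists gate the record.
    this.enforceRestricted = Boolean(opts.enforceRestricted);
    this.readRoles = new Set(opts.readRoles || []);
    this.writeRoles = new Set(opts.writeRoles || []);
    group.tags.set(name, this);
  }
}

// A record (here an observable) with its Applied Security Tags and their Source.
class TaggedRecord {
  constructor(id) {
    this.id = id;
    this.applied = []; // entries: { tag, source }, source is 'manual' or 'rule'
  }
  // Returns true if the tag is now applied, false if the request was refused.
  applyTag(tag, source) {
    if (!tag.active) throw new Error(`tag "${tag.name}" is inactive`);
    if (this.applied.some(a => a.tag === tag)) return true;
    const sameGroup = this.applied.filter(a => a.tag.group === tag.group);
    if (!tag.group.allowMultiSelection && sameGroup.length > 0) {
      // Single-select group: one tag at a time. A rule never overrides a manual
      // tag (manual tags are preserved); a manual change replaces the old tag.
      if (source === 'rule' && sameGroup.some(a => a.source === 'manual')) return false;
      this.applied = this.applied.filter(a => a.tag.group !== tag.group);
    }
    this.applied.push({ tag, source });
    return true;
  }
  tagsIn(group) {
    return this.applied.filter(a => a.tag.group === group).map(a => a.tag);
  }
  // The user must hold a granted role for every applied tag that enforces restricted access.
  roleCheck(userRoles, field) {
    return this.applied.every(a =>
      !a.tag.enforceRestricted || [...a.tag[field]].some(r => userRoles.has(r)));
  }
  canRead(userRoles) { return this.roleCheck(userRoles, 'readRoles'); }
  canWrite(userRoles) { return this.roleCheck(userRoles, 'writeRoles'); }
}

function tlpOf(record, tlpGroup) {
  const tags = record.tagsIn(tlpGroup);
  return tags.length ? tags[0].name : null;
}

// Sharing rule from the page: an observable may go to a circle whose profile TLP
// ranks at or above the observable's TLP. Untagged observables are withheld
// (an assumption; the page does not say what happens to them).
function shareableToCircle(observables, profileTlp, tlpGroup) {
  const limit = TLP_RANK[profileTlp];
  if (limit === undefined) throw new Error(`${profileTlp} is not one of the four FIRST TLP colors`);
  return observables.filter(o => {
    const t = tlpOf(o, tlpGroup);
    return t !== null && TLP_RANK[t] <= limit;
  });
}

// Constructed sample data: a single-select TLP group and four observables.
function buildDemo() {
  const tlp = new TagGroup('Traffic Light Protocol (TLP)', false);
  const white = new SecurityTag('TLP: WHITE', tlp);
  const green = new SecurityTag('TLP: GREEN', tlp);
  const amber = new SecurityTag('TLP: AMBER', tlp,
    { enforceRestricted: true, readRoles: ['sn_si.analyst', 'sn_si.admin'], writeRoles: ['sn_si.admin'] });
  const red = new SecurityTag('TLP: RED', tlp,
    { enforceRestricted: true, readRoles: ['sn_si.admin'], writeRoles: ['sn_si.admin'] });
  const obs = ['ip-1', 'ip-2', 'ip-3', 'ip-4'].map(id => new TaggedRecord(id));
  obs[0].applyTag(white, 'manual');
  obs[1].applyTag(green, 'rule');
  obs[2].applyTag(amber, 'manual');
  obs[3].applyTag(red, 'rule');
  const ruleDowngrade = obs[2].applyTag(green, 'rule'); // refused: manual AMBER is preserved
  obs[1].applyTag(amber, 'manual');                     // manual change replaces rule GREEN
  const analyst = new Set(['sn_si.analyst']);
  return {
    ruleDowngrade,
    ip2Tlp: tlpOf(obs[1], tlp),
    ip3Tlp: tlpOf(obs[2], tlp),
    shareToGreen: shareableToCircle(obs, 'TLP: GREEN', tlp).map(o => o.id),
    shareToAmber: shareableToCircle(obs, 'TLP: AMBER', tlp).map(o => o.id),
    shareToRed: shareableToCircle(obs, 'TLP: RED', tlp).map(o => o.id),
    analystReadsAmber: obs[2].canRead(analyst),
    analystWritesAmber: obs[2].canWrite(analyst),
    analystReadsRed: obs[3].canRead(analyst),
  };
}

console.log(JSON.stringify(buildDemo(), null, 2));
```

Two design points carry over to the real platform. First, the role check is conjunctive: a record carrying several restricted tags is readable only by a user who satisfies every one of them, so stacking tags narrows access rather than widening it. Second, the TLP comparison is a rank comparison, which is why a fifth color has no defined position and is rejected here just as the page's note says FIRST would reject it.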