Tags are assigned to cases by Chronicle SOAR based on predefined rules and can be used to classify cases or find specific cases faster. Note that you can manually add tags to a case from the Case screen. These tags can be removed from the case, but NOT removed entirely from the system.

You might want to import tags in the following situations. For example, moving from staging to production environment or for backup purposes.

To import tags:

  1. Navigate to Settings > Case Data > Tags.
  2. Click on the  icon. The CSV chart shows the exact structure of how the imported tags should be laid out.
  3. Enter in the tag information.
  4. Click the  icon and import in the filled CSV chart.

The relationship between Assigned Tag and Search Name is many-to-many. That is, more than one Assigned Tag can be associated with one Search Name, and more than one Search Name can be associated with one Assigned Tag. For example, Chronicle SOAR assigns the same tag “DLP” to alerts the SIEM tags as “Data Exfiltration” or “Symantec DLP – Financial Information – Network”.

To add a new tag:

  1. Click on the  icon on the top right of the screen.
  2. Enter a Tag name.
  3. Then choose between Entities, Product, Rule Generator or Vendor. 
  4. Select from the drop-down list one of the following qualifiers: contains, exact, starts with, ends with. Choose the qualifier that best fits your needs.
  5. Select the Entity from the drop-down list, and enter Property and Value if necessary.  Alternatively, select the Product, Rule Generator, or Vendor.
  6. Select the priority for the tag. Note that Chronicle SOAR merges priority with other alerts and entities and events so that the priority here is not an absolute.
  7. Select the Can be a case name if required. When checked, the tag will be assigned as the title of the Case if it meets the conditions. 
  8. Click Save.