Tags
TruSTAR supports two types of tags: Report Tags and Indicator Tags.
Report Tags
Report tags are labels on a report, used for organization and search indexing so that reports with a given tag can be found quickly.
Report tags no longer have IDs. A tag is identified simply by its name. For backwards compatibility, endpoints that returned or accepted IDs of tags now return or accept the tag name in that field instead. Essentially, the tag’s name behaves as its ID for all endpoints.
Report tags used to be enclave-specific, meaning that each tag was associated with an enclave (possibly different from that of the report), and READ/WRITE access to the tag was governed independently of READ/WRITE access to the report.
This behavior has been removed in order to simplify user flows and improve performance. Report tags are now simply properties of the report, and READ/WRITE access is governed by a user’s access to the report. Specifically, a user can view all of a report’s tags if they can view the report, and they can add or remove tags if they can edit the report.
Indicator Tags
Indicator tags are still enclave-specific. When tagging an indicator, an enclave must be specified. A user’s access to view or delete a tag is dependent on their access to the enclave that the tag lives in.
Tag Characters
Tag names should contain UTF-8 alpha-numeric characters, hyphens, and underscores only.
A tag is converted to lowercase before being saved into the system, to maintain consistency.
The “Delete Tag from Indicator” endpoint takes the tag name as a parameter in the URL string, so tag names should contain only characters that do not require encoding when used as a parameter in a URL string.
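A client-side pre-flight check for the rules above, as an added example (not TruSTAR code, and it calls no TruSTAR API). The function names are hypothetical, and reading "alphanumeric" as Unicode letters and digits is an assumption; under that reading a name such as "café" passes the character rule yet still needs percent-encoding in a URL path, which the check reports separately.

```python
from urllib.parse import quote

# Assumption: "alphanumeric" is read as Unicode letters and digits
# (str.isalnum), plus hyphen and underscore.
ALLOWED_PUNCT = "-_"


def normalize_tag(name):
    """Return the tag as it would be stored (lowercased) or raise ValueError."""
    if not name:
        raise ValueError("empty tag name")
    bad = sorted({c for c in name if not (c.isalnum() or c in ALLOWED_PUNCT)})
    if bad:
        raise ValueError(f"disallowed characters {bad} in {name!r}")
    return name.lower()


def needs_url_encoding(tag):
    """True if percent-encoding the tag as a URL path segment changes it."""
    return quote(tag, safe="") != tag


def check_tags(names):
    """Validate a batch of tag names before sending them to the API."""
    first_seen, collisions, url_unsafe, rejected = {}, [], [], []
    for raw in names:
        try:
            tag = normalize_tag(raw)
        except ValueError as err:
            rejected.append((raw, str(err)))
            continue
        if tag in first_seen:
            if first_seen[tag] != raw:
                # Two spellings that lowercase to the same stored name.
                collisions.append((first_seen[tag], raw, tag))
            continue
        first_seen[tag] = raw
        if needs_url_encoding(tag):
            url_unsafe.append(tag)
    return {"stored": list(first_seen), "collisions": collisions,
            "url_unsafe": url_unsafe, "rejected": rejected}


if __name__ == "__main__":
    # Constructed sample input, not taken from any real enclave.
    sample = ["Malicious", "malicious", "high-risk_APT",
              "phishing kit", "caf\u00e9", "a/b"]
    for key, value in check_tags(sample).items():
        print(key, value)
```

Because a report tag's name doubles as its ID, the collision list shows which differently cased inputs end up as the same tag once stored.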
Endpoints
Schema
Field | Description |
---|---|
guid | The ID of the tag. NOTE: For report tags, this will be populated with the tag’s name, since IDs for report tags are deprecated. |
name | The name of the tag (i.e. the actual string value of the tag) |
enclaveId | The ID of the enclave of the tag, for indicator tags. For report tags, this will be populated with the enclave ID of the report. |
Sample JSON
{
    "guid": "malicious",
    "name": "malicious",
    "enclaveId": "291af346-dbd1-4bc0-9c69-be20af157fb0"
}