Tags

TruSTAR supports two types of tags, Report Tags and Indicator Tags.

Report Tags

Report tags are simply labels on a report, used for organization and for search indexing, so that reports with a given tag can be found quickly.

Report tags no longer have IDs. A tag is identified simply by its name. For backwards compatibility, endpoints that returned or accepted tag IDs now return or accept the tag name in that field instead. Essentially, the tag’s name behaves as its ID for all endpoints.

Report tags used to be enclave-specific, meaning that each tag was associated with an enclave (possibly different from that of the report), and READ/WRITE access to the tag was governed independently of READ/WRITE access to the report.

This behavior has been removed in order to simplify user flows and improve performance. Report tags are now simply properties of the report, and READ/WRITE access is governed by a user’s access to the report. Specifically, a user can view all of a report’s tags if they can view the report, and they can add or remove tags if they can edit the report.

Indicator Tags

Indicator tags are still enclave-specific. When tagging an indicator, an enclave must be specified. A user’s access to view or delete a tag is dependent on their access to the enclave that the tag lives in.

Schema

| Field | Description |
|-------|-------------|
| guid | The ID of the tag. NOTE: For report tags, this will be populated with the tag’s name, since IDs for report tags are deprecated. |
| name | The name of the tag (i.e. the actual string value of the tag) |
| enclaveId | The ID of the enclave of the tag, for indicator tags. For report tags, this will be populated with the enclave ID of the report. |

Sample JSON

{
    "guid": "malicious",
    "name": "malicious",
    "enclaveId": "291af346-dbd1-4bc0-9c69-be20af157fb0"
}
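
The two access models described above, as an added client-side sketch that is not TruSTAR's own code. The function names, the `kind` argument, the shape of `report_access` and `enclave_access`, and the mapping of view to READ and add/remove to WRITE for indicator tags are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Constructed sample in the tag schema shown on this page.
SAMPLE = ('{"guid": "malicious", "name": "malicious", '
          '"enclaveId": "291af346-dbd1-4bc0-9c69-be20af157fb0"}')

@dataclass(frozen=True)
class Tag:
    guid: str
    name: str
    enclave_id: str

def parse_tag(raw: str) -> Tag:
    d = json.loads(raw)
    return Tag(d["guid"], d["name"], d["enclaveId"])

def tag_key(tag: Tag, kind: str) -> tuple:
    """Identity for dedup or caching; kind comes from the caller's context."""
    if kind == "report":
        # Report tags have no IDs: the name is the identity, guid only mirrors it.
        return ("report", tag.name)
    if kind == "indicator":
        # Indicator tags are enclave-specific, so the enclave is part of the key.
        return ("indicator", tag.enclave_id, tag.guid)
    raise ValueError(f"unknown tag kind: {kind!r}")

def is_allowed(action, kind, tag, report_access=frozenset(), enclave_access=None):
    """Decide whether a user may 'view', 'add' or 'remove' a tag.

    report_access: the user's rights on the tagged report, from {'view', 'edit'}.
    enclave_access: enclave ID -> rights from {'READ', 'WRITE'} (assumed shape).
    """
    if action not in ("view", "add", "remove"):
        raise ValueError(f"unknown action: {action!r}")
    if kind == "report":
        # Governed only by access to the report. tag.enclave_id is just the
        # report's enclave and must not be used as a separate ACL.
        needed = "view" if action == "view" else "edit"
        return needed in report_access
    if kind == "indicator":
        # Governed by access to the enclave the tag lives in.
        # Assumption: view needs READ, add/remove need WRITE.
        needed = "READ" if action == "view" else "WRITE"
        return needed in (enclave_access or {}).get(tag.enclave_id, set())
    raise ValueError(f"unknown tag kind: {kind!r}")
```
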