Daniel Dallmann, Senior Information Security Engineer, is a guest blogger from Payworks and a valued LogRhythm contributor. Dan was on the SOAR Customer Panel at LogRhythm’s third annual user conference, RhythmWorld, and was generous enough to share some of the tagging schema he presented at the conference with our blog readers.
If you’re a LogRhythm user, you’ve probably dabbled quite a bit in Case Management on a day-to-day basis. Whether you’re grinding through alarms or working on reported issues and incidents, Case Management provides the tools you need to collaborate, store evidence, initiate playbooks, and work through the incident management process.
But what about the tagging section in the Case Management editor?
If you haven’t explored Case Tags in some way or another, you’re not alone. A quick poll of the RhythmWorld 2019 SOAR User Panel audience demonstrated that many LogRhythm users aren’t using the feature even though they would like to. They just don’t know where to start.
LogRhythm’s Case Tags feature is extremely flexible and dynamic. With the feature, you can tag anything you want, how you want it. My team was first introduced to the Case Management Tags in this blog post on the topic. We saw the level of detail we could add to our cases and incidents using tags and were inspired to use a tagging schema.
Being a small- to mid-size enterprise (SME), we found the taxonomy described in LogRhythm’s blog post to be quite advanced for the departmental reporting we needed at the time. So, we brainstormed about what type of information we found most valuable at a high level, not only to improve the analysis process, but to also provide insights into the types of cases the security operations center (SOC) worked on.
Using Case Tags can be extremely powerful, but without a properly defined schema and guidelines for tagging, it can quickly turn to chaos. Tags are only effective if they are applied consistently.
Our team worked together to create a taxonomy like the diagram below. At a high level, we came up with a set of primary attributes that were assigned a prefix, such as 1_, to make them easy to identify.
Every case we create follows a step-by-step Case Tagging playbook, which states that each case should have one or more of the primary case classifications, and one of the sub-classifications when applicable.
As a case progresses, you can include one or more of the related sub-classifications, each of which also carries a prefix indicating which primary classification it derives from. If a suitable sub-classification doesn’t exist, consider creating one for tracking and reporting purposes.
Figure 1: Sample tagging taxonomy
Along with a primary taxonomy, you can also use what I refer to as dynamic tags. Dynamic tags relate to a person, asset, entity, or environment and are created by simply tagging a username, email address, identity, computer, or asset name.
Dynamic tags offer many benefits. They help your team dig deeper into cases that are related to a specific user or asset, and they build a solid foundation for contextual case search and reporting.
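The consistency rules above (one or more primary classifications per case, sub-classifications only alongside the primary they derive from, dynamic tags for users and assets) are exactly the kind of thing worth checking mechanically before a case is closed. The following is an added example and not LogRhythm's or Payworks' code; the taxonomy entries, the `<n>_Name` / `<n>.<m>_Name` prefix convention for primary and sub-classification tags, and the username/e-mail/hostname shapes are all constructed stand-ins for whatever your own diagram defines.

```python
"""Tag-consistency check for a case tagging schema (added example).

Assumed conventions (not taken from the post's diagram):
  - primary classification:  <n>_Name        e.g. 1_Malware
  - sub-classification:      <n>.<m>_Name    e.g. 1.1_Ransomware, n = parent number
  - dynamic tag:             a username, e-mail address or hostname
"""
import re

# Hypothetical taxonomy; replace with the primaries and sub-classifications your team agreed on.
TAXONOMY = {
    "1_Malware": {"1.1_Ransomware", "1.2_Trojan"},
    "2_Phishing": {"2.1_Credential_Harvest", "2.2_Malicious_Attachment"},
    "3_Policy_Violation": {"3.1_Unapproved_Software"},
}
PRIMARY_BY_NUMBER = {p.split("_", 1)[0]: p for p in TAXONOMY}
KNOWN_SUBS = {s for subs in TAXONOMY.values() for s in subs}

PRIMARY_RE = re.compile(r"^\d+_\S+$")
SUB_RE = re.compile(r"^(\d+)\.\d+_\S+$")

# Dynamic-tag shapes; these naming conventions are assumptions for the example.
DYNAMIC_RE = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$"),
    "username": re.compile(r"^[a-z]+\.[a-z]+$"),        # first.last
    "hostname": re.compile(r"^[a-z][a-z0-9-]*[0-9]+$"),  # e.g. ws-0421, srv01
}


def classify_dynamic(tag):
    """Return the dynamic-tag kind for a tag, or None if it matches no known shape."""
    for kind, rx in DYNAMIC_RE.items():
        if rx.match(tag):
            return kind
    return None


def validate_case(tags):
    """Sort a case's tags into primary / sub / dynamic and list schema violations."""
    tags = [t.strip() for t in tags if t and t.strip()]
    report = {"primary": [], "sub": [], "dynamic": {}, "problems": []}

    for tag in tags:
        if SUB_RE.match(tag):
            report["sub"].append(tag)
            if tag not in KNOWN_SUBS:
                report["problems"].append(f"unknown sub-classification: {tag}")
        elif PRIMARY_RE.match(tag):
            report["primary"].append(tag)
            if tag not in TAXONOMY:
                report["problems"].append(f"unknown primary classification: {tag}")
        else:
            kind = classify_dynamic(tag)
            if kind is None:
                # Free text that fits neither the taxonomy nor a dynamic shape is the
                # usual source of inconsistency (typos, ad-hoc labels).
                report["problems"].append(f"unclassified free-text tag: {tag}")
            else:
                report["dynamic"].setdefault(kind, []).append(tag)

    if not report["primary"]:
        report["problems"].append("no primary classification tag")

    # Every sub-classification must sit next to the primary its number points at.
    for sub in report["sub"]:
        number = SUB_RE.match(sub).group(1)
        parent = PRIMARY_BY_NUMBER.get(number)
        if parent is None:
            report["problems"].append(f"{sub}: no primary classification numbered {number}")
        elif parent not in report["primary"]:
            report["problems"].append(f"{sub} requires primary tag {parent}")
    return report


if __name__ == "__main__":
    # Constructed sample case: a phishing case with user, mailbox and workstation tagged.
    sample = ["2_Phishing", "2.1_Credential_Harvest", "jane.doe",
              "jane.doe@example.com", "ws-0421"]
    for key, value in validate_case(sample).items():
        print(f"{key}: {value}")
```

Running the check from a playbook step (or a SmartResponse-style automation) turns the "one primary, matching sub-classification" rule into something the analyst gets immediate feedback on, rather than something discovered months later when a report comes back skewed by stray free-text tags.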
Figure 2: Filtering cases using tags
Let’s walk through a real-world scenario of how an analyst would use tagging on a day-to-day basis.
Figure 3: Adding more tags within the case
Figure 4: Adding dynamic tags within the case
Figure 5: An exception tag is added to the case
After you’ve had the chance to go through this process a few times, you will be able to reference the tags you’ve added to previous cases, which will help your team:
Here are a few tips that can help you build your own taxonomy. You can even use these tips to build on the above example.
However, there’s always room for automation using the LogRhythm APIs and LogRhythm’s SOAR solution, SmartResponse™ automations. LogRhythm provides several resources, such as the SmartResponse™ Automation Plugin Library, to familiarize you with the plugins it supports.
What taxonomy are you using in your organization? Please let us know in the comments below and provide feedback. We also encourage you to share your own tagging schema or questions with other LogRhythm users in Community.
Dan is a valued LogRhythm contributor and has earned 40 Community badges.