Sequences and Evaluations may include two types of tags:
- General Tags: these tags can be already assigned (Validation Tags which have a black background) or added by users (which have a white background)
- Threat Actor Aliases (if you have the Threat Actor Assurance Module (TAAM))
These tags provide additional information about what the Sequence or Evaluation is related to (malware, TTPs such as MITRE ATT&CK Tactics, Techniques, and Sub-Techniques, and Threat Actors). They also offer guidance on how to run the Action and provide information about the type of controls that are tested against.
User Tags further refine the content. For example, a Sequence that models behaviors associated with TeslaCrypt ransomware, can be tagged with "TeslaCrypt" and "Ransomware". All Actions that are included in that Sequence can include the same tags. Tags are searchable and may be used in various reports.
Users can create tags that are the same as Validation Tags. When you filter content using tags, the tag will only appear once. However, the filter results include content that has either a Validation Tag or User Tag that matches the filter.
When you clone an Evaluation or Sequence, the tags are added to the clone. Validation Threat Actor Alias tags are copied to the new Evaluation as Validation Threat Actor Alias tags so results of Jobs appear on the TAAM Dashboard. All other tags are copied over as User Tags.
General Tags
Here you will find tags that categorize the Evaluation or Sequence. Compared to Actions, there are fewer tags applied to Sequences and Evaluations because they require broader categories. For example, you may see ATT&CK Tactics but not ATT&CK Techniques or Sub-Techniques. When you add tags, you should use the following formats.
| Tag category | Recommended Format |
|---|---|
| MITRE ATT&CK Tactics | ATT&CK:TA#### |
| MITRE ATT&CK Techniques | T#### |
| MITRE ATT&CK Sub-Techniques | T####.### |
| Malware families | Malware:malware family (no spaces) |
| CVEs | CVE-yyyy-### |
| Threat Actors | threat actor |
| general | general |
When in doubt, use the Tags Filter to search for a Validation Tag and follow that format. You can add User Tags that are the same as Validation Tags.
Threat Actor Aliases
When you have the Threat Actor Assurance Module (TAAM), you can associate any existing Evaluation and Sequence to a Threat Actor by adding its Threat Actor Alias tag. When you do this step, the Evaluation or Sequence appears in the Sequences and Evaluations section of the Threat Actor's profile.

Threat Actor Aliases on a Sequence or Evaluation
Add Tags to Sequences and Evaluations
- Navigate to the Sequence or Evaluation that you want to add a tag to.
- Add User Tags
- In the User Tags section, click Add. The list of existing Tags is displayed.
- Select a Tag from the list. You can also click in the enter Tag field and type a full or partial tag to limit the list of available tags. If the tag you want to add doesn't exist, type it and then click New Tag: tag. The tags you enter or add appear with a white background. The Sequence or Evaluation will now appear on the Threat Actor.
Add Threat Actor Aliases.
This section is only available if you have the TAAM module.
- In the Threat Actor Aliases section, click Add. The list of existing Tags is displayed.
Select a Tag from the list. You can also click in the enter Tag field and type a full or partial tag to limit the list of available tags. If the tag you want to add doesn't exist, type it and then click New Tag: tag. The tags you enter or add appear with a white background. The Sequence or Evaluation will now appear on the Threat Actor.
If you create a new Tag, you need to edit the Threat Actor to include that tag as well.

User Tag and Threat Actor Aliases on a Sequence