Skip to main content

Understanding Tags in Qevlar AI

Updated

πŸ’‘ A Guide to Using Tags for Enhanced Security Investigations

Overview

Tags are a powerful feature in Qevlar AI that provide quick, accurate, and actionable intelligence about investigations and observables. They help you rapidly understand threats, prioritise your response efforts, and make informed decisions about security incidents.

Qevlar AI uses two types of tags to organise and present investigation findings:

Types of Tags

Observable Tags

Observable tags appear in the Observables table within investigation reports. They are attached to specific observables (such as IP addresses, domains, URLs, files, email addresses, and users) to provide context and indicate what the investigation has discovered about them.

Observable tags help you quickly identify:

  • Risk indicators associated with specific observables
  • Actions that have been taken (blocked, quarantined, removed)
  • User interactions with threats (clicked, downloaded, executed)
  • Context about the observable's characteristics (country, private, trusted)

Insight Tags

Insight tags appear in the header of investigation reports and provide a high-level summary of the most important findings. They aggregate information from multiple observable tags to give you an immediate understanding of the threat landscape for that investigation.

Up to 4 insight tags are displayed, prioritised by their significance to your security posture. These tags help you:

  • Quickly assess the severity and type of threat
  • Understand the scope of impact (how many users, which VIPs)
  • Identify critical actions that occurred (malicious URL clicked, file executed)

Tag Categories

Tags are organised into several categories based on the type of information they convey. Understanding these categories helps you quickly interpret what each tag means for your investigation.

Threat Classification Tags

These tags identify the nature and severity of threats detected in your environment.

  • Malicious – The observable has been confirmed as malicious through threat intelligence or analysis
  • Suspicious – The observable exhibits suspicious characteristics that warrant investigation
  • Phishing – Email or URL identified as part of a phishing campaign
  • Reconnaissance – Email classified as reconnaissance activity by Qevlar Eye
  • Scam – Content identified as fraudulent or deceptive
  • Spam – Unsolicited bulk email detected
  • Marketing – Email identified as marketing/promotional content
  • Grayware – Software that exhibits unwanted behaviour but may not be outright malicious
  • Hacktool – Legitimate security tools that could be used maliciously
  • Malware – Malware has been detected
  • PUA – Potentially Unwanted Application

Advanced File Threat Classifications

These specialised tags identify specific malware behaviours and characteristics detected through sandbox analysis.

  • Ransomware – File can potentially encrypt files or restrict access until a ransom is paid
  • Trojan or Bot – File capable of covertly executing commands or being controlled remotely
  • Spyware – File may steal sensitive information and track user activity
  • Banker – Malware that monitors or modifies e-banking transactions
  • Evader – File can potentially bypass OS protections and obfuscate its behaviour
  • Exploiter – File can cause the system to execute code unintentionally by exploiting vulnerabilities
  • Spreading – File exhibits behaviour that could infect other devices or network systems
  • Miner – File can use the host device to mine cryptocurrencies
  • Adware – File potentially injects advertisements into browser results

User Interaction Tags

These tags indicate how users have interacted with potentially malicious content, helping you assess the level of exposure and potential compromise.

  • Clicked – A user clicked on a URL
  • Visited – A URL was visited by a user
  • Downloaded – A file was downloaded by a user
  • Executed – A file or process was executed (Coming soon!)
  • Opened – A file was opened by a user (Coming soon!)
  • Replied – A recipient replied to a suspicious email
  • Forwarded – A recipient forwarded a suspicious email to others

Containment Action Tags

These tags show what security controls have automatically or manually acted upon threats, helping you understand the current containment status.

  • Blocked – Observable was blocked by a preventative security system (currently available for Email and File observables)
  • Quarantined – File has been quarantined
  • Removed – Email or file was removed by security systems
  • Junked – Email was delivered to the junk folder

Email Authentication Tags

These tags indicate the results of email authentication checks, which are critical for identifying spoofed or forged emails.

  • Email Authentication Failed - When any of the below is observed
  • DMARC Failed – Email failed DMARC authentication
  • SPF Failed – Email failed SPF authentication
  • DKIM Failed – Email failed DKIM authentication
  • CompAuth Failed – Email failed composite authentication

Infrastructure & Network Tags

These tags provide context about the network infrastructure associated with observables.

  • Country – Geographic location of the IP address
  • Private – IP address is within private address space
  • VPN – IP address belongs to a VPN service
  • Proxy – IP address is a known proxy server
  • Hosting – IP is associated with a data center or cloud provider
  • Service Provider – IP belongs to a recognized service provider (Google, Amazon, etc.)

User Context Tags

These tags identify users who may require special attention due to their role or access privileges within your organisation.

  • VIP – User has been identified as a VIP (executive, board member, etc.)
  • High Privileged User – User has elevated system or application privileges

Investigation Context Tags

These tags provide additional context about the investigation process and findings.

  • Investigated – Observable was directly investigated and has corresponding investigation steps
  • Embedded – URL was embedded within email content (currently available for URLs)
  • Redirection – URL was discovered as part of a redirection chain
  • Attached – File was attached to an email
  • QR Code – Observable was extracted from a QR code
  • Typosquatting – Domain appears to be impersonating a legitimate domain
  • Suspected Typosquatting – Domain exhibits characteristics suggesting potential typosquatting
  • Mass Distribution – Email was sent to 500 or more recipients
  • Needs Corroboration – Finding requires human validation to reach a final determination
  • Missing Body – Email alert does not contain the message body
  • Trusted – Domain is on your organisation's or Qevlar's trusted list
  • Downloadable Content – URL is a download link
  • Signed – File has been verified as signed
  • Sender – Observable is associated with the email sender
  • Recipient – Email address is a recipient (currently available for email addresses)

How Tags Enhance Your Workflow

Rapid Triage

When managing multiple security alerts, insight tags allow you to instantly identify which investigations require immediate attention. Tags like 'Malicious URL Clicked' or 'VIP' immediately signal high-priority cases that need rapid response.

Example:

An investigation showing:

Insight Tags: Phishing | Malicious URL Clicked | VIP

...tells you immediately that a VIP user clicked on a malicious phishing link, requiring urgent investigation and potential containment actions.

Understanding Impact

Tags help you quickly assess how far a threat has progressed. User interaction tags like 'Downloaded', β€˜Clicked’, or 'Opened' indicate increasing levels of potential compromise, while containment tags like 'Blocked' or 'Quarantined' show that security controls successfully prevented the threat.

The presence of multiple user interaction tags escalates the severity:

ScenarioRisk LevelImplication
Just 'Clicked' on a URL⚠️ MediumUser accessed potentially malicious content
'Clicked' + 'Downloaded'πŸ”Ά HighMalicious file now on user's system
'Downloaded' + Multiple threat classificationsπŸ”΄ CriticalMultiple malware behaviours detected, high confidence threat

Focused Investigation

Observable tags in the investigation report help you quickly locate the most important findings. Instead of reviewing every detail, you can focus on observables with specific tags relevant to your investigation goals.

Supporting Automation and Notifications

Tags enable automated response workflows. Your security orchestration systems can take programmatic actions based on specific tag combinations:

  • Auto-quarantine files tagged as 'Malicious' and 'Downloaded'
  • Escalate investigations involving 'VIP' users
  • Block domains tagged as 'Typosquatting'
  • Generate alerts for 'Malicious URL Clicked' scenarios

Contextual Decision Making

Tags provide context that helps you make better decisions. Understanding that an IP address is from a 'VPN' or 'Hosting' provider, or that a domain is 'Trusted', helps you assess whether observed behaviour is suspicious or expected for your environment.

Best Practices for Using Tags

Start with Insight Tags

When reviewing a new investigation, begin by examining the insight tags in the report header. These provide the highest-level summary and help you quickly determine the investigation's priority and required actions.

Prioritise High-Severity Combinations

Pay special attention to investigations that combine threat classification tags with user interaction tags, particularly when VIP users are involved:

⚠️ High-Priority Combinations:

  • Malicious + Clicked/Downloaded/Executed = Active threat requiring immediate response
  • Phishing + VIP = High-priority due to potential business impact
  • Authentication Failed + Mass Distribution = Potential spoofing campaign

Leverage Advanced File Classifications

When investigating file-based threats, pay close attention to the specific malware behaviour tags:

  • Ransomware requires immediate isolation and backup verification
  • Banker malware necessitates credential monitoring and financial transaction review
  • Spreading behaviour indicates potential lateral movement risk
  • Evader + Exploiter combinations suggest sophisticated threat actors

Validate Containment Status

Always check for containment action tags (Blocked, Quarantined, Removed) to understand what security controls have already responded to the threat. This helps you avoid duplicate efforts and focus on any gaps in coverage.

Consider Context Tags

Don't overlook context tags like 'Trusted', 'Service Provider', or 'Mass Distribution'. These can help you differentiate between genuine threats and false positives, ensuring you focus your efforts where they matter most.

Follow Investigation Chains

Use tags like 'Redirection', 'Embedded', and 'Attached' to understand the full attack chain. These tags help you see how threats are delivered and identify all components that need investigation or remediation.

Conclusion

Tags are designed to accelerate your security operations by providing immediate, actionable intelligence about threats and observables in your environment. By understanding the different categories of tags and how to use them effectively, you can:

βœ… Triage alerts faster and more accurately

βœ… Focus investigations on the most critical findings

βœ… Make informed decisions about response actions

βœ… Automate workflows based on threat characteristics

βœ… Reduce mean time to respond (MTTR) to security incidents

Related articles