A Guide to Using Tags for Enhanced Security Investigations
Overview
Tags are a powerful feature in Qevlar AI that provide quick, accurate, and actionable intelligence about investigations and observables. They help you rapidly understand threats, prioritise your response efforts, and make informed decisions about security incidents.
Qevlar AI uses two types of tags to organise and present investigation findings:
Types of Tags
Observable Tags
Observable tags appear in the Observables table within investigation reports. They are attached to specific observables (such as IP addresses, domains, URLs, files, email addresses, and users) to provide context and indicate what the investigation has discovered about them.
Observable tags help you quickly identify:
- Risk indicators associated with specific observables
- Actions that have been taken (blocked, quarantined, removed)
- User interactions with threats (clicked, downloaded, executed)
- Context about the observable's characteristics (country, private, trusted)
Insight Tags
Insight tags appear in the header of investigation reports and provide a high-level summary of the most important findings. They aggregate information from multiple observable tags to give you an immediate understanding of the threat landscape for that investigation.
Up to 4 insight tags are displayed, prioritised by their significance to your security posture. These tags help you:
- Quickly assess the severity and type of threat
- Understand the scope of impact (how many users, which VIPs)
- Identify critical actions that occurred (malicious URL clicked, file executed)
Tag Categories
Tags are organised into several categories based on the type of information they convey. Understanding these categories helps you quickly interpret what each tag means for your investigation.
Threat Classification Tags
These tags identify the nature and severity of threats detected in your environment.
- Malicious – The observable has been confirmed as malicious through threat intelligence or analysis
- Suspicious – The observable exhibits suspicious characteristics that warrant investigation
- Phishing – Email or URL identified as part of a phishing campaign
- Reconnaissance – Email classified as reconnaissance activity by Qevlar Eye
- Scam – Content identified as fraudulent or deceptive
- Spam – Unsolicited bulk email detected
- Marketing – Email identified as marketing/promotional content
- Grayware – Software that exhibits unwanted behaviour but may not be outright malicious
- Hacktool – A legitimate security tool that could be used maliciously
- Malware – Malware has been detected
- PUA – Potentially Unwanted Application
Advanced File Threat Classifications
These specialised tags identify specific malware behaviours and characteristics detected through sandbox analysis.
- Ransomware – File can potentially encrypt files or restrict access until a ransom is paid
- Trojan or Bot – File capable of covertly executing commands or being controlled remotely
- Spyware – File may steal sensitive information and track user activity
- Banker – Malware that monitors or modifies e-banking transactions
- Evader – File can potentially bypass OS protections and obfuscate its behaviour
- Exploiter – File can cause the system to execute code unintentionally by exploiting vulnerabilities
- Spreading – File exhibits behaviour that could infect other devices or network systems
- Miner – File can use the host device to mine cryptocurrencies
- Adware – File potentially injects advertisements into browser results
User Interaction Tags
These tags indicate how users have interacted with potentially malicious content, helping you assess the level of exposure and potential compromise.
- Clicked – A user clicked on a URL
- Visited – A URL was visited by a user
- Downloaded – A file was downloaded by a user
- Executed – A file or process was executed (Coming soon!)
- Opened – A file was opened by a user (Coming soon!)
- Replied – A recipient replied to a suspicious email
- Forwarded – A recipient forwarded a suspicious email to others
Containment Action Tags
These tags show what security controls have automatically or manually acted upon threats, helping you understand the current containment status.
- Blocked – Observable was blocked by a preventative security system (currently available for Email and File observables)
- Quarantined – File has been quarantined
- Removed – Email or file was removed by security systems
- Junked – Email was delivered to the junk folder
Email Authentication Tags
These tags indicate the results of email authentication checks, which are critical for identifying spoofed or forged emails.
- Email Authentication Failed – Applied when any of the following checks fails:
  - DMARC Failed – Email failed DMARC authentication
  - SPF Failed – Email failed SPF authentication
  - DKIM Failed – Email failed DKIM authentication
  - CompAuth Failed – Email failed composite authentication
Infrastructure & Network Tags
These tags provide context about the network infrastructure associated with observables.
- Country – Geographic location of the IP address
- Private – IP address is within private address space
- VPN – IP address belongs to a VPN service
- Proxy – IP address is a known proxy server
- Hosting – IP is associated with a data centre or cloud provider
- Service Provider – IP belongs to a recognised service provider (Google, Amazon, etc.)
User Context Tags
These tags identify users who may require special attention due to their role or access privileges within your organisation.
- VIP – User has been identified as a VIP (executive, board member, etc.)
- High Privileged User – User has elevated system or application privileges
Investigation Context Tags
These tags provide additional context about the investigation process and findings.
- Investigated – Observable was directly investigated and has corresponding investigation steps
- Embedded – URL was embedded within email content (currently available for URLs)
- Redirection – URL was discovered as part of a redirection chain
- Attached – File was attached to an email
- QR Code – Observable was extracted from a QR code
- Typosquatting – Domain appears to be impersonating a legitimate domain
- Suspected Typosquatting – Domain exhibits characteristics suggesting potential typosquatting
- Mass Distribution – Email was sent to 500 or more recipients
- Needs Corroboration – Finding requires human validation to reach a final determination
- Missing Body – Email alert does not contain the message body
- Trusted – Domain is on your organisation's or Qevlar's trusted list
- Downloadable Content – URL is a download link
- Signed – File has been verified as signed
- Sender – Observable is associated with the email sender
- Recipient – Email address is a recipient (currently available for email addresses)
How Tags Enhance Your Workflow
Rapid Triage
When managing multiple security alerts, insight tags allow you to instantly identify which investigations require immediate attention. Tags like 'Malicious URL Clicked' or 'VIP' immediately signal high-priority cases that need rapid response.
Example:
An investigation showing:
Insight Tags: Phishing | Malicious URL Clicked | VIP
...tells you immediately that a VIP user clicked on a malicious phishing link, requiring urgent investigation and potential containment actions.
Understanding Impact
Tags help you quickly assess how far a threat has progressed. User interaction tags like 'Downloaded', 'Clicked', or 'Opened' indicate increasing levels of potential compromise, while containment tags like 'Blocked' or 'Quarantined' show that security controls successfully prevented the threat.
The presence of multiple user interaction tags escalates the severity:
| Scenario | Risk Level | Implication |
|---|---|---|
| Just 'Clicked' on a URL | ⚠️ Medium | User accessed potentially malicious content |
| 'Clicked' + 'Downloaded' | 🔶 High | Malicious file now on user's system |
| 'Downloaded' + Multiple threat classifications | 🔴 Critical | Multiple malware behaviours detected, high confidence threat |
Focused Investigation
Observable tags in the investigation report help you quickly locate the most important findings. Instead of reviewing every detail, you can focus on observables with specific tags relevant to your investigation goals.
Supporting Automation and Notifications
Tags enable automated response workflows. Your security orchestration systems can take programmatic actions based on specific tag combinations:
- Auto-quarantine files tagged as 'Malicious' and 'Downloaded'
- Escalate investigations involving 'VIP' users
- Block domains tagged as 'Typosquatting'
- Generate alerts for 'Malicious URL Clicked' scenarios
Contextual Decision Making
Tags provide context that helps you make better decisions. Understanding that an IP address is from a 'VPN' or 'Hosting' provider, or that a domain is 'Trusted', helps you assess whether observed behaviour is suspicious or expected for your environment.
Best Practices for Using Tags
Start with Insight Tags
When reviewing a new investigation, begin by examining the insight tags in the report header. These provide the highest-level summary and help you quickly determine the investigation's priority and required actions.
Prioritise High-Severity Combinations
Pay special attention to investigations that combine threat classification tags with user interaction tags, particularly when VIP users are involved:
⚠️ High-Priority Combinations:
- Malicious + Clicked/Downloaded/Executed = Active threat requiring immediate response
- Phishing + VIP = High-priority due to potential business impact
- Authentication Failed + Mass Distribution = Potential spoofing campaign
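As an added example (not Qevlar AI's own code), the following Python evaluates the risk table under 'Understanding Impact', the high-priority combinations listed above, and the orchestration actions from 'Supporting Automation and Notifications' against one investigation. The Observable record shape, the grouping of tag names into sets, and the sample observables are assumptions made for this illustration; only the tag names come from this guide.

```python
from collections import namedtuple

# Tag names are the guide's; the grouping and the record shape are this example's own assumptions.
THREAT_CLASSES = {"Malicious", "Suspicious", "Phishing", "Malware", "Ransomware", "Trojan or Bot",
                  "Spyware", "Banker", "Evader", "Exploiter", "Spreading", "Miner", "Adware"}
AUTH_FAILURES = {"DMARC Failed", "SPF Failed", "DKIM Failed", "CompAuth Failed"}
Observable = namedtuple("Observable", "kind value tags")  # kind: email, url, file, ip, domain, user

def impact_level(observables):
    # Risk level from the 'Understanding Impact' table; "Low" when no row matches.
    tags = set().union(*(o.tags for o in observables))
    if any("Downloaded" in o.tags and len(o.tags & THREAT_CLASSES) >= 2 for o in observables):
        return "Critical"   # Downloaded + multiple threat classifications
    if {"Clicked", "Downloaded"} <= tags:
        return "High"       # Clicked + Downloaded
    return "Medium" if "Clicked" in tags else "Low"

def priority_flags(observables):
    # Combinations from 'Prioritise High-Severity Combinations'.
    tags, flags = set().union(*(o.tags for o in observables)), []
    if any("Malicious" in o.tags and o.tags & {"Clicked", "Downloaded", "Executed"} for o in observables):
        flags.append("Active threat requiring immediate response")
    if {"Phishing", "VIP"} <= tags:
        flags.append("High-priority: phishing involving a VIP")
    if tags & AUTH_FAILURES and "Mass Distribution" in tags:
        flags.append("Potential spoofing campaign")
    return flags

def automation_actions(observables):
    # Orchestration actions from 'Supporting Automation and Notifications'.
    actions = []
    for o in observables:
        if o.kind == "file" and {"Malicious", "Downloaded"} <= o.tags:
            actions.append(("quarantine", o.value))
        if o.kind == "domain" and "Typosquatting" in o.tags:
            actions.append(("block", o.value))
        if o.kind == "url" and {"Malicious", "Clicked"} <= o.tags:
            actions.append(("alert", "Malicious URL Clicked"))
    if any("VIP" in o.tags for o in observables):
        actions.append(("escalate", "VIP user involved"))
    return actions

SAMPLE = [  # constructed sample investigation; values are placeholders, not real indicators
    Observable("email", "message-1", {"Phishing", "DMARC Failed", "SPF Failed"}),
    Observable("url", "http://examp1e.invalid/login", {"Malicious", "Clicked", "Embedded"}),
    Observable("domain", "examp1e.invalid", {"Typosquatting"}),
    Observable("file", "invoice.exe", {"Malicious", "Trojan or Bot", "Downloaded"}),
    Observable("user", "exec@example.invalid", {"VIP"}),
]
```

Running the three functions over SAMPLE yields "Critical", the first two priority flags, and four actions (alert, block, quarantine, escalate); the spoofing-campaign flag only fires when an authentication failure coincides with 'Mass Distribution'.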
Leverage Advanced File Classifications
When investigating file-based threats, pay close attention to the specific malware behaviour tags:
- Ransomware requires immediate isolation and backup verification
- Banker malware necessitates credential monitoring and financial transaction review
- Spreading behaviour indicates potential lateral movement risk
- Evader + Exploiter combinations suggest sophisticated threat actors
Validate Containment Status
Always check for containment action tags (Blocked, Quarantined, Removed) to understand what security controls have already responded to the threat. This helps you avoid duplicate efforts and focus on any gaps in coverage.
Consider Context Tags
Don't overlook context tags like 'Trusted', 'Service Provider', or 'Mass Distribution'. These can help you differentiate between genuine threats and false positives, ensuring you focus your efforts where they matter most.
Follow Investigation Chains
Use tags like 'Redirection', 'Embedded', and 'Attached' to understand the full attack chain. These tags help you see how threats are delivered and identify all components that need investigation or remediation.
Conclusion
Tags are designed to accelerate your security operations by providing immediate, actionable intelligence about threats and observables in your environment. By understanding the different categories of tags and how to use them effectively, you can:
✅ Triage alerts faster and more accurately
✅ Focus investigations on the most critical findings
✅ Make informed decisions about response actions
✅ Automate workflows based on threat characteristics
✅ Reduce mean time to respond (MTTR) to security incidents