Version: Spectra Analyze 9.1.0

Tags

The Spectra Analyze appliance supports two types of tags: System Tags and User Tags. Both types of tags are visible for every sample in the Expanded Details and on the Sample Details ‣ Summary page.

Spectra Core automatically adds System Tags to new samples during analysis based on their metadata properties. It is not possible to change or add new System Tags to samples manually. Samples analyzed with Spectra Core version 3.7.1 will not have any System Tags. Users should submit such samples for reanalysis with Spectra Core to receive System Tags.

User Tags are completely custom; any Spectra Analyze user can add and remove User Tags on all local samples on the appliance. User Tags are shared between all users of a Spectra Analyze instance. In other words, every user can see the tags created by other users, assign those tags to samples, or remove them from samples.

User Tags are local-only and unique to each Spectra Analyze instance. They are not stored in the Spectra Intelligence cloud when a sample with User Tags is submitted for analysis.

Searching for Samples by Tags

There are several ways to find all samples tagged with a particular tag.

  1. Use the Sample Search bar on the uploads page. Type in the hash symbol (#) followed by the tag (for example, #desktop). The search feature supports partial matching, so searching for #desktop will also find tags that contain the word “desktop” (for example, #desktop_app, #malicious_desktop, #zdesktop).

  2. Or, click the tag in the list of User Tags on Expanded Details or on the Sample Details ‣ Summary page.

    In both cases, the Tags page will be displayed and filtered by the selected tag. This applies to both System Tags and User Tags.

  3. If access to the Advanced Search feature is enabled on the appliance, use the tag keyword to find samples with System Tags, and the tag-user keyword to look for samples with User Tags. Both keywords are case-insensitive and support wildcard matching. All samples with the queried tags are listed on the search results page, and divided into Local and Cloud depending on their location.

Adding User Tags to Samples

All Spectra Analyze users can create their own User Tags or add already existing ones to samples on the appliance. Keep in mind the following rules and limitations when creating new User Tags:

  • User Tags are case-sensitive and distinguish spaces from underscores. In other words, Example and example are two separate tags; test_tag and test tag are separate tags, too.
  • A single tag must be between 2 and 40 characters long (including spaces), matching the supported pattern. Supported characters for tags are [a-z0-9][a-z0-9 /._-]. The following examples are valid tags: malware_1, ClassifiedByYARA, false-positive, Better.Test/Tag. The following examples illustrate invalid tags: Ž++, #hashtag, *.exe.
  • It is possible to create a User Tag with the same name as a System Tag. For example, there can be an indicators System Tag, and a user can create their own indicators tag. Removing a User Tag does not affect the System Tag in any way.
  • If the user attempts to add a tag that is identical to a System Tag already added to the sample, it will be ignored (not added to the sample). However, it is possible to add a User Tag identical to a System Tag if the sample does not have that System Tag. For example, antisandbox is a System Tag. If a sample has this System Tag, attempting to add a User Tag called antisandbox will fail. If the sample doesn’t have it, antisandbox will be added as a User Tag.
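
An added example, not part of the Spectra Analyze documentation or product code: a local pre-check that applies the rules above to a comma-separated list of tags before they are submitted to the appliance. It assumes the character classes are applied case-insensitively (the page's own valid examples contain capitals) and that "identical" to a System Tag means an exact, case-sensitive match; the function names and sample tags are constructed.

```python
import re

# Assumption: the documented classes [a-z0-9][a-z0-9 /._-] are applied
# case-insensitively, since ClassifiedByYARA and Better.Test/Tag are valid.
# One leading character plus 1 to 39 more gives the 2 to 40 length limit.
TAG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 /._-]{1,39}")


def is_valid_user_tag(tag):
    """True if the tag fits the documented length and character rules."""
    return TAG_RE.fullmatch(tag) is not None


def plan_user_tags(requested, system_tags_on_sample, user_tags_on_sample=()):
    """Sort a comma-separated tag list into what would happen to each tag.

    add      valid, new User Tags for this sample
    ignored  identical to a System Tag the sample already has
    already  User Tag already on the sample, or repeated in the input
    invalid  breaks the length or character rules
    """
    system = set(system_tags_on_sample)
    present = set(user_tags_on_sample)
    plan = {"add": [], "ignored": [], "already": [], "invalid": []}
    for raw in requested.split(","):
        tag = raw.strip()  # inner spaces are kept: "test tag" != "test_tag"
        if not tag:
            continue
        if not is_valid_user_tag(tag):
            plan["invalid"].append(tag)
        elif tag in system:  # exact match, so "Antisandbox" is not ignored
            plan["ignored"].append(tag)
        elif tag in present or tag in plan["add"]:
            plan["already"].append(tag)
        else:
            plan["add"].append(tag)
    return plan


if __name__ == "__main__":
    # Constructed sample: System Tags already present on one sample.
    sample_system_tags = ["antisandbox", "indicators"]
    requested = "malware_1, Example, example, test tag, antisandbox, #hashtag, *.exe"
    for outcome, tags in plan_user_tags(requested, sample_system_tags).items():
        print(outcome, tags)
```
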

User Tags can be added to local samples (or removed from them) in several ways.

Adding User Tags to individual samples

  1. In the Expanded Details for a sample, click the Edit Tags button in the list of User Tags, or click the icon to the right of the list. This can be done from any Spectra Analyze page that supports Expanded Details (Search results, Alerts, YARA, Tags, Sample Details > Extracted Files).

  2. Or, on the Sample Details ‣ Summary page, find the list of User Tags and click Edit Tags.

  3. Or, on the Search page, select a sample and click the triple bar button next to the Size column title. In the menu that opens, select the Apply tags option.

    In all three cases, the Edit tags dialog opens and displays the current list of User Tags if any are assigned to the sample.

    Start typing into the dialog and a pull-down menu with suggestions will appear if the letters match any of the existing tags. Select the desired tags from the pull-down, or type in the name of a new tag. To remove existing tags from the sample, if there are any, delete them from the input field in the dialog. Click Save to confirm the changes.

  4. Use the Modify tags API to list User Tags for a sample, add new ones, and remove existing ones.

Adding User Tags to samples in bulk

Select one or more samples on any of the pages that support bulk tagging (Submissions, YARA, Tags, Sample Details > Extracted Files).

While the samples are selected, choose the Apply tags option from the bulk actions menu next to the Size column title.

This opens the Edit tags dialog. Start typing into the dialog and a pull-down menu with suggestions will appear if the letters match any of the existing tags. Select the desired tags from the pull-down, or type in the name of a new tag. To add multiple tags at once, separate them with commas (e.g., tag1, tag2, tag3).

To remove existing tags from the sample, if there are any, delete them from the input field in the dialog.

Dialog for adding tags with autocomplete pull-down menu

Click Save to confirm the changes. The dialog will automatically close, and a notification about the changed tags will appear in the upper right corner.

To add User Tags to samples from Spectra Intelligence, the samples must first be downloaded to the appliance. When they are downloaded, User Tags can be added in any of the ways described on this page.