Live Content Search Tags

This topic describes the Advanced Security Operations Center (ASOC) tags. These tags are used to organize Live content and to deliver an accurate path to information security incident response. In the Live Search view, the tags appear as:

  • Tags in Security Analytics 10.x
  • Categories in NetWitness 11.x


The objective of a tag is to catalog existing content for deployment according to an incident response approach. Currently, the model contains the following tags:

  • accounting
  • action on objectives
  • application analysis
  • assurance
  • attack phase
  • audit
  • authentication
  • authorization
  • command and control
  • compliance
  • corporate
  • crimeware
  • data exfiltration
  • data sabotage
  • delivery
  • denial of service
  • event analysis
  • exploit
  • featured
  • file analysis
  • filters
  • flow analysis
  • identity
  • installation
  • key loggers
  • lateral movement
  • log analysis
  • malware
  • malware analysis
  • operations
  • organizational hazard
  • protocol analysis
  • reconnaissance
  • remote access trojans
  • risk
  • situation awareness
  • spectrum
  • threat
  • vulnerability management
  • web shells

These tags are a part of the investigation model described in the NetWitness Investigation Model.

Note: When you search in Live, the categories or tags you enter are ORed. That is, if you search for threat and assurance, all content that is tagged as either threat or assurance is returned.

Example: Live Search in NetWitness 11.x, or Live Search in Security Analytics 10.x.