Tags

Event Tagging allows administrators to manually tag events with predefined labels ("attack", "suspicious", "patch", "acceptable change", "false positive", "high priority", etc.) and to define custom labels ("Assigned to Tom for review", etc.).

In addition to manual tagging, events can be tagged automatically by using a "Trusted Computer", which is particularly useful for managing Integrity Monitoring events. For example, a planned patch rollout can first be applied to the trusted computer, and the events associated with applying the patch can be tagged as "Patch X". Similar events raised on other systems can then be tagged automatically as "acceptable changes", reducing the number of events that an administrator needs to analyze.
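The trusted-computer idea above, sketched as an added example (not the product's code or API): events tagged on the trusted host form a baseline, and matching events on other hosts are auto-tagged. The similarity rule (same path, change type and post-change hash), the `Event` fields and all sample values are assumptions made for this illustration.

```python
# Added illustration, not product code. Assumption: two Integrity Monitoring
# events are "similar" when path, change type and post-change SHA-256 all match.
from dataclasses import dataclass, field

@dataclass
class Event:
    host: str
    path: str
    change: str      # "created", "updated" or "deleted"
    sha256: str      # hash of the entity after the change
    tags: set = field(default_factory=set)

def signature(e):
    # Windows paths are case-insensitive, so compare them lowercased.
    return (e.path.lower(), e.change, e.sha256)

def auto_tag(events, trusted_host, source_tag, label="acceptable change"):
    """Tag events on other hosts that match tagged events from the trusted
    computer. Returns the events left untagged, i.e. still needing review."""
    baseline = {signature(e) for e in events
                if e.host == trusted_host and source_tag in e.tags}
    needs_review = []
    for e in events:
        if e.host == trusted_host:
            continue
        if signature(e) in baseline:
            e.tags.add(label)
        elif not e.tags:
            needs_review.append(e)
    return needs_review

# Constructed sample events (hosts, paths and hashes are made up).
GOOD, BAD = "a" * 64, "b" * 64
DLL = r"C:\Windows\System32\example.dll"
EVENTS = [
    Event("trusted-01", DLL, "updated", GOOD, {"Patch X"}),
    Event("web-01", DLL, "updated", GOOD),
    Event("web-02", DLL.lower(), "updated", GOOD),
    Event("db-01", DLL, "updated", BAD),   # same file, different content
    Event("db-01", r"C:\Users\Public\run.exe", "created", GOOD),  # not in baseline
]

if __name__ == "__main__":
    for e in auto_tag(EVENTS, "trusted-01", "Patch X"):
        print("needs review:", e.host, e.path, e.change)
```

The two db-01 events stay untagged because one has a different post-change hash and the other never occurred on the trusted host, so both remain in the review queue.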

Event tagging enables specialized views of events, dashboards, and reports. A tag can be applied to a single event, to similar events, or even to all future similar events.

Tags

All currently defined tags are displayed on the Policies > Common Objects > Other > Tags page. This includes predefined as well as custom tags. (Only tags that are currently in use are displayed.)

Delete Tags: Deleting a tag removes the tag from all events to which it is attached.

Auto-Tag Rules

Auto-Tag Rules are created by selecting events and choosing to tag similar items.

For information on Event Tagging procedures, see Event Tagging.