Detailed Explanation of Subflow 1 - Extract Observables
9.0
, you should refer to this page.

The subflow extracts observables such as IP addresses, URLs, usernames, file hashes, and hostnames from the alert. These observables are critical for understanding the context and impact of an alert, enabling subsequent enrichment, triage, and response actions.
Each template entry pairs a field in the alert payload (e.g., `device.external_ip`) with a corresponding value indicating the observable type (e.g., "IP Address"). For example, when the field is `device.hostname`, the template maps it as "Target Hostname", ensuring consistent extraction across alerts.
The extracted entries cover several kinds of observable (for example IPs, and user observables like usernames). The system dynamically updates the list with valid entries only, which is critical for downstream tasks: an empty or malformed value must not reach enrichment or response steps.
The payload fields mapped in this subflow:

- device.external_ip: Identifies an external IP address potentially involved in an alert.
- device.local_ip: Captures local IPs within the organization's network for context.
- device.hostname: Indicates the specific host impacted by the alert.
- user_name: Extracts usernames related to suspicious activity.
- sha256: Extracts file hashes to identify potentially malicious files.
- parent_details.sha256: Retrieves parent process file hashes for advanced analysis.
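The following is an added example, not the subflow's own code, showing how a field-path-to-observable-type template like the one described above can be applied to an alert payload so that only valid entries reach the observable list. The field paths and the "IP Address" and "Target Hostname" labels come from the page; the "Username" and "File Hash" labels, the validation rules (IP syntax, 64-hex-digit SHA-256, RFC 1123 style hostname), the de-duplication and the sample alert are assumptions made for this example.

```python
"""Template-driven observable extraction with validation (added example)."""
import ipaddress
import re

# Template: payload field path -> observable type label.
# "IP Address" and "Target Hostname" are the page's labels; the others are assumed.
OBSERVABLE_TEMPLATE = {
    "device.external_ip": "IP Address",
    "device.local_ip": "IP Address",
    "device.hostname": "Target Hostname",
    "user_name": "Username",
    "sha256": "File Hash",
    "parent_details.sha256": "File Hash",
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
# RFC 1123 style hostname: dot-separated labels of letters, digits and interior hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def get_path(payload, path):
    """Resolve a dotted path such as 'parent_details.sha256' in a nested dict.

    Returns None when any segment is missing, so absent fields are simply skipped.
    """
    cur = payload
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def is_valid(obs_type, value):
    """Assumed validation rules per observable type; unknown types are rejected."""
    if not isinstance(value, str) or not value.strip():
        return False
    value = value.strip()
    if obs_type == "IP Address":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6, rejects e.g. 999.1.1.1
            return True
        except ValueError:
            return False
    if obs_type == "File Hash":
        return bool(SHA256_RE.match(value))
    if obs_type == "Target Hostname":
        return bool(HOSTNAME_RE.match(value))
    if obs_type == "Username":
        return True
    return False


def extract_observables(payload, template=OBSERVABLE_TEMPLATE):
    """Walk the template, keep only valid values, and de-duplicate by (type, value).

    Each result records the source field so an analyst can trace an observable
    back to the part of the payload it came from.
    """
    seen = set()
    observables = []
    for field, obs_type in template.items():
        raw = get_path(payload, field)
        values = raw if isinstance(raw, list) else [raw]
        for v in values:
            if not is_valid(obs_type, v):
                continue
            v = v.strip()
            if obs_type == "File Hash":
                v = v.lower()  # normalise so upper/lower-case copies collapse to one entry
            key = (obs_type, v)
            if key in seen:
                continue
            seen.add(key)
            observables.append({"type": obs_type, "value": v, "source_field": field})
    return observables


# Constructed sample alert (shape modelled on the fields listed above; not a real detection).
# parent_details.sha256 is deliberately malformed to show it being dropped.
SAMPLE_ALERT = {
    "device": {
        "external_ip": "203.0.113.10",
        "local_ip": "10.20.30.40",
        "hostname": "WS-FINANCE-07",
    },
    "user_name": "jdoe",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "parent_details": {"sha256": "not-a-hash"},
}

if __name__ == "__main__":
    for obs in extract_observables(SAMPLE_ALERT):
        print(f"{obs['type']:16} {obs['value']}  (from {obs['source_field']})")
```

Running the block prints five observables for the constructed alert; the malformed parent hash is dropped rather than forwarded, which is the "valid entries only" behaviour the text calls critical for downstream tasks. Hash normalisation to lower case is an assumption of this example, chosen so the same file reported under two casings yields one observable.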