About Observables
Observables refer to data that indicates a system may have been infiltrated by a cyber threat. They provide cybersecurity teams with crucial knowledge after a data breach or another breach in security. In this section, you can create and manage Observables for your Cases.
Types of Observables
Creating a New Observable
Note:
- You can assign multiple observables to a single case or a single observable to many cases.
- You can also create observables directly from the main Observable table. Navigate to the Observable table, click the ‘New Observable’ button in the top-right corner, and fill out the required parameters.
Navigate to the 'Observables' tab
To attach an Observable to a Case, first double-click on the desired Case. In the overview section of the selected Case, go to the ‘Observables’ tab. Then, click the “New Record” button in the top-right corner.
Open the New Record Form
Fill in all the necessary fields
Fields | Description |
---|---|
Name | The name of the Observable. |
Observable Type | The type of the Observable. |
Content Type | The content value of the Observable. |
Description (Optional) | A written description for the Observable. |
Reputation | An observable’s reputation is a rating that shows how safe or risky it is based on its actions or traits. This helps users decide if they can trust the observable or if they should be cautious. The reputation options range from Unknown (no information) to Malicious (potentially harmful), with levels like Very Safe, Safe, Exercise Caution, and Suspicious/Risky to indicate varying degrees of trustworthiness. |
Enrichment Data | The enrichment data that provides additional information and context on the Observable. |
Linked Cases | The Name and ID of the Case(s) you want to link to this current Observable. |
Linked Attachments | The Name and ID of the Attachment(s) you want to link to this current Observable. |
Linked Tasks | The Name and ID of the Task(s) you want to link to this current Observable. |
Linked Alerts | The Name and ID of the Alert(s) you want to link to this current Observable. |
Linked Observables | The Name and ID of the Observable(s) you want to link to this current Observable. |
Save and add the Observable
Once completed, select the Add Observables button in the bottom-right corner.
Editing Observables
Note: You can also edit Observable(s) directly within the table tab of a case overview. Double-click on the table row to make any necessary changes. Once you have completed your edits, click anywhere on the screen to save the changes.
Select an Observable to Edit
Find the Observable you would like to edit and click on it.
Make Changes and Save
The ‘Edit Record’ form will appear. Make any necessary changes to the fields, then click ‘Save’ in the bottom-right corner. The changes you made will be reflected in the selected Observable.
Deleting an Observable
Select an Observable to Delete
Navigate to the observable you want to delete and select icon.
Delete the Observable
The delete option will appear. Click ‘Delete’, and the selected observable will be removed from your existing observables.