To learn more about Observables and their role in Alerts and Case Management, please refer to our detailed guide available here.
Types of Observables
- Unknown
- Hostname
- IP Address
- MAC Address
- URL String
- Username
- Email Address
- File Name
- Hash
- Process Name
- Resource UID
- Port
- Subnet
- Command Line
- Country
- Process ID
- HTTP User Agent
- CWE Object: uid
- CVE Object: uid
- User Credential ID
- Endpoint
- User
- Uniform Resource Locator
- File
- Process
- Geo Location
- Container
- Registry Key
- Registry Value
- Fingerprint
- Other
Creating a New Observable
Note:
- You can assign multiple observables to a single case or a single observable to many cases.
- You can also create observables directly from the main Observable table. Simply navigate to the Observable table, click the ‘New Observable’ button in the top-right corner, and fill out the required parameters.
1. Navigate to the 'Observables' tab
To attach an Observable to a Case, first double-click on the desired Case. In the overview section of the selected Case, go to the ‘Observables’ tab. Then, click the “New Record” button in the top-right corner.

2. Open the New Record Form

3. Fill in all the necessary fields
Fields | Description |
---|---|
Name | The name of the Observable. |
Observable Type | The type of the Observable. |
Content Type | The content value of the Observable. |
Description (Optional) | A written description for the Observable. |
Reputation | An observable’s reputation is a rating that shows how safe or risky it is based on its actions or traits. This helps users decide if they can trust the observable or if they should be cautious. The reputation options range from Unknown (no information) to Malicious (potentially harmful), with levels like Very Safe, Safe, Exercise Caution, and Suspicious/Risky to indicate varying degrees of trustworthiness. |
Enrichment Data | The enrichment data that provides additional information and context on the Observable. |
Linked Cases | The Name and ID of the Case(s) you want to link to this current Observable. |
Linked Attachments | The Name and ID of the Attachment(s) you want to link to this current Observable. |
Linked Tasks | The Name and ID of the Task(s) you want to link to this current Observable. |
Linked Alerts | The Name and ID of the Alert(s) you want to link to this current Observable. Hover over the ‘Linked Alerts’ column in the observables table to see the relations associated with each observable. |
Linked Observables | The Name and ID of the Observable(s) you want to link to this current Observable. |
4. Save and add the Observable
Once completed, select the Add Observables button in the bottom-right corner.

Observable Relations
Hover over the ‘Linked Alerts’ column in the observables table to see the relations associated with each observable. Please note that you cannot change the relations directly via the ‘Linked Alerts’ column in the observable table. To make changes, use the Add or Update Observable Relation action.

Editing Observables
NOTE
Please note that you can also Edit Observable(s) directly within the table tab of a case overview. Simply double-click on the table row to make any necessary changes. Once you have completed your edits, click anywhere on the screen to save the changes.
1. Select an Observable to Edit
Select the Observable you would like to edit and click on it.
2. Make Changes and Save
The ‘Edit Record’ Form will appear. Make any necessary changes to the fields, then click ‘Save’ in the bottom-right corner. The changes you made will be reflected in the selected observables.

Deleting an Observable
1. Select an Observable to Delete
Navigate to the observable you want to delete and select icon.
2. Delete the Observable
The delete option will appear. Click ‘Delete’, and the selected observable will be removed from your existing observables.
