Observables

Observables are pieces of data (an IP address, a file hash, a URL, a username and so on) that indicate a system may have been compromised. They give security teams concrete evidence to pivot on during and after a breach. In this section you can create and manage Observables for your Cases.

note

You can attach multiple Observables to a single Case, and a single Observable can be linked to many Cases.

Types of Observables

  1. Unknown
  2. Hostname
  3. IP Address
  4. MAC Address
  5. URL String
  6. Username
  7. Email Address
  8. URL String
  9. File Name
  10. Hash
  11. Process Name
  12. Resource UID
  13. Port
  14. Subnet
  15. Command Line
  16. Country
  17. Process ID
  18. HTTP User Agent
  19. CWE Object: uid
  20. CVE Object: uid
  21. User Credential ID
  22. Endpoint
  23. User
  24. Email
  25. Uniform Resource Locator
  26. File
  27. Process
  28. Geo Location
  29. Container
  30. Registry Key
  31. Registry Value
  32. Fingerprint
  33. Other

info

To change which Observable types are selected, go to the Observable table, click the icon next to the Observable Type column heading, remove the types you no longer want by clicking the X next to each one, and then click Save.

Creating a New Observable

note

You can also create Observables directly from the main Observable table: navigate to the Observable table, click the "New Observable" button in the top-right corner, and fill out the required parameters.

  1. Double-click the Case you want to attach the Observable(s) to, open the Table tab in the Overview section of the selected Case, and click the New Record button in the top-right corner.
  2. A dialog box for creating a new record appears.
  3. Fill in the necessary fields:

Field                   Description
Name                    The name of the Observable.
Observable Type         The type of the Observable (see Types of Observables above).
Content Type            The value of the Observable itself, for example the IP address, hash or URL.
Description (Optional)  A written description of the Observable.
Verdict Type            One of Unknown, Benign, Suspicious or Malicious.
Enrichment Data         Enrichment data that provides additional information and context on the Observable.
Linked Cases            The Name and ID of the Case(s) to link to this Observable.
Linked Attachments      The Name and ID of the Attachment(s) to link to this Observable.
Linked Tasks            The Name and ID of the Task(s) to link to this Observable.
Linked Alerts           The Name and ID of the Alert(s) to link to this Observable.
Linked Observables      The Name and ID of the other Observable(s) to link to this Observable.

  4. Once completed, click the Add Observables button in the bottom-right corner.
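The type list above and the field table for the creation dialog leave two practical questions open: how to decide which type a pasted indicator belongs to, and how to keep values consistent so that one Observable really does link to every Case it appears in. The Python below is an added example written for this page, not code from the product. The type names and verdict values come from the page; the detection rules, the refanging logic, the record layout and the sample indicators are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Type names are taken from the "Types of Observables" list on this page.
# The detection rules, refanging logic and record layout below are
# assumptions made for this example; they are not the product's own code.
VERDICTS = ("Unknown", "Benign", "Suspicious", "Malicious")
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
_EMAIL_RE = re.compile(r"^[^@\s/]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)


def refang(value: str) -> str:
    """Undo common defanging (hxxp://, [.], (.), [:], [@]) so that the same
    indicator is stored identically no matter which analyst pasted it."""
    v = value.strip()
    if v.lower().startswith("hxxp"):  # hxxp:// -> http://, hxxps:// -> https://
        v = "http" + v[4:]
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[@]", "@")):
        v = v.replace(defanged, plain)
    return v


def classify(value: str) -> str:
    """Best-effort mapping of a raw indicator onto one of the page's
    Observable types. Returns "Unknown" when nothing matches. Values that
    are ambiguous by nature (a file name such as report.pdf looks like a
    hostname) should have their type chosen explicitly in the dialog."""
    v = refang(value)
    if _MAC_RE.match(v):
        return "MAC Address"
    try:
        ipaddress.ip_network(v, strict=False)  # accepts 10.0.0.1 as well as 10.0.0.0/8
        return "Subnet" if "/" in v else "IP Address"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9A-Fa-f]+", v) and len(v) in HASH_LENGTHS:
        return "Hash"
    parsed = urlparse(v)
    if parsed.scheme in ("http", "https", "ftp") and parsed.netloc:
        return "URL String"
    if _EMAIL_RE.match(v):
        return "Email Address"
    if _HOST_RE.match(v):
        return "Hostname"
    if v.isdigit() and 0 < int(v) <= 65535:
        return "Port"
    return "Unknown"


def build_observable(name, value, verdict="Unknown", observable_type=None,
                     description="", linked_cases=()):
    """Assemble the fields from the creation dialog into one record.
    Field names mirror the table on this page; the dict layout is an
    assumption, since the product's storage format is not documented here."""
    if verdict not in VERDICTS:
        raise ValueError(f"Verdict Type must be one of {VERDICTS}, got {verdict!r}")
    content = refang(value)
    return {
        "Name": name,
        "Observable Type": observable_type or classify(content),
        "Content Type": content,
        "Description": description,
        "Verdict Type": verdict,
        "Linked Cases": list(linked_cases),
    }


if __name__ == "__main__":
    # Constructed sample indicators, as an analyst might paste them from a report.
    samples = ["8.8.8.8", "10.0.0.0/8", "hxxp://evil[.]example/path",
               "00:11:22:33:44:55", "d41d8cd98f00b204e9800998ecf8427e",
               "alice[@]example[.]com", "evil.example.com", "443", "???"]
    for s in samples:
        print(f"{s:40} -> {classify(s)}")
    print(build_observable("C2 host", "hxxp://evil[.]example/path",
                           verdict="Malicious", linked_cases=["CASE-1"]))
```

Refanging before storing matters because evil[.]example and evil.example would otherwise become two separate Observables and the cross-Case linking the note above describes would silently miss one of them. Anything the rules cannot place falls back to Unknown, the same default the dialog offers, and types the rules cannot tell apart from text alone (File Name, Username, Process Name, Command Line) should be set explicitly rather than guessed.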