You can manually attach observables to a security incident. Do this when you want to run threat lookups on observables that were not attached to the security incident by the initial event trigger, or when you want more information about a related observable.

Before you begin

Role required: sn_si.analyst

Procedure

  1. Navigate to All > Security Incident > Incidents > Show All Incidents and open a security incident to which you want to attach the observable.
  2. At the bottom of the record, click the Show IoC link in Related Links to display the Observables tab.
  3. On the Observables tab, click New.
    The Observable form is displayed.
  4. In the Value field, enter an observable (IP address or URL).
  5. Click the search icon and from the Observable Type Categories dialog box, click the desired observable type in the list to populate the field.
  6. Click Submit.
    The lookup workflow launches for the new observable. Its execution and completion status is displayed in the work notes on the security incident record.
  7. Navigate to your security incident and review the work notes.
  8. At the bottom of the record, click the Show All Related Lists related link.
  9. Click the Observable Enrichment Results or Network Banners tab to see the results, and click the blue information icon next to an observable for more information on that item.
  10. In the dialog that is displayed, click Open Record to view raw data and more details.
  11. (Optional) Click the blue settings icon near the search icon to personalize column output and order.
  12. In the Personalize List Columns, select available settings, move them to the Selected column, and click OK.
If you cannot verify that the lookup ran successfully, review the work notes on the security incident for the workflow status and how to proceed.
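The same attachment can be scripted when an analyst has many observables to add, for example from an external block list. The following is an added example, not ServiceNow's own code or API client: it uses the standard Table REST API (/api/now/table/<table>) to look up the incident and observable type, create or reuse the observable record, and link it to the incident. The table names sn_si_incident, sn_ti_observable, sn_ti_observable_type and sn_si_m2m_task_observable, the field names used, and the type names "IPv4 address", "IPv6 address" and "URL" are assumptions to verify against your instance, and whether the lookup workflow fires for records created through the API (as it does for the form in step 6) should also be confirmed. The dry-run transport and the incident number are constructed so the script runs offline.

```python
"""Attach an observable to a ServiceNow security incident through the Table REST API.

Added example, not ServiceNow's own code. It assumes the standard Table API
(/api/now/table/<table>) and the following table and field names, which should be
checked against your instance before use:
  sn_si_incident            security incidents (field: number)
  sn_ti_observable          observables (fields: value, type)
  sn_ti_observable_type     observable types (field: name)
  sn_si_m2m_task_observable task-to-observable link (fields: task, observable)
The type names "IPv4 address", "IPv6 address" and "URL" are also assumptions.
"""
import base64
import ipaddress
import json
import urllib.parse
import urllib.request


def classify_observable(value):
    """Map a raw value to an observable type name, or None if it is neither an IP nor a URL."""
    v = value.strip()
    try:
        return "IPv4 address" if ipaddress.ip_address(v).version == 4 else "IPv6 address"
    except ValueError:
        pass
    parsed = urllib.parse.urlparse(v)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return "URL"
    return None


class TableApi:
    """Minimal Table API client; transport(method, url, body) -> dict can be swapped for offline use."""

    def __init__(self, instance_url, user, password, transport=None):
        self.base = instance_url.rstrip("/") + "/api/now/table/"
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": "Basic " + creds,
                        "Content-Type": "application/json", "Accept": "application/json"}
        self.transport = transport or self._http

    def _http(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, headers=self.headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def first(self, table, query, fields=("sys_id",)):
        """Return the first record matching an encoded query, or None."""
        qs = urllib.parse.urlencode({"sysparm_query": query,
                                     "sysparm_fields": ",".join(fields), "sysparm_limit": 1})
        rows = self.transport("GET", self.base + table + "?" + qs, None).get("result", [])
        return rows[0] if rows else None

    def create(self, table, body):
        return self.transport("POST", self.base + table, body)["result"]


def attach_observable(api, incident_number, value):
    """Create (or reuse) the observable record and link it to the incident; returns the sys_ids."""
    type_name = classify_observable(value)
    if type_name is None:
        raise ValueError(f"not an IP address or URL: {value!r}")
    if "^" in value:  # '^' separates conditions in sysparm_query; refuse rather than mis-query
        raise ValueError("observable value contains '^'")
    incident = api.first("sn_si_incident", f"number={incident_number}")
    if incident is None:
        raise LookupError(f"security incident {incident_number} not found")
    obs_type = api.first("sn_ti_observable_type", f"name={type_name}")
    if obs_type is None:
        raise LookupError(f"observable type {type_name!r} not defined on this instance")
    observable = api.first("sn_ti_observable", f"value={value.strip()}")
    if observable is None:
        observable = api.create("sn_ti_observable", {"value": value.strip(), "type": obs_type["sys_id"]})
    link = api.create("sn_si_m2m_task_observable",
                      {"task": incident["sys_id"], "observable": observable["sys_id"]})
    return {"incident": incident["sys_id"], "observable": observable["sys_id"], "link": link["sys_id"]}


def dry_run_transport(calls):
    """Offline stand-in for the HTTP transport: records each call and returns constructed sys_ids."""
    def transport(method, url, body):
        calls.append((method, url, body))
        table = url.split("/api/now/table/")[1].split("?")[0]
        if method == "GET":
            found = {"sn_si_incident": "inc0001", "sn_ti_observable_type": "type0001"}
            return {"result": [{"sys_id": found[table]}] if table in found else []}
        return {"result": {"sys_id": table + "_new"}}
    return transport


if __name__ == "__main__":
    calls = []  # constructed dry run; replace the transport with the default for a live instance
    api = TableApi("https://example.service-now.com", "sn_si.analyst", "password",
                   transport=dry_run_transport(calls))
    print(attach_observable(api, "SIR0001001", "198.51.100.23"))  # RFC 5737 test address
    for method, url, body in calls:
        print(method, url, body)
```

The script reuses an existing observable record for the same value rather than creating a duplicate, so repeated runs only add the link to the incident. After running it against a live instance, still carry out steps 7 to 10 above to confirm in the work notes that the lookup ran and to review the enrichment results.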