You can manually attach observables to a security incident. You manually attach
observables when you want to perform threat lookups on observables that are not attached to
a security incident on the initial event trigger. Also, you might perform this task when you
want more information about a related observable.
Before you begin
Role required: sn_si.analyst
Procedure
- Navigate to your open security incident.
- On the open security incident record, select the Show IoC link in Related Links to display the Observables tab.
- Select New.
  The Observable form is displayed.
- In the Value field, enter a URL.
- Select the search icon and, in the Observable Type Categories dialog box, select URL in the list to populate the field.
- Select Submit.
  The flow launches and checks the new observable. The execution and completion status is displayed in the work notes section of the Security Incident record.
- Navigate to your security incident and review the work notes.
- Select the Show All Related Lists related link at the bottom of the security incident.
- Select the Threat Lookup Results tab to view the results.
- In the Observable column, select the blue information icon next to a given observable for more information and the raw data.
- In the dialog box that is displayed, select Open Record.

Review the work notes for more information, and for how to proceed if you can't verify that the lookup ran successfully.
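The value entered in step 4 is what the threat lookup runs against, so a defanged (hxxp://, [.]) or malformed value produces an empty or misleading result. The following added example, which is not part of the ServiceNow documentation above and not product code, shows the normalization an analyst or an automation script would apply before creating the observable: it refangs the value, classifies it into the category chosen in step 5 (the category labels, the instance URL and the table name `sn_ti_observable` are this example's own assumptions), and builds the shape of a Table API create request.

```javascript
// Added example, not ServiceNow product code: normalize and classify an
// observable value before it is attached to a security incident, so the
// threat lookup runs against a real URL/IP/domain/hash rather than a
// defanged or malformed string. Instance URL and table name are assumptions.
const INSTANCE_URL = "https://example.service-now.com"; // placeholder instance
const OBSERVABLE_TABLE = "sn_ti_observable";             // assumed table name

// Analysts often paste defanged indicators (hxxp://, [.], [:]); undo that first.
function refang(raw) {
  return raw
    .trim()
    .replace(/^hxxp(s?):\/\//i, "http$1://")
    .replace(/\[:\]/g, ":")
    .replace(/\[\.\]|\(\.\)|\{\.\}/g, ".");
}

// Classify a refanged value into one of this example's own category labels.
// Returns null when the value is not something a threat lookup can act on.
function classify(value) {
  // IPv4: exactly four numeric octets, each 0..255.
  const octets = value.split(".");
  if (
    octets.length === 4 &&
    octets.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)
  ) {
    return "ipv4";
  }
  // File hashes by hex length.
  if (/^[0-9a-f]{32}$/i.test(value)) return "md5";
  if (/^[0-9a-f]{40}$/i.test(value)) return "sha1";
  if (/^[0-9a-f]{64}$/i.test(value)) return "sha256";
  // Only web URLs are meaningful to a URL reputation lookup; "javascript:"
  // or "file:" values parse as URLs but are not accepted here.
  try {
    const u = new URL(value);
    if (u.protocol === "http:" || u.protocol === "https:") return "url";
  } catch (e) {
    // Not an absolute URL; fall through to the domain check.
  }
  // Hostname: dot-separated labels with an alphabetic TLD, 253 chars max.
  if (/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i.test(value)) {
    return "domain";
  }
  return null;
}

// Returns { value, category } for a usable observable, or null.
function normalizeObservable(raw) {
  const value = refang(raw);
  const category = classify(value);
  return category === null ? null : { value, category };
}

// Shape of a Table API create request for the observable. The request is
// built, not sent; the "value" field name is an assumption for this example,
// and the observable type reference would be set to match the category.
function buildCreateRequest(raw) {
  const obs = normalizeObservable(raw);
  if (obs === null) throw new Error("not a supported observable: " + raw);
  return {
    method: "POST",
    url: INSTANCE_URL + "/api/now/table/" + OBSERVABLE_TABLE,
    category: obs.category,
    body: { value: obs.value },
  };
}

// Constructed sample input: a defanged URL as an analyst might paste it.
console.log(normalizeObservable("hxxps://evil[.]example/login"));
```

Values that classify as null should be rejected before Submit rather than attached, since the flow would otherwise record a lookup against a string no provider recognises.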