Security incident analysts use information from observable enrichment with the WHOISIQ API to learn more about the
email addresses, names, and phone numbers of organizations.
Before you begin
Role required: sn_si.analyst
Procedure
- Navigate to .
  Under the navigation panel, the Observables module is displayed.
- Select the Observables module to display the Observables list.
- Select New to create an observable.
- On the Observable form, fill in the fields.
| Field | Description |
|---|---|
| Value | Email address, organization name, phone number, or mailing address. For example, test1gmail.com |
| Observable type | The field is automatically cleared. |
| Finding | The field is automatically set to Unknown. |
- Select Submit.
  You're returned to the Observables list. In the Value column, your new observable is displayed.
  Note: If you can't locate your observable on the part of the list that is displayed, use the search functionality to find it.
- Edit the Observable type field to change the type from Unknown to Email address to match your observable.
  - In the Observable type column, single-click to the right of the Unknown text to select it.
    The selected field is outlined in blue.
  - With the field outlined in blue, double-click anywhere inside the highlighted field to open the editor.
  - In the field that is displayed, enter the observable type (Email address) and select the green check mark to save the value.
    In the Observable type column on the list, Email Address is displayed for your new observable.
What to do next
If you have created and edited an observable for lookup,
run the observable enrichment lookup from the Observable record with the WHOISIQ API.