Define an Observable

  • Release version: Yokohama
  • Updated January 30, 2025
  • Observables are normally created by scheduled feed ingestion or by the import assistant. You can also define an observable manually, as described here, for example when an analyst has an indicator that no feed has reported yet.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center > Threat Intel Library > Observables > All Observables.
    2. Click New.
    3. Select the Observable Type.
      The Create New Observable record form is displayed.
      Note:
      Whenever you create a new observable, indicator, entity, or other object record, the system also creates a source record, displays a message that the new record has been created, and then redirects you to the aggregated record.
    4. On the form, fill in the fields.
      Note:
      Whenever you create a new observable or view an existing one, the Attachments pane is displayed by default on the form view. To hide it, click the Attachments icon in the right contextual menu, or go to Preferences > Workspaces and disable Show the sidebar. For more information, see Configure Next Experience Workspace preferences.
      Table 1. Details section
      Field Description
      Value The value associated with the observable, for example an IP address, domain name, or file hash. Enter it in the form that matches the selected Type.
      Description Description of the observable record.
      Author Name of the person creating the record.
      Type The observable classification type, such as IP address, domain name, artifact, directory, file, or hash.

      This field is populated from the Observable Type you selected when you clicked New.

      Status Whether the observable is active or inactive.
      Attack Phases The phase of a kill-chain model, such as the Lockheed Martin Cyber Kill Chain or MITRE ATT&CK, that the observable is associated with.
      TLP The Traffic Light Protocol (TLP) label that indicates the data sensitivity of the record and how widely it may be shared.
      Reputation The malicious reputation of the observable.
      Threat Score The threat score for the observable.
      Expiration Time The time at which the observable record expires.
      Source The threat source from which this record was created.
      Confidence The confidence for this observable record.

      The confidence property identifies the confidence that the creator has in the correctness of their data. The value MUST be a number in the range 0-100, following the STIX 2.1 definition of confidence.

      Prevent System Updates When selected, prevents the system (for example, scheduled feed ingestion) from overwriting field values on this record.
      Is False Positive A Boolean flag that indicates whether the observable has been identified as a false positive.
      Table 3. Additional Information
      Field Description
      Threat Level The threat level of the observable record.
      First Seen The time at which this observable was first seen performing malicious activity.
      Threat Severity The threat severity of the observable record.
      Last Seen The time at which this observable was last seen performing malicious activity.
      Usage Categories Categories that the observable falls under, such as botnet or phishing.
      Attack Phases The phase of a kill-chain model, such as the Lockheed Martin Cyber Kill Chain or MITRE ATT&CK, that the observable is associated with.
      Additional Context Any additional context for the observable.
      Sources The threat sources from which this record was created or updated.
      Important:
      Source Reported Score: This field contains the aggregated value of the threat scores reported by the sources from which the observable was ingested. To see this field on the observable record form, you must add it manually; it is not available by default.
      Table 4. Attributes
      Field Description
      Resolves To A list of references to one or more IP addresses or domain names that the domain name resolves to.
      Is FQDN Whether the value is a fully qualified domain name (FQDN): the complete address of an internet host, specifying the hostname, domain name, and top-level domain (TLD) so that it identifies exactly one location in the domain name system (DNS).
      Note:
      The Resolves To and Is FQDN attributes apply only to observables of the Domain Name type.
      Table 5. Observable Type Attributes
      Attribute Name Attribute Types
      Artifact
      • Decryption Key
      • Encryption Algorithm
      • MD5 Hash
      • MIME Type
      • SHA1 Hash
      • SHA256 Hash
      • SHA512 Hash
      • URL
      AS Number
      • Name
      • RIR
      Directory
      • Directory Creation Time
      • Directory Last Accessed Time
      • Directory Last Modified Time
      • Encoded Path
      Domain Name
      • Is FQDN
      • Resolves To
      Email Address
      • Display name
      • Email Body
      • Email Recipients Bcc
      • Email Recipients Cc
      • Email Recipients To
      • Email Sender
      • Email Subject
      • Sent Date
      File
      • Additional Information
      • Encoded File Name
      • File Created Time
      • File Last Accessed Time
      • File Last Modified Time
      • File Name
      • Magic Number
      • MD5 Hash
      • MIME Type
      • SHA1 Hash
      • SHA256 Hash
      • SHA512 Hash
      IPv4 Address
      • AS Number
      • MAC Address
      IPv4 CIDR
      • AS Number
      • MAC Address
      IPv6 Address
      • AS Number
      • MAC Address
      IPv6 CIDR
      • AS Number
      • MAC Address
      Network
      • Destination Bytes Count
      • Destination Packets Count
      • Destination Port
      • End Time
      • HTTP Message Body Length
      • HTTP Request Header
      • HTTP Request Method
      • HTTP Request Value
      • HTTP Request Version
      • ICMP Code Byte
      • ICMP Type Byte
      • Is Network Active
      • Is Socket Blocking
      • Is Socket Listening
      • Network Protocols
      • Socket Address Family
      • Socket Descriptor
      • Socket Handle
      • Socket Options
      • Socket Type
      • Source Bytes Count
      • Source Packets Count
      • Source Port
      • Start Time
      • TCP Destination Flags
      • TCP Source Flags
      Process
      • ASLR Enabled
      • Command Line
      • Current Working Directory (CWD)
      • DEP Enabled
      • Environment Variables
      • Is Hidden
      • Owner SID
      • Process ID
      • Priority
      • Process Created Time
      • Service Descriptions
      • Service Display Name
      • Service Group Name
      • Service Name
      • Service Start Type
      • Service Status
      • Service Type
      • Startup Info
      • Windows Integrity Level
      • Window Title
      Software
      • Common Platform Enumeration (CPE)
      • Supported Languages
      • Software Identification (SWID)
      • Vendor
      • Version
      User Account
      • Account Created Time
      • Account Expiry Time
      • Account Login
      • Account Type
      • Additional Information
      • Can Escalate Privileges
      • Credentials Last Changed Time
      • Display Name
      • First Login Time
      • Is Account Disabled
      • Is Privileged
      • Is Service Account
      • Last Login Time
      • User ID
      Windows Registry Key
      • Key Modified Time
      • Registry Value
      • Subkeys Count
      X.509 Certificate
      • Additional Information
      • Authority Key Identifier
      • Basic Constraints
      • Certificate Policies
      • CRL Distribution Points
      • Extended Key Usage
      • Inhibit Any Policy
      • Issuer
      • Issuer Alternative Name
      • Is Self Signed
      • Key Usage
      • Name Constraints
      • Policy Constraints
      • Policy Mappings
      • Private Key Usage Valid From
      • Private Key Usage Valid Until
      • Signature Algorithm
      • Subject
      • Subject Alternative Name
      • Subject Directory Attributes
      • Subject Key Identifier
      • Subject Public Key Algorithm
      • Subject Public Key Exponent
      • Subject Public Key Modulus
      • Valid From
      • Valid Until
      • Version
      Table 6. Insights
      Field Description
      Notes Add any additional notes for an observable record.
    5. Click Save.
      After you save, a message indicates that a new observable record has been created. Click Continue to edit the record and create relationships.
    6. Click Continue.
      Important:
      After you create a new observable record, the Prevent System Updates check box is displayed.

      Select this check box to prevent the system from updating the observable, indicator, or STIX object record after it has been created, for example when a later feed ingestion would otherwise overwrite values an analyst set by hand.

      Table 7. Tags & Taxonomies
      Field Description
      Tags
      Select Tags Select the tags that are associated with an observable.
      Add Tags Add new tags.
      Taxonomies
      Select Taxonomy Select the Taxonomy that is associated with an observable.
      Add Taxonomy Values Add the Taxonomy values that are associated with an observable.
      Table 8. Source Records
      Field Description
      The source record details for the observable are displayed, if any.
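    The Value field on the form is free text, so a mistyped or mis-typed value (a URL saved as a domain, an upper-case hash, a host address entered where a CIDR block was meant) is stored as entered and, once Prevent System Updates is selected, will not be corrected by later feed ingestion. The following Python script is an added example, not ServiceNow code and not something this page provides: it performs the checks an analyst would want before saving a manual observable, classifying the raw value into one of the Type names used on this page, normalizing it, deriving the Is FQDN attribute and the hash attributes listed in Table 5, and enforcing the 0-100 confidence rule and a TLP label. The exact type strings, the TLP 2.0 label set (CLEAR, GREEN, AMBER, AMBER+STRICT, RED), the `classify`/`build`/`is_valid` function names and the sample inputs are assumptions made for the example, not fields or APIs of the product.

```python
"""Pre-flight checks for a manually defined observable.

Added example, not ServiceNow code. It mirrors the Details fields on this page
(Type, Value, Confidence 0-100, TLP) and the Domain Name / hash attributes in
the observable type tables. Type names, the TLP 2.0 label set and the function
names are assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Hash attribute names from the Artifact / File rows, keyed by hex digest length.
HASH_LENGTHS = {32: "MD5 Hash", 40: "SHA1 Hash", 64: "SHA256 Hash", 128: "SHA512 Hash"}
# Assumed: FIRST TLP 2.0 labels; the page only says the field holds a TLP value.
TLP_LABELS = {"CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"          # one DNS label
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")  # labels, optional root dot
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ValidationError(ValueError):
    """Raised when a value would be rejected or stored under the wrong Type."""


@dataclass
class Observable:
    type: str
    value: str
    confidence: int
    tlp: str
    attributes: dict = field(default_factory=dict)


def classify(raw: str) -> tuple[str, str, dict]:
    """Return (Type, normalized Value, attributes) for a raw indicator string."""
    v = raw.strip()
    if "/" in v and "://" not in v:  # CIDR; strict=False turns 10.1.2.3/24 into 10.1.2.0/24
        try:
            net = ipaddress.ip_network(v, strict=False)
        except ValueError as exc:
            raise ValidationError(f"not a valid CIDR block: {raw!r}") from exc
        return ("IPv4 CIDR" if net.version == 4 else "IPv6 CIDR"), str(net), {}
    try:
        addr = ipaddress.ip_address(v)
        return ("IPv4 Address" if addr.version == 4 else "IPv6 Address"), str(addr), {}
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        digest = v.lower()  # digests compare case-insensitively; store them lowercase
        return "Hash", digest, {HASH_LENGTHS[len(v)]: digest}
    if EMAIL_RE.match(v):
        return "Email Address", v.lower(), {}
    host = v.lower()
    if DOMAIN_RE.match(host):
        host = host.rstrip(".")
        # A single label such as "intranet" is a valid name but not fully qualified.
        return "Domain Name", host, {"Is FQDN": "." in host}
    raise ValidationError(f"cannot classify {raw!r}; URLs and paths need their own Type")


def build(raw: str, confidence: int, tlp: str) -> Observable:
    """Apply the field rules from this page and return the record to create."""
    if not isinstance(confidence, int) or not 0 <= confidence <= 100:
        raise ValidationError("Confidence MUST be a number in the range 0-100")
    label = tlp.strip().upper().removeprefix("TLP:")
    if label not in TLP_LABELS:
        raise ValidationError(f"unknown TLP label {tlp!r}")
    kind, value, attrs = classify(raw)
    return Observable(kind, value, confidence, label, attrs)


def is_valid(raw: str, confidence: int, tlp: str) -> bool:
    """True if build() would accept the record, False if it would be rejected."""
    try:
        build(raw, confidence, tlp)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, as an analyst might paste them into the form.
    samples = [(" Example.COM. ", 80, "tlp:amber"), ("10.1.2.3/24", 50, "green"),
               ("D41D8CD98F00B204E9800998ECF8427E", 100, "clear"),
               ("http://example.com/x", 60, "red"), ("example.com", 101, "red")]
    for raw, conf, tlp in samples:
        try:
            print(build(raw, conf, tlp))
        except ValidationError as exc:
            print(f"rejected {raw!r}: {exc}")
```

    Run the script before filling in the form, or wrap `build` around rows of a spreadsheet before handing them to the import assistant. A value that raises `ValidationError` is one that would otherwise be saved under the wrong Type or with a confidence the 0-100 rule forbids, and a rejected URL is a hint to pick the Artifact type (which carries a URL attribute) rather than Domain Name.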

    What to do next

    The following table lists the records related to an observable:
    Table 9. Related Records
    Related List Description
    Observable List of observables related to this observable.
    Note:
    This section also contains the potential relationships between two observables. For more information, see Confirm observable-observable potential relationship, and see Define observable-observable relationships for the confirmed relationships between two observables.
    Indicators List of indicators related to this observable.
    Attack Patterns List of attack patterns that are related to this observable.
    Campaigns List the campaigns that are related to this observable.
    Infrastructure List the Infrastructure such as systems, software services, and any associated physical or virtual resources that are related to this observable.
    Intrusion Sets List the intrusion sets such as a set of adversarial behaviors and resources with common properties that are related to this observable.
    Malware List the malware source records that are related to this observable.
    Threat Actors List the threat actors that are related to this observable.
    Threat Events List the threat events that are related to this observable.
    Vulnerabilities If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address that are related to this observable.
    Note:
    1. You can link and unlink the related records associated with this object. For more information, see Link Threat Intel Related Records.
    2. From the Related Records section, you can also confirm the relationships between two observables using the Potential Relationships section on the observable form view. For more information, see Confirm Potential Relationships from Related Records.
    3. You can add observables to cases. For more information, see Add to Case.
    4. You can also run enrichment actions on observables. For more information, see Run Enrichment Actions within a case.