You can manually attach observables to a security incident. You manually attach
observables when you want to perform threat lookups on observables that are not attached to
a security incident on the initial event trigger. Also, you might perform this task when you
want more information about a related observable.
Before you begin
Role required: sn_si.analyst
Procedure
-
Navigate to and open a security incident to which you want to attach the
observable.
-
At the bottom of the record, select Show IoClink in Related Links.
-
On the Observables tab, select New.
The Observable form is displayed.
-
In the Value field, enter an observable (IP address or URL).
-
Select the search icon and from the Observable Type Categories dialog box, select the desired observable type in the list to populate the field.
-
Select Submit.
The workflow launches and checks for the new observable. The execution and completion status is displayed in the work notes section on the security incident record.
-
Navigate to your security incident and review the work notes.
-
At the bottom of the record, select the Show All Related Lists related link.
-
Select the Observable Enrichment Results or Network Banners tabs for results, and select the blue information icon next to an observable for more information on a specific
item.
-
In the dialog that is displayed, select Open Record to view raw data and more details.
- Optional:
Select the blue settings icon near the search icon to personalize column output and order.
-
In the Personalize List Columns, select available settings, move them to the Selected column, and select OK.
Review the Work notes for more information and how to proceed if you can't verify that the lookup ran successfully.