Define an observable

Observables are normally retrieved from the vendor server as STIX data. However, you can also create observables manually as needed.

Before you begin

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Observable Type: Select the observable classification, such as an IP address or file hash. These observable types are defined in the Observable Types module.
    Sighting count: The number of times the observable value has been encountered.
    Is composition: If the Observable Type is set to anything other than Observable Composition, and this new observable is a composition, select this check box.
      If the Observable Type is already set to Observable Composition, the check box is selected and read-only.
      An observable composition is an observable that contains child observables.
    Operator: This field appears only when the Is composition check box is selected. The setting in this field determines how the observable and its children are evaluated when deciding whether an associated indicator is present.
      Set this field to AND if all the child observables must be present for an associated indicator to be considered present.
      Set it to OR if the presence of any one child observable is enough for an associated indicator to be considered present.
    Must not be present: If selected, this field signifies that the absence of the observable is the potential issue (for example, a missing registry key).
    Location: Using the settings in two properties and a script include definition, you can load geolocation information for IP addresses and websites in this field.
    Value: The value (for example, an IP address or hash) associated with the observable.
      Note: If a lookup on an IP address or hash returns malware or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.
    Notes: Enter any additional notes about the observable.
  4. Right-click in the form header and click Save. You can now click any of the following related lists to view additional information.
    Related Indicators: Lists indicators that have been identified by the threat source.
    Associated Tasks: Lists changes associated with the observable.
    Child Observables: Lists related observables that have been identified by the threat source.
    Matching Resources for IP: If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address.
    Observable Sources: Lists the sources of this observable, along with the confidence level of the source.
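The following is an added illustration of the composition semantics described for the Is composition, Operator and Must not be present fields; it is not ServiceNow code or a script include from the platform. The record shape (is_composition, operator, must_not_be_present, children, value) is an assumption modelled on the form fields, and the sample composition uses placeholder values only.

```javascript
// Evaluate whether an observable (leaf or composition) satisfies the
// presence condition for an associated indicator, given the set of
// observable values actually sighted in the environment.
function isPresent(observable, sightedValues) {
  var present;
  if (observable.is_composition) {
    // Composition: evaluate each child first, then combine per Operator.
    var results = (observable.children || []).map(function (child) {
      return isPresent(child, sightedValues);
    });
    if (observable.operator === 'AND') {
      present = results.length > 0 && results.every(Boolean);   // all children
    } else if (observable.operator === 'OR') {
      present = results.some(Boolean);                          // any child
    } else {
      throw new Error('Unsupported operator: ' + observable.operator);
    }
  } else {
    present = sightedValues.indexOf(observable.value) !== -1;   // leaf lookup
  }
  // "Must not be present": the absence of the observable is the issue,
  // so the condition is satisfied when the observable was NOT sighted.
  return observable.must_not_be_present ? !present : present;
}

// Constructed sample (placeholder values, not real indicators): the indicator
// is present when the dropper hash is seen, at least one of two C2 addresses
// is seen, and an expected hardening registry key is absent.
var SAMPLE_COMPOSITION = {
  type: 'Observable Composition', is_composition: true, operator: 'AND',
  children: [
    { type: 'File Hash', value: 'sha256:PLACEHOLDER_DROPPER_HASH' },
    { type: 'Observable Composition', is_composition: true, operator: 'OR',
      children: [
        { type: 'IP Address', value: '192.0.2.10' },
        { type: 'IP Address', value: '198.51.100.7' }
      ] },
    { type: 'Registry Key', value: 'HKLM\\SOFTWARE\\Example\\HardeningFlag',
      must_not_be_present: true }
  ]
};

// Stand-alone check: hash and one C2 address sighted, registry key absent.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(isPresent(SAMPLE_COMPOSITION,
    ['sha256:PLACEHOLDER_DROPPER_HASH', '192.0.2.10']));   // true
}
```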