Security incident observables

Observables are artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files, URLs, or domain names. Threat Intelligence observable table data is available from within a security incident.

Each observable record includes a value, type, context, and timestamp.

You can create or delete observables manually or automatically through lookup requests.

A new Finding column has been added to the Observables table. Possible values are: Malicious and Unknown.

  • If an IoC lookup request returns no match for a security incident observable, the observable is labeled Unknown.
  • If an IoC lookup request returns a match for a security incident observable, the observable is labeled Malicious.

During an upgrade, existing items in the Observables table have the Finding column set to Malicious.
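The following added example (not ServiceNow code) models the observable record described above, classifies raw values into the types the page names, applies the Finding rule from a lookup result, and applies the upgrade default. The type patterns, the enrich and upgrade_existing functions, and the sample values and lookup hits are all constructed for illustration.

```python
import re
from dataclasses import dataclass, asdict

# Patterns for the observable types the page names (IP, MD5, URL, domain).
# These are illustrative checks, not ServiceNow's own type detection.
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def classify(value: str) -> str:
    """Return the observable type for a raw value, or 'unknown' if no type matches."""
    v = value.strip()
    if _IPV4.match(v) and all(int(octet) <= 255 for octet in v.split(".")):
        return "ip_address"
    if _MD5.match(v):
        return "md5"
    if _URL.match(v):
        return "url"
    if _DOMAIN.match(v):
        return "domain"
    return "unknown"


@dataclass
class Observable:
    value: str
    type: str
    context: str
    timestamp: str
    finding: str = "Unknown"  # Finding column: "Malicious" or "Unknown"


def enrich(values, context, timestamp, lookup_hits):
    """Build observable rows and set Finding from a lookup result (hit -> Malicious)."""
    rows = []
    for raw in values:
        obs = Observable(raw.strip(), classify(raw), context, timestamp)
        obs.finding = "Malicious" if obs.value in lookup_hits else "Unknown"
        rows.append(obs)
    return rows


def upgrade_existing(rows):
    """Upgrade rule from the page: rows without a Finding value become Malicious."""
    return [{**row, "finding": row.get("finding") or "Malicious"} for row in rows]


# Constructed sample: values seen in one incident and a stubbed IoC lookup result.
SAMPLE_VALUES = ["192.0.2.10", "d41d8cd98f00b204e9800998ecf8427e",
                 "https://example.com/login", "example.net", "999.1.1.1"]
SAMPLE_HITS = {"192.0.2.10", "https://example.com/login"}  # constructed lookup hits

if __name__ == "__main__":
    for o in enrich(SAMPLE_VALUES, "proxy log", "2024-01-01T00:00:00Z", SAMPLE_HITS):
        print(asdict(o))
```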

Note: While Threat Intelligence observables table data is part of a security incident, no other interaction with the Threat Intelligence module is included. For full Threat Intelligence functionality, the Threat Intelligence plugin is available by subscription.