
Define an observable

Observables are normally retrieved from the vendor server as STIX data, but you can also create observables manually when you need to (for example, for an indicator you collected yourself).

Before you begin

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Click New.
    (Figure: Add an observable)
  3. Fill in the fields on the form, as appropriate.
    Field: Description
    Select classification tag: If you set up and activated security tags to add metadata to the record, you can select one or more tags to specify the sensitivity of the observable.

    If you did not set up or activate security tags, this choice list is not displayed.

    Value: The value (for example, an IP address or file hash) associated with the observable.
    Note: If an IoC lookup on an IP address or hash returns a malware verdict or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.
    Observable Type: Select the observable classification, such as IP address or file hash. Observable types are defined in the Observable Types module.
    Incident count: The number of times the observable value has been encountered.
    Is composition: This field is displayed only after the observable record has been saved.

    If the Observable Type is set to anything other than Observable Composition, and the new observable is a composition, select this check box.

    If the Observable Type is already set to Observable Composition, the check box is selected and read-only.

    An observable composition is an observable that contains child observables.

    Finding: Select one of None, Unknown, or Malicious. Unknown is the default.
    Note: After an upgrade, existing observables are marked Malicious, so review the Finding on upgraded records rather than treating it as a verdict.
    Operator: This field appears only when the Is composition check box is selected. Its setting determines how the child observables are evaluated when deciding whether an associated indicator is present.

    Set this field to AND if all the child observables must be present for the associated indicator to be considered present.

    Set it to OR if the presence of any one child observable is enough for the associated indicator to be considered present.

    Must not be present: This field is displayed only after the observable record has been saved.

    If selected, the absence of the observable is the potential issue (for example, a missing registry key), so the observable counts as matched when it is not found.

    Location: Using the settings in two properties and a script include definition, you can load additional IoC data into this field.
    Notes: Enter any additional notes about the observable.
  4. Right-click in the form header and click Save. After the record is saved, you can open any of the following related lists to view additional information.
    Related List: Description
    Related Indicators: Lists the indicators that the threat source has associated with this observable.
    Associated Tasks: Lists the tasks, such as changes, associated with the observable.
    Child Observables: Lists the related observables that the threat source has identified as children of this observable.
    Matching Resources for IP: If the observable is an IP address, lists any resources (configuration items) that have a matching IP address.
    Observable Sources: Lists the sources of the observable, along with the confidence level of each source.
    Security Annotations: Lists the security annotations added to the observable.
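To make the Operator (AND/OR) and Must not be present semantics described in the field table concrete, here is an added example in plain JavaScript. It is not ServiceNow code and does not reproduce the platform's own matching logic or table columns: observable records are modelled as objects keyed by assumed ids, a composition is evaluated recursively, and a Must not be present leaf inverts its result. The sample records, the shape of the sweep input ({type, value} pairs), the value normalisation, and the support for nested compositions are all assumptions that go beyond what the page states.

```javascript
// Added example, not ServiceNow code. Models the Operator (AND/OR) and
// "Must not be present" rules for observable compositions. Ids, field
// names and the sweep input format are assumptions for illustration.

// Constructed sample records: documentation addresses (TEST-NET-1) and the
// MD5 of an empty file, not real indicators.
const OBSERVABLES = {
  ip_c2: { type: "IP Address", value: "192.0.2.10", finding: "Malicious" },
  hash_dropper: {
    type: "MD5",
    value: "D41D8CD98F00B204E9800998ECF8427E", // stored upper-case on purpose
    finding: "Malicious",
  },
  reg_persist: {
    type: "Registry Key",
    value: "HKLM\\SOFTWARE\\Example\\Persist",
    mustNotBePresent: true, // the key being missing is the finding
  },
  // Composition: every child must match (AND).
  comp_all: {
    type: "Observable Composition",
    operator: "AND",
    children: ["ip_c2", "hash_dropper", "reg_persist"],
  },
  // Composition: any child is enough (OR); children may be compositions.
  comp_any: {
    type: "Observable Composition",
    operator: "OR",
    children: ["hash_dropper", "comp_all"],
  },
  comp_empty: { type: "Observable Composition", operator: "AND", children: [] },
};

// Normalise a value so case/whitespace differences in collected data do not
// cause a miss: hashes and registry paths compare case-insensitively,
// IP addresses are only trimmed.
function normalise(type, value) {
  const v = String(value).trim();
  return type === "IP Address" ? v : v.toLowerCase();
}

// Index what was actually observed on a host, keyed by observable type.
// `observed` is an array of {type, value} pairs (assumed sweep output).
function indexObserved(observed) {
  const byType = new Map();
  for (const { type, value } of observed) {
    if (!byType.has(type)) byType.set(type, new Set());
    byType.get(type).add(normalise(type, value));
  }
  return byType;
}

// Decide whether observable `id` counts as present: apply Operator for
// compositions (recursively) and invert the result for a
// "Must not be present" leaf.
function isPresent(id, index, db = OBSERVABLES, depth = 0) {
  const obs = db[id];
  if (!obs) throw new Error(`unknown observable: ${id}`);
  if (depth > 32) throw new Error("composition nesting too deep");

  if (obs.type === "Observable Composition") {
    // Guard: an empty AND composition must not be vacuously true.
    if (!obs.children || obs.children.length === 0) return false;
    const results = obs.children.map((c) => isPresent(c, index, db, depth + 1));
    if (obs.operator === "AND") return results.every(Boolean);
    if (obs.operator === "OR") return results.some(Boolean);
    throw new Error(`unsupported operator: ${obs.operator}`);
  }

  const seen = (index.get(obs.type) || new Set()).has(normalise(obs.type, obs.value));
  return obs.mustNotBePresent ? !seen : seen;
}

// Evaluate a composition (the observable an indicator hangs off) against
// raw sweep results.
function indicatorPresent(rootId, observedPairs, db = OBSERVABLES) {
  return isPresent(rootId, indexObserved(observedPairs), db);
}

// Constructed sweep results from two hosts.
const HOST_A = [
  { type: "IP Address", value: "192.0.2.10" },
  { type: "MD5", value: "d41d8cd98f00b204e9800998ecf8427e" },
  // no persistence key found: reg_persist matches because absence is the issue
];
const HOST_B = [
  { type: "IP Address", value: "192.0.2.10" },
  { type: "MD5", value: "d41d8cd98f00b204e9800998ecf8427e" },
  { type: "Registry Key", value: "hklm\\software\\example\\persist" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("host A comp_all:", indicatorPresent("comp_all", HOST_A)); // true
  console.log("host B comp_all:", indicatorPresent("comp_all", HOST_B)); // false
}
```

Host A matches comp_all because all three children count as present (the registry key is absent, which is what a Must not be present child is looking for); host B fails the AND because the key exists, but still matches comp_any through the hash alone. The empty-composition guard is a practitioner's choice rather than something the page specifies: without it, `every()` on an empty list would report an AND composition as present.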