Thank you for your feedback.
Form temporarily unavailable. Please try again or contact to submit your comments.

Create a security incident observable

Log in to subscribe to topics and get notified when content changes.

Create a security incident observable

You can create and view an observable within a security incident and take appropriate action. Having observables available in the security incident is scalable and reduces response time.

Before you begin

Role required:

sn_ti_observable.write (write) (read)

sn_ti_observable.admin (delete)


  1. Navigate to Security Incident.
  2. Choose an incident.
  3. Click Security Incident Observables related list tab.
  4. Click New.
  5. Fill in the fields on the form, as appropriate.
    Field Description
    Select classification tag If you set up and activated security tags to add metadata to the record, you can select one or more tags to specify the degree of sensitivity of the observable.

    If you did not set up or activate security tags, this drop-down list is not displayed.

    Value The value (for example, IP address or hash) associated with the observable.
    Note: If a IoC lookups on an IP address or hash, returned malware or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table. As such, it can be searched for from the Observables form.
    Observable type Select the observable classification, such as an IP address or file hash. These observable types are defined in the Observable Types module.
    Incident count The number of times the observable value has been encountered.
    Is composition This field displays only after the observable record has been saved.

    If the Observable Type is set to anything other that Observable Composition, and this new observable is a composition, select this check box.

    If the Observable Type is already set to Observable Composition, the check box is selected and read-only.

    An observable composition is an observable that contains child observables.

    Finding Select one of the following: None, Unknown or Malicious. Unknown is the default.
    Note: After an upgrade, existing observables are marked Malicious.
    Operator This field appears only when the Is composition check box is selected. Depending on your setting in this field, the observables and their children are considered when deciding whether an associated indicator is present.

    Set this field to AND if all the child observables must be present for an associated indicator to be considered present.

    Set it to OR if any of the child observables are present for an associated indicator to be considered present.

    Must not be present This field displays only after the observable record has been saved.

    If selected, this field signifies that the absence of the observable is the potential issue (for example, a missing registry key).

    Location Using the settings in two properties and a script include definition, you can load Load more IoC data in this field.
    Notes Enter any additional notes about the observable.
  6. Right-click in the form header and click Save. You can now click any of the following related lists to view additional information.
    Related List Description
    Related Indicators Lists indicators that have been identified by the threat source.
    Associated Tasks Lists changes associated with the observable.
    Child Observables Lists related observables that have been identified by the threat source.
    Matching Resources for IP If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address.
    Observable Sources Lists the sources of this observable, along with the confidence level of the source.
    Security Annotations Lists security annotations added to this observable.
  7. Returning to the security incident the following information is available.
    Note: When you add an observable to the security incident, the system checks for any other configuration items or users associated with it. The Related Configuration Items and Related Users related list tabs are updated accordingly.
    Security incident observables example
    Column Definition
    Observable The value (for example, IP address or hash) associated with the observable.
    Observable Type The specific type of observable.
    Context Selected by the user. Choices are:
    • IP - Source or Destination
      Note: If Threat Intelligence and Palo Alto Networks - Firewall are activated, changing or adding a value to this field causes the Get Log Data workflowSecurity Operations Palo Alto Networks - Get Log Data workflow to execute. The workflow retrieves enriched threat log data from the firewall and attaches it to the security incident. The information is also parsed and displayed in the Firewall Logs section under the Enrichment Data tab.
    • URL - Referrer
      Note: When the user clicks a link in a phishing email, a referrer is the URL of the final jump before the malware URL is accessed.
    Incident Count The number of incidents that this observable appears in. This value is automatically updated when the observable is added to another incident manually or through a workflow.
    Updated Data and time the list was last updated.
    Note: If the Threat Intelligence plugin is installed, you can also view the observable in the Observables list in the IoC Repository.