
Define an observable

Observables are retrieved from the vendor server as STIX data. However, you can create observables, as needed.

Before you begin

Role required: sn_ti.admin


  1. Navigate to Threat Intelligence > IoC Repository > Observables.
  2. Click New.
    Add an observable
  3. Fill in the fields on the form, as appropriate.
    Field descriptions:

    Select classification tag: If you set up and activated security tags to add metadata to the record, you can select one or more tags to specify the degree of sensitivity of the observable. If you did not set up or activate security tags, this drop-down list is not displayed.

    Value: The value (for example, an IP address or hash) associated with the observable.
    Note: If an IoC lookup on an IP address or hash returns malware or some other failure, the IP address or hash value is automatically added to the Observable [sn_ti_observable] table, so it can be searched for from the Observables form.

    Observable type: Select the observable classification, such as IP address or file hash. Observable types are defined in the Observable Types module.

    Incident count: The number of times the observable value has been encountered.

    Is composition: This field displays only after the observable record has been saved. If the Observable type is set to anything other than Observable Composition and this new observable is a composition, select this check box. If the Observable type is already set to Observable Composition, the check box is selected and read-only. An observable composition is an observable that contains child observables.

    Finding: Select one of None, Unknown, or Malicious. Unknown is the default.
    Note: After an upgrade, existing observables are marked Malicious.

    Operator: This field appears only when the Is composition check box is selected. Its setting determines how the composition's child observables are evaluated when deciding whether an associated indicator is present. Set it to AND if all the child observables must be present for the indicator to be considered present; set it to OR if the presence of any one child observable is enough.

    Must not be present: This field displays only after the observable record has been saved. If selected, the absence of the observable is the potential issue (for example, a missing registry key).

    Location: Using the settings in two properties and a script include definition, you can load more IoC data into this field.

    Notes: Enter any additional notes about the observable.
  4. Right-click in the form header and click Save. You can now click any of the following related lists to view additional information.
    Related list descriptions:

    Related Indicators: Lists indicators that have been identified by the threat source.
    Associated Tasks: Lists changes associated with the observable.
    Child Observables: Lists related observables that have been identified by the threat source.
    Matching Resources for IP: If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address.
    Observable Sources: Lists the sources of this observable, along with the confidence level of the source.
    Security Annotations: Lists security annotations added to this observable.
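The Operator (AND / OR) and Must not be present settings from step 3 decide whether a composite observable counts as present. The following JavaScript is an added example, not ServiceNow's own code or the platform's scripting API: the observable(), evaluate() and demo() functions, the "type:value" sighting format and every sample value are constructed for illustration, and the rule that Must not be present simply inverts the presence check is an assumption.

```javascript
// Added example (not ServiceNow code): a small model of how a composite
// observable's Operator and "Must not be present" settings are evaluated
// against what was actually observed on a host.

// Build one observable record using the form fields described above.
// opts.children makes it a composition; opts.operator is 'AND' or 'OR'.
function observable(value, type, opts = {}) {
  return {
    value,
    type,
    isComposition: Array.isArray(opts.children),
    operator: opts.operator || 'OR', // only meaningful for compositions
    children: opts.children || [],
    mustNotBePresent: Boolean(opts.mustNotBePresent),
  };
}

// sightings is a Set of constructed "type:value" strings describing what
// was seen on a host (in the platform this would come from lookups/matches).
function seen(obs, sightings) {
  return sightings.has(`${obs.type}:${obs.value}`);
}

// Returns true when the observable's condition is met.
function evaluate(obs, sightings) {
  let present;
  if (obs.isComposition) {
    // Edge case: a composition with no children is never considered present,
    // so an AND over an empty list does not vacuously succeed.
    if (obs.children.length === 0) {
      present = false;
    } else {
      const results = obs.children.map((c) => evaluate(c, sightings));
      if (obs.operator === 'AND') present = results.every(Boolean);
      else if (obs.operator === 'OR') present = results.some(Boolean);
      else throw new Error(`unknown operator: ${obs.operator}`);
    }
  } else {
    present = seen(obs, sightings);
  }
  // Assumption: "Must not be present" inverts the check, so absence is the finding.
  return obs.mustNotBePresent ? !present : present;
}

// Worked scenario with constructed sample data.
function demo() {
  const beaconIp = observable('198.51.100.7', 'IP address'); // documentation range
  // MD5 of the empty string, used only as a constructed sample hash value.
  const dropperHash = observable('d41d8cd98f00b204e9800998ecf8427e', 'File hash');
  // A registry key whose *absence* is the concern, e.g. a missing AV install key.
  const avKey = observable('HKLM\\SOFTWARE\\ExampleAV', 'Registry key', {
    mustNotBePresent: true,
  });

  const allOf = observable('all-of', 'Observable Composition', {
    operator: 'AND',
    children: [beaconIp, dropperHash, avKey],
  });
  const anyOf = observable('any-of', 'Observable Composition', {
    operator: 'OR',
    children: [beaconIp, dropperHash],
  });
  const empty = observable('empty', 'Observable Composition', {
    operator: 'AND',
    children: [],
  });

  // Host A: beacon IP and dropper hash seen, AV key absent.
  const hostA = new Set([
    'IP address:198.51.100.7',
    'File hash:d41d8cd98f00b204e9800998ecf8427e',
  ]);
  // Host B: beacon IP seen, AV key present, no dropper hash.
  const hostB = new Set([
    'IP address:198.51.100.7',
    'Registry key:HKLM\\SOFTWARE\\ExampleAV',
  ]);

  return {
    allOfOnHostA: evaluate(allOf, hostA), // true: all three conditions met
    allOfOnHostB: evaluate(allOf, hostB), // false: hash missing, AV key present
    anyOfOnHostB: evaluate(anyOf, hostB), // true: IP alone satisfies OR
    anyOfOnClean: evaluate(anyOf, new Set()), // false: nothing seen
    avKeyOnHostB: evaluate(avKey, hostB), // false: key is present, so no finding
    emptyOnHostA: evaluate(empty, hostA), // false: empty composition never matches
  };
}
```

The demo() results show why the Operator matters: the same two child observables yield a finding on host B under OR but not under AND, and the Must not be present child only contributes when the key is absent, which is the "missing registry key" case the field description gives.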