Manage file observables provides stringent security measures to store the suspicious files and enables the files type observables for sandbox integration.

Before you begin

Role required: sn_ti_malicious_attachment_access (upload)

Upload the file type observables:

  • Automatically: When the security incidents are created for the phishing emails, the attachments in the phishing email are created as file type observables.

  • Manually: A security analyst can also upload the suspicious files to create file type observables.

About this task

You can create and view file type observables for a security incident. The suspicious files which are part of the observables are stored in a specific location, which can be accessed by the security analyst to download the file only with a specific role.

Procedure

  1. Navigate to a security incident.
  2. Select Observables from the Show All Related Lists tab.

    If there are any attachments in the phishing email, then by default those attachments are created as file type observables in the corresponding security incident. Each attachment is created as two observables such as file type and file hash observable.

  3. To upload the secure attachments manually:
    • Click Upload Secure Attachment.
    • On the Upload Secure Attachments, Click Choose file to upload one or more files. Each file is considered as a single observable record.
    • Click Create File Observables to create the file type observables such as one is the file type and other one is the file hash which is a unique identifier.
    Figure 1. File type observables

    This image describes the file contents of the observables.
    Select the file type observable to process for further integrations such as sandbox, threat lookup. In addition, you can also download the attachments from the file type observable.
    Note:
    The threat lookup (VirusTotal) retrieves the file from the secured attachments for the new file type observables and the below system properties are not applicable for the new file type observables.
    • sn_ti.scan.delete_attachment_after_hash
    • sn_ti.scan.use_file_hash

    For a quick reference, the file type observable is mapped as a child to the hash observable and hash observable is mapped as a child to file observable.

    If the phishing email attachments are exceeding more than the defined size then the observables are not created. You must modify the system properties to support the larger size files.
    Table 1. File size system properties
    System property Description
    glide.email.inbound.max_total_attachment_size_bytes If you are forwarding the phishing email directly, use this system properties value to increase the file size from 18MB to a desired file size.
    com.glide.attachment.max_get_size If you are forwarding the phishing email as an attachment, use this system property value to create the below system properties under global scope to increase the file size from 5MB to the desired size.
    You can also create a new file type observable as follows:
    1. Click New.
    2. Select the Observable type Category: File
    3. Click Upload to attach a file.