Add observables

The Intelligence Center uses enrichers to automatically retrieve data that augments an entity intelligence value by adding more context. These details are stored as discrete pieces of information called observables.
Besides enrichment, you can also manually add observables to entities to augment their intelligence value with additional context.

Manually add observables

To manually add an observable, do one of the following:

  • In the entity detail pane, click the menu icon , and from the drop-down menu select Edit.
    In the entity editor, under Observables, click Observables.

  • In the side navigation bar click the create icon > Observable.

  • Searchimages/download/attachments/82475116/search.svg-x24.png > GO TO SEARCH AND BROWSE > Observables > Create observable +.

When you are in the Add observables view:

  1. From the Type drop-down menu, select the type of observable you are creating.

  2. From the drop-down menu, select the appropriate value to correctly describe the type of relationship between the parent entity and the embedded observable.

  3. In the Value(s) field, enter the values of the observable.
    If you enter multiple values, separate them with a comma (,).

  4. From the Maliciousness drop-down menu, select the maliciousness level.

  5. From the Source drop-down menu, select the data source associated with the observable.

  6. To store your changes, click Save; to discard them, click Cancel.


It is not possible to manually create the following observable types:

  • cce (Common Configuration Enumeration)

  • cve (Common Vulnerability Enumeration)

  • cwe (Common Weakness Enumeration)

  • rule (generic rule type)

  • snort

  • yara

You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.

For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.

You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.

For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.


Entity type

Allowed relationship link names

Course of action

If the entity type is course of action:

  • Parameter: it is the only link name option available for entities.
    It enables defining specific technical parameters, settings, and configurations related to the using the CybOX Language.

    You can set parameters for a course of action to define automated courses of action designed to to carry out follow-up actions. It can be a detection follow-up; for example, it can trigger adjusting the settings of a malware detection application accordingly. It can be a prevention follow-up; for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names. Or it can produce a community follow-up; for example, creating and publishing a report to notify other parties about the possible threat the entity represents.

Exploit target

If the entity type is exploit target:

Incident

If the entity type is incident:

  • Affected asset: defines an affected, impacted resource or asset type.

  • Related: holds one or more observables that are related to this one.

Indicator

If the entity type is indicator:

  • Observable: the observable related to the entity is an embedded CybOX observable object.
    It has been detected outside the organization.

  • Sighted: the observable related to the entity is an embedded CybOX observable object.
    At least one specific occurrence of the observable related to the entity has been detected, that is, sighted, inside the organization.

  • Test mechanism: a test mechanism enables the Intelligence Center to share entity information with external tools and systems.
    In particular, it is useful to send information to an IDS/HIDS/NIDS to test it against a tool-specific rule.

    For example, an observable with a Test mechanism link name can trigger follow-up actions in external systems:

    • Rule: generic test mechanism to interact with a generic system supporting plain text format as an input.

    • Snort: Snort test mechanism.
      You can include the observable in an outgoing feed to a Snort instance
      The Snort rules in the indicator are used to look for matching patterns in the Snort logs.
      You can configure Snort so that matching hits trigger a follow-up action.
      For example, creating a sighting or adding a malicious entry to a blocklist.

    • YARA: YARA test mechanism.
      You can include the observable in an outgoing feed to a YARA instance.
      YARA uses the rules in the indicator to look for matching patterns in the target files or locations you specify in YARA.
      You can feed indicators from the Intelligence Center to YARA to look for, identify, and classify malware samples.

TTP

If the entity type is TTP:

  • Malicious infrastructure: describes a component of the infrastructure — gear, equipment, tools, software and hardware, services — used to carry out the malicious activities described in the TTP.

  • Targeted victim: describes a component of the targeted victim’s assets and resources.

Report

If the entity type is report:

  • Observable: the observable related to the entity was detected outside the organization.
    It represents a potential threat that may or may not impact your organization.

Threat actor

If the entity type is threat actor:

  • Identity: holds information that enables identifying the threat actor entity it is related to.
    For example, an individual’s first and/or last name, or the denomination of an organization.

Campaign

If the entity type is campaign:

  • N/A. Campaign-related observables do not have link names.

Search by link name

You can use link names to search for specific observables, based on the type of relationship they have with their parent entity.
The type of relationship between an observable and and entity adds context, and it can help understand the function of the observable within the broader threat landscape it belongs to.
For example, a relationship can help identify an observable as a victim, and affected asset, a vulnerability, or as a component of the threat actor's malicious infrastructure.

Let's assume that an analyst is investigating a threat scenario where a threat actor exploits the CVE-2017-8793 vulnerability to gain access to the targeted victim’s assets.
The analyst may want to search the Intelligence Center for any exploit target entities containing observables that are related to the parent exploit target because they represent a vulnerability.

To search for an observable representing a vulnerability:

  1. In the side navigation bar click the search icon .

  2. In the search input field enter your search query:

    data.type:exploit-target AND \
    extracts.kind:domain AND \
    meta.bundled_extracts.link_types:vulnerability OR \
    extracts.instance_meta.link_types:vulnerability OR \
    extracts_nested.instance_meta.link_types:vulnerability
  3. Press ENTER to start the search.

In the search query example:

  • meta.bundled_extracts.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding bundled observables.

  • extracts.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and non-embedded observables.

  • extracts_nested.instance_meta.link_types is the JSON path pointing to the JSON field in the entity data structure that holds the link name value defining the relationship between entities and the corresponding embedded observables.

  • vulnerability is the link name value defining the the type of entity-observable relationship you are looking for.

If the link name value search string contains multiple words separated by spaces, wrap the search string in double quotes (example: "my multiple word search string").
The Intelligence Center search functionality uses the Elasticsearch query syntax.

The following table maps the link name values you can enter in a search query to the corresponding options displayed in the GUI (campaign entities have no link names to define relationships with observables):


Search input value

GUI option

Entity

parameter

Parameter

Course of action

affected

Affected

Exploit target

configuration

Configuration

Exploit target

vulnerability

Vulnerability

Exploit target

weakness

Weakness

Exploit target

affected-asset

Affected asset

Incident

related

Related

Incident

observed

Observable

Indicator

sighted

Sighted

Indicator

test-mechanism

Test mechanism

Indicator

malicious-infrastructure

Malicious infrastructure

TTP

targeted-victim

Targeted victim

TTP

observable

Observable

Report

identity

Identity

Threat actor