Edit observables

Editing observables does not affect the information they hold. It affects the relationships they have with the entities they refer to, which can be direct or indirect.

Observables are atomic bits of information: each one holds a single piece of information.
Examples include an IP address, a domain name, an email address, a threat actor name, and so on.

What can change over time is not the value an observable holds, but the way that unit of information relates to other data objects, namely entities: direct vs. indirect relationship, and non-malicious vs. malicious.
These attributes help assess threat severity and triage follow-up actions.

You can change the level of importance of the relationships observables have with entities. You can flag observables to be ignored or removed from the existing relationships entities have with other objects in the Intelligence Center. You can also increase the level of confidence in the potential maliciousness observables may have.

Last but not least, you can load observables on the graph for analysis, and you can manually enrich them.

Edit observables in a graph

You can only edit draft observables in a graph. See Edit observables in a graph for more information.

Manually enrich observables

To manually trigger an enrichment task for an observable or an entity:

  • In the entity or the observable detail pane, click the menu icon, and from the drop-down menu select Enrich > Enrich with all.
    All applicable enrichers and the corresponding data sources are triggered to run and to enrich the intelligence object with data from all available enrichment data sources.

  • In the entity or the observable view, click the menu icon, and from the drop-down menu select Enrich > ${enricher_name}.
    Only the specified enricher is triggered to run and to enrich the intelligence object with data from the corresponding enrichment data source.

  • In the entity or the observable view, select multiple entities or observables by clicking the corresponding checkboxes, and from the bulk action drop-down menu above the table in the view click Enrich > Enrich with all.
    All applicable enrichers and the corresponding data sources are triggered to run and to enrich the selected intelligence objects with data from all available enrichment data sources.