Manage existing observables and entities

Existing observables

Observables that already exist in the platform are marked with a red copy images/download/attachments/82475554/observables-existing-icon-2.png symbol on the right of the item. This means that the observable:

  • Already exists on the platform.

  • May have existing relationships with other entities there.

The number displayed at the bottom-right corner of the icon tells you how many observables of the same name already exist on the platform. For example, when a copy icon with a "2" images/download/attachments/82475554/observables-existing-icon-2.png is displayed for an observable, two observables with the same name already exist on the platform.

images/download/attachments/82475554/observables-existing-ip.png

You should:

  • Check the relationships that exist for this observable in your platform instance.

  • Check the platform to see if the entity you want to create does not already exist. For more information, see Existing entities.

If an observable already exists on the platform, ingesting that observable:

  • Does not create a new observable.

  • Adds a relationship between the existing observable and the new entity you've created.

  • Does not overwrite existing relationships with other entities on the platform.

However, if (a) the observable already exists on the platform, but (b) the observable you want to ingest is set to a different type than the observable that already exists on the platform, then a new observable is created.

That observable:

  • Shares the same name as the existing observable on the platform.

  • Inherits the new type.

  • Maintains its own relationships. It does not share the same relationships as the existing observable on the platform.

For example, we may ingest the observable 61.204.119.188 as a URI, but find that we have an IPv4 observable also named 61.204.119.188 that already exists on the platform. After ingesting the new observable, we have two observables on the platform that share the same name, but are assigned different types and have different sets of relationships.

images/download/attachments/82475554/observables-existing-different-type-ip.png

Existing entities

The browser extension:

  • Does not check if an entity already exists.

  • Does not overwrite entities that already exists on the platform.

When adding creating an entity using the browser extension, you should:

  • Search the platform for similar entities.

  • If the entity you want to create already exists, find a different and meaningful way to describe the group of observables you want to add with the browser extension.

All entities on the platform are assigned a UUID (Universally Unique Identifier). So, entities added through the browser extension are treated as new and unique, even if they are otherwise identical to an existing entity on the platform.

In the image below, we have two identical entities that the platform treats as distinct:

images/download/attachments/82475554/entities-duplicate-ip.png