Observables are discrete pieces of information that represent properties, attributes, actions, and events.
They record a distinct piece of information, such as an IP address, a hash, or the name of a country, city, organization, or individual; or an event, such as the creation of a registry value or the deletion or modification of a file.
They are atomic: the information they hold is complete and meaningful, but it cannot be split into smaller components without losing meaning and intelligence value.
They are factual: they record facts with no additional context or background.
You can relate observables with entities to provide context.
If observables are detected in a specific context, or if they are sighted within the organization, they become indicators and sightings, respectively.
In the Create threat actor view, go to the Observables section, and click Observable.
The Add observable pane opens.
From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.
From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.
Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
This information provides additional context, and it helps you understand how a specific resource is used, or the purpose it serves for a potential attacker.
For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.
Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.
Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
The supported entity-observable relationship link name for the threat actor entity is Identity. This provides information that helps detect and identify the threat actor.
You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:
In the top navigation bar, click Intelligence > All intelligence, and click Browse.
Click the Observables tab.
If the section is populated with observables, each observable row has a Link name column.
Click the Link name drop-down menu for the observable whose relationship link name you want to update, and then select one of the available options.
If the Link name drop-down menu has no options, the selected entity-observable relationship is undefined.
In the Value(s) field, enter the value of the observable.
The value and its format should match the specified observable type (kind).
If you specify multiple values, enter one value per line.
If you enter multiple values on one line, use a comma (,) as a separator.
Example: 126.96.36.199, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.
From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood that the potential threat damages the organization.
This option corresponds to the value that is set under Confidence in observable rules.
To store your changes, click Save; to discard them, click Cancel.
When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.
You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.
For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.
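As an added example, not the platform's own code, the following Python splits a Value(s) field the way the documentation describes (one value per line, or several on one line separated by commas), checks each value against the observable type it was entered under, and collapses email observables into the sender domains a mail server rule would block. The type names ("ipv4", "domain", "email") and the validators are this example's assumptions, and the sample field is constructed from the values quoted on the page.

```python
import ipaddress
import re
from typing import List, Tuple

# Added example (not the platform's own code). Type names and validators
# are assumptions; the platform's real observable types may differ.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$", re.IGNORECASE)
_EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def split_values(field: str) -> List[str]:
    """One value per line; several values on one line are comma-separated."""
    values = []
    for line in field.splitlines():
        for part in line.split(","):
            part = part.strip()
            if part:
                values.append(part)
    return values


def matches_type(kind: str, value: str) -> bool:
    """True if the value's format fits the selected observable type."""
    if kind == "ipv4":
        try:
            return ipaddress.IPv4Address(value) is not None
        except ValueError:  # also catches AddressValueError
            return False
    if kind == "domain":
        return _DOMAIN_RE.match(value) is not None
    if kind == "email":
        m = _EMAIL_RE.match(value)
        return m is not None and _DOMAIN_RE.match(m.group(1)) is not None
    raise ValueError(f"unsupported observable type: {kind}")


def validate_field(kind: str, field: str) -> Tuple[List[str], List[str]]:
    """Split the field and partition its values into (accepted, rejected)."""
    accepted, rejected = [], []
    for value in split_values(field):
        (accepted if matches_type(kind, value) else rejected).append(value)
    return accepted, rejected


def sender_domains_to_block(emails: List[str]) -> List[str]:
    """Collapse email observables into the distinct sender domains to block."""
    return sorted({e.rsplit("@", 1)[1].lower() for e in emails})


# Constructed sample: the mixed values the documentation lists, entered under
# type "ipv4", so only the IP address is accepted (local part is made up).
SAMPLE_FIELD = "126.96.36.199, ipwnu.biz, Kansas City\nalerts@honestpaul-superdeals.com"
```

Entering the same field under type "email" instead accepts only the last value, which is the check that keeps a value's format in line with the selected type.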