Set observable filters for outgoing feeds

Filter observables for inclusion in the published feed content by type, maliciousness confidence level, relationship, and specific enrichment sources.

Observable filters work independently of each other: there is no explicit or implicit Boolean AND or OR that joins multiple filters into a serial pipeline.

To include in the outgoing feed content observables matching specific maliciousness confidence levels:

  • From the Allowed observable states drop-down menu, select one or more observable states to include in the outgoing feed content only entities whose observable states match at least one of the selections defined here.

To include in the outgoing feed content observables matching specific link names defining the type of relationship between observables and entities:

  • From the Include only observables with link names drop-down menu, select one or more link name options to include in the outgoing feed content only observables with the specified link name value(s) describing specific types of relationship between observables and their parent entities.

    Named relationships add intelligence value by describing how entities and observables are related. This information provides additional context, and it helps you understand how a specific resource is used, or the purpose it serves for a potential attacker.

    For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent exploit target entity.

    Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.

    This filter option does not apply to enrichment observables.

  • To also include observables without a link name in the outgoing feed content, select the Include observables without a link name checkbox.

    These observables may or may not have relationships with other entities or other observables; where such relationships exist, they are undefined, so these observables have lower intelligence value than link-named ones.

    This filtering applies to bundled observables, that is, to observables that are included inside entities. It does not apply to enrichment observables.

To include in the outgoing feed content observables matching specific types:

  • From the Observable types drop-down menu, select one or more observable types to include in the outgoing feed content only entities with observables whose types match at least one of the selections defined here.

To include in the outgoing feed content enrichment observables matching specific types:

  • From the Enrichment observable types drop-down menu, select one or more enrichment observable types to include in the outgoing feed content only entities with enrichment observables whose types match at least one of the selections defined here.

To exclude from the outgoing feed content enrichment observables ingested from specific enrichment data sources:

  • From the Exclude enrichments from the following sources drop-down menu, select one or more enrichment sources whose enrichment data you do not want to include in the outgoing feed content.

    Based on your selection, the outgoing feed excludes from publication any data related to the specified enrichment sources.

    This option enables selective publishing, so that you can share meaningful information while withholding any sensitive enrichment data not meant for redistribution, or adjust the publishing options of the outgoing feed to match the subscription and licensing terms of specific enrichers.

To exclude from the outgoing feed content any entities with invalid or malformed STIX:

  • Select the Exclude invalid STIX checkbox to apply stricter STIX validation checks to the feed content, before packaging it for dissemination.

    Entities with invalid or malformed STIX are not packaged. The outgoing feed publishes packages containing only valid STIX entities.

    If you enable this option, rejected entities are logged with the message: dropped invalid entity.

To save changes to the outgoing feed configuration:

  • To store your changes, click Save; to discard them, click Cancel.
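The following is an added illustrative model of the filters described on this page, written for this edit and not the platform's own code. It assumes simple entity and observable records, treats an empty selection as "filter not configured", and evaluates each filter on its own against the entity, which is how the independence of the filters is read here; the link-name filter is applied per bundled observable and never to enrichment observables, and an invalid entity yields the documented log message.

```python
# Added model of outgoing-feed observable filters (assumption: not platform code).
from dataclasses import dataclass, field
from typing import Optional, List, Set, Dict

@dataclass
class Observable:
    type: str                    # e.g. "cve", "ipv4"
    state: str                   # maliciousness confidence, e.g. "malicious-high"
    link_name: Optional[str] = None   # relationship to the parent entity, if any

@dataclass
class Enrichment:
    type: str
    source: str                  # enricher that produced it

@dataclass
class Entity:
    name: str
    observables: List[Observable]     # bundled observables
    enrichments: List[Enrichment]     # enrichment observables
    valid_stix: bool = True

@dataclass
class FeedFilters:               # mirrors the drop-downs/checkboxes above
    allowed_states: Set[str] = field(default_factory=set)
    link_names: Set[str] = field(default_factory=set)
    include_unlinked: bool = False
    observable_types: Set[str] = field(default_factory=set)
    enrichment_types: Set[str] = field(default_factory=set)
    excluded_sources: Set[str] = field(default_factory=set)
    exclude_invalid_stix: bool = False

def verdicts(e: Entity, f: FeedFilters) -> Dict[str, bool]:
    """Entity-level filters, each judged on its own (empty selection = pass)."""
    return {
        "states": not f.allowed_states or any(o.state in f.allowed_states for o in e.observables),
        "types": not f.observable_types or any(o.type in f.observable_types for o in e.observables),
        "enrichment_types": not f.enrichment_types or any(x.type in f.enrichment_types for x in e.enrichments),
        "valid_stix": e.valid_stix or not f.exclude_invalid_stix,
    }

def linked_observables(e: Entity, f: FeedFilters) -> List[Observable]:
    """Link-name filter: per bundled observable; enrichments are never touched."""
    if not f.link_names:             # assumption: no selection means no restriction
        return list(e.observables)
    return [o for o in e.observables
            if o.link_name in f.link_names or (o.link_name is None and f.include_unlinked)]

def published_enrichments(e: Entity, f: FeedFilters) -> List[Enrichment]:
    """Withhold enrichment data from sources selected for exclusion."""
    return [x for x in e.enrichments if x.source not in f.excluded_sources]

def log_line(e: Entity, f: FeedFilters) -> Optional[str]:
    """Message logged for an entity rejected by the stricter STIX check."""
    return "dropped invalid entity" if f.exclude_invalid_stix and not e.valid_stix else None
```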