Add observables to reports

To add observables to reports, do the following:

  1. In the Observables section, click Observable.
    The Add observable pane opens.

  2. From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
    For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.

  3. From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.

    Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
    This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
    For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.

    Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.

    Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
    The supported entity-observable relationship link name for the report entity is the Observable related to the report.
    You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:

    1. In the top navigation bar, click Intelligence > All intelligence, and click Browse.

    2. Click the Observables tab.

    3. If the section is populated with observables, each of them has a Link name column.

    4. Click the Link name drop-down menu for the observable whose relationship link name you want to update, and then select one of the available options.
      If the Link name drop-down menu has no options, the selected the entity-observable relationship is undefined.

  4. In the Value(s) field, enter the value of the observable.
    The value and its format should match the specified observable type (kind).
    If you specify multiple values, enter one value per line.
    If you enter multiple values on one line, use a comma (,) as a separator.
    Example:,, Kansas City, [email protected], Alvin Slocombe.

  5. From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood the potential threat may or may not damage the organization.
    This option corresponds to the value that is set under Confidence in observable rules.

  6. To store your changes, click Save; to discard them, click Cancel.

When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.

You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.

For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the email domain.