Create an indicator from an observable
During an analysis, you may find out that an observable gains weight in the form of relevant contextual information that expands its intelligence value beyond the record of a discrete piece of information such as an IP address, a hash value, or a threat actor’s name.
Therefore, you may want to consolidate, organize, and integrate this information in a consistent way. For example, by creating an indicator.
You can create an indicator from an observable in one of the following ways:
In the Observables view
In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Observables.
Click the menu icon in the row corresponding to the observable you want to convert to an indicator.
From the drop-down menu select Create indicator.
The entity editor opens on Create indicator, and you can start populating the input fields with details about the indicator you are creating:
In the Observables detail pane
In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Observables.
Click anywhere in the row corresponding to the observable you want to convert to an indicator.
In the observable detail pane, click the menu icon .
From the drop-down menu select Create indicator
The entity editor opens on Create indicator, and you can start populating the input fields with details about the indicator you are creating:
In the Observables tab on the entity detail pane
Open the entity detail pane of the entity related to the observable you want to convert to an indicator.
In the entity detail pane, click the Observables tab.
In the Observables tab, click the menu icon .
From the drop-down menu select Create indicator
The entity editor opens on Create indicator, and you can start populating the input fields with details about the indicator you are creating:
Bulk action on multiple observables
You can also select multiple observables, and then you can convert them to indicators at once:
Browse to the Observables view or open the Observables tab in the entity detail pane of the entity whose observables you want to convert to indicators.
Select the checkboxes corresponding to the observables you want to convert to indicators.
Click the menu icon above the table header, and from the drop-down menu select Create indicator.
The entity editor opens on Create indicator, and you can start populating the input fields with details about the indicator you are creating: