Manually add observables
Observables are discrete pieces of information that represent properties, attributes, actions, and events.
They record a distinct piece of information, such as: an IP address, a hash, name of a country, name of a city, name of an organization, or the name of an individual; or an event such as the creation of a registry value, or a file deletion or modification.
They are atomic: the information they hold is complete and meaningful, but it cannot be split into smaller components without losing meaning and intelligence value.
They are factual: they record facts with no additional context or background.
You can relate observables with entities to provide context.
If observables are detected in a specific context, or if they are sighted within the organization, they become indicators and sightings, respectively.
In the Create threat actor view, go to the Observables section, and click Observable.
The Add observable pane opens.From the Type drop-down menu, select an observable type that describes the type of information you are storing in the observable.
For example, a bank account number, a payment card number, an IP address, a domain name, a country or city name, and so on.From the Link name drop-down menu, select an option to define the type of relationship existing between the observable and the parent entity.
Setting link names to define relationships adds intelligence value by describing how entities and observables are related.
This information provides additional context, and it helps understand how a specific resource is used, or the purpose it serves for a potential attacker.
For example, it can clarify that an observable describes a vulnerability or a weakness related to its parent entity.Therefore, observables with a Link name value are in general more relevant and more valuable than observables without a Link name value.
Link name options vary, based on the relationship the observable has with the specific entity type it belongs to.
The supported entity-observable relationship link name for the threat actor entity is Identity. This provides information that helps detect and identify the threat actor.
You can modify and update the link name value at any time to reflect changes in the entity-observable relationship:In the top navigation bar, click Intelligence > All intelligence, and click Browse.
Click the Observables tab.
If the section is populated with observables, each of them has a Link name column.
Click the Link name drop-down menu for the observable whose relationship link name you want to update, and then select one of the available options.
If the Link name drop-down menu has no options, the selected the entity-observable relationship is undefined.
In the Value(s) field, enter the value of the observable.
The value and its format should match the specified observable type (kind).
If you specify multiple values, enter one value per line.
If you enter multiple values on one line, use a comma (,) as a separator.
Example: 75.23.125.231, ipwnu.biz, Kansas City, [email protected], Alvin Slocombe.From the Maliciousness drop-down menu, select a maliciousness confidence level to assess the likelihood the potential threat may or may not damage the organization.
This option corresponds to the value that is set under Confidence in observable rules.To store your changes, click Save; to discard them, click Cancel.
When you flag an observable with a maliciousness confidence level, it cannot transition back to being safe or irrelevant. It can only transition to a higher maliciousness confidence level.
You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.
For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.
Link name labels vary based on the relationship the observable has with the specific entity type it belongs to.
Course of action link names
If the entity type is course of action:
Parameter: it is the only link name option available for entities.
It enables defining specific technical parameters, settings, and configurations related to the using the CybOX Language.You can set parameters for a course of action to define automated courses of action designed to to carry out follow-up actions. It can be a detection follow-up; for example, it can trigger adjusting the settings of a malware detection application accordingly. It can be a prevention follow-up; for example, it can instrument a third-party system to block a range of malicious IP addresses or domain names. Or it can produce a community follow-up; for example, creating and publishing a report to notify other parties about the possible threat the entity represents.
Exploit target link names
If the entity type is exploit target:
Affected: describes an affected, impacted resource.
Configuration: enter the Common Configuration Enumeration (CCE) code defining a specific security system configuration issue, as well as the related configuration guidance statement containing preferred or required settings or policies for the system configuration it refers to.
Example: CCE-5770-3Vulnerability: enter the Common Vulnerabilities and exposures (CVE) identifier to reference the security threat.
Example: CVE-2017-6394 on CVE or CVE-2017-6394 on NVD.Weakness: enter the Common Weakness Enumeration (CWE) identifier to reference the software security weakness.
Example: CWE-319, CWE-642.
Incident link names
If the entity type is incident:
Affected asset: defines an affected, impacted resource or asset type.
Related: holds one or more observables that are related to this one.
Indicator link names
If the entity type is indicator:
Observable: the observable related to the entity is an embedded CybOX observable object.
It has been detected outside the organization.Sighted: the observable related to the entity is an embedded CybOX observable object.
At least one specific occurrence of the observable related to the entity has been detected, that is, sighted, inside the organization.Test mechanism: a test mechanism enables the Intelligence Center to share entity information with external tools and systems.
In particular, it is useful to send information to an IDS/HIDS/NIDS to test it against a tool-specific rule.
For example, an observable with a Test mechanism link name can trigger follow-up actions in external systems:Rule: generic test mechanism to interact with a generic system supporting plain text format as an input.
Snort: Snort test mechanism.
You can include the observable in an outgoing feed to a Snort instance
The Snort rules in the indicator are used to look for matching patterns in the Snort logs.
You can configure Snort so that matching hits trigger a follow-up action.
For example, creating a sighting or adding a malicious entry to a blocklist.YARA: YARA test mechanism.
You can include the observable in an outgoing feed to a YARA instance.
YARA uses the rules in the indicator to look for matching patterns in the target files or locations you specify in YARA.
You can feed indicators from the Intelligence Center to YARA to look for, identify, and classify malware samples.
TTP link names
If the entity type is TTP:
Malicious infrastructure: describes a component of the infrastructure — gear, equipment, tools, software and hardware, services — used to carry out the malicious activities described in the TTP.
Targeted victim: describes a component of the targeted victim’s assets and resources.
Report link names
If the entity type is report:
Observable: the observable related to the entity was detected outside the organization.
It represents a potential threat that may or may not impact your organization.
Threat actor link names
If the entity type is threat actor:
Identity: holds information that enables identifying the threat actor entity it is related to.
For example, an individual’s first and/or last name, or the denomination of an organization.
Campaign link names
If the entity type is campaign:
N/A. Campaign-related observables do not have link names.
To store your changes, click Save; to discard them, click Cancel.
You can use the specified observable values to set up automation processes, so that the potential threat that the entity represents can trigger an action in a security system or another device in the toolchain.
For example, if the observable Type is Email, the Link name is Parameter, and the Value(s) are [email protected], [email protected], and [email protected], you can create a rule in the email server to block all incoming messages from the honestpaul-superdeals.com email domain.