Observable rule example

This example guides you through the creation of an observable rule that zeroes in on IPv4 address observables.
The rule returns the IP address observables included in sightings.

The rule criteria are:

  • Entity types: sightings

  • Observable types: ipv4

  • Paths: related_extracts.value

  • Value matches: (.+.)*abc.com
    In this pattern the dots are regex wildcards that match any character, so `abc.com` also matches `abcXcom`; use `\.` when a literal dot is intended.

  • Source: none.
    In this example, the rule applies to all valid, configured data sources for the platform.

The specified path, related_extracts.value, resolves to the ipv4 values in the second and third elements of the following array:

{
"data":{
"related_extracts":[
{
"kind":"domain",
"value":"robohelptesting.biz"
},
{
"kind":"ipv4",
"value":"195.22.28.199"
},
{
"kind":"ipv4",
"value":"188.200.164.50"
}
]
}
}

The array holds the observables related to the sighting. The full sighting entity has a JSON structure similar to the one in the following example:

{
"alternative_versions":[
 
],
"attachments":[
 
],
"created_at":"2016-06-03T10:20:21.515918+00:00",
"created_by":null,
"data":{
"confidence":{
"type":"confidence",
"value":"High"
},
"description":"Sinowal trojan identified to inform robohelptesting.biz|195.22.28.199 from 188.200.164.50",
"impact":"High",
"raw_events":"{\"trojanfamily\": \"Sinowal\", \"_geo_env_server_addr\": {\"postal_code\": \"1300-125\", \"latitude\": 38.7167, \"region_code\": \"14\", \"longitude\": -9.1333, \"path\": \"env.server_addr\", \"asn_name\": \"ClaraNET LTD\", \"asn\": 8426, \"region\": \"Lisboa\", \"country_code\": \"PT\", \"netmask\": 24, \"city\": \"Lisbon\", \"country_name\": \"Portugal\", \"ip\": \"195.22.28.199\"}, \"_geo_env_remote_addr\": {\"postal_code\": \"3430\", \"latitude\": 52.0148, \"region_code\": \"09\", \"longitude\": 5.1004, \"path\": \"env.remote_addr\", \"asn_name\": \"KPN B.V.\", \"asn\": 1136, \"region\": \"Utrecht\", \"country_code\": \"NL\", \"netmask\": 24, \"city\": \"Nieuwegein\", \"country_name\": \"Netherlands\", \"ip\": \"188.200.164.50\"}, \"env\": {\"server_name\": \"robohelptesting.biz\", \"remote_port\": \"3805\", \"remote_addr\": \"188.200.164.50\", \"request_method\": \"POST\", \"server_addr\": \"195.22.28.199\", \"path_info\": \"/search2\", \"server_port\": \"80\"}, \"args\": \"fr=altavista&itag=ody&q=ca8584331d1264912bd2e298c38eb88b%2Cdcd5701fc75f672e%2C6AS2Me0aD0dEag3aS0hI7h42&kgs=1&kls=0\", \"_ts\": 1464949055, \"_origin\": \"banktrojan\", \"sd\": 1}",
"related_extracts":[
{
"kind":"domain",
"value":"robohelptesting.biz"
},
{
"kind":"ipv4",
"value":"195.22.28.199"
},
{
"kind":"ipv4",
"value":"188.200.164.50"
}
],
"title":"Sighting robohelptesting.biz",
"type":"eclecticiq-sighting"
},
"destinations":[
 
],
"exposure":{
"affected":true,
"affected_override":null,
"community_feed":false,
"detect_feed":false,
"detect_ok":false,
"detect_override":null,
"exposed":true,
"prevent_feed":false,
"prevent_ok":false,
"prevent_override":null,
"sighted":true
},
"group_id":"1632265a-ac31-49a6-9dd2-3127dcc3a39e",
"id":"00000b8e-8b59-49b3-b04e-d3ddf540a516",
"incoming_stix_relations":[
 
],
"intel_sets":[
 
],
"last_updated_at":"2016-06-03T10:20:21.515918+00:00",
"meta":{
"blob":3586667,
"estimated_observed_time":"2016-06-03T10:17:35",
"estimated_threat_start_time":"2016-06-03T10:17:35",
"incoming_feed":237,
"ingest_time":"2016-06-03T10:20:21.590912+00:00",
"source":"822a4302-0115-42bf-922d-e23ba01fb9c6",
"source_name":"Anubis",
"source_type":"incoming_feed",
"title":"Sighting robohelptesting.biz"
},
"outgoing_stix_relations":[
{
"alternative_versions":[
 
],
"attachments":[
 
],
"created_at":"2016-06-03T10:20:21.768998+00:00",
"created_by":null,
"data":{
"key":"indicators",
"source":"00000b8e-8b59-49b3-b04e-d3ddf540a516",
"source_type":"eclecticiq-sighting",
"target":"952c4de5-9abe-4904-9211-9c694d775046",
"target_type":"indicator",
"type":"relation"
},
"destinations":[
 
],
"exposure":{
"affected":false,
"affected_override":null,
"community_feed":false,
"detect_feed":false,
"detect_ok":false,
"detect_override":null,
"exposed":true,
"prevent_feed":false,
"prevent_ok":false,
"prevent_override":null,
"sighted":false
},
"group_id":"1632265a-ac31-49a6-9dd2-3127dcc3a39e",
"id":"a0040965-b3d7-4c91-b247-8d9a5d3d614b",
"intel_sets":[
 
],
"last_updated_at":"2016-06-03T10:20:21.768998+00:00",
"meta":{
"blob":3586667,
"incoming_feed":237,
"source":"822a4302-0115-42bf-922d-e23ba01fb9c6",
"source_name":"Anubis",
"source_type":"incoming_feed"
},
"relevancy":1,
"source":"822a4302-0115-42bf-922d-e23ba01fb9c6",
"workspaces":[
 
],
"workspaces_public":[
 
]
}
],
"relevancy":1,
"source":"822a4302-0115-42bf-922d-e23ba01fb9c6",
"type":"entities",
"workspaces":[
 
],
"workspaces_public":[
 
]
}