View matching observables

Observables that match a rule criteria are displayed as observable relationships.

If an observable rule returns matches, they are displayed in the Matches tab of the observable rule detail pane.
The displayed matches are observable relationships linking observables.

If the designated Action an observable rule applies is Ignore, the Intelligence Center does not execute any actions on the matching observables.

For example, if you want to delete an observable that is flagged to be ignored, you must initiate the deletion action manually.
It is advisable to review the specified observables before deleting them.
You can do so in the Matches tab of the observable rule detail pane.

To view observable matches for a rule:

  1. In the left navigation bar, go to Data configuration images/download/attachments/86440871/robot.svg-x24.png > Rules > Observable.

  2. In the Observable view, click anywhere in the row corresponding to the rule whose matches you want to view.

  3. In the to rule detail pane, click the Matches tab.

The Matches tab shows observables that match the rule criteria:

  • Kind: the matching observable data type.
    For example: domain.

  • Value: the corresponding observable data value.
    For example: www.iphishyourdata.biz.

In this tab you can carry out actions.
For example:

  • To view a list of all the entities that share an observable, click the desired observable name in the detail pane.

  • To refresh the view, click the refresh icon in the upper-right portion of the pane.

  • To edit, disable or delete the rule, or to delete all matching observables when the designated Action an observable rule applies is Ignore, click the menu icon , and from the drop-down menu select the corresponding option.