Ignore observables

You can ignore observables on EclecticIQ Intelligence Center to prevent observables with a given type and value from being ingested.

Do this to reduce false positives and noise in your datasets.

Ignore with observable rule

See Create observable rules.

Delete and ignore

Delete and ignore an observable to:

  • remove that observable from EclecticIQ Intelligence Center, and

  • prevent EclecticIQ Intelligence Center from subsequently ingesting or extracting new observables with the same type and value.

Tip

Delete and ignore performs a “soft delete” on an observable. This:

  • Prevents the observable from being displayed on IC,

  • but leaves records in PostgreSQL and Elasticsearch.

You can filter records to look for ones with the field meta.blacklisted. See About search for more information.

To do this:

From Browse

  1. From the left navigation, select Search > Go to search and browse and then select the Observables tab.

  2. Locate the observable you want to remove.

  3. On the right of that observable, select More > Delete and ignore.

    Figure: Delete and ignore from Browse. Select Delete and ignore from the menu.

From entity builder

  1. Select an observable from anywhere to open it.

  2. Select More > Delete and ignore.

    Figure: Delete and ignore from entity builder. Select Delete and ignore from the menu.