About observables#

Observables are discrete pieces of information that represent properties, attributes, actions, and events.

Observables:

  • record a distinct piece of information. E.g.: an IP address, a hash, name of a country. See Observable types.

  • are basic, factual units.

Entities provide context for observables#

Observables contain only a limited amount of information.

It inherits context from the entities that they are linked/related to.

In addition, they inherit the following properties from entities they are linked/related to:

  • Source

  • Permissions for access (You control this with Allowed sources in groups)

When you manually create observables, they are not associated with a visible entity, and can only be accessed through Search Search icon > Go to search and browse > Observables.

If observables are detected in a specific context, you may want to create entities from observables.

Observable types#

Available observable types

List observable types
    "actor-id",
    "address",
    "asn",
    "bank-account",
    "card",
    "card-owner",
    "cce",
    "city",
    "company",
    "country",
    "country-code",
    "cve",
    "cwe",
    "domain",
    "email",
    "email-subject",
    "eui-64",
    "file",
    "forum-name",
    "forum-room",
    "forum-thread",
    "fox-it-portal-uri",
    "geo",
    "geo-lat",
    "geo-long",
    "handle",
    "hash-authentihash",
    "hash-imphash",
    "hash-md5",
    "hash-rich-pe-header",
    "hash-sha1",
    "hash-sha256",
    "hash-sha512",
    "hash-ssdeep",
    "hash-vhash",
    "host",
    "industry",
    "inetnum",
    "ipv4",
    "ipv4-cidr",
    "ipv6",
    "ipv6-cidr",
    "ja3-full",
    "ja3-hash",
    "ja3s-full",
    "ja3s-hash",
    "mac-48",
    "malware",
    "mutex",
    "name",
    "nationality",
    "netname",
    "organization",
    "person",
    "port",
    "postcode",
    "process",
    "product",
    "registrar",
    "rule",
    "snort",
    "street",
    "telephone",
    "uri",
    "uri-hash-sha256",
    "winregistry",
    "yara",

Observable types only from ingestion

These observable types can only be set for observables ingested through incoming feeds or manually uploaded files.

List of ingestion-only observable types
    "cce",
    "cve",
    "cwe",
    "rule",
    "snort",
    "yara",

Observables extracted from unstructured text#

By default, entities ingested through Incoming feeds or from manually uploading files are automatically processed to create observables from unstructured intelligence in these entities.

Observables created this way do not have link names. See Link names for observables extracted from unstructured text.

To prevent this, select Skip extraction of observables from unstructured text when setting up incoming feeds or when manually uploading files for ingestion.

Note

Entities ingested from feeds or manually uploaded files that use the EclecticIQ JSON content type always automatically skips extraction of observables from unstructured text.

Tip

Setting up observable rules allow you to restrict the observables that you ingest this way.

EclecticIQ Intelligence Center has default observable rules that you can enable.

Difference between observables from structured data, and observables extracted from unstructured data.

Difference between observables from structured data, and observables extracted from unstructured data.#

Note

CybOX content is processed as both structured and unstructured data. When Skip extraction of observables from unstructured text is not selected, EclecticIQ Intelligence Center also extracts observables from the text of CybOX XML. This can produce more than one observable with the same value and path.