About observables#
Observables are discrete pieces of information that represent properties, attributes, actions, and events.
Observables:
record a distinct piece of information, for example an IP address, a file hash, or the name of a country. See Observable types.
are basic, factual units: they carry no context of their own beyond their type and value.
Entities provide context for observables#
Observables contain only a limited amount of information on their own.
They inherit context from the entities they are linked or related to.
In addition, they inherit the following properties from the entities they are linked or related to:
Source
Permissions for access (You control this with Allowed sources in groups)
When you manually create observables, they are not associated with a visible entity, and can only be accessed through Search > Go to search and browse > Observables.
If observables are detected in a specific context, you may want to create entities from those observables so that the context is captured.
Observable types#
Available observable types:
"actor-id",
"address",
"asn",
"bank-account",
"card",
"card-owner",
"cce",
"city",
"company",
"country",
"country-code",
"cve",
"cwe",
"domain",
"email",
"email-subject",
"eui-64",
"file",
"forum-name",
"forum-room",
"forum-thread",
"fox-it-portal-uri",
"geo",
"geo-lat",
"geo-long",
"handle",
"hash-authentihash",
"hash-imphash",
"hash-md5",
"hash-rich-pe-header",
"hash-sha1",
"hash-sha256",
"hash-sha512",
"hash-ssdeep",
"hash-vhash",
"host",
"industry",
"inetnum",
"ipv4",
"ipv4-cidr",
"ipv6",
"ipv6-cidr",
"ja3-full",
"ja3-hash",
"ja3s-full",
"ja3s-hash",
"mac-48",
"malware",
"mutex",
"name",
"nationality",
"netname",
"organization",
"person",
"port",
"postcode",
"process",
"product",
"registrar",
"rule",
"snort",
"street",
"telephone",
"uri",
"uri-hash-sha256",
"winregistry",
"yara",
Observable types only from ingestion
These observable types can only be set on observables ingested through incoming feeds or manually uploaded files; you cannot assign them when creating an observable manually:
"cce",
"cve",
"cwe",
"rule",
"snort",
"yara",
Observables extracted from unstructured text#
By default, entities ingested through Incoming feeds or from manually uploaded files are automatically processed to create observables from the unstructured intelligence (free text) in those entities.
Observables created this way do not have link names. See Link names for observables extracted from unstructured text.
To disable this extraction, select Skip extraction of observables from unstructured text when setting up an incoming feed or when manually uploading files for ingestion.
Note
Entities ingested from feeds or manually uploaded files that use the EclecticIQ JSON content type always skip extraction of observables from unstructured text, regardless of this setting.
Tip
Setting up observable rules allows you to restrict the observables that you ingest this way.
EclecticIQ Intelligence Center ships with default observable rules that you can enable.
Note
CybOX content is processed as both structured and unstructured data. When Skip extraction of observables from unstructured text is not selected, EclecticIQ Intelligence Center also extracts observables from the text of the CybOX XML. This can produce more than one observable with the same value and path.
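The extraction behaviour described in this section, and the duplicate that structured-plus-unstructured processing can produce, as an added illustrative example. This is not EclecticIQ's code: the entity layout, the regexes (which cover only a few of the observable types listed above), and the RFC 1918 "observable rule" are all assumptions made here to show the mechanics. The sample entity is constructed for the example.

```python
# Illustrative extractor, constructed for this page; not EclecticIQ code.
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Observable:
    type: str   # an observable type name from the list above
    value: str
    path: str   # the entity field the value was taken from


# Assumed regexes for a handful of the observable types listed above.
# Order matters: an earlier pattern claims its span, so "10.0.0.0/8" is one
# ipv4-cidr rather than an ipv4 plus a stray "/8", and the domain part of an
# email address is not reported as a separate domain observable.
PATTERNS = [
    ("hash-sha256", re.compile(r"\b[a-f0-9]{64}\b", re.I)),
    ("hash-sha1", re.compile(r"\b[a-f0-9]{40}\b", re.I)),
    ("hash-md5", re.compile(r"\b[a-f0-9]{32}\b", re.I)),
    ("ipv4-cidr", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_from_text(text, path):
    """Extract observables from unstructured text; earlier patterns win on overlap."""
    found, claimed = [], []
    for obs_type, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if any(m.start() < end and start < m.end() for start, end in claimed):
                continue
            value = m.group(0).lower()
            if obs_type.startswith("ipv4"):
                try:                      # reject regex hits such as 999.1.1.1
                    ipaddress.ip_network(value, strict=False)
                except ValueError:
                    continue
            claimed.append((m.start(), m.end()))
            found.append(Observable(obs_type, value, path))
    return found


def extract(entity, skip_unstructured=False):
    """Structured fields are taken as declared; text fields are scanned unless skipped."""
    found = [Observable(t, v.lower(), p) for t, v, p in entity["structured"]]
    if not skip_unstructured:
        for path, text in entity["text"].items():
            found.extend(extract_from_text(text, path))
    return found


def dedupe(observables):
    """Drop repeats with the same type, value and path, keeping the first occurrence."""
    seen, out = set(), []
    for obs in observables:
        if obs not in seen:
            seen.add(obs)
            out.append(obs)
    return out


# Hypothetical observable rule: ignore RFC 1918 addresses and ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(obs):
    if obs.type not in ("ipv4", "ipv4-cidr"):
        return False
    net = ipaddress.ip_network(obs.value, strict=False)
    return any(net.overlaps(private) for private in RFC1918)


def apply_rules(observables, ignore_rules):
    return [o for o in observables if not any(rule(o) for rule in ignore_rules)]


# Constructed sample entity: one declared (structured) address whose raw XML is
# also available as text (the CybOX case above), plus a free-text description.
SAMPLE_ENTITY = {
    "structured": [("ipv4", "203.0.113.10", "observable.address")],
    "text": {
        "observable.address": "<AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>",
        "description": (
            "Beacons to 203.0.113.10 from 10.0.0.0/8. Dropper sha256 "
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef; "
            "contact bob@evil.example or evil.example."
        ),
    },
}

if __name__ == "__main__":
    raw = extract(SAMPLE_ENTITY)
    print(len(raw), "raw observables; the declared address appears twice with the same path")
    for obs in apply_rules(dedupe(raw), [is_rfc1918]):
        print(f"{obs.type:12} {obs.value:66} {obs.path}")
```

Running it with the skip flag set returns only the one declared observable; without it, the address declared in the structured field is extracted a second time from the XML text with the same value and path, which is exactly the duplicate the note above warns about, and which a de-duplication step on (type, value, path) removes. The address that also appears in the description survives as a separate observable because its path differs.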