Review enrichment observables#
To view enrichment information on the entity detail pane:
In the left navigation bar, go to one of the following:
Select an entity to open the corresponding detail pane.
In the entity detail pane, click Observables.
The Observables tab shows an overview of the enrichment observables the entity has been augmented with.
To view enrichment information on the entity detail pane:
In the left navigation bar, go to Search > GO TO SEARCH AND BROWSE > Browse > Entities.
Select an entity to open the corresponding detail pane.
In the entity detail pane, click Observables.
The Observables tab shows an overview of the enrichment observables the entity has been augmented with.
To view enrichment data and their connections with other entities and observables in the graph:
In the row of the observable you want to load in the graph, click the actions menu , and select Add to graph.
To load the parent entity whose detail pane you are viewing, instead of its observables, in the top-right corner click the actions menu , and select Add to graph.
Click the graph thumbnail on the lower side of the screen to expand it.
In the graph, right-click the entity you want to inspect.
From the Context menu, select Load entities > All, Load observables > All.
Or, select Load entities, click Load entities by extract > All.
Right-click an extract or an entity for further inspection.
From the Context menu, select Load entities > All, Load observables > All.
Alternatively:
Select Load entities > Load entities by extract > All.
To view enrichment data and their connections with other entities and observables in the graph:
In the graph, right-click the entity you want to inspect.
From the Context menu, select Load entities > All, Load observables > All.
Or, select Load entities, click Load entities by extract > All.
Right-click an extract or an entity for further inspection.
From the Context menu, select Load entities > All, Load observables > All.
Alternatively:
Select Load entities > Load entities by extract > All.
To see how entities, observables and enrichment observables are connected, and to inspect relationships between distant items:
CTRL + click two nodes on the graph to select them.
Right-click either selected node, and from the context menu, select Find path to query the graph database about the existence of a path between the nodes, or Show path to highlight as an existing path on the graph.
If a path exists, the selected nodes and all the intermediate ones are highlighted on the graph to show the path that links them.
Search for enrichment observables#
You can use the search box to look for enrichment observables.
You can find the search box on the sidebar:
Quick search: hover over the magnifier and enter search queries. Click the search icon to run the search.
Specific search: click the search icon , and enter search terms and search queries.
Click ENTER or click the search icon to run the search.
Searches you run through this search box are executed platform-wide.
The search functionality uses Elasticsearch query syntax.
To access a cheatsheet with search examples using entity types, filters, and for help with the search syntax, click Help to display thematic drop-down lists with common search queries:
Filters: examples of quick search filters.
Help: examples of Boolean, wildcards, and tag search usage.
Entities: examples of searchable entity types.
About wildcards#
Currently supported wildcards:
*
and?
Escape character:
\
Avoid starting a wildcard query term with
*
or?
, as it may result in an extremely slow-running query.Search and rules use literal values and regex patterns to look for matching values assigned to the corresponding JSON path fields.
About complex searches#
Besides full text search, you can use Boolean operators and wildcards.
You can combine these filtering options to create more refined searches.
Use operators to combine multiple quick filters and create a more complex search query.
Search example:
enrichment_extracts.meta.blacklisted:true AND enrichment_extracts.kind:hash-md5
Search result example:
{
"instance_meta":{
"classification":"bad",
"confidence":"low",
"blacklisted":true
},
"id":123456,
"value":"7cd7ekhc5f5742fdccf655767b15h7g78",
"meta":{
"classification":"bad",
"confidence":"low",
"blacklisted":true
},
"kind":"hash-md5",
"instance_id":123456
}
Field |
Description |
Example |
---|---|---|
|
string The alphanumeric ID string that uniquely identifies the enrichment observable. |
|
|
string The enrichment observable data type. |
|
|
Boolean An observable is blacklisted when it is included in the results returned by an ignore extraction rule. Allowed values:
|
|
|
string This value is defined in Rules by selecting appropriate options under Action and Confidence. Allowed classification metadata values:
|
|
|
string This value is defined in Rules by selecting the appropriate option under Action and Confidence. The selected action must be Mark as malicious for the Confidence drop-down list to become available. Allowed confidence metadata values:
|
|
|
string The actual value of the enrichment observable, based on the enrichment observable data type. |
|
For reference, in Kibana you can look up a list of all available Elasticsearch index fields:
To access Kibana, in the web browser address bar append
/private/kibana/app/kibana#
to the platform base URL.Example:
https://${platform_host_name}/private/kibana/app/kibana#
In the side navigation bar click Management.
The default tab view is Index patterns.
In the Index patterns tab, click stix on the index list under Create Index Pattern.
The resulting view lists every field in the stix index along with the field type, as recorded in Elasticsearch.
Use the Filter field to look for specific index fields.
If the index pattern list is empty, no index patterns have been defined in Kibana, yet.
You can proceed to define index patterns as necessary.
After looking up an index field, you can search for specific values or data patterns:
In the , click Discover.
From the drop-down menu, select the stix index field.
In the search field, you can run queries on index fields by specifying literals, wildcards, ranges, and Boolean operators using the Lucene query syntax.