Add observables#
EclecticIQ Intelligence Center uses enrichers to automatically retrieve data that augments an entity's intelligence value by adding more context. These details are stored as discrete pieces of information called observables.
Besides enrichment, you can also manually add observables to entities to augment their intelligence value with additional context.
Manually add observables#
To manually add an observable, do one of the following:
- In the entity detail pane, click the menu icon, and from the drop-down menu select Edit.
- In the entity editor, under Observables, click Observables.
- In the side navigation bar, click the create icon > Observable.
- Search > GO TO SEARCH AND BROWSE > Observables > Create observable +.
In the Add observables view, fill out these fields:
| Field | EIQ JSON field | Description |
|---|---|---|
| Type* | | See Observable types. |
| Value(s)* | | Enter one or more values. One observable is created per value when you select Save. If you enter more than one value, the values must be comma-separated OR you must enter one value per newline. Do not use commas and newlines as value delimiters at the same time. |
| Maliciousness* | | |
| Source* | Set on parent | See Observable wrapper. |
1. From the Type drop-down menu, select the type of observable you are creating.
2. From the drop-down menu, select the appropriate value to correctly describe the type of relationship between the parent entity and the embedded observable.
3. In the Value(s) field, enter the values of the observable. If you enter multiple values, separate them with a comma (`,`).
4. From the Maliciousness drop-down menu, select the maliciousness level.
5. From the Source drop-down menu, select the data source associated with the observable.
6. To store your changes, click Save; to discard them, click Cancel.
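The Value(s) field accepts either comma-separated values or one value per line, but not both, and creates one observable per value. The helper below is an added illustration written for this page, not EclecticIQ code, and it does not reproduce the Intelligence Center's own validation: it applies the documented delimiter rule to a block of text, rejects mixed delimiters, and drops blank and duplicate entries so you can see how many observables a paste would actually create before pressing Save. The sample values are constructed.

```python
"""Split a Value(s) field into individual observable values.

Illustrative helper written for this page; it is not EclecticIQ code and does
not reproduce the Intelligence Center's own validation. It follows the rule the
field description gives: values are separated by commas OR by newlines, never
both at once, and one observable is created per value.
"""
from __future__ import annotations


class MixedDelimiterError(ValueError):
    """Raised when a Value(s) field mixes commas and newlines as delimiters."""


def split_observable_values(raw: str) -> list[str]:
    """Return the distinct, non-empty values in a Value(s) field.

    - Commas and newlines are both accepted as delimiters, but using both in
      the same field is rejected, matching the "do not use commas and newlines
      at the same time" rule.
    - Surrounding whitespace is stripped and empty entries (trailing comma,
      blank line) are dropped.
    - Duplicates are removed while preserving first-seen order, since each
      value would otherwise become its own observable.
    """
    text = raw.replace("\r\n", "\n").strip()
    if not text:
        return []
    has_comma = "," in text
    has_newline = "\n" in text
    if has_comma and has_newline:
        raise MixedDelimiterError(
            "Value(s) mixes commas and newlines; use one delimiter only"
        )
    parts = text.split(",") if has_comma else text.split("\n")
    seen: set[str] = set()
    values: list[str] = []
    for part in parts:
        value = part.strip()
        if value and value not in seen:
            seen.add(value)
            values.append(value)
    return values


def count_observables(raw: str) -> int:
    """Number of observables that Save would create from this field."""
    return len(split_observable_values(raw))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    print(split_observable_values("198.51.100.7, 198.51.100.8,198.51.100.7"))
    print(split_observable_values("example.invalid\nmail.example.invalid\n"))
    try:
        split_observable_values("a.example.invalid, b.example.invalid\nc.example.invalid")
    except MixedDelimiterError as exc:
        print("rejected:", exc)
```

Running the module prints two values for the first input (the duplicate address is collapsed), two for the newline-separated input, and a rejection for the mixed input; the same checks are useful before bulk-pasting indicators into the field.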
Note
These observable types are not available through the UI. They are only created through automatic extraction from entities, or through the REST API.
- cce (Common Configuration Enumeration)
- cve (Common Vulnerability Enumeration)
- cwe (Common Weakness Enumeration)
- rule (generic rule type)
- snort
- yara
(Recommended) Use the following instead:
- Vulnerability entity to represent cce, cve, cwe
- Indicator entities have a test mechanism component that can represent the generic rule type, snort, and yara.
Tip
To create observables with link names, see Observable link types.
Observable wrapper#
Entities provide context and the Source property for observables. However, when you Manually add observables, observables are created without an explicit entity to inherit context or properties from. Instead, an invisible observable-wrapper entity is created to temporarily contain these observables.
The Source assignment you make when manually adding observables is assigned to this observable-wrapper entity, allowing permissions to be correctly set for these observables through the Allowed sources in groups.
Caution
observable-wrapper entities cannot be accessed or modified through the normal operation of EclecticIQ Intelligence Center.
If you need to change the source or context for an observable that is provided by a linked entity, explicitly add that observable to a different entity instead.