About observables#

Observables are discrete pieces of information that represent properties, attributes, actions, and events.

Observables:

  • record a distinct piece of information. E.g.: an IP address, a hash, name of a country. See Observable types.

  • are basic, factual units.

Entities provide context for observables#

Observables contain only a limited amount of information.

It inherits context from the entities that they are linked/related to.

In addition, they inherit the following properties from entities they are linked/related to:

  • Source

  • Permissions for access (You control this with Allowed sources in groups)

When you manually create observables, they are not associated with a visible entity, and can only be accessed through Search Search icon > Go to search and browse > Observables.

If observables are detected in a specific context, you may want to create entities from observables.

Observable types#

Available observable types

List observable types
    "actor-id",
    "address",
    "asn",
    "bank-account",
    "card",
    "card-owner",
    "cce",
    "certificate-serial-number",
    "city",
    "company",
    "country",
    "country-code",
    "cpu-architecture",
    "crypto-address",
    "cve",
    "cwe",
    "domain",
    "email",
    "email-subject",
    "eui-64",
    "file",
    "file-size",
    "forum-name",
    "forum-room",
    "forum-thread",
    "fox-it-portal-uri",
    "geo",
    "geo-lat",
    "geo-long",
    "handle",
    "hash-authentihash",
    "hash-imphash",
    "hash-md5",
    "hash-rich-pe-header",
    "hash-sha1",
    "hash-sha224",
    "hash-sha256",
    "hash-sha384",
    "hash-sha512",
    "hash-ssdeep",
    "hash-vhash",
    "host",
    "industry",
    "inetnum",
    "ipv4",
    "ipv4-cidr",
    "ipv6",
    "ipv6-cidr",
    "ja3-full",
    "ja3-hash",
    "ja3s-full",
    "ja3s-hash",
    "mac-48",
    "malware",
    "malware-key",
    "mutex",
    "name",
    "nationality",
    "netname",
    "organization",
    "person",
    "port",
    "postcode",
    "process",
    "process-name",
    "product",
    "region",
    "registrar",
    "rule",
    "snort",
    "street",
    "telephone",
    "uri",
    "uri-hash-sha256",
    "user-agent",
    "winregistry",
    "yara",

Observable types only from ingestion

These observable types can only be set for observables ingested through incoming feeds or manually uploaded files.

List of ingestion-only observable types
    "cce",
    "cve",
    "cwe",
    "rule",
    "snort",
    "yara",

Observables extracted from unstructured text#

Entities ingested through Incoming feeds or from manually uploading files can be automatically processed to create observables from unstructured intelligence in these entities.

Observables created this way do not have Observable link types. See Link types for observables extracted from unstructured text.

To achieve this, select Extract observables from unstructured text when setting up incoming feeds or manually uploading files for ingestion.

Tip

Setting up observable rules allow you to restrict the observables that you ingest this way.

EclecticIQ Intelligence Center has default observable rules that you can enable.

Difference between observables from structured data, and observables extracted from unstructured data.

Difference between observables from structured data, and observables extracted from unstructured data.#

Note

CybOX content is processed as both structured and unstructured data. When Extract observables from unstructured text is selected, EclecticIQ Intelligence Center also extracts observables from the text of CybOX XML. This can produce more than one observable with the same value and path.