Alert Management
Alert Observables
Manage indicators and observables associated with alerts
Overview
The Observables tab lets you track and manage the indicators attached to an alert. Observables are the technical artifacts seen during the incident: IP addresses, domains, URLs, file hashes and similar items. Each one carries its own TLP/PAP handling levels and its own enrichment results, so they can be shared and acted on independently of the alert itself.
Observable Types
Network Indicators
- IP Addresses
- Domain Names
- URLs
- Email Addresses
- Network Services
File Indicators
- File Hashes (MD5, SHA1, SHA256)
- File Names
- File Paths
- File Types
System Indicators
- Registry Keys
- Process Names
- System Commands
- User Accounts
Custom Indicators
- Custom Observable Types
- Organization-specific Indicators
- Industry-specific Artifacts
Managing Observables
Adding Observables
- Click “Add Observable” button
- Select observable type
- Enter observable value
- Add optional description
- Set TLP/PAP levels if applicable
Bulk Operations
- Import multiple observables
- Export observable list
- Bulk update TLP/PAP
- Bulk delete observables
Observable Properties
- Type classification
- Value
- Description
- TLP (Traffic Light Protocol) level: how widely the observable may be shared
- PAP (Permissible Actions Protocol) level: what may be done with the observable, for example whether it may be submitted to external lookup services that could tip off the adversary
- First/Last seen timestamps
- Source information
Observable Enrichment
Automatic Enrichment
- Reputation data
- Geolocation information
- WHOIS data
- Historical context
- Related indicators
Manual Analysis
- Add analysis notes
- Link to external sources
- Document investigation findings
- Tag related observables
Visualization
List View
- Sortable columns
- Quick filters
- Type indicators
- Enrichment status
Relationship View
- Observable connections
- Related alerts
- Common patterns
- Timeline visualization
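The Relationship View above is built on one operation: find observables that appear in more than one alert and use them as pivots between alerts. The script below is an added example of that logic, not code from the product documented on this page. It indexes a constructed set of alert/observable rows (the alert IDs, timestamps and values are made up), records first/last seen per observable, links alerts through shared observables and groups them into clusters. It also drops observables that are shared by too many alerts, because a value like the MD5 of an empty file would otherwise connect everything and the relationship view would show noise rather than a pattern. The 50% share threshold is an assumption, not a value from the page.

```python
from collections import defaultdict
from datetime import datetime, timezone

# MD5 of a zero-byte file: a real, well-known value that shows up in many alerts
# and links nothing meaningful. Used here as the example of a noisy observable.
EMPTY_FILE_MD5 = "d41d8cd98f00b204e9800998ecf8427e"

# Constructed sample rows: (alert id, time the alert was raised, type, value). Not real data.
ALERT_OBSERVABLES = [
    ("ALERT-1", "2024-05-01T08:00:00Z", "ip", "203.0.113.10"),
    ("ALERT-1", "2024-05-01T08:00:00Z", "hash", EMPTY_FILE_MD5),
    ("ALERT-2", "2024-05-03T14:30:00Z", "ip", "203.0.113.10"),
    ("ALERT-2", "2024-05-03T14:30:00Z", "domain", "evil.example"),
    ("ALERT-2", "2024-05-03T14:30:00Z", "hash", EMPTY_FILE_MD5),
    ("ALERT-3", "2024-05-02T11:15:00Z", "domain", "evil.example"),
    ("ALERT-3", "2024-05-02T11:15:00Z", "ip", "198.51.100.7"),
    ("ALERT-3", "2024-05-02T11:15:00Z", "hash", EMPTY_FILE_MD5),
    ("ALERT-4", "2024-05-04T09:00:00Z", "url", "http://other.example/x"),
    ("ALERT-4", "2024-05-04T09:00:00Z", "hash", EMPTY_FILE_MD5),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def index_observables(rows):
    """Group rows by (type, value): which alerts carry the observable and its first/last seen times."""
    index = {}
    for alert, seen, otype, value in rows:
        ts = parse_ts(seen)
        entry = index.setdefault((otype, value), {"alerts": set(), "first_seen": ts, "last_seen": ts})
        entry["alerts"].add(alert)
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return index


def pivot_observables(index, total_alerts, max_share=0.5):
    """Observables shared by at least two alerts, excluding values so widespread that they are noise.

    max_share is an assumed cut-off: an observable present in more than that fraction of all
    alerts is treated as background (empty-file hashes, shared infrastructure) and not as a link.
    """
    return {
        key: entry
        for key, entry in index.items()
        if len(entry["alerts"]) >= 2 and len(entry["alerts"]) / total_alerts <= max_share
    }


def related_alerts(pivots, alert_id):
    """Alerts connected to alert_id through a pivot -> {other_alert: [linking observables]}."""
    related = defaultdict(list)
    for key, entry in pivots.items():
        if alert_id in entry["alerts"]:
            for other in entry["alerts"] - {alert_id}:
                related[other].append(key)
    return dict(related)


def alert_clusters(pivots, all_alerts):
    """Connected components of the alert graph: alerts chained together by shared pivots (union-find)."""
    parent = {a: a for a in all_alerts}

    def find(a):
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for entry in pivots.values():
        alerts = sorted(entry["alerts"])
        for other in alerts[1:]:
            parent[find(other)] = find(alerts[0])
    groups = defaultdict(set)
    for a in all_alerts:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values())


def analyse(rows):
    index = index_observables(rows)
    all_alerts = {r[0] for r in rows}
    pivots = pivot_observables(index, len(all_alerts))
    return index, pivots, alert_clusters(pivots, all_alerts)


if __name__ == "__main__":
    index, pivots, clusters = analyse(ALERT_OBSERVABLES)
    for key, e in pivots.items():
        print(key, sorted(e["alerts"]), e["first_seen"].date(), "->", e["last_seen"].date())
    print("related to ALERT-1:", related_alerts(pivots, "ALERT-1"))
    print("clusters:", clusters)
```

With the sample data, ALERT-1, ALERT-2 and ALERT-3 form one cluster (ALERT-1 and ALERT-2 share the IP, ALERT-2 and ALERT-3 share the domain) while ALERT-4 stays on its own; raising `max_share` to 1.0 lets the empty-file hash through and collapses all four alerts into one cluster, which is exactly the false-positive linkage the threshold is there to prevent.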
Best Practices
Data Quality
- Validate observable format
- Remove false positives
- Document context
- Maintain consistent format
Enrichment
- Review enrichment data
- Update stale information
- Document findings
- Link related data
Organization
- Use consistent naming
- Group related observables
- Tag effectively
- Document relationships
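The Data Quality and Organization practices above (validate the format, keep one consistent form, use consistent naming) and the bulk import under Bulk Operations come down to the same pre-processing step: check and normalize every value before it is attached to an alert. The script below is an added example of that step, not the platform's own import code. It reads a constructed CSV (the columns type,value,tlp,pap, the colour-to-number mapping 0-3 for TLP/PAP and the sample rows are assumptions; the real import format may differ), refangs defanged values, classifies each value by its shape, rejects rows whose declared type does not match the value, normalizes case and IP notation so duplicates collapse, flags non-routable IPs as likely false positives, and merges duplicate rows keeping the more restrictive handling level.

```python
import csv
import io
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Hash length -> algorithm for the three hash types listed on this page.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# TLP and PAP share the same colour scale. The 0-3 numbering is an assumption about
# how the platform stores levels; adjust to match the real schema.
LEVELS = {"white": 0, "clear": 0, "green": 1, "amber": 2, "red": 3}


def refang(value):
    """Undo common defanging so the same indicator is always stored the same way."""
    v = value.strip()
    for a, b in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[@]", "@")):
        v = v.replace(a, b)
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)


def classify(raw):
    """Return (observable_type, normalized_value, warnings); raise ValueError if the shape is unknown."""
    v = refang(raw)
    warnings = []
    if len(v) in HASH_ALGOS and HEX_RE.fullmatch(v):
        return "hash", v.lower(), warnings
    try:
        ip = ipaddress.ip_address(v)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            warnings.append("non-routable address, likely a false positive")
        return "ip", str(ip), warnings  # canonical text form (IPv6 compressed)
    if re.match(r"https?://", v, re.IGNORECASE):
        p = urlsplit(v)
        if not p.hostname:
            raise ValueError(f"URL without host: {raw!r}")
        # scheme and host are case-insensitive, path and query are not
        return "url", urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment)), warnings
    if "@" in v and EMAIL_RE.fullmatch(v):
        local, _, domain = v.rpartition("@")
        return "mail", f"{local}@{domain.lower()}", warnings
    d = v.lower().rstrip(".")
    if DOMAIN_RE.fullmatch(d):
        return "domain", d, warnings
    raise ValueError(f"unrecognised observable format: {raw!r}")


def parse_level(text):
    t = (text or "amber").strip().lower()  # assumed default when the column is empty
    if t in LEVELS:
        return LEVELS[t]
    if t.isdigit() and 0 <= int(t) <= 3:
        return int(t)
    raise ValueError(f"bad TLP/PAP level: {text!r}")


def prepare_bulk_import(csv_text):
    """Validate, normalize and de-duplicate import rows; return (accepted, rejected)."""
    accepted, rejected, seen = [], [], {}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            otype, value, warns = classify(row["value"])
            declared = (row.get("type") or "").strip().lower()
            if declared and declared != otype:
                raise ValueError(f"declared type {declared!r} but value parses as {otype!r}")
            tlp, pap = parse_level(row.get("tlp")), parse_level(row.get("pap"))
        except (ValueError, KeyError) as err:
            rejected.append((line_no, row.get("value"), str(err)))
            continue
        key = (otype, value)
        if key in seen:
            # Same indicator twice after normalization: one record, most restrictive levels win.
            rec = seen[key]
            rec["tlp"], rec["pap"] = max(rec["tlp"], tlp), max(rec["pap"], pap)
            continue
        rec = {"type": otype, "value": value, "tlp": tlp, "pap": pap, "warnings": warns}
        seen[key] = rec
        accepted.append(rec)
    return accepted, rejected


# Constructed sample import file, not real alert data.
SAMPLE_CSV = """type,value,tlp,pap
url,hXXp://Evil[.]example/Payload.exe,amber,green
url,http://evil.example/Payload.exe,red,amber
hash,D41D8CD98F00B204E9800998ECF8427E,green,green
ip,2001:0db8:0000:0000:0000:0000:0000:0001,white,white
ip,10.0.0.5,amber,amber
domain,Bad.Example.,amber,amber
mail,Alice@Bad[.]Example,amber,amber
hash,notahash,amber,amber
domain,192.168.1.1,amber,amber
"""

if __name__ == "__main__":
    ok, bad = prepare_bulk_import(SAMPLE_CSV)
    for rec in ok:
        print(rec)
    for line_no, value, reason in bad:
        print(f"line {line_no}: rejected {value!r}: {reason}")
```

The two URL rows collapse into one record carrying TLP red and PAP amber, the last two rows are rejected with a reason the analyst can act on, and the private address is accepted but flagged so it can be reviewed under "Remove false positives" rather than silently enriched.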