About Observables
Observables are data points that can be directly observed and represent specific events or properties within a system. They are monitored for signs of suspicious or malicious activity.
Observables can include stateful properties like IP addresses, domain names, file MD5 hashes, or system behaviors. They can also cover measurable events such as the creation or deletion of files, registry keys, and other activities crucial to system and network operations.
This topic provides an overview of the main characteristics of observables in TheHive.
Type
An observable type defines the category or classification of an observable in TheHive. While TheHive includes a predefined set of types, this list can be expanded with custom types to meet specific needs.
The analyzers available for an observable depend on its type.
Data
A piece of data can be:
- For types that don't require attachments: values entered into a text area.
- For types that require attachments: a file, which is hashed.
Users can add one or more values to a single observable in TheHive, but they can only add one file at a time.
Statuses
Indicator of compromise (IOC)
An observable can be marked as an indicator of compromise (IOC) once it's identified as being linked to suspicious or malicious activity.
Sighted
An observable can be marked as sighted once it has been detected or observed in the environment.
Similar alerts and cases
Observables are key to correlating malicious activity across different alerts and cases. TheHive uses observables to identify patterns and surface related alerts and cases in the Similar alerts and Similar cases tabs.
If certain observables—like the company's domain name—aren’t meaningful for threat correlation, you can choose to exclude them from similarity checks.
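The two mechanics described above, attachment data stored as a hash and correlation that skips observables excluded from similarity checks, as an added, self-contained example that is not TheHive's own code. The class and function names, the use of SHA-256 for attachments, and the `ignore_similarity` flag are assumptions made for this illustration; the alerts and values are constructed sample data.

```python
"""Toy model of observables and alert/case correlation (added example).

Assumptions: attachments are hashed with SHA-256, and an `ignore_similarity`
flag marks observables that must not contribute to similarity matching.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observable:
    type: str                       # e.g. "ip", "domain", "file"
    data: str                       # the value, or the attachment hash for "file"
    ioc: bool = False               # marked as an indicator of compromise
    sighted: bool = False           # marked as seen in the environment
    ignore_similarity: bool = False  # excluded from similar alerts/cases


def file_observable(content: bytes, **flags) -> Observable:
    """Attachment types are stored by hash; SHA-256 is an assumption here."""
    return Observable(type="file", data=hashlib.sha256(content).hexdigest(), **flags)


def value_observables(obs_type: str, text: str, **flags) -> list[Observable]:
    """A text-area entry may carry several values, one per line."""
    return [Observable(type=obs_type, data=line.strip(), **flags)
            for line in text.splitlines() if line.strip()]


@dataclass
class Container:
    """An alert or a case that owns a set of observables."""
    id: str
    observables: list[Observable] = field(default_factory=list)

    def correlation_keys(self) -> set[tuple[str, str]]:
        # Observables flagged ignore_similarity never take part in matching.
        return {(o.type, o.data) for o in self.observables if not o.ignore_similarity}


def similar(target: Container, candidates: list[Container]) -> list[tuple[str, set]]:
    """Return (id, shared keys) for candidates sharing at least one correlatable key."""
    keys = target.correlation_keys()
    hits = []
    for c in candidates:
        if c.id == target.id:
            continue
        shared = keys & c.correlation_keys()
        if shared:
            hits.append((c.id, shared))
    hits.sort(key=lambda h: (-len(h[1]), h[0]))  # most overlap first
    return hits


def run_demo() -> list[tuple[str, set]]:
    """Constructed sample: the company domain is excluded from similarity."""
    corp = Observable("domain", "corp.example", ignore_similarity=True)
    attacker_ip = value_observables("ip", "203.0.113.10\n", ioc=True)
    alert_a = Container("alert-A", [corp, *attacker_ip, file_observable(b"hello")])
    alert_b = Container("alert-B", [corp, *value_observables("ip", "203.0.113.10")])
    alert_c = Container("alert-C", [corp])  # only the ignored domain in common
    return similar(alert_a, [alert_b, alert_c])


if __name__ == "__main__":
    for cid, shared in run_demo():
        print(cid, sorted(shared))
```

Running the demo reports only `alert-B`, matched on the IP; `alert-C` shares the company domain with `alert-A` but that observable is excluded, so it does not surface as similar.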
Permissions
Required permissions
Only users with the manageObservable permission can manage observables in TheHive.