
About Observables#

Observables are data points that represent specific events or properties within a system and can be directly observed. They serve as indicators monitored for signs of suspicious or malicious activity.

Observables include static properties such as IP addresses, domain names and file hashes (MD5, for example), as well as measurable events such as the creation or deletion of files or registry keys and other activity relevant to system and network operations.

This topic provides an overview of the main characteristics of observables in TheHive.

Type#

An observable type defines the category or classification of an observable in TheHive. While TheHive includes a predefined set of types, this list can be expanded with custom types to meet specific needs.

The analyzers available for an observable depend on its type: each analyzer declares the observable types it accepts.

Data#

Data can take the following forms:

  • For types that don't require attachments: one or more values entered into a text area.
  • For types that require attachments: a single file, for which TheHive computes hashes.

Users can enter one or more values when adding observables, but they can only attach one file at a time.

Statuses#

Indicator of compromise (IOC)#

An observable can be marked as an indicator of compromise (IOC) once it's identified as being linked to suspicious or malicious activity.

Sighted#

An observable can be marked as sighted once it has been detected or observed in the environment.

Similar alerts and cases#

Observables are key to identifying similar cases and correlating malicious activity across different alerts and cases. TheHive uses observables to detect patterns and surface related items in the Similar alerts and Similar cases tabs. Similarity checks run case-to-case, alert-to-alert, and alert-to-case.

Observables that lack relevance for threat correlation, such as the company's own domain name, can be excluded from similarity checks so that they don't cause unrelated items to be reported as similar.

Rules for similarity#

Cases and alerts are considered similar if all the following conditions are met:

  • At least one observable that is not excluded from similarity checks shares the same value, such as an identical file name or IP address.
  • The related cases and alerts belong to the same organization or to linked organizations.
  • Neither alert has the status Imported. An alert that has been merged into a case is no longer included in similarity checks, but the case it was merged into is.
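The three rules above applied as a worked example. This is code added here, not TheHive's own implementation: it models cases and alerts in memory, the organizations, their linkage, the item IDs and the observable values are constructed sample data, and the decision to count a shared observable only when neither copy is excluded from similarity checks is an assumption of the example.

```python
# Added example, not part of TheHive's documentation or code base: a small
# in-memory model of the similarity rules for cases and alerts.
# Organization links, item IDs and observable values are constructed.
from dataclasses import dataclass, field


@dataclass
class Observable:
    data_type: str                   # e.g. "ip", "domain", "filename"
    data: str
    ignore_similarity: bool = False  # True = excluded from similarity checks


@dataclass
class Item:
    kind: str                        # "case" or "alert"
    id: str
    org: str
    observables: list = field(default_factory=list)
    status: str = ""                 # for alerts, e.g. "New" or "Imported"


# Assumption for this example: organization links are unordered pairs.
LINKED_ORGS = {("soc-a", "soc-b")}


def orgs_related(org_a: str, org_b: str) -> bool:
    """Same organization, or two organizations that are linked."""
    return (org_a == org_b
            or (org_a, org_b) in LINKED_ORGS
            or (org_b, org_a) in LINKED_ORGS)


def eligible(item: Item) -> bool:
    """Alerts merged into a case carry the status Imported and drop out of
    similarity checks; the case they were merged into still takes part."""
    return not (item.kind == "alert" and item.status == "Imported")


def shared_observables(a: Item, b: Item) -> set:
    """(type, value) pairs present on both items. Assumption: an observable
    counts only when neither copy is excluded from similarity checks."""
    def keys(item: Item) -> set:
        return {(o.data_type, o.data)
                for o in item.observables if not o.ignore_similarity}
    return keys(a) & keys(b)


def are_similar(a: Item, b: Item) -> bool:
    """All three rules must hold for a and b to be reported as similar."""
    if a is b or a.id == b.id:
        return False
    if not (eligible(a) and eligible(b)):
        return False
    if not orgs_related(a.org, b.org):
        return False
    return bool(shared_observables(a, b))


def find_similar(target: Item, candidates: list) -> list:
    """IDs of the cases and alerts that would be listed as similar to target."""
    return [c.id for c in candidates if are_similar(target, c)]


# Constructed sample data ----------------------------------------------------
ATTACKER_IP = "203.0.113.5"          # TEST-NET-3 address, constructed
COMPANY_DOMAIN = Observable("domain", "example.com", ignore_similarity=True)

CASE_1 = Item("case", "case-1", "soc-a",
              [Observable("ip", ATTACKER_IP), COMPANY_DOMAIN])
ALERT_NEW = Item("alert", "alert-new", "soc-a",
                 [Observable("ip", ATTACKER_IP)], status="New")
ALERT_DOMAIN_ONLY = Item("alert", "alert-domain", "soc-a",
                         [Observable("domain", "example.com")], status="New")
ALERT_IMPORTED = Item("alert", "alert-imported", "soc-a",
                      [Observable("ip", ATTACKER_IP)], status="Imported")
CASE_LINKED_ORG = Item("case", "case-linked", "soc-b",
                       [Observable("ip", ATTACKER_IP)])
CASE_OTHER_ORG = Item("case", "case-other", "vendor-x",
                      [Observable("ip", ATTACKER_IP)])

ALL_ITEMS = [CASE_1, ALERT_NEW, ALERT_DOMAIN_ONLY, ALERT_IMPORTED,
             CASE_LINKED_ORG, CASE_OTHER_ORG]

if __name__ == "__main__":
    for item in ALL_ITEMS:
        print(item.id, "->", find_similar(item, ALL_ITEMS))
```

Running it shows why each rule matters: the alert that only carries the excluded company domain is not reported, the imported alert disappears while the case in the linked organization is kept, and the case in an unrelated organization never matches even though it holds the same IP address.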

Permissions#

Required permissions

Only users with the manageObservable permission can create, edit, or delete observables in TheHive.
