
How to Add an Observable

This topic provides step-by-step instructions for adding an observable to a case or alert in TheHive.

Required permissions

Only users with the manageObservable permission can manage observables in TheHive.

Procedure

  1. Locate the case or alert where you want to add the observable.


  2. In the alert or case, select the Observables tab.



  3. Select .


  4. In the Adding an observable drawer, enter the following information:

    - Type

    The type of an observable determines which analyzers are available and whether it requires a value or an attachment. You can't change an observable’s type between one requiring a value and one requiring an attachment once it’s created.

    Can't find an observable type?

    If you can't find the type you need, it might not exist yet, or someone may have deleted it. Contact someone with admin-level permissions to create or restore it.

    - Value/attachment

    Depending on the type of the observable, provide:

    • One or more values: To enter multiple values, place each value on a separate line and turn on the One observable per line toggle.
    • A file: Hashed automatically and available for download from the observable details.

    You can't change an observable's value or file once it's created.

    - TLP (traffic light protocol) *

    The TLP level for the observable. It indicates how you can share the observable's information with others. Refer to the MISP taxonomy for detailed definitions of TLP values.

    - PAP (permissible actions protocol) *

    The PAP level for the observable. It specifies which actions you can take with the observable data. Refer to the MISP taxonomy for detailed definitions of PAP values.

    - Is IOC

    Turn on the toggle if you recognize the observable as related to suspicious or malicious activity.

    - Has been sighted

    Turn on the toggle when you detect or observe the observable in your environment.

    - Ignore similarity

    Turn on the toggle if you don't want to include the observable in the algorithm that identifies similar alerts and cases based on observables. This can be useful for contextual observables, such as the company domain name, or for observables that aren't related to any potential threat.

    - Tags

    One or more tags for labeling the observable.

    - Description

    A description of the observable using TheHive-flavored Markdown syntax.


  5. Select Confirm.
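Added example, not code from TheHive's documentation or product: a Python helper that turns the drawer fields above into one request body per observable, enforcing the rules this procedure states (a value-based type cannot take a file, TLP and PAP are mandatory, and the One observable per line toggle splits a pasted list). The type sets, the numeric TLP/PAP levels and the JSON field names are assumptions; check the field names against your instance's API documentation before posting.

```python
from typing import Iterable

# Constructed subset of observable types for this example: a type is either
# value-based or attachment-based, and that choice is fixed at creation.
VALUE_TYPES = {"ip", "domain", "url", "hash", "mail"}
ATTACHMENT_TYPES = {"file"}

# TLP/PAP levels numbered as in the MISP taxonomy (0 white, 1 green,
# 2 amber, 3 red); this numeric encoding is an assumption, not from the page.
LEVELS = {"white": 0, "green": 1, "amber": 2, "red": 3}


def build_observable_payloads(
    data_type: str, raw_value: str, one_per_line: bool, tlp: str, pap: str,
    ioc: bool = False, sighted: bool = False, ignore_similarity: bool = False,
    tags: Iterable[str] = (), description: str = "",
) -> list[dict]:
    """Map the drawer fields to one request body per observable.

    Field names (dataType, data, tlp, pap, ioc, sighted, ignoreSimilarity,
    tags, message) are assumed to match TheHive's observable input object;
    verify them against your instance's API documentation.
    """
    if data_type in ATTACHMENT_TYPES:
        raise ValueError(f"type {data_type!r} takes a file upload, not a value")
    if data_type not in VALUE_TYPES:
        raise ValueError(f"unknown observable type {data_type!r}")
    if tlp not in LEVELS or pap not in LEVELS:
        raise ValueError("TLP and PAP are mandatory and must be a known level")

    # Toggle on: every non-empty line is a separate observable.
    # Toggle off: the whole text is one value, newlines included.
    if one_per_line:
        values = [line.strip() for line in raw_value.splitlines()]
    else:
        values = [raw_value.strip()]
    # Drop blanks and exact duplicates so a pasted list does not submit
    # the same value twice; first-seen order is preserved.
    values = list(dict.fromkeys(v for v in values if v))
    if not values:
        raise ValueError("at least one value is required")

    common = {
        "dataType": data_type, "tlp": LEVELS[tlp], "pap": LEVELS[pap],
        "ioc": ioc, "sighted": sighted, "ignoreSimilarity": ignore_similarity,
        "tags": sorted(set(tags)), "message": description,
    }
    return [dict(common, data=value) for value in values]
```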

Next steps