
How to Add an Observable

This topic provides step-by-step instructions for adding an observable to a case or alert in TheHive.

Required permissions

Only users with the manageObservable permission can manage observables in TheHive.

Procedure

  1. Locate the case or alert where you want to add the observable.


  2. In the case or alert details, select the Observables tab.


  3. Select .


  4. In the Adding an observable drawer, enter the following information:

    - Type

    The type of an observable determines which analyzers are available and whether it requires a value or an attachment. You can't change an observable’s type between one requiring a value and one requiring an attachment once it’s created.

    Can't find an observable type?

    If you can't find the type you need, it might not exist yet, or someone may have deleted it. Contact someone with admin-level permissions to create or restore it.

    - Value/attachment

    Depending on the type of the observable, provide:

    • One or more values: To enter multiple values, place each value on a separate line and turn on the One observable per line toggle.
    • A file: Hashed automatically and available for download from the observable details.

    You can't change an observable's value or file once it's created.

    - TLP (required)

    The TLP level for the observable. It indicates how you can share the observable's information with others.

    - PAP (required)

    The PAP level for the observable. It specifies which actions you can take with the observable data.

    - Is IOC

    Turn on the toggle if you recognize the observable as related to suspicious or malicious activity.

    - Has been sighted

    Turn on the toggle when you detect or observe the observable in your environment.

    - Ignore similarity

    Turn on the toggle if you don't want the observable to be used by the algorithm that identifies similar alerts and cases based on shared observables. This is useful for contextual observables, such as your own company's domain name, or for observables that aren't related to any potential threat, because they would otherwise link unrelated cases together.

    - Tags

    One or more tags for labeling the observable.

    - Description

    A description of the observable using TheHive-flavored Markdown syntax.


  5. Select Confirm.
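The same procedure can be scripted, which matters when an alert carries dozens of observables. The following is an added example written for this page, not TheHive's own code or part of thehive4py. It assumes the TheHive 5 v1 REST API as documented at the time of writing: `POST /api/v1/case/{caseId}/observable` and `POST /api/v1/alert/{alertId}/observable`, API-key authentication with an `Authorization: Bearer <key>` header, and the input fields `dataType`, `data`, `tlp`, `pap`, `ioc`, `sighted`, `ignoreSimilarity`, `tags` and `message` (the JSON counterparts of the form fields above). The numeric TLP 2.0 and PAP encodings, the default levels, and the sample values are this example's own assumptions; check them against your instance's API reference before relying on them.

```python
"""Add observables to a TheHive case or alert through the v1 REST API.

Added example, not TheHive's own code. Assumed (verify against your version):
  POST /api/v1/case/{caseId}/observable  and  POST /api/v1/alert/{alertId}/observable
  Authorization: Bearer <api key>
  fields: dataType, data, tlp, pap, ioc, sighted, ignoreSimilarity, tags, message
"""
import hashlib
import json
import urllib.request

# Assumed numeric encodings: TLP 2.0 as used by TheHive 5 (older versions use 0-3).
TLP_LEVELS = {"clear": 0, "green": 1, "amber": 2, "amber+strict": 3, "red": 4}
PAP_LEVELS = {"white": 0, "green": 1, "amber": 2, "red": 3}


def parse_values(text: str, one_per_line: bool) -> list:
    """Mirror the 'One observable per line' toggle: split on newlines when it is
    on, dropping blank lines; otherwise treat the whole text as a single value."""
    if not one_per_line:
        return [text.strip()]
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_payloads(data_type: str, values: list, *, tlp: str = "amber", pap: str = "amber",
                   ioc: bool = False, sighted: bool = False, ignore_similarity: bool = False,
                   tags=(), message: str = "") -> list:
    """Return one JSON body per value (one request per observable, so the
    example does not depend on the API accepting an array in 'data').
    TLP and PAP are required, just as in the form."""
    if not values:
        raise ValueError("an observable needs at least one value")
    if tlp not in TLP_LEVELS or pap not in PAP_LEVELS:
        raise ValueError("unknown TLP or PAP level")
    return [
        {
            "dataType": data_type,
            "data": value,
            "tlp": TLP_LEVELS[tlp],
            "pap": PAP_LEVELS[pap],
            "ioc": ioc,
            "sighted": sighted,
            "ignoreSimilarity": ignore_similarity,
            "tags": list(tags),
            "message": message,
        }
        for value in values
    ]


def hash_attachment(content: bytes) -> dict:
    """Hashes computed locally for a file observable, so the analyst can
    compare them with the hashes TheHive shows after the upload."""
    return {
        "md5": hashlib.md5(content).hexdigest(),
        "sha1": hashlib.sha1(content).hexdigest(),
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def add_observable(base_url: str, api_key: str, target_kind: str, target_id: str, payload: dict) -> dict:
    """POST one observable to a case or alert (assumed endpoint shape, see above)."""
    if target_kind not in ("case", "alert"):
        raise ValueError("target_kind must be 'case' or 'alert'")
    url = f"{base_url.rstrip('/')}/api/v1/{target_kind}/{target_id}/observable"
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input: two C2 addresses pasted as one value per line,
    # plus the company's own domain, which should not drive case similarity.
    c2_payloads = build_payloads(
        "ip", parse_values("203.0.113.10\n\n203.0.113.11\n", one_per_line=True),
        tlp="amber+strict", pap="amber", ioc=True, sighted=True, tags=["c2", "campaign:x"],
        message="Beaconing seen in proxy logs",
    )
    context_payloads = build_payloads(
        "domain", ["example.com"], ignore_similarity=True, tags=["context"],
        message="Our own domain; not a threat indicator",
    )
    for body in c2_payloads + context_payloads:
        print(json.dumps(body))
    # add_observable("https://thehive.example", "<api key>", "case", "~12345", body)  # hypothetical IDs
    print(hash_attachment(b"hello"))
```

Run it once with printing only, compare the bodies against what the form produces, then uncomment the `add_observable` call with a real case or alert ID. Attachment observables go through a multipart upload rather than a JSON body and are left out here.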

Next steps