How to Run Analyzers and Review Reports for an Observable

This topic provides step-by-step instructions for running analyzers on an observable and reviewing analyzer reports in TheHive.

Analyzers enrich observables with detailed, contextual intelligence, generating a report with the results. The type of each observable determines which analyzers are available.

Required permissions

Only users with the manageObservable permission can manage observables in TheHive.

Run analyzers on an observable

Bulk run

To run analyzers on multiple observables, go to the Observables tab in a case or alert and select next to each observable you want to include. Then select Run analyzers above the list.

1. Locate the observable on which you want to run analyzers.

2. In the observable, select .

   

3. Select Run analyzers.

4. In the Analyzer drawer, select the analyzers you want to run.

   Can't find an analyzer?

   If you can't find the analyzer you need, it might not be available for this observable type. Contact someone with admin-level permissions on Cortex to change the types associated with the analyzer.

5. Select Run selected analyzers.

Review analyzer reports for an observable

1. Locate the observable on which you ran analyzers.

2. In the observable details, move through the Reports section to select a report, or move through the Analyzers section and select any green item in the Last analysis column.

   

3. Optional: Import observables from reports. See Import Observables from Analyzer Reports for detailed instructions.

Next steps

• Add an Observable
• Remove an Observable
• Update the Status of an Observable
• Edit Multiple Observables
• Pin an Observable
• Export Data from Observables
• Run Responders and Review Reports for an Observable
• Import Observables from Analyzer Reports
• Exclude an Observable from Similarity Checks