How to Update the Status of an Observable

This topic provides step-by-step instructions for updating the status of an observable in TheHive.

Required permissions

Only users with the manageObservable permission can manage observables in TheHive.

Bulk updates

You can edit multiple observables at once. Follow the instructions in the Edit Multiple Observables topic.

Mark an observable as sighted

Mark an observable as sighted when you detect or observe it in your environment.

1. Locate the observable you want to update.

2. In the observable details, turn on the Sighted toggle.

3. Select Save.

Mark an observable as indicator of compromise (IOC)

Mark an observable as an indicator of compromise (IOC) if you recognize it as related to suspicious or malicious activity.

1. Locate the observable you want to update.

2. In the observable details, turn on the IOC toggle.

3. Select Save.

Next steps

• Add an Observable
• Remove an Observable
• Edit Multiple Observables
• Pin an Observable
• Export Data from Observables
• Run Analyzers on an Observable
• Run Responders on an Observable
• Import Observables from Analyzer Reports
• Exclude an Observable from Similarity Checks