According to STIX 2.1, Observables are captured artifact objects such as an IP address, a network connection, a file, or a registry key.
Here are the Observable items that you can add on scoutTHREAT:
Domain
URLs
MAC Addresses
IPv4 addresses
IPv6 addresses
Email Addresses
Email Messages
Mutex
Files
Windows Registry
Autonomous System (ASN)
Software
Network Traffic
Process
An Observable may be used by itself (without relationships) to convey raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools.
An intelligence producer conveying these artifacts should include as much context as possible (where, when and how often the artifact was seen) so that consumers can act on the data for improved security.
Observables can capture that a piece of information was seen one or more times: a single observation of a single entity (a file, a network connection) as well as the aggregation of multiple observations of the same entity.
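As an added example (not scoutTHREAT's or the STIX project's own code), the block below builds several of the Observable types listed above as STIX 2.1 Cyber-observable Objects from constructed sensor sightings, gives them the deterministic ids the STIX 2.1 specification defines (UUIDv5 over the id-contributing properties, under the spec's fixed namespace UUID), de-duplicates repeat sightings of the same entity, and wraps them in an Observed Data object whose `first_observed`, `last_observed` and `number_observed` express the aggregation described in the text. It uses only the Python standard library; the sample sightings are constructed, and the sorted-key compact JSON used as the canonical form for id generation is an assumption that matches the specification's RFC 8785 canonicalization for the simple string and integer values used here.

```python
"""Build STIX 2.1 Cyber-observable Objects (SCOs) and an Observed Data SDO
from constructed sightings. Added example, stdlib only (not the stix2 library)."""
import json
import uuid
from datetime import datetime, timezone

# Namespace UUID fixed by STIX 2.1 for deterministic SCO ids.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# ID-contributing properties per SCO type, as defined in STIX 2.1.
# A type with no contributing properties (process) gets a random UUIDv4.
ID_CONTRIBUTING = {
    "ipv4-addr": ("value",),
    "ipv6-addr": ("value",),
    "domain-name": ("value",),
    "url": ("value",),
    "mac-addr": ("value",),
    "email-addr": ("value",),
    "mutex": ("name",),
    "autonomous-system": ("number",),
    "file": ("hashes", "name", "extensions", "parent_directory_ref"),
    "windows-registry-key": ("key", "values"),
    "software": ("name", "cpe", "swid", "vendor", "version"),
    "network-traffic": ("start", "end", "src_ref", "dst_ref", "src_port",
                        "dst_port", "protocols", "extensions"),
    "email-message": ("from_ref", "subject", "body"),
    "process": (),
}


def sco_id(sco_type, props):
    """Deterministic id: UUIDv5 of the canonical JSON of the contributing properties."""
    contributing = {k: props[k] for k in ID_CONTRIBUTING[sco_type] if k in props}
    if not contributing:
        return f"{sco_type}--{uuid.uuid4()}"
    # Assumption: sorted-key compact JSON equals the RFC 8785 canonical form
    # for the plain strings, integers and lists used in this example.
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def make_sco(sco_type, **props):
    """Return a STIX 2.1 SCO dict with type, spec_version, id and the given properties."""
    if sco_type not in ID_CONTRIBUTING:
        raise ValueError(f"unsupported SCO type: {sco_type}")
    obj = {"type": sco_type, "spec_version": "2.1", "id": sco_id(sco_type, props)}
    obj.update(props)
    return obj


# Constructed sample sightings (three sensor hits of the same connection).
SAMPLE_SIGHTINGS = [
    {"ts": "2024-05-01T10:00:00.000Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "dst_port": 443, "domain": "example.test"},
    {"ts": "2024-05-01T10:05:00.000Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "dst_port": 443, "domain": "example.test"},
    {"ts": "2024-05-01T11:30:00.000Z", "src": "10.0.0.5", "dst": "203.0.113.7",
     "dst_port": 443, "domain": "example.test"},
]


def observed_data_from_sightings(sightings):
    """Turn sightings into de-duplicated SCOs plus one aggregating Observed Data object."""
    if not sightings:
        raise ValueError("Observed Data requires at least one observation")
    scos = {}  # id -> SCO; identical entities collapse onto one deterministic id

    def keep(obj):
        scos.setdefault(obj["id"], obj)
        return obj["id"]

    for s in sightings:
        src_id = keep(make_sco("ipv4-addr", value=s["src"]))
        dst_id = keep(make_sco("ipv4-addr", value=s["dst"]))
        keep(make_sco("domain-name", value=s["domain"], resolves_to_refs=[dst_id]))
        keep(make_sco("network-traffic", src_ref=src_id, dst_ref=dst_id,
                      dst_port=s["dst_port"], protocols=["tcp"]))

    times = sorted(s["ts"] for s in sightings)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    observed = {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "first_observed": times[0],
        "last_observed": times[-1],
        "number_observed": len(sightings),  # aggregation count, not a list of events
        "object_refs": list(scos),
    }
    return observed, list(scos.values())


if __name__ == "__main__":
    od, objects = observed_data_from_sightings(SAMPLE_SIGHTINGS)
    print(json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                      "objects": [od] + objects}, indent=2))
```

Because the ids are derived from the entity's defining properties rather than from the sighting, three sightings of the same connection yield four SCOs (two addresses, one domain, one network-traffic) referenced once each, while `number_observed` records that the entity was seen three times; a consumer that receives overlapping reports from several sensors can therefore merge them by id instead of creating duplicate indicators.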
For more information on Observable Data, review STIX 2.1 documentation online.