Actions
Observables Actions
All the Case Management Observables Actions.
Create Observable
Adding an Observable to a Case by filling in parameters in the step.Create Observable: Required and Optional Parameters
Create Observable: Required and Optional Parameters
| Parameter | Description |
|---|---|
| Observable | The Observable ID |
| Name | The updated name of the Observable |
| Observable Type | The type of Observable |
| Content | The content value of the Observable |
| Verdict | The verdict type: Unknown, Benign,Suspicious, Malicious |
| Description | A brief explanation explaining the Observable |
| Enrichment Data | The enrichment data that provides additional information and context on the observable. |
| Custom Fields(JSON Format) | Add a Custom Field in JSON format. Please note that this applies only if you have manually added a custom record column to the subject table. |
| Advanced- Dedup Table | The selected table to evaluate the duplicated condition (Dedup Condition)against. |
| Advanced- Dedup Condition | The duplicate condition to check whether to insert the record or not. When the condition is met, the record will not be inserted. |
| Advanced- Linked Observables | The Name and ID of the Observable you want to link to this Observable |
| Advanced- Linked Alerts | The Name and ID of the Alert you want to link to this Observable. |
| Advanced- Linked Attachments | The Name and ID of the Attachment you want to link to this Observable. |
| Advanced- Linked Tasks | The Name and ID of the Tasks you want to link to this Observable. |
| Advanced- Linked Cases | The Name and ID of a different Case you want link to this Observable |
Extract Observables
The Extract Observables action parses incoming alert payloads and extracting these critical observables, along with any detectable relations between them.| Parameter | Description |
|---|---|
| Alert ID | The ID of the Alert: can be the id or the alert_id field of the Alert |
| Create Observables | If the Create Observables option is enabled, extracted observables are added to the Observables Table, categorized by type (e.g., IP addresses, usernames). |
| Link Existing Observables | If the Link Existing Observables option is enabled, the extracted observables are linked to the alert record, associating them with existing data for further investigation. |
Delete Observable
Deleting an Observable from a Case by filling in parameters in the step.| Parameter | Description |
|---|---|
| Observable ID | The ID of the Observable: can be the id or the observable_id field of the observable |
Update Observable
Updating an already existing Observable in a Case by filling in the following parameters in the step. This action overwrites all of the Observable’s data.| Parameter | Description |
|---|---|
| Observable | The Observable ID |
| Name | The updated name of the Observable |
| Observable Type | The type of Observable |
| Content | The content value of the Observable |
| Verdict | Verdict type Unknown, Benign,Suspicious, Malicious |
| Description | A brief explanation explaining the Observable |
| Enrichment Data | The enrichment data that provides additional information and context on the observable |
| Custom Fields(JSON Format) | Add a Custom Field in JSON format. Please note that this applies only if you have manually added a custom record column to the subject table. |
