Observable

observable

The observable object is a pivot element that contains related information found in many places in the event.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Name | name | String | | | The full name of the observable attribute. The name is a pointer/reference to an attribute within the event data. For example: file.name. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Reputation Scores | reputation | Reputation | | | Contains the original and normalized reputation scores. |
| Type | type | String | | | The observable value type name. |
| Type ID | type_id | Integer | | | The observable value type identifier. The defined values are listed in the table below. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Value | value | String | | | The value associated with the observable attribute. The meaning of the value depends on the observable type. If the name refers to a scalar attribute, then the value is the value of the attribute. If the name refers to an object attribute, then the value is not populated. |

Type ID values:

| Type ID | Caption |
|---|---|
| 0 | Unknown |
| 1 | Hostname |
| 2 | IP Address |
| 3 | MAC Address |
| 4 | User Name |
| 5 | Email Address |
| 6 | URL String |
| 7 | File Name |
| 8 | Hash |
| 9 | Process Name |
| 10 | Resource UID |
| 11 | Port |
| 12 | Subnet |
| 13 | Command Line |
| 14 | Country |
| 15 | Process ID |
| 16 | HTTP User-Agent |
| 17 | CWE ID |
| 18 | CVE ID |
| 20 | Endpoint |
| 21 | User |
| 22 | Email |
| 23 | Uniform Resource Locator |
| 24 | File |
| 25 | Process |
| 26 | Geo Location |
| 27 | Container |
| 28 | Registry Key |
| 29 | Registry Value |
| 30 | Fingerprint |
| 99 | Other |
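The following is an added example, not part of the schema page: it builds observable objects from an event by following the dotted `name` path, fills `type` from `type_id` (its sibling attribute), and applies the rule that `value` is populated only when the path resolves to a scalar. The sample event, record IDs and function names are constructed for illustration.

```python
# Type ID -> caption, as defined by the observable schema on this page.
OBSERVABLE_TYPES = {
    0: "Unknown", 1: "Hostname", 2: "IP Address", 3: "MAC Address",
    4: "User Name", 5: "Email Address", 6: "URL String", 7: "File Name",
    8: "Hash", 9: "Process Name", 10: "Resource UID", 11: "Port",
    12: "Subnet", 13: "Command Line", 14: "Country", 15: "Process ID",
    16: "HTTP User-Agent", 17: "CWE ID", 18: "CVE ID", 20: "Endpoint",
    21: "User", 22: "Email", 23: "Uniform Resource Locator", 24: "File",
    25: "Process", 26: "Geo Location", 27: "Container", 28: "Registry Key",
    29: "Registry Value", 30: "Fingerprint", 99: "Other",
}


def resolve(event, path):
    """Follow a dotted attribute path such as 'file.name' into the event dict."""
    node = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise KeyError(f"attribute {path!r} not present in event")
        node = node[part]
    return node


def make_observable(event, name, type_id, record_id):
    """Build an observable pointing at `name`; `value` only for scalar targets."""
    if type_id not in OBSERVABLE_TYPES:
        raise ValueError(f"type_id {type_id} is not defined by the schema")
    target = resolve(event, name)
    # name, type_id and record_id are the required attributes; type is the
    # sibling caption of type_id.
    obs = {"name": name, "type_id": type_id,
           "type": OBSERVABLE_TYPES[type_id], "record_id": record_id}
    if not isinstance(target, (dict, list)):
        obs["value"] = str(target)   # scalar attribute: carry its value
    return obs                       # object attribute: value stays unset


# Constructed sample event (hypothetical paths, not from the page).
SAMPLE_EVENT = {
    "actor": {"process": {"name": "ssh", "pid": 4242,
                          "cmd_line": "ssh user@10.0.0.10"}},
    "src_endpoint": {"ip": "192.168.200.24", "port": 22},
}


def sample_observables():
    """Three observables: two scalar-valued, one pointing at an object."""
    return [
        make_observable(SAMPLE_EVENT, "actor.process.cmd_line", 13, "obs-1"),
        make_observable(SAMPLE_EVENT, "src_endpoint.ip", 2, "obs-2"),
        make_observable(SAMPLE_EVENT, "actor.process", 25, "obs-3"),
    ]
```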

Context

Observable

JSON

{
  "caption": "Observable",
  "description": "The observable object is a pivot element that contains related information found in many places in the event.",
  "extends": "object",
  "name": "observable",
  "attributes": {
    "name": {
      "description": "The full name of the observable attribute. The <code>name</code> is a pointer/reference to an attribute within the event data. For example: <code>file.name</code>.",
      "requirement": "required",
      "caption": "Name",
      "type": "string_t"
    },
    "reputation": {
      "requirement": "optional",
      "caption": "Reputation Scores",
      "description": "Contains the original and normalized reputation scores.",
      "type": "reputation"
    },
    "type": {
      "description": "The observable value type name.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "type_id": {
      "description": "The observable value type identifier.",
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "Unknown observable data type."
        },
        "99": {
          "caption": "Other",
          "description": "The observable data type is not mapped. See the <code>type</code> attribute, which may contain data source specific value."
        },
        "17": {
          "caption": "CWE ID",
          "description": "The Common Weakness Enumeration unique number assigned to a specific weakness. A CWE Identifier begins \"CWE\" followed by a sequence of digits that acts as a unique identifier. For example: <code>CWE-123</code>."
        },
        "25": {
          "caption": "Process",
          "description": "The Process object describes a running instance of a launched program. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Process/'>d3f:Process</a>."
        },
        "23": {
          "caption": "Uniform Resource Locator",
          "description": "The Uniform Resource Locator(URL) object describes the characteristics of a URL. Defined in <a target='_blank' href='https://datatracker.ietf.org/doc/html/rfc1738'>RFC 1738</a> and by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:URL/'>d3f:URL</a>."
        },
        "22": {
          "caption": "Email",
          "description": "The Email object describes the email metadata such as sender, recipients, and direction. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:Email/'>d3f:Email</a>."
        },
        "20": {
          "caption": "Endpoint",
          "description": "The Endpoint object describes a physical or virtual device that connects to and exchanges information with a computer network. Some examples of endpoints are mobile devices, desktop computers, virtual machines, embedded devices, and servers. Internet-of-Things devices\u2014like cameras, lighting, refrigerators, security systems, smart speakers, and thermostats\u2014are also endpoints."
        },
        "26": {
          "caption": "Geo Location",
          "description": "The Geo Location object describes a geographical location, usually associated with an IP address. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:PhysicalLocation/'>d3f:PhysicalLocation</a>."
        },
        "21": {
          "caption": "User",
          "description": "The User object describes the characteristics of a user/person or a security principal. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:UserAccount/'>d3f:UserAccount</a>."
        },
        "30": {
          "caption": "Fingerprint",
          "description": "The Fingerprint object provides detailed information about a digital fingerprint, which is a compact representation of data used to identify a longer piece of information, such as a public key or file content. It contains the algorithm and value of the fingerprint, enabling efficient and reliable identification of the associated data."
        },
        "27": {
          "caption": "Container",
          "description": "The Container object describes an instance of a specific container. A container is a prepackaged, portable system image that runs isolated on an existing system using a container runtime like containerd."
        },
        "24": {
          "caption": "File",
          "description": "The File object represents the metadata associated with a file stored in a computer system. It encompasses information about the file itself, including its attributes, properties, and organizational details. Defined by D3FEND <a target='_blank' href='https://next.d3fend.mitre.org/dao/artifact/d3f:File/'>d3f:File</a>."
        },
        "18": {
          "caption": "CVE ID",
          "description": "The Common Vulnerabilities and Exposures unique number assigned to a specific computer vulnerability. A CVE Identifier begins with 4 digits representing the year followed by a sequence of digits that acts as a unique identifier. For example: <code>CVE-2021-12345</code>."
        },
        "5": {
          "caption": "Email Address",
          "description": "Email address. For example: <code>john_doe@example.com</code>."
        },
        "8": {
          "caption": "Hash",
          "description": "Hash. A unique value that corresponds to the content of the file, image, ja3_hash or hassh found in the schema. For example MD5: <code>3172ac7e2b55cbb81f04a6e65855a628</code>."
        },
        "7": {
          "caption": "File Name",
          "description": "File name. For example: <code>text-file.txt</code>."
        },
        "1": {
          "caption": "Hostname",
          "description": "Unique name assigned to a device connected to a computer network. A domain name in general is an Internet address that can be resolved through the Domain Name System (DNS). For example: <code>r2-d2.example.com</code>."
        },
        "2": {
          "caption": "IP Address",
          "description": "Internet Protocol address (IP address), in either IPv4 or IPv6 format. For example, <code>192.168.200.24</code> or <code>2001:0db8:85a3:0000:0000:8a2e:0370:7334</code>."
        },
        "3": {
          "caption": "MAC Address",
          "description": "Media Access Control (MAC) address. For example: <code>18:36:F3:98:4F:9A</code>."
        },
        "11": {
          "caption": "Port",
          "description": "The TCP/UDP port number. For example: <code>80</code> or <code>22</code>."
        },
        "9": {
          "caption": "Process Name",
          "description": "Process name. For example: <code>Notepad</code>."
        },
        "10": {
          "caption": "Resource UID",
          "description": "Resource unique identifier. For example, S3 Bucket name or EC2 Instance ID."
        },
        "12": {
          "caption": "Subnet",
          "description": "The subnet represented in a CIDR notation, using the format network_address/prefix_length. The network_address can be in either IPv4 or IPv6 format. The prefix length indicates the number of bits used for the network portion, and the remaining bits are available for host addresses within that subnet. <div>For example:<ul><li>192.168.1.0/24</li><li>2001:0db8:85a3:0000::/64</li></ul></div>"
        },
        "6": {
          "caption": "URL String",
          "description": "Uniform Resource Locator (URL) string. For example: <code>http://www.example.com/download/trouble.exe</code>."
        },
        "4": {
          "caption": "User Name",
          "description": "User name. For example: <code>john_doe</code>."
        },
        "13": {
          "caption": "Command Line",
          "description": "The full command line used to launch an application, service, process, or job. For example: <code>ssh user@10.0.0.10</code>. If the command line is unavailable or missing, the empty string <code>''</code> is to be used."
        },
        "14": {
          "caption": "Country",
          "description": "The ISO 3166-1 Alpha-2 country code. For the complete list of country codes see <a target='_blank' href='https://www.iso.org/obp/ui/#iso:pub:PUB500001:en' >ISO 3166-1 alpha-2 codes</a>.<p><b>Note:</b> The two letter country code should be capitalized. For example: <code>US</code> or <code>CA</code>.</p>"
        },
        "15": {
          "caption": "Process ID",
          "description": "The process identifier, as reported by the operating system. Process ID (PID) is a number used by the operating system to uniquely identify an active process."
        },
        "16": {
          "caption": "HTTP User-Agent",
          "description": "The request header that identifies the operating system and web browser."
        },
        "28": {
          "caption": "Registry Key",
          "description": "The registry key object describes a Windows registry key. Defined by D3FEND <a target='_blank' href='https://d3fend.mitre.org/dao/artifact/d3f:WindowsRegistryKey/'>d3f:WindowsRegistryKey</a>."
        },
        "29": {
          "caption": "Registry Value",
          "description": "The registry value object describes a Windows registry value."
        }
      },
      "caption": "Type ID",
      "sibling": "type",
      "type": "integer_t"
    },
    "value": {
      "description": "The value associated with the observable attribute. The meaning of the value depends on the observable type.<br/>If the <code>name</code> refers to a scalar attribute, then the <code>value</code> is the value of the attribute.<br/>If the <code>name</code> refers to an object attribute, then the <code>value</code> is not populated.",
      "requirement": "optional",
      "caption": "Value",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}