Fill Observed Data Details
Observed Data represents raw information about cyber-related entities such as files, systems, or networks, captured through STIX Cyber-observable Objects (SCOs). This data may include details like IP addresses, network connections, or file hashes, but it does not provide any intelligence interpretation—it is simply the raw data.
Observed Data can record both single instances and aggregated observations. If the number_observed property is 1, it signifies a single observation; if greater than 1, it captures multiple occurrences, possibly over a specific time window marked by the first_observed and last_observed properties. In aggregated data, certain details (for example, timestamps) may be omitted since they would vary across observations.
This data can be used independently, sourced from reports, sandboxes, or detection tools, and should include as much context (like SCOs) as possible to aid its utility in security systems. For instance, a firewall could generate Observed Data for each network connection or an aggregated report summarizing multiple observations over time.
Observed Data can also be linked to other SDOs, such as Indicators or Malware, to provide raw evidence supporting intelligence conclusions. For backward compatibility, the objects or object_refs property should be used to relate SCOs, but both properties must not be used simultaneously.
The observed data component contains the following:

- Basic Details
- Common Fields
- Custom Attributes
- Object Reference
- External References
Basic Details
| Field Name | Required | Description |
|---|---|---|
| Name | Optional | Specify the name of the observed data. Note: If you select pre-existing Observed Data, all fields auto-populate except for the Object Reference fields. You need to enter the SCO type field manually in the Object Reference tab. |
| Number Observed | Mandatory | The count of times each Cyber Observable Object referenced in the objects or object_refs property was observed. If provided, this must be an integer between 1 and 999,999,999, inclusive. |
| First Observed | Mandatory | The start of the time window during which the data was first seen. |
| Last Observed | Mandatory | The end of the time window during which the data was seen. This value must be greater than or equal to the timestamp in First Observed. |
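The rules stated above (number_observed in the range 1 to 999,999,999, last_observed not earlier than first_observed, and exactly one of objects or object_refs carrying the SCO references) are straightforward to enforce before data is submitted to a platform. The following Python is an added example, not CTIX code and not the STIX reference implementation; it aggregates a constructed firewall connection log into one Observed Data object that references two SCOs via object_refs, and validates the result against those rules. The firewall events, SCO contents and helper names are all assumptions made for the example.

```python
"""Build and validate a STIX 2.1 Observed Data object (added example, not CTIX code)."""
from datetime import datetime, timezone
import uuid

# Upper bound on number_observed as given in the Basic Details table above.
MAX_NUMBER_OBSERVED = 999_999_999

# Constructed sample: three connections to the same host seen by a firewall.
# (timestamp, destination IPv4 address, destination port)
FIREWALL_EVENTS = [
    ("2024-05-01T08:00:00.000Z", "198.51.100.23", 443),
    ("2024-05-01T08:05:12.000Z", "198.51.100.23", 443),
    ("2024-05-01T09:30:45.000Z", "198.51.100.23", 443),
]

# Constructed SCOs that the Observed Data object will point at through object_refs.
# Random UUIDv4 ids are used here purely for illustration.
IPV4_SCO = {
    "type": "ipv4-addr",
    "spec_version": "2.1",
    "id": f"ipv4-addr--{uuid.uuid4()}",
    "value": "198.51.100.23",
}
TRAFFIC_SCO = {
    "type": "network-traffic",
    "spec_version": "2.1",
    "id": f"network-traffic--{uuid.uuid4()}",
    "dst_ref": IPV4_SCO["id"],
    "dst_port": 443,
    "protocols": ["tcp"],
}


def parse_stix_timestamp(value):
    """Parse a STIX timestamp (RFC 3339, UTC, trailing 'Z') into an aware datetime."""
    if not isinstance(value, str) or not value.endswith("Z"):
        raise ValueError(f"not a UTC STIX timestamp: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def format_stix_timestamp(dt):
    """Render an aware datetime as a STIX timestamp with millisecond precision."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_observed_data(events, sco_ids):
    """Aggregate a list of (timestamp, ip, port) events into one Observed Data object.

    number_observed is the event count; first/last_observed span the events.
    """
    times = sorted(parse_stix_timestamp(ts) for ts, _, _ in events)
    now = format_stix_timestamp(datetime.now(timezone.utc))
    return {
        "type": "observed-data",
        "spec_version": "2.1",
        "id": f"observed-data--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "first_observed": format_stix_timestamp(times[0]),
        "last_observed": format_stix_timestamp(times[-1]),
        "number_observed": len(events),
        "object_refs": list(sco_ids),  # SCO references; the legacy 'objects' property is not used
    }


def validate_observed_data(obj):
    """Return a list of rule violations; an empty list means the object passes."""
    problems = []

    n = obj.get("number_observed")
    if isinstance(n, bool) or not isinstance(n, int) or not 1 <= n <= MAX_NUMBER_OBSERVED:
        problems.append("number_observed must be an integer between 1 and 999,999,999")

    try:
        first = parse_stix_timestamp(obj["first_observed"])
        last = parse_stix_timestamp(obj["last_observed"])
        if last < first:
            problems.append("last_observed must be greater than or equal to first_observed")
    except (KeyError, ValueError) as exc:
        problems.append(f"first_observed/last_observed missing or malformed: {exc}")

    # Backward compatibility: 'objects' or 'object_refs', but never both and never neither.
    has_objects = "objects" in obj
    has_refs = "object_refs" in obj
    if has_objects == has_refs:
        problems.append("exactly one of 'objects' or 'object_refs' must be present")
    elif has_refs and not all(isinstance(r, str) and "--" in r for r in obj["object_refs"]):
        problems.append("object_refs must be a non-empty list of STIX identifiers")
    return problems


def is_aggregated(obj):
    """True when the object summarises more than one observation."""
    return obj.get("number_observed", 0) > 1


if __name__ == "__main__":
    od = make_observed_data(FIREWALL_EVENTS, [IPV4_SCO["id"], TRAFFIC_SCO["id"]])
    print(od["first_observed"], od["last_observed"], od["number_observed"])
    print("problems:", validate_observed_data(od))
```

Running the block prints the aggregated window and an empty problem list. The validator deliberately rejects an object that carries both objects and object_refs, since a consumer cannot know which set of SCOs is authoritative, and it treats a missing time window as a violation rather than defaulting it, because first_observed and last_observed are mandatory in the form above.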
Common Fields
| Field Name | Description |
|---|---|
| Tags | Specify the tags for the observed data. |
| TLP | Specify the TLP of the observed data, such as RED, AMBER, GREEN, WHITE, and NONE. |
| Confidence | Specify the confidence score for the observed data. |
| Custom Scores | This field allows for the assignment of scores to threat data objects based on factors that influence the lifecycle of indicators of compromise (IOCs), such as relevance, severity, and risk. Custom scores aid analysts in prioritizing their analysis, guiding actions, and facilitating the sharing of threat intelligence. |
| Created by Reference | Specify the entity that created the CTIX object. |
| Revoked | Select this option to mark the component as revoked or invalid. |
Custom Attributes
| Field Name | Description |
|---|---|
| Add Custom Attribute | Specify the additional information that helps in improving the threat intelligence details. CTIX displays custom attributes created in Administration > Custom Entities Management. You can create multiple custom attributes for the report. |
Object Reference
| Field Name | Description |
|---|---|
| Select SDO Type | Specify the STIX Objects that are referred to by this STIX component. |
External References
| Field Name | Description |
|---|---|
| Source Name | Enter a source name. |
| Description | Enter a description. |
| External ID | Enter an external ID. |
| URL | Enter the URL of the external reference. |
| Hash Type | Select the hash type. |
| Hash Value | Enter the hash value. |