What is interesting about the Observables page?
An observable is a piece of technical information that can be used to detect a potential threat. Observables are derived from all the data contained in the Intelligence Center but are not always contextualized. If an observable clearly represents malicious activity, it is considered an IoC.
This page provides a quick and efficient search engine for all the technical information available within the Intelligence Center, both observables and IoCs.
A classic use case is looking for any information about an IP address, domain name, URL or file hash. The page returns the potentially related threat and/or the associated tags.
Tag information has a validity period and provides technical enrichment depending on the type of the observable: geolocation, internet provider, reputation (e.g. scanner).
The telemetry of an observable shows the number of sightings of the observable on the perimeters monitored by SEKOIA.IO. The number of sightings is shown for each day over the last year, each day being denoted by a small square box colored proportionally to the number of sightings. These statistics are very useful:
- to check the anteriority of an observable before using it as an IoC and
- to gain more context on an observable that participates in an alert.
The user can filter the telemetry of an observable depending on their profile and permissions. We built the telemetry feature with MSSPs in mind. The telemetry of an observable can be filtered to show the sightings for
- all SEKOIA.IO communities,
- the user community and all its sub communities (useful for MSSPs),
- the user community (for end clients).
Note that we deliberately limited the telemetry feature to the following observable types:
- publicly addressable ipv4 addresses
- publicly addressable ipv6 addresses
- domain-names with public TLD (.fr, .com, .gov.uk, …)
- file hashes
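The eligibility rule above (publicly addressable IPv4 and IPv6, domain names with a public TLD, file hashes) is easy to get subtly wrong, so here is an added example, not SEKOIA.IO code, that classifies an observable string and applies the special-use tags from the tag list on this page (rfc1918, rfc5735, rfc6598, multicast, rfc6761) to rule addresses and names out. The helper names, the hash-type naming and the tiny public-suffix allow-list are assumptions; a real deployment would use the full public suffix list.

```python
import ipaddress
import re

# Added example (not SEKOIA.IO code): decide whether an observable is one of
# the telemetry-eligible types named on this page, and attach the special-use
# tags from the page's tag list that disqualify it. Names are assumptions.

# Special-use IPv4 blocks, keyed by the tag names used on this page.
SPECIAL_IPV4 = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "rfc6598": ["100.64.0.0/10"],
    "multicast": ["224.0.0.0/4"],
    # Subset of RFC 5735 special-use blocks: "this" network, loopback,
    # link-local, the three documentation ranges and limited broadcast.
    "rfc5735": ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
                "198.51.100.0/24", "203.0.113.0/24", "255.255.255.255/32"],
}
SPECIAL_IPV4 = {tag: [ipaddress.ip_network(n) for n in nets]
                for tag, nets in SPECIAL_IPV4.items()}

# RFC 6761 special-use names (tag "rfc6761" on this page).
RFC6761_TLDS = {"test", "localhost", "invalid", "example"}
RFC6761_NAMES = {"example.com", "example.net", "example.org"}

# Tiny stand-in for a public-suffix list (assumption). Multi-label suffixes
# such as gov.uk are listed explicitly so that "cert.gov.uk" is accepted.
PUBLIC_TLDS = ("gov.uk", "co.uk", "com", "fr", "net", "org", "io")

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def classify(observable: str) -> dict:
    """Return {'type', 'tags', 'telemetry'} for one observable string.

    'telemetry' is True only for the four categories the page names:
    publicly addressable IPv4, publicly addressable IPv6, domain names with
    a public TLD, and file hashes. Anything else gets type 'unknown'.
    """
    value = observable.strip()
    result = {"type": "unknown", "tags": [], "telemetry": False}

    # 1. IP addresses: stdlib parser first, then special-use checks.
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if addr.version == 4:
            result["type"] = "ipv4-addr"
            result["tags"] = [tag for tag, nets in SPECIAL_IPV4.items()
                              if any(addr in n for n in nets)]
            result["telemetry"] = not result["tags"]
        else:
            result["type"] = "ipv6-addr"
            # is_global already excludes ULA, link-local, loopback and the
            # 2001:db8::/32 documentation range.
            result["telemetry"] = addr.is_global
        return result

    # 2. File hashes: hex strings of MD5 / SHA-1 / SHA-256 length.
    if HEX_RE.match(value) and len(value) in HASH_TYPES:
        result["type"] = "file-hash:" + HASH_TYPES[len(value)]
        result["telemetry"] = True
        return result

    # 3. Domain names: syntactically valid, then special-use vs public TLD.
    name = value.lower().rstrip(".")
    if DOMAIN_RE.match(name):
        result["type"] = "domain-name"
        last_label = name.rsplit(".", 1)[-1]
        if last_label in RFC6761_TLDS or name in RFC6761_NAMES:
            result["tags"] = ["rfc6761"]
        else:
            # Require at least one label in front of the matched public suffix.
            result["telemetry"] = any(name.endswith("." + tld)
                                      for tld in PUBLIC_TLDS)
        return result

    return result
```

With this in place, `classify("192.168.1.10")` reports the rfc1918 tag and no telemetry eligibility, while `classify("cert.gov.uk")` is a domain with a public TLD and is eligible.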
How are the observables produced?
Technical information is automatically extracted from various sources: public sources, subscriptions, partners and SEKOIA internal analysis.
Depending on the source, a tag name can be associated with a valid_until timestamp, providing up-to-date technical information directly integrated into the Intelligence Center database: an IP address could be enriched with the tag scanner once, then have the tag expire if scanning activity from that IP address is no longer observed.
An observable also has relationships with other observables: an IP address could be belongs-to a subnet object and have a URL hosted-on it. It could become an indicator of compromise together with its associated threat (e.g. malware, campaign).
The main features of the observables page
- Autonomous system
- x509 Certificate
- Domain name
- Email addr
- Ipv4 addr
- Ipv6 addr
- Mac addr
- Windows registry key
- SEKOIA C2 Tracker
- SEKOIA Malware Watcher
- amazon_aws (Amazon AWS IP Ranges)
- cloudflare (Cloudflare IPv4)
- country:* (Country)
- crl or ocsp (CRL and OCSP Domain Names)
- cryptomining (Domain Names related to Cryptomining activity)
- disposable_email (List of domain names providing disposable email services)
- domains_top_1_000_000 (Top 1M domain names)
- domains_top_100_000 (Top 100k domain names)
- domains_top_10_000 (Top 10k domain names)
- dynamic-dns (Top 5000 dynamic malicious domains)
- google (Domain Names used by Google products)
- googlebot (IP Addresses used by Google Bot)
- iplookup (IP Lookup Services)
- multicast (RFC 5771 multicast CIDR blocks)
- office365 (Office 365 IP Ranges and Domains)
- ovh_webhosting (OVH Web Hosting IP Addresses - Shared)
- rfc1918 (RFC1918 - Private Addresses)
- rfc5735 (RFC5735 - Special Use Addresses)
- rfc6598 (RFC6598 - Shared Address Space)
- rfc6761 (RFC6761 - Special Use Domain Names)
- scanner:* (Hosts involved in mass scanning and/or exploitation attempts)
- security_vendor (Security Vendor Blogs)
- sinkhole (Brakmic Sinkholes)
- tor (Tor Exit Nodes)
- university (University Domain Names and Websites)
- url_shortener (URL Shorteners)
You can also run a bulk search, with one observable on each line.
The result page gives you two tabs, one for known observables and one for unknown observables, together with the potentially associated tags and related threats.
When clicking on an observable, a dedicated page displays its information, the raw object and sometimes its relationships, as shown below:
Example Use Case
You found some domain names during an investigation and you want to know whether those observables are known in the Intelligence Center and whether there is more context about them.
Simply paste the domain names into the search field and hit enter.
In the Known tab you will find the observables known in the Intelligence Center, with context about them if there is any. The Unknown tab contains the observables never seen in the Intelligence Center.
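To make the bulk-search flow and the tag validity rule concrete, here is an added example, not SEKOIA.IO code, that models both: a constructed in-memory stand-in for the Intelligence Center maps observable values to tags carrying a valid_until timestamp and to related threats, and bulk_search() splits pasted multi-line input into the Known and Unknown tabs while dropping tags whose validity has expired. The record layout, the sample observables and the helper names are assumptions; the rule that an observable linked to a threat is treated as an IoC follows the description earlier on this page.

```python
from datetime import datetime

# Added example (not SEKOIA.IO code): a toy Intelligence Center and the bulk
# search over it. Record layout and sample values are constructed.
INTELLIGENCE_CENTER = {
    "198.51.100.23": {                       # documentation-range IP, constructed
        "type": "ipv4-addr",
        "tags": [
            # valid_until None means the tag never expires.
            {"name": "scanner:ssh", "valid_until": "2024-02-01T00:00:00Z"},
            {"name": "country:FR", "valid_until": None},
        ],
        "threats": [],
    },
    "update-check.test": {                   # reserved .test TLD, constructed
        "type": "domain-name",
        "tags": [{"name": "dynamic-dns", "valid_until": None}],
        "threats": ["Constructed Malware Family"],
    },
    "d41d8cd98f00b204e9800998ecf8427e": {    # MD5 of the empty file
        "type": "file-hash",
        "tags": [],
        "threats": [],
    },
}


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp with a 'Z' suffix into an aware datetime."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def active_tags(record, now):
    """Keep the tag names whose valid_until is unset or still in the future."""
    kept = []
    for tag in record["tags"]:
        until = parse_timestamp(tag["valid_until"])
        if until is None or until > now:
            kept.append(tag["name"])
    return kept


def bulk_search(raw_input, ic, now_iso):
    """Split pasted input (one observable per line) into Known/Unknown tabs.

    now_iso is the reference time used to decide which tags are still valid.
    Blank lines and duplicates are skipped so the tabs list each value once.
    """
    now = parse_timestamp(now_iso)
    known, unknown, seen = [], [], set()
    for line in raw_input.splitlines():
        value = line.strip()
        if not value or value in seen:
            continue
        seen.add(value)
        record = ic.get(value)
        if record is None:
            unknown.append(value)
            continue
        known.append({
            "value": value,
            "type": record["type"],
            "tags": active_tags(record, now),
            "threats": list(record["threats"]),
            # An observable tied to a threat clearly represents malicious
            # activity, so it is treated as an IoC.
            "is_ioc": bool(record["threats"]),
        })
    return {"known": known, "unknown": unknown}


if __name__ == "__main__":
    pasted = "198.51.100.23\nupdate-check.test\n10.0.0.5\n\n198.51.100.23\n"
    tabs = bulk_search(pasted, INTELLIGENCE_CENTER, "2024-03-01T00:00:00Z")
    for entry in tabs["known"]:
        print("known  ", entry)
    for value in tabs["unknown"]:
        print("unknown", value)
```

Run with a reference time of March 2024, the scanner:ssh tag on 198.51.100.23 has already expired and only country:FR is shown, while the same search run with a January 2024 reference time still lists both tags; the domain linked to a threat is flagged as an IoC and 10.0.0.5 lands in the Unknown tab.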