Observable Entities
In CTIM, an Observable is a recognizable token which we can use as the basis of our investigation. Observables include things like domain names, IP addresses, file hashes, URLs and other values of similar nature.
Observables are not top level entities in CTIM. They are inline data types, included as part of both Sighting and Judgment entities, which we will learn about later.
Observable Field Summary
An Observable must have both of the following fields:
- type - Describes the type of this observable (e.g. `ip`, `domain`, `md5`, `sha256`, `url`). The definitive set of observable type identifiers that are supported in CTIM is available at https://github.com/threatgrid/ctim/blob/master/src/ctim/schemas/vocabularies.cljc.
- value - A non-empty string containing the value.
What Merits an Observable?
Not all information that can be observed in a system is necessarily a good candidate for an observable record. Ideally, observables are only created when they have direct bearing on a cyber threat incident. Tokens that we can observe but which we have no reason to believe are relevant to new or ongoing cyber threats do not, therefore, need to be captured as observables in CTIM.
Example: We can observe that a user's keyboard is beige, but we don't record an observable about that fact, because keyboard color is not relevant to any known threat. However, if we notice that their system is trying to contact a known malware command and control domain, we would definitely record that fact. This seems like a trivial and obvious distinction to point out, but we will use it later to help guide our thinking when we create Sighting and Judgment entities.
Example Observable
{
"type": "domain",
"value": "google.com"
}
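The two field requirements above (a known type identifier and a non-empty string value) are easy to check mechanically before an observable is embedded in a Sighting or Judgment. The validator below is an added example, not code from the CTIM project: it covers only the five type identifiers named on this page (the definitive vocabulary in vocabularies.cljc is longer), and the per-type value-shape checks and the normalization step are extra sanity checks added here rather than CTIM requirements.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# Observable type identifiers named on this page. Assumption: this is a subset of the
# definitive vocabulary in ctim/schemas/vocabularies.cljc, which is longer.
OBSERVABLE_TYPES = {"ip", "domain", "md5", "sha256", "url"}

# Per-type value shapes (added here as sanity checks, not part of the CTIM schema).
HEX_RE = {"md5": re.compile(r"^[0-9a-f]{32}$"), "sha256": re.compile(r"^[0-9a-f]{64}$")}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def normalize_value(obs_type, value):
    """Canonicalize so the same token reported by two sensors compares equal."""
    value = value.strip()
    if obs_type in ("domain", "md5", "sha256"):
        return value.lower()
    return value


def validate_observable(obs):
    """Return (ok, reason): the two CTIM requirements plus per-type shape checks."""
    if not isinstance(obs, dict):
        return False, "observable must be an object"
    obs_type, value = obs.get("type"), obs.get("value")
    if obs_type not in OBSERVABLE_TYPES:
        return False, f"unknown observable type: {obs_type!r}"
    if not isinstance(value, str) or not value.strip():
        return False, "value must be a non-empty string"
    value = normalize_value(obs_type, value)
    if obs_type in HEX_RE and not HEX_RE[obs_type].match(value):
        return False, f"{obs_type} value is not a hex digest of the expected length"
    if obs_type == "ip":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False, "ip value does not parse as an IPv4/IPv6 address"
    if obs_type == "domain" and not DOMAIN_RE.match(value):
        return False, "domain value is not a valid hostname"
    if obs_type == "url":
        parts = urlparse(value)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False, "url value needs an http(s) scheme and a host"
    return True, "ok"


def validate_observable_json(text):
    """Validate a raw JSON document such as the example observable shown above."""
    return validate_observable(json.loads(text))
```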