Observable
An observable is a domain, IP address, URL, file hash, email address, phone number, or wallet address that can be examined during a security investigation. A submitted observable is not automatically malicious and is not automatically an indicator of compromise.
Frequently Asked Questions
What is Observable?
An observable is a domain, IP address, URL, file hash, email address, phone number, or wallet address that can be examined during a security investigation. A submitted observable is not automatically malicious and is not automatically an indicator of compromise.
How is Observable related to Indicator?
Observable and Indicator are both key concepts in threat intelligence. An indicator is an observable whose evidence makes it relevant to a security investigation or detection. It becomes an indicator of compromise only when the evidence supports compromise or malicious activity.
Related Terms
Indicator
An indicator is an observable whose evidence makes it relevant to a security investigation or detection. It becomes an indicator of compromise only when the evidence supports compromise or malicious activity.
IOC (Indicator of Compromise)
An indicator of compromise is an indicator supported by evidence of compromise or malicious activity. Security teams use IOCs to detect, contain, and investigate threats; an arbitrary IP address, domain, URL, file hash, or email address is only an observable until evidence supports that promotion.
Threat Intelligence
Threat intelligence is evidence-based knowledge about cyber threats, including observed infrastructure, behaviors, campaigns, and likely intent. It combines source observations with context so security teams can make a specific detection, triage, containment, or response decision.
Put this intelligence to work
Query indexed indicators — IPs, domains, URLs, and hashes — in seconds.