Investigate observables related to an investigation in Splunk Enterprise Security
Filter and sort observables
Filter, sort, and search for observables on the Intelligence tab of your investigation in Splunk Enterprise Security. To manage observables, complete the following steps:
- In Splunk Enterprise Security, select Mission Control.
- Select an investigation from the analyst queue.
- Select View details.
- Select the Intelligence tab.
- To filter observables, select the column header of the field you want to filter by. You can sort and filter a field by selecting the down arrow icon in the column header or by entering a search in the observable search bar. Fields that aren't filterable don't have a filter menu with check boxes.
- In the filter menu, select a value. For some fields, such as Score, you can select multiple values, such as Medium and High.
- To remove a filter so that it no longer applies to observables, select the remove icon next to the respective filter, or select Clear all to remove them all.
- To sort observables, select the column header of the field you want to sort by. Then, select the up arrow icon or the down arrow icon to determine which observables appear first.
Review priority scores for observables
After you set up threat intelligence in Splunk Enterprise Security, select an observable in the Intelligence tab of your investigation to begin reviewing what the intelligence sources report about it and how severe it is.
The list of observables includes those found in the following investigation fields:
- host
- orig_host
- dvc
- dest
- src
- src_user
- user
- cve
- dest_dns
- dest_ip
- dest_nt_domain
- dest_nt_host
- dest_translated_ip
- dns
- dvc_dns
- dvc_ip
- dvc_nt_host
- file_hash
- file_name
- file_path
- hash
- ip
- nt_host
- orig_host_dns
- orig_host_ip
- orig_host_nt_host
- path
- recipient
- sender
- src_dns
- src_ip
- src_nt_domain
- src_nt_host
- src_user_email
- src_user_identity
- src_user_id
- threat_ip
- url
- user_email
- user_identity
- user_id
- threat_source_path
- risk_object
- risk_object_type
- threat_object
- threat_object_type
- threat_match_value
- threat_match_field
Some of these fields require a companion field to be present in order for intelligence data to appear in the Intelligence tab of an investigation:
- risk_object requires risk_object_type
- threat_object requires threat_object_type
- threat_match_value requires threat_match_field
Different intelligence sources often use different scoring systems, which makes it difficult to compare threats across sources. For example, one source might use a numeric scale of 1 through 10 for severity, and another source might use text labels such as Benign or Malicious.
The threat intelligence system normalizes the different scores using a conversion table so that you can compare all scores across different intelligence sources. You can use these scores to evaluate the risk associated with an observable or risk event.
After you select an observable, you can find its passthru score and normalized score by expanding the Most recent reporting from each source section. The priority score is the badge that appears in the Summary of "<observable>" section.
The following table defines the scores associated with each observable.
| Score | Description | 
|---|---|
| Passthru score | The original score assigned to the observable by an external intelligence source. | 
| Normalized score | The score created by the threat intelligence system and assigned to the observable to show the relative severity of the observable. Normalized scoring automatically converts the passthru score from an intelligence source into a value that reflects the observable's severity on a standardized scale. | 
| Priority score | The score that aggregates the normalized scores from all the IOCs to create one score for that observable. | 
Intelligence sources provide the tags and attributes for the observable in the Summary of "<observable>" section. However, you can't distinguish which specific intelligence source provided each tag or attribute.
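To make the three scores and the companion-field rule concrete, the following is an added Python model of the pipeline described above; it is not Splunk code. The 0-100 normalized scale, the conversion table values, the field subset and the choice of "maximum" as the aggregation are all assumptions for illustration, as is the constructed event.

```python
# Added example: a model of observable extraction and score normalization.
# Not Splunk code; the conversion table, field subset and "max" aggregation
# are assumptions chosen for illustration.
from typing import Dict, List, Tuple

# Subset of the investigation fields listed above that hold observables.
OBSERVABLE_FIELDS = ["src_ip", "dest_ip", "file_hash", "url", "user",
                     "risk_object", "threat_object", "threat_match_value"]

# Fields that only yield an observable when their companion field is present.
REQUIRED_COMPANION = {"risk_object": "risk_object_type",
                      "threat_object": "threat_object_type",
                      "threat_match_value": "threat_match_field"}

# Constructed conversion table: text labels mapped onto an assumed 0-100 scale
# (the real conversion table is Splunk's and is not shown on this page).
LABEL_TABLE = {"benign": 0, "suspicious": 50, "malicious": 100}


def extract_observables(event: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, value) pairs for observable fields in one event,
    honoring the companion-field requirements."""
    found = []
    for field in OBSERVABLE_FIELDS:
        value = event.get(field)
        if not value:
            continue
        companion = REQUIRED_COMPANION.get(field)
        if companion and not event.get(companion):
            continue  # e.g. risk_object without risk_object_type is skipped
        found.append((field, value))
    return found


def normalize(passthru, scale: str) -> int:
    """Convert one source's passthru score to the assumed 0-100 scale."""
    if scale == "1-10":          # numeric severity 1 through 10
        return round((int(passthru) - 1) * 100 / 9)
    if scale == "label":         # text labels such as Benign or Malicious
        return LABEL_TABLE[str(passthru).lower()]
    raise ValueError(f"unknown scoring system: {scale}")


def priority_score(reports: List[Tuple[str, object, str]]) -> int:
    """Aggregate the normalized scores from every IOC report on one observable.
    Assumption: the aggregate is the highest (worst-case) normalized score."""
    return max(normalize(score, scale) for _, score, scale in reports)
```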
See also
For more details on threat intelligence in Splunk Enterprise Security, see the product documentation:
- Overview of threat intelligence in Splunk Enterprise Security
- Configure intelligence source integrations in Splunk Enterprise Security
- Turn on threat-matching searches in Splunk Enterprise Security
- Configure threat lists in Splunk Enterprise Security
- Create and manage safelist libraries in Splunk Enterprise Security