# Observer
The Observer module tracks analyst work and captures institutional knowledge about security operations. It provides structured workflows for documenting investigations, defining threat patterns, and recording observations.
## Components

### Work Units
Individual tasks or investigation steps performed by analysts. Work units track time spent, status, and outcomes for each piece of security work.
### Work Collections
Groups of related work units organized into logical investigations. Work collections aggregate time and effort across multiple tasks.
### MO Definitions
Modus operandi (MO) definitions describe known attack patterns and threat behaviors. Analysts create MO definitions to codify institutional knowledge about recurring threats.
### Observations
Freeform notes and findings recorded during investigations. Observations capture context that doesn't fit into structured fields — analyst insights, external research, and contextual notes.
## Workflow

```mermaid
graph TD
    I[Incident Detected] --> WC[Create Work Collection]
    WC --> WU1[Work Unit: Triage]
    WC --> WU2[Work Unit: Investigation]
    WC --> WU3[Work Unit: Remediation]
    WU2 --> O[Record Observations]
    WU2 --> MO[Match/Create MO Definition]
```

- An incident triggers a new work collection
- Analysts create work units for each investigation step
- During investigation, analysts record observations and match to known MO definitions
- Work collection aggregates total effort for reporting
## Permissions
| Action | Required Permission |
|---|---|
| View observer data | observer:read |
| Create/edit work items | observer:write |
| Manage MO definitions | observer:manage |
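The following Python is an added illustration of the workflow and permission model described above; it is not the Observer module's own code or API. The class names, the keyword-based MO matching, the action names in `REQUIRED_PERMISSION` and the sample incident data are all hypothetical. It shows a work collection aggregating time across its work units, observations being matched against MO definitions, and a deny-by-default check against the three permissions in the table.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Every class and function here is a hypothetical model of the page's concepts
# (work units, work collections, MO definitions, observations, permissions),
# not the Observer module's real API.


@dataclass
class WorkUnit:
    """One task or investigation step; tracks time spent, status and outcome."""
    title: str
    status: str          # e.g. "open", "in_progress", "done"
    minutes: int         # time spent on this step
    outcome: str = ""


@dataclass
class Observation:
    """Freeform finding recorded during an investigation."""
    text: str
    source: str = "analyst"   # e.g. "analyst", "external research"


@dataclass
class MODefinition:
    """Known attack pattern codified as behaviour keywords (hypothetical shape)."""
    name: str
    indicators: Set[str]      # lower-case keywords describing the behaviour
    min_hits: int = 2         # indicators that must appear before the MO counts as matched

    def matches(self, observations: List[Observation]) -> bool:
        text = " ".join(o.text.lower() for o in observations)
        hits = sum(1 for kw in self.indicators if kw in text)
        return hits >= self.min_hits


@dataclass
class WorkCollection:
    """Groups related work units for one incident and aggregates effort."""
    incident_id: str
    units: List[WorkUnit] = field(default_factory=list)
    observations: List[Observation] = field(default_factory=list)

    def total_minutes(self) -> int:
        return sum(u.minutes for u in self.units)

    def minutes_by_status(self) -> Dict[str, int]:
        summary: Dict[str, int] = {}
        for u in self.units:
            summary[u.status] = summary.get(u.status, 0) + u.minutes
        return summary

    def match_mos(self, catalogue: List[MODefinition]) -> List[str]:
        return [mo.name for mo in catalogue if mo.matches(self.observations)]


# Permission strings come from the Permissions table; the action keys are hypothetical.
REQUIRED_PERMISSION = {
    "view": "observer:read",
    "write": "observer:write",
    "manage_mo": "observer:manage",
}


def is_allowed(action: str, granted: Set[str]) -> bool:
    """Deny by default: unknown actions and missing permissions both fail.
    The page does not say whether observer:manage implies observer:write,
    so this check treats each permission as independent (an assumption)."""
    needed = REQUIRED_PERMISSION.get(action)
    return needed is not None and needed in granted


def build_sample_collection() -> WorkCollection:
    """Constructed sample data, not taken from any real incident."""
    wc = WorkCollection(incident_id="INC-EXAMPLE-001")
    wc.units += [
        WorkUnit("Triage", "done", 30, "Confirmed true positive"),
        WorkUnit("Investigation", "done", 90, "Scope: one user account"),
        WorkUnit("Remediation", "in_progress", 45),
    ]
    wc.observations += [
        Observation("User reported a phishing email linking to a lookalike domain"),
        Observation("Credentials were submitted to the fake login page; password reset",
                    source="external research"),
    ]
    return wc


SAMPLE_MOS = [
    MODefinition("Credential phishing", {"phishing", "credential", "lookalike domain"}),
    MODefinition("Ransomware", {"encrypted files", "ransom note", "shadow copies"}),
]


if __name__ == "__main__":
    wc = build_sample_collection()
    print("total minutes:", wc.total_minutes())
    print("by status:", wc.minutes_by_status())
    print("matched MOs:", wc.match_mos(SAMPLE_MOS))
    print("may manage MOs:", is_allowed("manage_mo", {"observer:read", "observer:write"}))
```

Keyword matching is deliberately simple so the flow is visible; a real MO catalogue would key on structured fields rather than free text. The deny-by-default shape of `is_allowed` is the part worth keeping: an action that is not in the table, or a permission that was never granted, should never succeed by accident.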