Run a Sightings Search

Determine the prevalence of a threat over time, or test remediation or eradication efforts. From a security incident you can select one or more observables and the date range for your search. Results are added to the Security Incident Observables related list.

Before you begin

Role required: sn_si.analyst

About this task

The Sightings Search capability is driven by a workflow, Security Operations Integration - Sightings Search, that executes the sightings search. The workflow accepts a list of observables, finds any implementing capabilities, builds the queries from the Sightings Search Configurations, and runs the searches through the configured workflow.
Note: An active implementation must be configured. Sightings Search supports Elasticsearch, Splunk, Intel McAfee ESM, HPE ArcSight Logger, and QRadar incident enrichment. If no implementations are available, capability actions, such as Run Sightings Search, are not displayed in product menus.

Procedure

  1. Navigate to a security incident.
  2. Click the Show IoC related link.
  3. In the Observables tab, select the observables for which you want to run a sightings search.
  4. Click Run Sightings Search in the Actions on selected rows... drop-down menu.
    The Run Sightings Search dialog box opens.
    Run Sighting Search dialog box
    Note: Values entered in the dialog box overwrite capability configuration values for this run.
  5. Choose the number of days or a date range to search for data.
    Option Description
    Last The number of hours or days prior to the creation of the incident to search. The default is 7 days. The limit is 99 hours or days.
    between Range of dates to search. Default dates are:
    • The date and time the incident was opened.
    • The date and time seven days prior to the opening of the incident.
  6. Click Search.
    A Sightings Search record is created. Aggregate and associated sightings data are displayed in the security incident under the Sightings Search Results and Sightings Search Details tabs.
    Note: This data can be shared with Trusted Security Circles.
    Table 1. Sightings Search Results
    Result Description
    Observable count Number of observables searched for by query.
    Internal sightings Count of internal sightings.
    External sightings Count of external sightings. (Received from threat sharing.)
    Matched configuration items Count of configuration items that matched an existing record in your CMDB for each observable found in your environment.
    Start date range Time to start looking for sightings.
    End date range Time to stop looking for sightings.
    Updated Date and time of the last modification.
    Table 2. Sightings Search Details
    Detail Description
    Observable Observable searched for by query.
    Observable type Type of observable searched for by query.
    Internal sightings Aggregated count of internal sightings.
    External sightings Aggregated count of external sightings. (Received from threat sharing.)
    Updated Date and time of the last modification.
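To make the search window and the two result tables concrete, the following added example (illustrative code, not ServiceNow's workflow or API) models what a sightings search computes: the default "Last 7 days" window before the incident was opened with the 99-unit limit enforced, then per-observable internal/external counts and matched CMDB items aggregated from constructed sample log records. All observables, hosts, timestamps and counts below are constructed for the example.

```python
from datetime import datetime, timedelta

MAX_WINDOW = 99  # page-stated limit: at most 99 hours or days


def search_window(incident_opened, last=7, unit="days"):
    """'Last' option: N hours/days before the incident was opened (default 7 days)."""
    if unit not in ("hours", "days"):
        raise ValueError("unit must be 'hours' or 'days'")
    if not 1 <= last <= MAX_WINDOW:
        raise ValueError(f"window must be between 1 and {MAX_WINDOW} {unit}")
    return incident_opened - timedelta(**{unit: last}), incident_opened


def run_sightings_search(observables, internal_events, external_counts, cmdb_hosts, start, end):
    """Aggregate counts the way the Results and Details tabs present them.
    internal_events: constructed SIEM records; external_counts: constructed counts
    received from threat sharing; cmdb_hosts: constructed set of CMDB host names."""
    details, matched_cis = [], set()
    for value, otype in observables:
        hits = [e for e in internal_events if e["value"] == value and start <= e["ts"] <= end]
        matched_cis.update(e["host"] for e in hits if e["host"] in cmdb_hosts)
        details.append({"observable": value, "type": otype, "internal": len(hits),
                        "external": external_counts.get(value, 0)})
    results = {"observable_count": len(observables),
               "internal_sightings": sum(d["internal"] for d in details),
               "external_sightings": sum(d["external"] for d in details),
               "matched_configuration_items": len(matched_cis),
               "start_date_range": start, "end_date_range": end}
    return results, details


# Constructed sample incident and data (not from any real environment)
OPENED = datetime(2024, 3, 10, 12, 0)
START, END = search_window(OPENED)          # default: 7 days before OPENED
OBSERVABLES = [("203.0.113.5", "IP address"), ("evil.example", "Domain")]
INTERNAL_EVENTS = [
    {"ts": datetime(2024, 3, 8, 9, 0), "value": "203.0.113.5", "host": "ws-017"},
    {"ts": datetime(2024, 3, 9, 21, 30), "value": "203.0.113.5", "host": "ws-042"},
    {"ts": datetime(2024, 3, 1, 8, 0), "value": "203.0.113.5", "host": "ws-017"},  # outside window
    {"ts": datetime(2024, 3, 9, 10, 15), "value": "evil.example", "host": "ws-017"},
]
EXTERNAL_COUNTS = {"203.0.113.5": 3}        # shared via threat sharing
CMDB_HOSTS = {"ws-017", "srv-db-01"}        # ws-042 has no CMDB record
RESULTS, DETAILS = run_sightings_search(OBSERVABLES, INTERNAL_EVENTS, EXTERNAL_COUNTS,
                                        CMDB_HOSTS, START, END)

if __name__ == "__main__":
    print(RESULTS)
    for row in DETAILS:
        print(row)
```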