Configure the sightings threshold

Sightings thresholds determine whether a set of observables from a threat intelligence source merits being shared with a Trusted Security Circle. Only sightings whose counts exceed the specified threshold value are used to create automatic security incidents for the indicated circle.

Before you begin

Role required: sn_tis.admin

Procedure

  1. Navigate to Trusted Security Circles > Sightings Thresholds.
    The Sightings Thresholds list opens.
  2. Click New.
    The Sightings Threshold form opens.
    [Figure: Adding a new sighting threshold record]
  3. Fill in the fields as appropriate.
    | Field | Description |
    | --- | --- |
    | Sightings Search Source | Select the threat intelligence source to be analyzed. |
    | Circle | Select the Trusted Security Circle with which you want to share the threat sightings. |
    | Threshold | Enter the maximum number of sightings of a suspicious observable that are tolerated in your environment. Only observables with a sighting count greater than this value are used to create automatic security incidents for the specified circle. |
  4. Click Submit.