Create a security incident from shared observables

Automatically create Security Incidents from threat intelligence shared with you, if the sighting count after a sightings search exceeds your preset threshold.

Before you begin

Role required: sn_si.analyst

Procedure

  1. Configure the sightings threshold.
  2. Define a threshold for each Sightings Search Source for which you want to automatically create security incidents when the defined threshold is exceeded.
    When the sighting count of any observable searched in your environment exceeds the threshold, a security incident is created and all the observables in the search are added to that security incident. If a security incident already exists with the same list of observables, no new incident is created; the match is recorded in the work notes of the existing incident instead.
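To make the threshold rule concrete, here is an added stand-alone model of the decision logic in plain JavaScript. It is not ServiceNow code: the source names, thresholds, observables and the SIR-style incident numbers are constructed sample data, and `processSightingsSearch` is a hypothetical helper.

```javascript
// Per-Sightings-Search-Source thresholds (constructed sample configuration).
const thresholds = { "SIEM lookup": 5, "EDR lookup": 2 };

// Key an incident by its observable set, so "same list of observables" matches
// regardless of order or letter case.
function observableKey(observables) {
  return observables.map(o => o.value.toLowerCase()).sort().join("|");
}

// Apply the rule to one sightings search. `incidents` is a Map keyed by
// observableKey. Returns the action taken so callers (and tests) can check it.
function processSightingsSearch(search, thresholds, incidents) {
  const threshold = thresholds[search.source];
  if (threshold === undefined) return { action: "ignored", reason: "no threshold configured" };
  // "Exceeds" means strictly greater than the threshold; any one observable is enough.
  const exceeded = search.observables.some(o => o.sightings > threshold);
  if (!exceeded) return { action: "none" };
  const key = observableKey(search.observables);
  const existing = incidents.get(key);
  if (existing) {
    // Same observable set already has an incident: record in its work notes only.
    existing.workNotes.push(`Sightings search (${search.source}) exceeded threshold ${threshold} again; same observables, no new incident.`);
    return { action: "work_note", incident: existing };
  }
  // New incident carries ALL observables from the search, not only the one over threshold.
  const incident = {
    id: `SIR${String(incidents.size + 1).padStart(7, "0")}`, // constructed id format
    observables: [...search.observables],
    workNotes: [`Created from sightings search (${search.source}): threshold ${threshold} exceeded.`],
  };
  incidents.set(key, incident);
  return { action: "created", incident };
}

// Constructed sample: two searches over the same observables; the second must
// only add a work note to the incident the first created.
const incidents = new Map();
const search1 = { source: "EDR lookup", observables: [
  { type: "ip", value: "198.51.100.7", sightings: 3 },
  { type: "domain", value: "Example.Test", sightings: 0 } ] };
const search2 = { source: "EDR lookup", observables: [
  { type: "domain", value: "example.test", sightings: 1 },
  { type: "ip", value: "198.51.100.7", sightings: 6 } ] };
const first = processSightingsSearch(search1, thresholds, incidents);
const second = processSightingsSearch(search2, thresholds, incidents);
console.log(first.action, second.action, incidents.size); // created work_note 1
```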