Sightings Search Configuration

Configure a Sightings Search to query a SIEM or other log store for occurrences of observables, so you can determine whether malicious observables are present in your environment.

Before you begin

Role required: sn_si_analyst


  1. Navigate to Security Operations > Integrations > Sightings Search Configuration.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field                            Description
    Name                             The name of the configuration.
    Sightings Search Source          Reference to the integration that runs the search, for example Splunk or Elasticsearch.
    Search                           The search string sent to the log store. $(observable) is the default placeholder that is replaced with the observable values when the search runs; if this syntax conflicts with your log store's query language, the placeholder can be changed in the security incident properties.
    Observable Type                  The type of observable this search handles: IP address, hash value, URL, or domain name.
    Maximum observables per search   The maximum number of observables included in a single search request.
  4. Click Submit.
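The following is an added example, not ServiceNow code, that models what the Search field and the Maximum observables per search field do: it expands the $(observable) placeholder into a quoted, OR-joined group of observable values, splits a long list of observables into batches of at most the configured size, and rejects values that do not parse as the configured observable type before they reach the query. The Splunk-style template, the batching scheme, the validators, and the quoting rules are assumptions made for illustration; a real log store may need different escaping.

```python
"""Illustrative expansion of a Sightings Search template.

Added example, not ServiceNow's implementation. Assumes a Splunk-style
free-text query language where a quoted string is a literal and OR groups
may be parenthesised; adapt quote() and the joiner for other log stores.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

TOKEN = "$(observable)"  # default placeholder shown on the form

# Loose validators for the four observable types the form offers.
# Validating before substitution keeps a malformed or hostile indicator
# (for example "* | delete") from changing the structure of the query.
_HEX_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)
_URL = re.compile(r"^https?://[^\s\"']+$", re.I)


def is_valid_observable(kind: str, value: str) -> bool:
    """Return True if value is plausibly an observable of the given type."""
    if kind == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if kind == "hash":
        return bool(_HEX_HASH.match(value))
    if kind == "domain":
        return bool(_DOMAIN.match(value))
    if kind == "url":
        return bool(_URL.match(value))
    raise ValueError(f"unknown observable type: {kind}")


def quote(value: str) -> str:
    """Embed value as a literal string; escaping is an assumption about the target."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_searches(template: str, kind: str, observables: Iterable[str],
                   max_per_search: int, token: str = TOKEN) -> Tuple[List[str], List[str]]:
    """Expand the template once per batch of validated observables.

    Returns (searches, rejected): the generated query strings and the
    observable values that failed validation and were left out.
    """
    if token not in template:
        raise ValueError(f"template does not contain the placeholder {token!r}")
    if max_per_search < 1:
        raise ValueError("max_per_search must be at least 1")

    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in observables:
        value = raw.strip()
        if value in seen:          # duplicates would only inflate the query
            continue
        seen.add(value)
        (accepted if is_valid_observable(kind, value) else rejected).append(value)

    searches = []
    for start in range(0, len(accepted), max_per_search):
        batch = accepted[start:start + max_per_search]
        clause = "(" + " OR ".join(quote(v) for v in batch) + ")"
        searches.append(template.replace(token, clause))
    return searches, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Run the expansion on constructed sample input (not real incident data)."""
    template = "index=proxy $(observable) | stats count by dest_ip"
    sample = ["203.0.113.5", "198.51.100.7", "203.0.113.5",  # duplicate
              "192.0.2.9", "not-an-ip", "2001:db8::1"]
    return build_searches(template, "ip", sample, max_per_search=2)


if __name__ == "__main__":
    queries, dropped = demo()
    for q in queries:
        print(q)
    print("rejected:", dropped)
```

With a maximum of two observables per search, the five distinct sample values produce two queries and one rejected value; raising the maximum reduces the number of round trips to the SIEM at the cost of longer queries, which is the trade-off the form field controls.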