Sightings Search Configuration

Configure Sightings Searches for SIEMs or other log stores to find instances of observables and determine whether malicious observables are present in your environment.

Before you begin

Role required: sn_si_analyst

Procedure

1. Navigate to Security Operations > Integrations > Sightings Search Configuration.
2. Click New.
3. Fill in the fields on the form, as appropriate.

   Field                          Description
   Name                           The name of the configuration.
   Sightings Search Source        Reference field to an integration, for example, Splunk, Elasticsearch, and so on.
   Search                         $(observable) is the default search string. If this syntax conflicts with your log stores, it can be changed through the security incident properties.
   Observable Type                Choice of IP, hash value, URL, or domain name.
   Maximum observables per search Maximum number of observables to return from the search.

4. Click Submit.

Run a Sightings Search

Determine the prevalence of a threat over time, or test remediation or eradication efforts. From a security incident you can select individual or multiple observables and the date range for your search. Results are included in the Security Incident Observables related list.

Security Operations Integration - Sightings Search workflow

Security Operations Integration - Sightings Search workflow is a high-level workflow independent of integrations. It uses the configured queries to search for a set of observables through the configured integrations that support the capability. Use it to fulfill an integration such as Splunk or Elasticsearch.

View Sightings Search Results

You can review Sightings Search Results for internal and external malicious indicators.

View Sightings Search Details

Review the aggregate details of all sighting searches.
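The following is an added example, not ServiceNow's code or part of the documentation above, illustrating how a configuration's Search template, Observable Type and Maximum observables per search fit together when the $(observable) placeholder is expanded into queries for a log store. Everything beyond those three form fields is an assumption made for the illustration: the observable values are validated against the configured type, quoted and escaped before substitution so that a value taken from an incident cannot change the structure of the query sent to the log store, and grouped into batches no larger than the configured maximum. The sample configuration and observable list are constructed; the search template is written in a Splunk-like free-text form but stands for any log store's syntax.

```python
"""Expand a Sightings Search configuration into per-batch log-store queries.

Added example (not ServiceNow's implementation). Assumptions, none of which are
stated on the documentation page:
  - "$(observable)" is replaced with one or more observable values;
  - values are validated for the configured Observable Type, then quoted and
    escaped, so an incident-supplied value cannot alter the query structure;
  - max_per_search caps how many observables are placed in a single query.
"""
import re
from dataclasses import dataclass

# Observable types offered by the configuration form (IP, hash value, URL, domain name).
OBSERVABLE_TYPES = {"ip", "hash", "url", "domain"}

# Assumed per-type syntax checks; anything that fails is dropped, not searched.
VALIDATORS = {
    "ip": re.compile(r"\d{1,3}(\.\d{1,3}){3}"),
    "hash": re.compile(r"[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64}"),  # MD5/SHA-1/SHA-256
    "domain": re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+"),
    "url": re.compile(r"https?://\S+"),
}


@dataclass(frozen=True)
class SightingsSearchConfig:
    """Mirror of the form fields: Name, Sightings Search Source, Search,
    Observable Type, Maximum observables per search."""
    name: str
    source: str            # integration the search runs against, e.g. "Splunk"
    search: str            # template containing the $(observable) placeholder
    observable_type: str   # one of OBSERVABLE_TYPES
    max_per_search: int

    def __post_init__(self) -> None:
        if self.observable_type not in OBSERVABLE_TYPES:
            raise ValueError(f"unknown observable type: {self.observable_type}")
        if self.max_per_search < 1:
            raise ValueError("max_per_search must be at least 1")
        if "$(observable)" not in self.search:
            raise ValueError("search template has no $(observable) placeholder")


def quote_value(value: str) -> str:
    """Quote a value and escape backslashes and double quotes (assumed escaping
    rule; a real integration follows its log store's own quoting syntax)."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_queries(cfg: SightingsSearchConfig, observables: list[str]) -> list[str]:
    """Return one rendered query per batch of at most cfg.max_per_search
    distinct, type-valid observables, in the order they were supplied."""
    pattern = VALIDATORS[cfg.observable_type]
    clean: list[str] = []
    seen: set[str] = set()
    for raw in observables:
        value = raw.strip()
        # Drop duplicates and anything that is not a well-formed value of this type;
        # this is also what keeps quotes, spaces or operators out of the query.
        if value in seen or not pattern.fullmatch(value):
            continue
        seen.add(value)
        clean.append(value)

    queries: list[str] = []
    for start in range(0, len(clean), cfg.max_per_search):
        batch = clean[start:start + cfg.max_per_search]
        rendered = " OR ".join(quote_value(v) for v in batch)
        queries.append(cfg.search.replace("$(observable)", f"({rendered})"))
    return queries


# Constructed sample configuration and observables (documentation-style IP ranges).
SAMPLE_CONFIG = SightingsSearchConfig(
    name="Proxy IP sightings",
    source="Splunk",
    search="index=proxy $(observable)",
    observable_type="ip",
    max_per_search=2,
)
SAMPLE_OBSERVABLES = ["198.51.100.7", "203.0.113.9", "198.51.100.7", "not an ip", "192.0.2.44"]


def run_sample() -> list[str]:
    """Expand the constructed sample; yields two queries of at most two IPs each."""
    return build_queries(SAMPLE_CONFIG, SAMPLE_OBSERVABLES)


if __name__ == "__main__":
    for q in run_sample():
        print(q)
```

Batching is what the Maximum observables per search field governs in this illustration; when a search is run with more observables than the maximum, the extra ones go into further queries rather than being silently truncated. The validation and quoting step is the part worth keeping in mind for any integration: observables originate in incident data, so treating them as opaque, quoted values rather than raw query text is the safe default.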