Trusted Security Circles threat data sharing

Observables are artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files, URLs, or domain names. Users in a trusted circle can share observables with other users in the same circle of trust. When you share an observable, all local sightings of that observable are shared.

There are several options available for sharing observables, including:
- Share the results of a Sightings Search on individual or multiple observables in a security incident for a selected date range.
- Share an observable from a security incident.
- Share observables from Threat Intelligence.

When observables are shared, the tags associated with the observables are not shared to the trusted circle. So, for example, if a member shares observables that are tagged as Blacklist, they are not necessarily blacklisted on the instances of the members they are shared with. Records that are tagged with Block from Sharing, however, are excluded. Additionally, whenever observables are shared, a notification is sent to all members in the circle to whom the observables are shared.

Note: Before sharing threat data, review the Trusted Security Circles and Threat Intelligence sharing guidelines, below.

Run a Sightings Search

Determine the prevalence of a threat over time, or test remediation or eradication efforts. You can select individual or multiple observables and the date range for your search from a security incident. Results are included in the Security Incident Observables related list.

Before you begin
Role required: sn_si.analyst

About this task
The Sightings Search capability has a workflow, Security Operations Integration - Sightings Search, that executes the sightings search. This workflow accepts a list of observables, finds any implementing capabilities, creates the queries based on Sightings Search Configurations, and executes the searches based on the configured workflow.

Note: An active implementation must be configured. Sightings Search supports Elasticsearch, Splunk, McAfee ESM, HPE ArcSight Logger, and QRadar incident enrichment. If no implementations are available, capability actions, such as Run Sightings Search, are not displayed in product menus.

Procedure
1. Navigate to a security incident.
2. Click the Show IoC related link.
3. Select Observables from the Related List tab.
4. Select the observables you want to perform a sightings search on.
5. Click Run Sightings Search in the Actions on selected rows... drop-down menu. The Run Sightings Search dialog box opens.
   Note: Values entered in the dialog box overwrite capability configuration values for this run.
6. Choose the number of days or a date range to search for data.
   Option: Description
   Last: The number of hours or days prior to the creation of the incident to search. The default is 7 days. The limit is 99 hours or days.
   between: Range of dates to search. The default dates are the date and time the incident was opened, and the date and time seven days prior to the opening of the incident.
7. Click Search. A Sightings Search record is created. Aggregate and associated sightings data are displayed in the security incident under the Sightings Search Results and Sightings Search Details tabs.

Note: Sightings search results data can be shared with Trusted Security Circles, with the exception of raw data in the case of implementations configured to include raw data.

Table 1. Sightings Search Results
Result: Description
Number: The identifier for the sightings search.
Observable count: Number of observables searched for by query.
Internal sightings: Count of internal sightings.
External sightings: Count of external sightings (received from threat sharing).
Matched configuration items: Count of configuration items that matched an existing record in your CMDB for each observable found in your environment.
Start date range: Time to start looking for sightings.
End date range: Time to stop looking for sightings.
Updated: Date and time of the last modification.

Note: If the implementation used for the sightings search is configured to include raw data, and at least one sighting is found, an attachment containing raw data samples appears at the top of the security incident.

Table 2. Sighting Search Details
Detail: Description
Sighting search: The identifier for the sightings search.
Observable: Observable searched for by query.
Observable type: Type of observable searched for by query.
Internal sightings: Aggregated count of internal sightings.
External sightings: Aggregated count of external sightings (received from threat sharing).
Updated: Date and time of the last modification.

Share Sightings Search results

You can share local sightings details or results that are associated with a particular search with your Trusted Security Circle.

Before you begin
Role required: sn_si.analyst

About this task
Sharing can be automated using the following Security Incident Response Properties:
- Automatically share the results of a sightings search to the default ServiceNow trusted circle
- Include observables with no local sightings when automatically sharing sightings search results
- Respond with local sightings whenever a threat share is received from a trusted circle

Procedure
1. Navigate to a security incident.
2. Click the Show IoC related list and select the Sightings Search Results tab to view the list of sightings searches.
3. Click a sightings search result.
4. On the Sightings Search Result form, click the Share sighting search result related link. The Sighting Search Result Share dialog box appears.
5. Enter a Name for this observable share record.
6. Enter a Description of the observables to share.
7. Choose Circles to share the observables with.
8. Click Submit. The observable(s) are shared with the specified Trusted Circle.

Share observables from Threat Intelligence

Observables can be shared from Threat Intelligence to members in your trusted circle.

Before you begin
Threat Intelligence must be activated.
Role required: sn_ti.analyst

Procedure
1. Navigate to Threat Intelligence > Ioc Repository > Observables.
2. Select the check boxes for observables you want to share to your trusted security circle.
3. From the Actions on selected rows drop-down list, select Share observable. The Observable Share dialog box appears.
4. Enter a Name for this threat share record.
5. Enter a Description of the observables to share.
6. Choose Circles to share the observables with.
7. Click Submit. The observable(s) are shared with the specified Trusted Circle.
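The sharing rules above (tags are not shared, Block from Sharing records are excluded, raw data stays local, the "no local sightings" property) and the Run Sightings Search date-range options (Last with its 7-day default and 99-unit limit, or an explicit between range) can be checked against a small model. This is an added Python illustration, not ServiceNow code: the Observable class, function names and sample records are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_LAST = 99           # the page's stated limit for the "Last" option (hours or days)
DEFAULT_LAST_DAYS = 7   # the page's default for "Last"

def search_window(incident_opened, last=None, unit="days", between=None):
    """Return (start, end) datetimes for a Sightings Search: 'between' is an
    explicit (start, end); 'last' counts hours/days before the incident was
    opened, defaulting to 7 days when None."""
    if between is not None:
        start, end = between
    else:
        if unit not in ("hours", "days"):
            raise ValueError("unit must be 'hours' or 'days'")
        n = DEFAULT_LAST_DAYS if last is None else last
        if not 1 <= n <= MAX_LAST:
            raise ValueError(f"'Last' must be between 1 and {MAX_LAST} {unit}")
        start, end = incident_opened - timedelta(**{unit: n}), incident_opened
    if start > end:
        raise ValueError("start of the date range is after its end")
    return start, end

@dataclass
class Observable:               # hypothetical model of an observable record
    value: str                  # e.g. an IP address, MD5 hash, URL or domain name
    obs_type: str
    local_sightings: int
    tags: set = field(default_factory=set)
    raw_samples: list = field(default_factory=list)  # raw data is never shared

def build_share_payload(observables, include_no_sightings=False):
    """Select what a trusted-circle share carries: no tags, no raw data,
    nothing tagged 'Block from Sharing' and, unless the property allows it,
    nothing with zero local sightings."""
    payload = []
    for o in observables:
        if "Block from Sharing" in o.tags or (o.local_sightings == 0 and not include_no_sightings):
            continue
        payload.append({"value": o.value, "type": o.obs_type, "local_sightings": o.local_sightings})
    return payload

# Constructed sample data (hypothetical, not from the page)
SAMPLE_OPENED = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    Observable("198.51.100.23", "IP address", 4, {"Blacklist"}, ["raw log line"]),
    Observable("0123456789abcdef0123456789abcdef", "MD5 hash", 2, {"Block from Sharing"}),
    Observable("example.test", "Domain name", 0),
]
```

Running build_share_payload(SAMPLE) shares only the IP address: the hash is blocked from sharing, the domain has no local sightings, and the Blacklist tag and raw sample are dropped from what is sent.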