Create a security incident from shared observables Automatically create Security Incidents from threat intelligence shared with you, if the sighting count after a sightings search exceeds your preset threshold. Before you beginRole required: sn_si.analyst Procedure Configure the sightings threshold. Define a threshold for each Sightings Search Source for which you want to automatically create security incidents when the defined threshold is exceeded. When the sighting count of any observable searched in your environment exceeds the threshold, a security incident is created and all the observables in the search are added to that security incident. If a security incident already exists with the same list of observables, the new incident is made a child incident.