Determine the prevalence of a threat over time or test remediation or eradication efforts. You can select individual or multiple observables and the date range for your search from a security incident. Results are included in the Security Incident Observables related list.

1. Navigate to a security incident.
2. Click the Show IoC related link.
3. Select Observables from the Related List tab.
4. Select the observables you want to perform a sightings search on.
5. Click Run Sightings Search in the Actions on selected rows... drop-down menu.

   

   The Run Sightings Search dialog box opens.

   

   Note: Values entered in the dialog box overwrite capability configuration values for this run.
6. Choose the number of days or a date range to search for data.

   Option	Description
   Last	The number of hours or days prior to the creation of the incident to search. The default is 7 days. The limit is 99 hours or days.
   between	Range of dates to search. Default dates are: The date and time the incident was opened. The date and time seven days prior to the opening of the incident.

   Note: Last is the number of hours or days prior to the creation of the incident to search. The default is 7 days. The limit is 99 hours or days.
7. Click Search.
   A Sightings Search record is created. Aggregate and associated sightings data are displayed in the security incident under the Sightings Search Results and Sightings Search Details tabs.

   Note: Sightings search results data can be shared with Trusted Security Circles, with the exception of raw data in the case of implementations configured to include raw data.

   Table 1. Sightings Search Results

   Result	Description
   Number	The identifier for the sightings search.
   Observable count	Number of observables searched for by query.
   Internal sightings	Count of internal sightings.
   External sightings	Count of external sightings. (Received from threat sharing.)
   Matched configuration items	Count of configuration items that matched an existing record in your cmdb for each observable found in your environment.
   Start date range	Time to start looking for sightings.
   End date range	Time to stop looking for sightings.
   Updated	Date and time of the last modification.

   Note: If the implementation used for the sightings search is configured to include raw data, and at least one sighting is found, an attachment containing raw data samples appears at the top of the security incident.

   Table 2. Sighting Search Details

   Detail	Description
   Sighting search	The identifier for the sightings search.
   Observable	Observable searched for by query.
   Observable type	Type of observable searched for by query.
   Internal sightings	Aggregated count of internal sightings.
   External sightings	Aggregated count of external sightings. (Received from threat sharing.)
   Updated	Date and time of the last modification.

Observables can be shared from Threat Intelligence to members in your trusted circle.

1. Navigate to Threat Intelligence > Ioc Repository > Observables.
2. Select the check boxes for observables you want to share to your trusted security circle.
3. From the Actions on selected rows drop-down list, select Share observable.
   The Observable Share dialog box appears.

   

4. Enter a Name for this threat share record.
5. Enter a Description of the observables to share.
6. Choose Circles to share the observables with.
7. Click Submit.
   The observable(s) are shared with the specified Trusted Circle.