    ServiceNow product documentation, London release
    Security Incident Management > Security Operations > Trusted Security Circles

    Trusted Security Circles threat data sharing

    Observables are artifacts found on a network or operating system that are likely to indicate an intrusion. Typical observables are IP addresses, MD5 hashes of malware files, URLs, or domain names. Users in a trusted circle can share observables with other users in the same circle of trust. When you share an observable, all of its local sightings are shared with it.

    There are several options available for sharing observables, including:
    • Share the results of a Sightings Search on individual or multiple observables in a security incident for a selected date range.
    • Share an observable from a security incident.
    • Share observables from Threat Intelligence.

    When observables are shared, the tags associated with them are not shared with the trusted circle. For example, if a member shares observables that are tagged as Blacklist, they are not necessarily blacklisted on the instances of the members they are shared with. Records that are tagged with Block from Sharing are excluded from sharing altogether.

    Additionally, whenever observables are shared, a notification is sent to all members in the circle to whom the observables are shared.

    Run a Sightings Search

    Determine the prevalence of a threat over time or test remediation or eradication efforts. You can select individual or multiple observables and the date range for your search from a security incident. Results are included in the Security Incident Observables related list.

    Before you begin

    Role required: sn_si.analyst

    About this task

    The Sightings Search capability has a workflow, Security Operations Integration - Sightings Search workflow, that executes the sightings search. This workflow accepts a list of observables, finds any implementing capabilities, creates the queries based on Sightings Search Configurations, and executes the searches based on the configured workflow.
    Note: An active implementation must be configured. Sightings Search supports Elasticsearch, Splunk, McAfee ESM, HPE ArcSight Logger, and QRadar incident enrichment. If no implementations are available, capability actions, such as Run Sightings Search, are not displayed in product menus.

    Procedure

    1. Navigate to a security incident.
    2. Click the Show IoC related link.
    3. Select Observables from the Related List tab.
    4. Select the observables you want to perform a sightings search on.
    5. Click Run Sightings Search in the Actions on selected rows... drop-down menu.
      [Figure: Observables related list]
      The Run Sightings Search dialog box opens.
      [Figure: Run Sightings Search dialog box]
      Note: Values entered in the dialog box override the capability configuration values for this run.
    6. Choose the number of days or a date range to search for data.
      Option     Description
      Last       The number of hours or days prior to the creation of the incident to search. The default is 7 days. The limit is 99 hours or days.
      between    Range of dates to search. Default dates are:
                 • The date and time the incident was opened.
                 • The date and time seven days prior to the opening of the incident.
    7. Click Search.
      A Sightings Search record is created. Aggregate and associated sightings data are displayed in the security incident under the Sightings Search Results and Sightings Search Details tabs.
      Note: Sightings search results data can be shared with Trusted Security Circles. Raw data is not shared, even when the implementation is configured to include raw data.
      Table 1. Sightings Search Results
      Result                         Description
      Number                         The identifier for the sightings search.
      Observable count               Number of observables searched for by the query.
      Internal sightings             Count of internal sightings.
      External sightings             Count of external sightings (received from threat sharing).
      Matched configuration items    Count of configuration items that matched an existing record in your CMDB for each observable found in your environment.
      Start date range               Time to start looking for sightings.
      End date range                 Time to stop looking for sightings.
      Updated                        Date and time of the last modification.
      Note: If the implementation used for the sightings search is configured to include raw data, and at least one sighting is found, an attachment containing raw data samples appears at the top of the security incident.
      Table 2. Sightings Search Details
      Detail                         Description
      Sighting search                The identifier for the sightings search.
      Observable                     Observable searched for by the query.
      Observable type                Type of observable searched for by the query.
      Internal sightings             Aggregated count of internal sightings.
      External sightings             Aggregated count of external sightings (received from threat sharing).
      Updated                        Date and time of the last modification.
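    The following is an added example, not ServiceNow code and not part of this documentation. It models the two parts of a Sightings Search described above in plain JavaScript: the time window chosen in the Run Sightings Search dialog (the Last option with its default of 7 days and limit of 99, and the between option with its defaults), and the roll-up of individual sighting records into the Results (Table 1) and Details (Table 2) rows. The record shapes, the field names, and the sample incident and sightings are assumptions constructed for the example; no ServiceNow API is used.

```javascript
// Added illustration (not ServiceNow code, no ServiceNow API) of the Sightings
// Search time window and the aggregation into Results (Table 1) and Details
// (Table 2) rows. Record shapes and sample data are constructed for this example.

const HOUR_MS = 60 * 60 * 1000;
const DAY_MS = 24 * HOUR_MS;
const DEFAULT_LAST_DAYS = 7;   // default stated in the dialog
const MAX_LAST = 99;           // limit stated in the dialog (hours or days)

// "Last": N hours or days before the incident was opened, capped at 99.
function lastWindow(incidentOpened, amount = DEFAULT_LAST_DAYS, unit = "days") {
  if (!Number.isInteger(amount) || amount < 1 || amount > MAX_LAST) {
    throw new RangeError(`Last must be an integer from 1 to ${MAX_LAST}`);
  }
  if (unit !== "hours" && unit !== "days") {
    throw new RangeError("unit must be 'hours' or 'days'");
  }
  const end = new Date(incidentOpened);
  const span = unit === "hours" ? HOUR_MS : DAY_MS;
  return { start: new Date(end.getTime() - amount * span), end };
}

// "between": explicit dates; the defaults are the incident open time and
// seven days before it, so betweenWindow(opened) equals lastWindow(opened).
function betweenWindow(incidentOpened, start, end) {
  const opened = new Date(incidentOpened);
  const e = end ? new Date(end) : opened;
  const s = start ? new Date(start) : new Date(opened.getTime() - DEFAULT_LAST_DAYS * DAY_MS);
  if (!(s < e)) throw new RangeError("start must be before end");
  return { start: s, end: e };
}

// Aggregate sighting records for the searched observables within the range.
// Sighting record (constructed shape):
//   { observable, source: "internal" | "external", seenAt, ci }
// "external" sightings are those received through threat sharing; "ci" is the
// configuration item an internal sighting matched in the CMDB, if any.
function aggregateSightings(observables, sightings, range) {
  const details = new Map();
  for (const o of observables) {
    details.set(o.value, {
      observable: o.value, observableType: o.type,
      internalSightings: 0, externalSightings: 0,
    });
  }
  const matchedCIs = new Set();
  for (const s of sightings) {
    const row = details.get(s.observable);
    if (!row) continue;                                 // not a searched observable
    const t = new Date(s.seenAt);
    if (t < range.start || t > range.end) continue;     // outside the date range
    if (s.source === "external") {
      row.externalSightings += 1;
    } else {
      row.internalSightings += 1;
      if (s.ci) matchedCIs.add(s.ci);
    }
  }
  const rows = [...details.values()];
  const sum = (key) => rows.reduce((n, r) => n + r[key], 0);
  return {
    result: {                                            // Table 1
      observableCount: rows.length,
      internalSightings: sum("internalSightings"),
      externalSightings: sum("externalSightings"),
      matchedConfigurationItems: matchedCIs.size,
      startDateRange: range.start.toISOString(),
      endDateRange: range.end.toISOString(),
    },
    details: rows,                                       // Table 2
  };
}

// Constructed sample: an incident opened on 10 March with two observables.
function runExample() {
  const opened = "2024-03-10T12:00:00Z";
  const observables = [
    { value: "203.0.113.7", type: "IP address" },
    { value: "evil.example", type: "Domain name" },
  ];
  const sightings = [
    { observable: "203.0.113.7", source: "internal", seenAt: "2024-03-08T09:00:00Z", ci: "srv-web-01" },
    { observable: "203.0.113.7", source: "internal", seenAt: "2024-03-09T09:00:00Z", ci: "srv-web-01" },
    { observable: "203.0.113.7", source: "external", seenAt: "2024-03-05T00:00:00Z" },
    { observable: "203.0.113.7", source: "internal", seenAt: "2024-02-20T00:00:00Z", ci: "ws-017" }, // before window
    { observable: "evil.example", source: "internal", seenAt: "2024-03-10T11:00:00Z", ci: "ws-044" },
    { observable: "198.51.100.9", source: "internal", seenAt: "2024-03-09T00:00:00Z" },            // not searched
  ];
  return aggregateSightings(observables, sightings, lastWindow(opened));
}

console.log(JSON.stringify(runExample(), null, 2));
```

    Two details worth noting: the same configuration item seen twice counts once in Matched configuration items, and sightings of observables that were not part of the search are ignored rather than added to the totals.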

    Share Sightings Search results

    You can share local sightings details or results that are associated with a particular search with your Trusted Security Circle.

    Before you begin

    Role required: sn_si.analyst

    About this task

    Sharing can be automated using the following Security Incident Response Properties.
    • Automatically share the results of a sightings search to the default ServiceNow trusted circle
    • Include observables with no local sightings when automatically sharing sightings search results
    • Respond with local sightings whenever a threat share is received from a trusted circle
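    The following is an added example, not ServiceNow code and not part of this documentation. It shows, in plain JavaScript, the sharing rules stated on this page: tags stay on the local record and are not sent, records tagged Block from Sharing are excluded, observables with no local sightings travel only when the corresponding property is on, and an incoming threat share is answered with local sightings only when that property is on. The record shapes, the property names (includeNoLocalSightings, respondWithLocalSightings), the payload layout, and the sample data are assumptions constructed for the example.

```javascript
// Added illustration (not ServiceNow code, no ServiceNow API) of the sharing
// rules: tags stay local, "Block from Sharing" excludes a record, observables
// with no local sightings are sent only when the property allows, and incoming
// shares are answered with local sightings only when the property allows.
// Property names, record shapes and sample data are assumptions.

const BLOCK_TAG = "Block from Sharing";   // tag named in the documentation

// Build the outgoing share from local observable records.
// Observable record (constructed shape):
//   { value, type, tags: string[], localSightings: [{ seenAt, ci }] }
function buildThreatShare(name, description, circles, observables, props) {
  const shared = [];
  const excluded = [];
  for (const o of observables) {
    if (o.tags.includes(BLOCK_TAG)) {
      excluded.push({ value: o.value, reason: BLOCK_TAG });
      continue;
    }
    if (o.localSightings.length === 0 && !props.includeNoLocalSightings) {
      excluded.push({ value: o.value, reason: "no local sightings" });
      continue;
    }
    // Tags are deliberately not copied: a local "Blacklist" tag has no meaning
    // on a member's instance. Only the sighting time is sent; the CI name stays
    // local (this example's choice, the page does not specify the payload).
    shared.push({
      value: o.value,
      type: o.type,
      sightings: o.localSightings.map((s) => ({ seenAt: s.seenAt })),
    });
  }
  return { name, description, circles, observables: shared, excluded };
}

// Answer an incoming threat share with local sightings of the received
// observables, when the property allows it. localIndex maps an observable
// value to its local record. Returns null when nothing is sent back.
function respondToThreatShare(incoming, localIndex, props) {
  if (!props.respondWithLocalSightings) return null;
  const observables = [];
  for (const o of incoming.observables) {
    const rec = localIndex.get(o.value);
    if (!rec || rec.tags.includes(BLOCK_TAG) || rec.localSightings.length === 0) continue;
    observables.push({ value: o.value, sightings: rec.localSightings.map((s) => ({ seenAt: s.seenAt })) });
  }
  return observables.length
    ? { inReplyTo: incoming.name, circles: [incoming.circle], observables }
    : null;
}

// Constructed sample data.
const SAMPLE_OBSERVABLES = [
  { value: "203.0.113.7", type: "IP address", tags: ["Blacklist"],
    localSightings: [{ seenAt: "2024-03-08T09:00:00Z", ci: "srv-web-01" }] },
  { value: "evil.example", type: "Domain name", tags: [BLOCK_TAG],
    localSightings: [{ seenAt: "2024-03-10T11:00:00Z", ci: "ws-044" }] },
  { value: "198.51.100.9", type: "IP address", tags: [], localSightings: [] },
];

function runShareExample(includeNoLocalSightings) {
  return buildThreatShare("SIR0001234 sightings", "Sightings from incident SIR0001234 (constructed)",
    ["default-circle"], SAMPLE_OBSERVABLES, { includeNoLocalSightings });
}

function runRespondExample(respondWithLocalSightings) {
  const incoming = { name: "partner share 42", circle: "default-circle",
    observables: [{ value: "203.0.113.7" }, { value: "evil.example" }, { value: "unknown.example" }] };
  const localIndex = new Map(SAMPLE_OBSERVABLES.map((o) => [o.value, o]));
  return respondToThreatShare(incoming, localIndex, { respondWithLocalSightings });
}

console.log(JSON.stringify(runShareExample(false), null, 2));
console.log(JSON.stringify(runRespondExample(true), null, 2));
```

    The excluded list is kept alongside the payload so an analyst can see why a selected observable did not leave the instance; the Block from Sharing check is applied on both the outgoing and the responding path, since the page states that such records are excluded without qualification.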

    Procedure

    1. Navigate to a security incident.
    2. Click the Show IoC related list and select the Sightings Search Results tab to view the list of sightings searches.
    3. Click on a sightings search result.
      [Figure: Share Sightings Search link]
    4. On the Sightings Search Result form, click the Share sighting search result related link.
      The Sightings Search Result Share dialog box appears.
      [Figure: Sightings Search Result Share dialog box]
    5. Enter a Name for this observable share record.
    6. Enter a Description of the observables to share.
    7. Choose Circles to share the observables with.
    8. Click Submit.
      The observable(s) are shared with the specified Trusted Circle.

    Share observables from Threat Intelligence

    Observables can be shared from Threat Intelligence to members in your trusted circle.

    Before you begin

    Threat Intelligence must be activated.

    Role required: sn_ti.analyst

    Procedure

    1. Navigate to Threat Intelligence > Ioc Repository > Observables.
    2. Select the check boxes for observables you want to share to your trusted security circle.
    3. From the Actions on selected rows drop-down list, select Share observable.
      The Observable Share dialog box appears.
      [Figure: Share Observable dialog box]
    4. Enter a Name for this threat share record.
    5. Enter a Description of the observables to share.
    6. Choose Circles to share the observables with.
    7. Click Submit.
      The observable(s) are shared with the specified Trusted Circle.

    © ServiceNow. All rights reserved.
