Sightings Search Configuration

Audrey12
Kilo Contributor

Hello,

In Sightings Search Configuration it is possible to create multiple searches per Observable Type. Is it possible to then allow analysts to choose the search they want to use when running a Sightings Search in an SIR? For example, I'd like to have a different search for IP observables when the SIR relates to Phishing than when it relates to normal internet traffic.

Thanks for your help!

Audrey

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey Audrey,

This is definitely a valuable use-case. It would add value to the analyst handling a security incident and likely keep queries running smoothly on SIEM solutions with explicit search queries vs searching across all data or large indexes of data.

Currently, you can create multiple `Sighting Search Configurations` for the same {Observable Type}.  Unfortunately, without introducing customizations, there isn't a trivial way to configure these `Sighting Search Configurations` to be called under certain conditions (e.g. SIR Category = xyz).

I've submitted an Enhancement Request on your behalf here (FTASK42953) with these details and referenced this Community Post in that request.

As a temporary workaround, you could investigate introducing a new relationship / related list, that will actually display the individual Sighting Search results, from each Sighting Search Configuration you build.

Meaning, if you configure multiple `Sighting Search Configurations` for the same {Observable Type} - you will see the individual results returned for each configuration you make - e.g. one for phishing, one for reconnaissance, one for malware, etc.

With something like this approach, you can see the results returned for your "Phishing" query, your "Internet" query, etc.  One downside here is we don't have the name of the `Sighting Search Configuration` presented here, but an analyst may be able to infer what each query represents...

It would look something like this:


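The routing the thread asks for (pick a Sighting Search Configuration per Observable Type based on the SIR category, fall back to a default when no category-specific one exists, and label each result set with the configuration name so the analyst does not have to infer which query produced it) can be modelled outside the platform. The following is an added example written for this thread, not ServiceNow or SIR code: the configuration catalogue, the SIR record, the `{{value}}` placeholder and all names are constructed, and the observable value is quoted before it is substituted into the query because observable values are attacker-controlled input.

```javascript
// Added example (not ServiceNow code): selects a Sighting Search
// Configuration for each observable on a Security Incident (SIR) by the
// SIR category, with a per-observable-type default, and labels every
// planned query with the configuration name. All records are constructed.

// Constructed catalogue: one entry per (observable type, category).
// category === null marks the default for that observable type.
const SIGHTING_SEARCH_CONFIGS = [
  { name: 'IP - Phishing',    observableType: 'IP Address', category: 'Phishing',
    query: 'index=email src_ip={{value}}' },
  { name: 'IP - Internet',    observableType: 'IP Address', category: null,
    query: 'index=proxy dest_ip={{value}}' },
  { name: 'Domain - Default', observableType: 'Domain',     category: null,
    query: 'index=dns query={{value}}' },
];

// Pick the category-specific configuration if one exists, else the
// default for that observable type, else null (nothing to run).
function selectConfig(configs, observableType, category) {
  const candidates = configs.filter(c => c.observableType === observableType);
  const specific = candidates.find(c => c.category === category);
  if (specific) return specific;
  return candidates.find(c => c.category === null) || null;
}

// Substitute the observable into the query as a quoted string literal.
// Quotes and backslashes in the value are escaped so a crafted observable
// (e.g. one extracted from a phishing email) cannot alter the query.
function renderQuery(config, value) {
  const safe = String(value).replace(/["\\]/g, '\\$&');
  return config.query.replace('{{value}}', '"' + safe + '"');
}

// Build the list of searches to run for one SIR. Observables with no
// matching configuration are reported separately instead of silently
// dropped, so gaps in the catalogue are visible to the analyst.
function planSightingSearches(sir, configs) {
  const plan = [];
  const skipped = [];
  for (const obs of sir.observables) {
    const cfg = selectConfig(configs, obs.type, sir.category);
    if (!cfg) { skipped.push(obs); continue; }
    plan.push({
      configName: cfg.name,        // shown next to the results
      observable: obs.value,
      query: renderQuery(cfg, obs.value),
    });
  }
  return { plan, skipped };
}

// Constructed SIR: a phishing incident with three observables, one of
// which (a file hash) has no configuration in the catalogue above.
const SAMPLE_SIR = {
  category: 'Phishing',
  observables: [
    { type: 'IP Address', value: '203.0.113.7' },
    { type: 'Domain',     value: 'example.test' },
    { type: 'Hash',       value: 'constructed-hash-value' },
  ],
};

const result = planSightingSearches(SAMPLE_SIR, SIGHTING_SEARCH_CONFIGS);
for (const p of result.plan) console.log(p.configName + ': ' + p.query);
for (const s of result.skipped) console.log('no configuration for ' + s.type + ' ' + s.value);
```

Changing `category` on the sample SIR to anything other than `Phishing` sends the IP observable to the `IP - Internet` default, which is the per-category behaviour the question describes; the skipped list is what an analyst would want surfaced when a new observable type has no search configured yet.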
REPLIES

DeepakH0
ServiceNow Employee

We have likely addressed these enhancement requests in Madrid. SIR in Madrid includes advancements to Sighting Search to include

a) Additional Sighting Search UI actions (Email traffic Sightings Search and Web Traffic Sightings Search)

b) Modifications to the abstract sightings search workflow to pass the specific sighting search type as an input parameter

c) Ability to specify individual observable types in the parameter and also invoke a saved search (for Splunk)

Let me know if these upgrades meet the use case you are looking to light up.