Determine the prevalence of a threat over time or test remediation or eradication
efforts. You can select individual or multiple observables and the date range for your
search from a security incident. Results are included in the Security Incident
Observables related list.
Avant de commencer
Role required: sn_si.analyst
Pourquoi et quand exécuter cette tâche
The Sightings Search capability has a flow, Security Operations Integration - Sightings Search Flow, that executes the sightings search. This flow accepts a list of observables, finds any implementing capabilities, creates the queries based on Sightings Search
Configurations, and executes the searches based on the configured flow.
Remarque :
An active implementation must be configured. Sightings Search supports Elasticsearch, Splunk, McAfee ESM, HPE ArcSight Logger, and QRadar incident
enrichment. If no implementations are available, capability actions, such as Run Sightings Search, are not displayed in product menus.
Procédure
Navigate to a security incident.
Click the Show IoC related link.
Select Observables from the Related List tab.
Select the observables you want to perform a sightings search on.
Click Run Sightings Search in the Actions on
selected rows... drop-down menu.
The Run Sightings Search dialog box opens.
Remarque :
Values entered in the dialog box overwrite capability configuration
values for this run.
Choose the number of days or a date range to search for data.
Option
Description
Last
The number of hours or days prior to the creation of the incident to
search.
The default is 7 days. The limit is 99 hours or
days.
between
Range of dates to search. Default dates are:
The date and time the incident was opened.
The date and time seven days prior to the opening of the
incident.
Remarque :
Last is the number of hours or days prior to the
creation of the incident to search. The default is 7 days. The limit is 99
hours or days.
Click Search.
A Sightings Search record is created. Aggregate and associated sightings
data are displayed in the security incident under the Sightings
Search Results and Sightings Search
Details tabs.
Remarque :
Sightings search results data can be shared
with Trusted Security Circle, with the exception of raw data in
the case of implementations configured to include raw data.
Tableau 1. Sightings Search Results
Result
Description
Number
The identifier for the sightings search.
Observable count
Number of observables searched for by query.
Internal sightings
Count of internal sightings.
External sightings
Count of external sightings. (Received from threat
sharing.)
Matched configuration items
Count of configuration items that matched an existing
record in your cmdb for each observable found in your
environment.
Start date range
Time to start looking for sightings.
End date range
Time to stop looking for sightings.
Updated
Date and time of the last modification.
Note: If the implementation used for the sightings search is
configured to include raw data, and at least one sighting is found, an
attachment containing raw data samples appears at the top of the security
incident.
Tableau 2. Sighting Search Details
Detail
Description
Sighting search
The identifier for the sightings search.
Observable
Observable searched for by query.
Observable type
Type of observable searched for by query.
Internal sightings
Aggregated count of internal sightings.
External sightings
Aggregated count of external sightings. (Received from
threat sharing.)