Using Sighting Search Parameters

Release version: Xanadu

Updated August 1, 2024

2 minutes to read

Summarize

Summarized using AI

Summary of Using Sighting Search Parameters

ServiceNow's Threat Intelligence Security Center enables you to define complex sighting search parameters to create advanced queries for threat investigations. These parameters allow the use of logic and operators supported by your specified log store, improving the precision and flexibility of your threat sightings searches.

Show full answer Show less

Accessing and Managing Sighting Search Parameters

Role Required: snsectisc.admin
Navigate to Workspaces > Threat Intelligence Security Center > Integrations, then to Enrichment Integrations > Sighting Search.
Select the integration and edit its Sighting Search Configurations to view or manage parameters.
Within the Sighting Search Parameters tab, you can view, refresh, filter, and customize the list of parameters.
List actions let you edit which columns display and apply filters to focus on specific parameters.

Creating and Configuring Sighting Search Parameters

To create a new sighting search parameter:

Navigate to the relevant integration as above.
Open the Sighting Search Parameters tab and click New.
Complete the form fields, which include:

Field	Description
After each value	Text appended after each observable during query generation.
Between each value	Text placed between observables (e.g., "OR") to form logical connections.
Before each value	Text prepended before each observable in the query.
Configuration	Details of the search parameter’s configuration.
Observable type	Defines the category/type of observable (e.g., IP address).
Substitution variable	Name of the variable replaced by observable values in the query.

After filling the form, click Save to create the parameter.

Practical Example

Given observables like IP addresses (e.g., 172.32.31.41 and 192.168.10.12) and a configuration that applies "ipaddress = " before each observable and "OR" between values, the generated query would be:

ipaddress = 172.32.31.41 OR ipaddress = 192.168.10.12

This demonstrates how the parameters allow dynamic and precise query construction based on multiple observables.

Benefits for ServiceNow Customers

Enables creation of tailored, complex queries for threat sightings across integrated log stores.
Improves threat detection accuracy by leveraging logical operators and observable substitution.
Offers flexible management and customization of sighting search parameters through an intuitive UI.

You can use sighting search parameters that define more complex queries, which include logic and other operators supported by the specified log store.

View Sighting Search Parameters

Role required: sn_sec_tisc.admin

To view the sighting search parameters, perform the following steps:

Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
Click on the required Sighting Search Configuration to view the details of the configuration.
Select the Sighting Search Parameters tab.
You can view the list of sighting search parameters.
Click on the required Sighting Search Parameter to view the details of the parameter.
You can also perform the following actions on the Sighting Search Parameters tab:
1. To refresh the list of sighting search parameters, click icon.
2. To perform a list action on the sighting search parameters, click the icon.
  Edit columns: You can use this action to add or remove existing columns and modify the order according to your requirements.
3. To filter sighting search parameters based on conditions, click the icon.
  The value 1 indicates that one condition is used for the filtering.

Create Sighting Search Parameter

Example for query generation

Configured Query: ${Observable}

Observables Substitutes for Sightings search: Obs1 , Obs2

Query: {Before each Value}Obs1{After each Value}{Between each value}{Before each Value}Obs2{After each Value}



Let observables are: 172.32.31.41 & 192.168.10.12

Query Formed with below configuration will be: “ip_address = 172.32.31.41 OR ip_address = 192.168.10.12”

To create a sighting search parameter, perform the following steps:

Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
Click on the required Sighting Search Configuration to view the details of the configuration.
Select the Sighting Search Parameters tab.
You can view the list of sighting search parameters.
To create a sighting search parameter, click New.

On the form, fill the fields.

Table 1. Create a sighting search parameter
Field	Description
After each value	The sighting search parameter after each observable when the search query is generated.
Between each value	The sighting search parameter between each observable when the search query is generated. For example, OR.
Before each value	The sighting search parameter before each observable when the search query is generated.
Configuration	The configuration details of the search parameter.
Observable type	Defines the type of observable category.
Substitution variable	Specifies the name of the variable that is replaced by an observable value.

Click Save.