Invoke Sighting Search from a Security Incident

  • Release version: Zurich
  • Updated July 31, 2025
  Follow the procedure below to invoke the sightings search from a SIR security incident.

    Before you begin

    Role required: ServiceNow AI Platform administrator (sn_si.admin)

    Procedure

    1. Navigate to Security Incidents.
    2. Open any existing SIR or create a new SIR.
    3. Click Show IoC in Related Links.
    4. Click the Associated Observables related list.
    5. Add any existing observables or create a new observable.
    6. Select the observables and, from Actions on selected rows, click Run Sightings Search.
    7. Ignore the inputs in the next dialog box that asks for time data.
      Default values are populated. However, the search is performed in real time, and the time values are ignored for this integration.
    8. Check the work notes for status.
    9. On completion of the search, check the results and details in the related lists.
    10. Click the Sightings Search Details tab for details and the Sightings Search Results tab for search results.