Define queries for Sighting Search
Sighting Search configurations in ServiceNow enable you to define and manage queries that detect the presence of observables within your environment. This is a key part of investigating observables by searching for their prevalence through integrated enrichment sources.
Access to these configurations requires the sn_sec_tisc.admin role, and they are managed within the Threat Intelligence Security Center workspace under Integrations.
Viewing Sighting Search Configurations
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- Go to Enrichment Integrations > Sighting Search.
- Select the desired integration and click Edit.
- Open the Sighting Search Configurations tab to see the list of configurations.
- Click a configuration to view details.
- Use the Generate Test Sighting Search Query action to test queries with multiple observables entered via comma, newline, tab, or pipe separators. Note that this requires prior setup of sighting search parameters.
- Additional list actions allow refreshing the list, editing displayed columns, resetting column widths, and filtering configurations by conditions.
Creating Sighting Search Configurations
To create a new sighting search configuration:
- Navigate to the same location as for viewing configurations.
- Click New on the Sighting Search Configurations tab.
- Fill out the form fields:
| Field | Description |
|---|---|
| Name | Assign a descriptive name for the sighting search configuration. |
| Observable type | Specify the category/type of observable this query targets. |
| Sightings search source | Select the source configured for the integration where the query will execute. |
| Maximum observables per search | The maximum number of observables substituted into a single search query; observables beyond this number are split into further queries. The documented value for this integration is 500. |
| Search | Enter the native search query string. This can include substitution variables (e.g., ${observable}) that will be replaced with actual observables when the query runs. |
| Is saved search | Select this if the search is a saved search; the Name field should then match the saved search name. |
| Active | Mark the configuration active to enable query execution. |
Click Save to finalize the configuration.
Practical Benefits for ServiceNow Customers
- This capability streamlines observable investigations by allowing you to precisely define and test queries that detect observable sightings across integrated sources.
- Customizing maximum observables per search helps optimize performance and manage query execution efficiently.
- Testing queries before deployment ensures correctness and relevance of search results.
- Filtering and customizing the configuration list enhances manageability as your integrations and queries grow.
You can use sighting search configurations to define the queries used to find the prevalence of observables in your environment as part of an observable investigation.
View queries for Sighting Search
Role required: sn_sec_tisc.admin
- Navigate to .
- From the Integrations page, navigate to .
- Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
- Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
- Click on the required Sighting Search Configuration to view the details of the configuration.
- To generate a test sighting search query, click the Generate Test Sighting Search Query action. Note: this action works only if you have configured sighting search query parameters. For more information, see Using Sighting Search Parameters.
- In the Generate Test Sighting Search Query pop-up, enter or paste multiple observables using comma, new line, tab, or pipe separators to generate a test query.
- Click Generate to generate the test sighting search query.
- You can also perform the following actions on the Sighting Search Configurations tab:
  - To refresh the list of sighting search configurations, click the refresh icon.
  - To perform a list action on the sighting search configurations, click the list actions icon. Two list actions are available:
    - Edit columns: add or remove columns and change their order according to your requirements.
    - Reset widths: reset the widths of the columns.
  - To filter sighting search configurations based on conditions, click the filter icon. The number shown on the icon (for example, 1) indicates how many conditions are applied to the filter.
Create Sighting Search Configurations
Role required: sn_sec_tisc.admin
- Navigate to .
- From the Integrations page, navigate to .
- Look for the integration for which you want to create the Sighting Search Configuration, and click Edit.
- Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
- To create a sighting search configuration, click New.
- On the form, fill in the fields.
Table 1. Create a sighting search configuration
| Field | Description |
|---|---|
| Name | Name for the sighting search configuration. |
| Observable type | Defines the type of observable category. |
| Sightings search source | Defines the source configured for the integration. |
| Maximum observables per search | The maximum number of observables that can be substituted into a single search query; beyond this number the search is split into multiple queries. Set this value to 500 for this integration. |
| Search | The native search query to execute in the sightings search source. The query can contain substitution variables, for example ${observable}, which are replaced with observables of the type configured in the sighting search parameters when the sighting search query is formed. |
| Is saved search | Runs a saved search; the Name field must then match the name of the saved search. |
| Active | The query runs only if this option is selected. |
- Click Save.
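As an added example (not ServiceNow's own code, and not how the platform itself forms the query), the following Python models the Generate Test Sighting Search Query action over the fields in Table 1: it splits pasted observables on the four accepted separators, keeps only those matching the configuration's Observable type, batches them by Maximum observables per search, and substitutes each batch for ${observable} in the Search string. The observable-type patterns, the example source name, the search string, the quoted-list rendering and the way a saved search is referenced are all assumptions made for the illustration.

```python
"""Added illustration of how a sighting search configuration turns a pasted list
of observables into test queries. This is not ServiceNow code; the field names
follow the form on this page, everything else is an assumption for the example."""
import re
from string import Template
from typing import Dict, Iterator, List

# Separators accepted by the Generate Test Sighting Search Query pop-up.
SEPARATORS = re.compile(r"[,\n\t|]")

# Assumed allow-list classifier for the example; ServiceNow defines its own
# observable types through sighting search parameters.
OBSERVABLE_PATTERNS = {
    "IPv4 address": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "MD5 hash": re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE),
    "SHA-256 hash": re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE),
    "Domain name": re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE),
}

# A configuration as it would be filled in on the form (values are constructed).
EXAMPLE_CONFIG: Dict[str, object] = {
    "name": "Proxy sightings by destination IP",
    "observable_type": "IPv4 address",
    "sightings_search_source": "example-siem",   # assumed source name
    "maximum_observables_per_search": 500,
    "search": "index=proxy dest_ip IN (${observable}) | stats count by dest_ip",
    "is_saved_search": False,
    "active": True,
}

# Observables as a user might paste them into the pop-up: mixed separators,
# stray whitespace, a duplicate, and values of other types (constructed input).
EXAMPLE_PASTE = (
    "10.0.0.5, 10.0.0.6|evil.example\n10.0.0.5\t d41d8cd98f00b204e9800998ecf8427e\n10.0.0.7"
)


def parse_observables(text: str) -> List[str]:
    """Split on comma, newline, tab or pipe; trim; drop blanks and duplicates."""
    seen, result = set(), []
    for raw in SEPARATORS.split(text):
        value = raw.strip()
        if value and value.lower() not in seen:
            seen.add(value.lower())
            result.append(value)
    return result


def classify(observable: str) -> str:
    """Return the assumed observable type, or 'Unknown' if no pattern matches."""
    for type_name, pattern in OBSERVABLE_PATTERNS.items():
        if pattern.match(observable):
            return type_name
    return "Unknown"


def batches(items: List[str], size: int) -> Iterator[List[str]]:
    """Split the observable list so no query carries more than `size` values."""
    if size < 1:
        raise ValueError("Maximum observables per search must be at least 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def generate_test_queries(config: Dict[str, object], pasted: str) -> List[Dict[str, object]]:
    """Model of the Generate Test Sighting Search Query action.

    Only observables of the configuration's type are substituted, so values that
    fail the allow-list never reach the native query string. Each returned entry
    names the source, the batch it covers and either the rendered query or, for
    a saved search, the saved search name to run.
    """
    if not config["active"]:
        return []                      # inactive configurations do not run
    wanted = [o for o in parse_observables(pasted)
              if classify(o) == config["observable_type"]]
    template = Template(str(config["search"]))
    queries: List[Dict[str, object]] = []
    for batch in batches(wanted, int(config["maximum_observables_per_search"])):
        entry: Dict[str, object] = {
            "source": config["sightings_search_source"],
            "observables": batch,
        }
        if config["is_saved_search"]:
            entry["saved_search"] = config["name"]   # Name must match the saved search
        else:
            # Assumed rendering: a quoted, comma-separated list of values.
            rendered = ", ".join(f'"{o}"' for o in batch)
            entry["query"] = template.safe_substitute(observable=rendered)
        queries.append(entry)
    return queries


if __name__ == "__main__":
    for query in generate_test_queries(EXAMPLE_CONFIG, EXAMPLE_PASTE):
        print(query)
```

The point the model makes explicit is that substitution splices observable values into a native query string, so only values that pass a strict per-type allow-list are substituted; the domain and the hash in the pasted text are dropped rather than forwarded to the search source, and an inactive configuration yields nothing. Lower maximum_observables_per_search to 2 in EXAMPLE_CONFIG to watch the three addresses split across two queries.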