Configure Sighting Search

  • Release version: Australia
  • Updated April 22, 2026

Configure a sighting search integration to search your organization's logs for one or more observables and determine how many times each observable appears within a specified date range or number of days.

    Before you begin

    Important:
    The enrichment integrations appear only if at least one enrichment integration is installed and active.
    The Threat Intelligence Security Center supports Sightings Search for the following integrations only:
    • Splunk Search
    • Elasticsearch

    Role required: sn_sec_tisc.admin

    Note:
    The Sightings Search section lists integrations of the Sightings Search type. Each configured integration appears as a card, which you can enable or disable.

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Select the Integrations icon.
      Sighting Search page showing three enabled enrichment integration cards: two Splunk integrations and one Elasticsearch integration, each with a last-modified timestamp and View button.
    3. Select the Configure new enrichment action.
      A dialog displays the available integrations. You must select the integration that you want to configure.
    4. Select an integration from the list of available integrations.
      The Configure new enrichment page for the selected integration opens. By default, this page is prefilled with the details of the selected integration, for example, the Splunk integration.

      Create Enrichment Integration form with Vendor Name set to Splunk, Integration Type set to Sighting Search, and the Integration Configuration section visible.

    5. On the Create Integration form, fill in the fields.
      Table 1. Create Integration form

      | Field | Description |
      |---|---|
      | Enrichment Integration | |
      | Name | Name of the new enrichment integration. For example, Splunk-1. |
      | Vendor Name | Name of the vendor. Note: The details of the selected vendor are pre-filled by default. For example, Splunk. |
      | Integration Type | Type of the selected integration. Note: This field is automatically set to Sighting Search and prefilled by default. |
      | Description | Unique description of the new enrichment integration. |

      Create Enrichment Integration form with Vendor Name set to Splunk and Integration Type set to Sighting Search.
    6. In the Integration Configuration section, configure the integration details based on your requirements.
      The Integration Configuration section includes configuration details such as the API key, API Client ID or Secret, username, and password. The required details vary depending on the integration.
    7. Select Save to create the enrichment integration configuration.
      The provided details are validated and the enrichment integration is inactive by default.
    8. Select Save as Draft to save the enrichment configuration as inactive.

      You can activate it later.

      Note:
      If you're unsure about the configuration details, select Save as Draft. After you obtain the required details, open the draft, enter the remaining information, and select Save to activate the integration.
    9. Select Enable to enable the enrichment integration.
      The enrichment integration is enabled. You can also enable a particular enrichment integration from the Actions on the integration tile on the Catalog.