Using Sighting Search Parameters

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Using Sighting Search Parameters

    This guide outlines how to utilize sighting search parameters within the Threat Intelligence Security Center (TISC) to create complex queries for enhanced threat intelligence analysis. These parameters enable users to define specific search criteria using logical operators supported by the log store.

    Show full answer Show less

    Key Features

    • Accessing Sighting Search Parameters: Administrators can view and edit sighting search configurations through the TISC interface.
    • Creating Search Parameters: Users can create new sighting search parameters by specifying observable values and defining the structure of the query, such as conditions before, after, and between observables.
    • Filtering and Customization: Users can filter lists of search parameters and modify the displayed columns to suit their analysis needs.

    Key Outcomes

    By following the outlined procedures, ServiceNow customers can effectively create and manage sighting search parameters, allowing for more precise and relevant threat intelligence queries. This capability enhances the overall efficiency of security operations and supports proactive threat management.

    You can use sighting search parameters that define more complex queries, which include logic and other operators supported by the specified log store.

    View Sighting Search Parameters

    Role required: sn_sec_tisc.admin

    To view the sighting search parameters, perform the following steps:
    1. Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
    2. From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
    3. Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
    4. Select the Sighting Search Configurations tab.

      You can view the list of sighting search configurations.

    5. Click on the required Sighting Search Configuration to view the details of the configuration.

      Sighting Search Parameters tab

    6. Select the Sighting Search Parameters tab.

      You can view the list of sighting search parameters.

    7. Click on the required Sighting Search Parameter to view the details of the parameter.
    8. You can also perform the following actions on the Sighting Search Parameters tab:
      1. To refresh the list of sighting search parameters, click Refresh option icon.
      2. To perform a list action on the sighting search parameters, click the List actions icon.

        Edit columns: You can use this action to add or remove existing columns and modify the order according to your requirements.

      3. To filter sighting search parameters based on conditions, click the Filter panel icon.

        The value 1 indicates that one condition is used for the filtering.

    Create Sighting Search Parameter

    Example for query generation
    Configured Query: ${Observable}​

Observables Substitutes for Sightings search: Obs1 , Obs2​

Query: {Before each Value}Obs1{After each Value}{Between each value}{Before each Value}Obs2{After each Value}​

​

Let observables are: 172.32.31.41 & 192.168.10.12​

Query Formed with below configuration will be: “ip_address = 172.32.31.41 OR ip_address = 192.168.10.12”
    To create a sighting search parameter, perform the following steps:
    1. Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
    2. From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
    3. Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
    4. Select the Sighting Search Configurations tab.

      You can view the list of sighting search configurations.

    5. Click on the required Sighting Search Configuration to view the details of the configuration.
    6. Select the Sighting Search Parameters tab.

      You can view the list of sighting search parameters.

    7. To create a sighting search parameter, click New.

      Create a Sighting Search Parameter

    8. On the form, fill the fields.
      Table 1. Create a sighting search parameter
      Field Description
      After each value The sighting search parameter after each observable when the search query is generated.
      Between each value The sighting search parameter between each observable when the search query is generated. For example, OR.
      Before each value The sighting search parameter before each observable when the search query is generated.
      Configuration The configuration details of the search parameter.
      Observable type Defines the type of observable category.
      Substitution variable Specifies the name of the variable that is replaced by an observable value.
    9. Click Save.