Define queries for Sighting Search
You can use sighting search configurations to define the queries that find the prevalence of observables in your environment as part of an observable investigation.
View queries for Sighting Search
Role required: sn_sec_tisc.admin
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
- Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
- Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
- Click on the required Sighting Search Configuration to view the details of the configuration.
- To generate a test sighting search query, click the Generate Test Sighting Search Query action.
Note: The Generate Test Sighting Search Query action works only if you have configured sighting search query parameters. For more information, see Using Sighting Search Parameters.
- In the Generate Test Sighting Search Query pop-up, enter or paste multiple observables using comma, new line, tab, or pipe separators to generate a test query.
- Click Generate to generate the test sighting search query.
- You can also perform the following actions on the Sighting Search Configurations tab:
- To refresh the list of sighting search configurations, click the refresh icon.
- To perform a list action on the sighting search configurations, click the list actions icon. You can perform the following two list actions:
- Edit columns: Use this action to add or remove existing columns and change their order according to your requirements.
- Reset widths: Use this action to reset the widths of the columns.
- To filter sighting search configurations based on conditions, click the filter icon. The value 1 on the icon indicates that one condition is used for the filtering.
Create Sighting Search Configurations
Role required: sn_sec_tisc.admin
- Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
- From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
- Look for the integration for which you want to create the Sighting Search Configuration, and click Edit.
- Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
- To create a sighting search configuration, click New.
- On the form, fill in the fields.
Table 1. Create a sighting search configuration
- Name: Name for the sighting search configuration.
- Observable type: Defines the type of observable category.
- Sightings search source: Defines the source configured for the integration.
- Maximum observables per search: The maximum number of observables that can be substituted into a single search query. When more observables are supplied, the search is split into multiple queries. Set this value to 500 for this integration.
- Search: The native search query that is executed in the sighting search source. The query can contain substitution variables, for example ${observable}, that are replaced with observables of the configured type (as set in the sighting search parameters) when the sighting search query is formed.
- Is saved search: Runs a saved search; the Name field must match the name of the saved search.
- Active: The query runs only if the Active option is selected.
- Click Save.
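As an added example that is not ServiceNow's own code, the following ES5-style JavaScript (the dialect used in ServiceNow server scripts) models how the Generate Test Sighting Search Query step and the Table 1 fields combine: observables pasted with comma, new line, tab or pipe separators are parsed, split into batches of Maximum observables per search, and substituted for ${observable} in the Search string. The IN (...) list joiner, the quoting rule, and the sample configuration and addresses are assumptions constructed for illustration.

```javascript
// Added example, not ServiceNow code: models how a Sighting Search
// configuration turns pasted observables into one or more test queries.

// Split pasted text on the separators the test-query pop-up accepts
// (comma, new line, tab, pipe); surrounding spaces and blanks are dropped.
function parseObservables(raw) {
  return String(raw)
    .split(/[,\r\n\t|]/)
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

// Split observables into batches of at most maxPerSearch, mirroring the
// "Maximum observables per search" field (the page recommends 500).
function batchObservables(observables, maxPerSearch) {
  if (!(maxPerSearch > 0)) {
    throw new Error('Maximum observables per search must be a positive number');
  }
  var batches = [];
  for (var i = 0; i < observables.length; i += maxPerSearch) {
    batches.push(observables.slice(i, i + maxPerSearch));
  }
  return batches;
}

// Build one native query per batch by substituting ${observable}.
// Each value is quoted and embedded quotes/backslashes escaped so an
// observable containing a separator or quote cannot alter the query shape.
function buildSightingSearchQueries(config, raw) {
  if (!config.active) { return []; }   // Active unchecked: the query never runs
  var batches = batchObservables(parseObservables(raw), config.maxObservablesPerSearch);
  return batches.map(function (batch) {
    var list = batch.map(function (o) {
      return '"' + o.replace(/["\\]/g, '\\$&') + '"';
    }).join(', ');   // assumed joiner for the constructed IN (...) template
    return config.search.replace(/\$\{observable\}/g, list);
  });
}

// Constructed sample mirroring the Table 1 fields; the maximum is set to 2
// so the split is visible. Addresses come from RFC 5737 documentation ranges.
var sampleConfig = {
  name: 'Proxy destination IP sightings',   // constructed
  observableType: 'IP address',
  sightingsSearchSource: 'example-siem',     // constructed
  maxObservablesPerSearch: 2,
  search: 'dest_ip IN (${observable})',      // constructed native query
  isSavedSearch: false,
  active: true
};
var sampleInput = '198.51.100.7, 203.0.113.9\n192.0.2.44 | 192.0.2.45';   // constructed
```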