Using Sighting Search Parameters

Release version: Yokohama

Updated January 30, 2025

2 minutes to read

Summarize

Summarized using AI

Summary of Using Sighting Search Parameters

Sighting search parameters in ServiceNow's Threat Intelligence Security Center enable you to define complex queries for threat sightings by incorporating logic and operators supported by your specified log store. These parameters allow you to customize how observables are queried within integrations, improving the precision and relevance of threat intelligence enrichment.

Show full answer Show less

Accessing and Managing Sighting Search Parameters

To view or manage sighting search parameters, you must have the snsectisc.admin role. Navigate to Workspaces > Threat Intelligence Security Center > Integrations, then go to Enrichment Integrations > Sighting Search. Select your target integration and edit it. Under the Sighting Search Configurations tab, select a configuration and then access the Sighting Search Parameters tab to view or modify parameters.

From the parameters tab, you can:

Refresh the list of parameters.
Perform list actions such as editing columns and filtering parameters based on conditions.
View detailed information about individual sighting search parameters.

Creating and Using Sighting Search Parameters

Creating a new sighting search parameter involves specifying how observables are incorporated into the query. This includes defining strings that appear before, between, and after each observable value to construct the final search query.

For example, given observables 172.32.31.41 and 192.168.10.12, and appropriate configuration, the resulting query might be:

ipaddress = 172.32.31.41 OR ipaddress = 192.168.10.12

To create a new parameter:

Navigate as described above to the Sighting Search Parameters tab.
Click New and fill in the form fields:
- After each value: Text appended after each observable.
- Between each value: Text placed between observables (e.g., "OR").
- Before each value: Text prepended before each observable.
- Configuration: Details of the search parameter setup.
- Observable type: Defines the category of observable this parameter applies to.
- Substitution variable: Variable name replaced by the observable value in the query.
Save the new parameter.

Practical Benefits

By configuring sighting search parameters, ServiceNow customers can tailor threat intelligence enrichment queries to match their specific log store syntax and logic. This customization leads to more accurate sightings, better integration with external data sources, and enhanced threat detection capabilities within the Threat Intelligence Security Center.

You can use sighting search parameters that define more complex queries, which include logic and other operators supported by the specified log store.

View Sighting Search Parameters

Role required: sn_sec_tisc.admin

To view the sighting search parameters, perform the following steps:

Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
Click on the required Sighting Search Configuration to view the details of the configuration.
Select the Sighting Search Parameters tab.
You can view the list of sighting search parameters.
Click on the required Sighting Search Parameter to view the details of the parameter.
You can also perform the following actions on the Sighting Search Parameters tab:
1. To refresh the list of sighting search parameters, click icon.
2. To perform a list action on the sighting search parameters, click the icon.
  Edit columns: You can use this action to add or remove existing columns and modify the order according to your requirements.
3. To filter sighting search parameters based on conditions, click the icon.
  The value 1 indicates that one condition is used for the filtering.

Create Sighting Search Parameter

Example for query generation

Configured Query: ${Observable}

Observables Substitutes for Sightings search: Obs1 , Obs2

Query: {Before each Value}Obs1{After each Value}{Between each value}{Before each Value}Obs2{After each Value}



Let observables are: 172.32.31.41 & 192.168.10.12

Query Formed with below configuration will be: “ip_address = 172.32.31.41 OR ip_address = 192.168.10.12”

To create a sighting search parameter, perform the following steps:

Navigate to Workspaces > Threat Intelligence Security Center > Integrations.
From the Integrations page, navigate to Enrichment Integrations > Sighting Search.
Look for the integration for which you want to view the Sighting Search Configuration, and click Edit.
Select the Sighting Search Configurations tab.
You can view the list of sighting search configurations.
Click on the required Sighting Search Configuration to view the details of the configuration.
Select the Sighting Search Parameters tab.
You can view the list of sighting search parameters.
To create a sighting search parameter, click New.

On the form, fill the fields.

Table 1. Create a sighting search parameter
Field	Description
After each value	The sighting search parameter after each observable when the search query is generated.
Between each value	The sighting search parameter between each observable when the search query is generated. For example, OR.
Before each value	The sighting search parameter before each observable when the search query is generated.
Configuration	The configuration details of the search parameter.
Observable type	Defines the type of observable category.
Substitution variable	Specifies the name of the variable that is replaced by an observable value.

Click Save.