Create a sighting from an observable
When an organization records a discrete instance of an observed indicator of compromise inside their own environment — for example, a suspicious entry in a log file — the malicious item is sighted, and the organization environment is compromised.
To represent this scenario in the Intelligence Center, you can create a sighting from the sighted observable.
You can create a sighting from an observable in one of the following ways:
In the Observables view
In the left navigation bar, go to Search > GO SEARCH AND BROWSE > Browse > Observables.
Click the menu icon in the row corresponding to the observable you want to convert to a sighting.
From the drop-down menu select Create sighting.
The entity editor opens on Create sighting, and you can start populating the input fields with details about the sighting you are creating:
In the Observables detail pane
In the left navigation bar, go to Search > GO SEARCH AND BROWSE > Browse > Observables.
Click anywhere in the row corresponding to the observable you want to convert to a sighting.
In the observable detail pane, click the menu icon .
From the drop-down menu select Create sighting
The entity editor opens on Create sighting, and you can start populating the input fields with details about the sighting you are creating:
In the Observables tab on the entity detail pane
Open the entity detail pane of the entity related to the observable you want to convert to a sighting.
In the entity detail pane, click the Observables tab.
In the Observables tab, click the menu icon .
From the drop-down menu select Create sighting
The entity editor opens on Create sighting, and you can start populating the input fields with details about the sighting you are creating:
Bulk action on multiple observables
You can also select multiple observables, and then you can convert them to sightings at once:
Browse to the Observables view or open the Observables tab in the entity detail pane of the entity whose observables you want to convert to sightings.
Select the checkboxes corresponding to the observables you want to convert to sightings.
Click the menu icon above the table header, and from the drop-down menu select Create sighting.
The entity editor opens on Create sighting, and you can start populating the input fields with details about the sighting you are creating: