Manually create sightings

This feature is available in EclecticIQ Platform Integration for IBM Resilient starting from release 1.1.2.

Manually create sightings from incident artifacts in IBM Resilient, and push them to EclecticIQ Platform.

EclecticIQ Platform Integration for IBM Resilient supports the following artifact types:

To manually create a sighting in the IBM Resilient GUI:

Open a web browser tab, and log in to IBM Resilient through the GUI.
In the top navigation bar click List Incidents.
In the All Open Incidents view, click an existing incident to open it.
Alternatively:
Create a new incident, and then open it.
In the open incident view, click the Artifacts tab.
From the Actions drop-down menu, click Create EclecticIQ Sighting.
The name of this option may vary, based on the value you assigned to the Display Name field when you created the menu item.
Upon successful creation, a confirmation message is displayed briefly at the top of the active view.

Manually and automatically created sightings differ slightly:

Manually created sighting	Automatically created sighting
Each manual sighting creation action produces one sighting that includes all artifacts in the incident. The artifacts are saved as observables, and they are nested in the sighting.	Each detected hit produces one sighting that includes one nested observable per incident artifact.
If you trigger a manual sighting creation in an incident with no artifacts, the resulting sighting has no nested observables. It is an empty sighting.	Only detected hits produce sightings. Therefore, an incident with no artifacts does not produce any automatically created sightings.
The created sighting naming format is: Resilient CTS Sighting - incident name Example: Resilient CTS Sighting - Spear phishing attack by ATP38	The created sighting naming format is: Resilient CTS Sighting - observable type:observable value Example: Resilient CTS Sighting - ipv4:80.190.131.158