Manually create sightings


This feature is available in EclecticIQ Intelligence Center Integration for IBM Resilient starting from release 1.1.2.

Manually create sightings from incident artifacts in IBM QRadar SOAR, and push them to EclecticIQ Intelligence Center.

EclecticIQ Intelligence Center Integration for IBM QRadar SOAR supports the following IBM QRadar SOAR artifact types:

  - DNS Name
  - Email Body
  - Email Recipient
  - Email Sender
  - Email Subject
  - IP Address
  - Malware MD5 Hash
  - Malware SHA-1 Hash
  - Malware SHA-256 Hash
  - Malware SHA-512 Hash
  - URI Path


Create a sighting in the GUI

To manually create a sighting in the IBM QRadar SOAR GUI:

  1. Open a web browser tab, and log in to IBM QRadar SOAR through the GUI.

  2. In the top navigation bar, click List Incidents.

  3. In the All Open Incidents view, click an existing incident to open it.

    Alternatively, create a new incident, and then open it.

  4. In the open incident view, click the Artifacts tab.

  5. From the Actions drop-down menu, click Create EclecticIQ Sighting.

    The name of this option may vary, based on the value you assigned to the Display Name field when you created the menu item.

  6. Upon successful creation, a confirmation message is displayed briefly at the top of the active view.

About manually and automatically created sightings

Manually and automatically created sightings differ slightly:

| Manually created sighting | Automatically created sighting |
|---|---|
| Each manual sighting creation action produces one sighting that includes all artifacts in the incident. The artifacts are saved as observables, and they are nested in the sighting. | Each detected hit produces one sighting that includes one nested observable per incident artifact. |
| If you trigger a manual sighting creation in an incident with no artifacts, the resulting sighting has no nested observables. It is an empty sighting. | Only detected hits produce sightings. Therefore, an incident with no artifacts does not produce any automatically created sightings. |
| The created sighting naming format is: Resilient CTS Sighting - incident name. Example: Resilient CTS Sighting - Spear phishing attack by ATP38 | The created sighting naming format is: Resilient CTS Sighting - observable type:observable value. Example: Resilient CTS Sighting - ipv4: |
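The two behaviours compared above, written out as an added Python model; this is not code from the EclecticIQ integration or from IBM. The observable type names other than ipv4, and the lookup used to stand in for "detected hit", are assumptions.

```python
from dataclasses import dataclass, field

# Assumed mapping from IBM QRadar SOAR artifact types (the supported types
# listed above) to EclecticIQ observable types. Only "ipv4" comes from the
# page's own naming example; the other type names are assumptions.
ARTIFACT_TO_OBSERVABLE = {
    "IP Address": "ipv4",
    "DNS Name": "domain",
    "Email Sender": "email",
    "Email Recipient": "email",
    "Malware MD5 Hash": "hash-md5",
    "Malware SHA-256 Hash": "hash-sha256",
    "URI Path": "uri",
}


@dataclass
class Sighting:
    title: str
    observables: list = field(default_factory=list)  # (type, value) pairs


def manual_sighting(incident_name, artifacts):
    """One manual action -> one sighting with every supported artifact nested.

    An incident with no artifacts still yields a sighting; it is simply empty.
    """
    observables = [(ARTIFACT_TO_OBSERVABLE[kind], value)
                   for kind, value in artifacts if kind in ARTIFACT_TO_OBSERVABLE]
    return Sighting(f"Resilient CTS Sighting - {incident_name}", observables)


def automatic_sightings(artifacts, known_indicators):
    """One sighting per detected hit, named after the matching observable.

    'Detected hit' is modelled as an artifact value present in the
    known_indicators set (an assumption); no artifacts means no sightings.
    """
    sightings = []
    for kind, value in artifacts:
        if kind in ARTIFACT_TO_OBSERVABLE and value in known_indicators:
            otype = ARTIFACT_TO_OBSERVABLE[kind]
            sightings.append(
                Sighting(f"Resilient CTS Sighting - {otype}:{value}", [(otype, value)]))
    return sightings

# Constructed sample incident: two artifacts, one of which matches an indicator.
SAMPLE_ARTIFACTS = [("IP Address", "203.0.113.7"), ("DNS Name", "example.invalid")]
SAMPLE_INDICATORS = {"203.0.113.7"}
```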