Manually create sightings

Note: This feature is available in EclecticIQ Intelligence Center Integration for IBM Resilient starting from release 1.1.2.
Manually create sightings from incident artifacts in IBM QRadar SOAR, and push them to EclecticIQ Intelligence Center.
EclecticIQ Intelligence Center Integration for IBM QRadar SOAR supports the following artifact types:
| IBM QRadar SOAR artifact | Artifact type JSON field |
|---|---|
| DNS Name | net.name |
| Email Body | |
| Email Recipient | email.header.to |
| Email Sender | email.header.sender_address |
| Email Subject | email.header |
| IP Address | net.ip |
| Malware MD5 Hash | hash.md5 |
| Malware SHA-1 Hash | hash.sha1 |
| Malware SHA-256 Hash | hash.sha256 |
| Malware SHA-512 Hash | hash.sha512 |
| URL | net.uri |
| URI Path | net.uri.path |
Create a sighting in the GUI

To manually create a sighting in the IBM QRadar SOAR GUI:

1. Open a web browser tab, and log in to IBM QRadar SOAR through the GUI.
2. In the top navigation bar, click List Incidents.
3. In the All Open Incidents view, click an existing incident to open it. Alternatively, create a new incident, and then open it.
4. In the open incident view, click the Artifacts tab.
5. From the Actions drop-down menu, click Create EclecticIQ Sighting. The name of this option may vary, based on the value you assigned to the Display Name field when you created the menu item.

Upon successful creation, a confirmation message is displayed briefly at the top of the active view.
About manually and automatically created sightings

Manually and automatically created sightings differ slightly:

| Manually created sighting | Automatically created sighting |
|---|---|
| Each manual sighting creation action produces one sighting that includes all artifacts in the incident. The artifacts are saved as observables, and they are nested in the sighting. | Each detected hit produces one sighting that includes one nested observable per incident artifact. |
| If you trigger a manual sighting creation in an incident with no artifacts, the resulting sighting has no nested observables. It is an empty sighting. | Only detected hits produce sightings. Therefore, an incident with no artifacts does not produce any automatically created sightings. |
| The created sighting naming format is: Resilient CTS Sighting - incident name. Example: Resilient CTS Sighting - Spear phishing attack by ATP38 | The created sighting naming format is: Resilient CTS Sighting - observable type:observable value. Example: Resilient CTS Sighting - ipv4:80.190.131.158 |
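As an added illustration of the artifact mapping and of the two naming rules above (example code written for this page, not the integration's own code), the following Python builds a manual sighting and a set of automatic sightings from a constructed list of SOAR artifacts, using the artifact type JSON fields from the table. The dict layout of a sighting, the function names, the `hit_values` stand-in for reported hits, and every observable type name except `ipv4` (which the page's own example shows) are assumptions. It also covers the empty-incident case, so a reader can see why a manual action on an incident with no artifacts yields a sighting worth flagging before it is pushed.

```python
"""Build sighting records from IBM QRadar SOAR incident artifacts.

Added illustration of the artifact mapping and naming rules described on this
page; it is not the integration's own code. The dict layout of a sighting, the
function names and the observable type names other than "ipv4" are assumptions.
"""
from typing import Dict, List, Optional, Set

SIGHTING_PREFIX = "Resilient CTS Sighting - "

# SOAR artifact type JSON field (from the table above) -> observable type.
# "ipv4" is taken from the page's own example; the other type names are assumed.
OBSERVABLE_TYPE_FOR_ARTIFACT: Dict[str, str] = {
    "net.name": "domain",
    "email.header.to": "email",
    "email.header.sender_address": "email",
    "email.header": "email-subject",
    "net.ip": "ipv4",
    "hash.md5": "hash-md5",
    "hash.sha1": "hash-sha1",
    "hash.sha256": "hash-sha256",
    "hash.sha512": "hash-sha512",
    "net.uri": "uri",
    "net.uri.path": "uri",
}


def artifact_to_observable(artifact: dict) -> Optional[dict]:
    """Map one SOAR artifact to a nested observable.

    Returns None for artifact types the integration does not support
    (and for artifacts with an empty value), so callers can skip them.
    """
    obs_type = OBSERVABLE_TYPE_FOR_ARTIFACT.get(artifact.get("type", ""))
    value = artifact.get("value", "")
    if obs_type is None or not value:
        return None
    return {"type": obs_type, "value": value}


def build_manual_sighting(incident_name: str, artifacts: List[dict]) -> dict:
    """Manual mode: one sighting per action, nesting every supported artifact.

    An incident with no (supported) artifacts yields an empty sighting with
    no nested observables, the case the comparison table describes.
    """
    observables = [
        obs for obs in (artifact_to_observable(a) for a in artifacts) if obs
    ]
    return {"title": SIGHTING_PREFIX + incident_name, "observables": observables}


def build_automatic_sightings(artifacts: List[dict], hit_values: Set[str]) -> List[dict]:
    """Automatic mode: one sighting per detected hit.

    `hit_values` stands in for the artifact values the Intelligence Center
    matched (an assumption about how hits are reported). Each hit yields a
    sighting named "<observable type>:<observable value>" with the matched
    observable nested; artifacts without a hit produce nothing.
    """
    sightings = []
    for artifact in artifacts:
        obs = artifact_to_observable(artifact)
        if obs is None or obs["value"] not in hit_values:
            continue
        sightings.append({
            "title": f"{SIGHTING_PREFIX}{obs['type']}:{obs['value']}",
            "observables": [obs],
        })
    return sightings


def is_empty_sighting(sighting: dict) -> bool:
    """True when a sighting carries no observables (worth flagging before pushing)."""
    return not sighting["observables"]


# Constructed sample incident: the IP is the one from the page's example, the
# MD5 is the well-known hash of the empty string, the last type is a placeholder
# for an artifact type the integration does not map.
SAMPLE_INCIDENT_NAME = "Spear phishing attack by ATP38"
SAMPLE_ARTIFACTS = [
    {"type": "net.ip", "value": "80.190.131.158"},
    {"type": "hash.md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "net.name", "value": "example.com"},
    {"type": "unsupported.type", "value": "skipped by the mapping"},
]

if __name__ == "__main__":
    manual = build_manual_sighting(SAMPLE_INCIDENT_NAME, SAMPLE_ARTIFACTS)
    print(manual["title"], "->", len(manual["observables"]), "observables")
    for s in build_automatic_sightings(SAMPLE_ARTIFACTS, {"80.190.131.158"}):
        print(s["title"])
    print("empty incident ->", is_empty_sighting(build_manual_sighting("Empty", [])))
```

Running the module on the constructed incident gives one manual sighting with three nested observables (the unsupported artifact is dropped) and, for a single reported hit on the IP, one automatic sighting titled `Resilient CTS Sighting - ipv4:80.190.131.158`; `is_empty_sighting` is the check a push step can use to avoid sending the empty sighting that a manual action on an artifact-less incident produces.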