
Dawn Jurek
ServiceNow Employee

Your network is under a phishing or malware attack - you need to know:

  • When did this attack first occur?
  • Is the attack on-going?
  • How many times have malicious observables been recorded in the logs?
  • Which users or devices have connected to the IP or URL?
  • Did any security compromises occur?

With sightings searches, you can answer all of these questions. In this installment of our NOWSupport best practices series, we provide an overview of the sightings search feature available in Security Incident Response.

See our video below for a demo of sightings search in action in the Madrid release, and see our FAQs below to learn more.

Hasn't sightings search been around for a while?

Yes. Sightings search has been part of the Security Incident Response product since Jakarta, but the Madrid release enhances it to help you scope phishing and malware attacks more precisely.

How do I get the latest version of sightings search?

Download the latest version of Security Incident Response from the ServiceNow Store.

How does it work? 

A sightings search queries your security information and event management (SIEM) log store for the observables (such as the IP addresses or URLs attached to a security incident) that potentially pose a threat to your data or assets. The results show how often, and over what time span, each observable has appeared in your logs, so you can determine the prevalence of a threat over time.

In Madrid, sightings search can also retrieve user records from the matching log events, giving analysts a list of employees who have been targets of a phishing or malware attack. That list lets analysts drive a thorough remediation and recovery procedure. Note that the enhanced implementation of sightings search in Madrid has been tested only with the Splunk Enterprise log store.
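To make the idea concrete, here is an added example (illustrative code written for this post, not ServiceNow's or Splunk's implementation) that runs a sightings-style aggregation over a handful of constructed proxy-style log lines. The `timestamp k=v ...` log format, the field names, the observables and the reference time are all assumptions; the point is the five scoping questions from the top of this post, answered per observable: first seen, last seen, number of sightings, which users and hosts were involved, and how many events were allowed through rather than blocked (the candidates to check for an actual compromise).

```python
"""Sightings search over SIEM-style log lines (added example, not ServiceNow's code).

The log format (ISO timestamp followed by key=value pairs), the field names,
the observables and NOW are constructed for illustration only.
"""
import re
from datetime import datetime, timedelta

# Constructed proxy-style events; in practice these are the rows your SIEM query returns.
SAMPLE_LOGS = """\
2024-03-04T08:12:05Z src_user=alice src_host=WS-101 dest_ip=203.0.113.10 url=http://phish.example.net/login action=allowed
2024-03-04T08:13:44Z src_user=bob src_host=WS-207 dest_ip=198.51.100.25 url=http://intranet.example.com/ action=allowed
2024-03-04T09:01:19Z src_user=carol src_host=WS-318 dest_ip=203.0.113.10 url=http://phish.example.net/login action=blocked
2024-03-05T11:47:02Z src_user=alice src_host=WS-101 dest_ip=203.0.113.10 url=http://phish.example.net/invoice.doc action=allowed
2024-03-06T16:20:33Z src_user=dave src_host=LT-044 dest_ip=192.0.2.77 url=http://malware.example.org/payload.exe action=allowed
"""

# Observables taken from a hypothetical security incident: an IP, a domain and a full URL.
OBSERVABLES = ["203.0.113.10", "phish.example.net", "http://malware.example.org/payload.exe"]

# Constructed "current time" used to decide whether an attack is still on-going.
NOW = datetime(2024, 3, 7, 9, 0, 0)

KV_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict, with the timestamp parsed under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.strptime(ts, TS_FMT)
    return event


def sighted(event, observable):
    """An IP or full URL must match its field exactly; a domain observable matches
    when it occurs inside the url field (deliberately loose, like a SIEM wildcard)."""
    if observable in (event.get("dest_ip"), event.get("url")):
        return True
    return observable in event.get("url", "")


def sightings_search(log_text, observables):
    """Aggregate prevalence per observable: sighting count, first/last seen,
    affected users and hosts, and how many events were allowed through."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    results = {}
    for obs in observables:
        hits = [e for e in events if sighted(e, obs)]
        results[obs] = {
            "count": len(hits),
            "first_seen": min((e["ts"] for e in hits), default=None),
            "last_seen": max((e["ts"] for e in hits), default=None),
            "users": sorted({e["src_user"] for e in hits}),
            "hosts": sorted({e["src_host"] for e in hits}),
            "allowed": sum(1 for e in hits if e.get("action") == "allowed"),
        }
    return results


def is_ongoing(result, now=NOW, window=timedelta(hours=24)):
    """'Is the attack on-going?': true if the latest sighting falls inside the trailing window."""
    return result["last_seen"] is not None and now - result["last_seen"] <= window


if __name__ == "__main__":
    for obs, r in sightings_search(SAMPLE_LOGS, OBSERVABLES).items():
        print(f"{obs}: {r['count']} sightings, first {r['first_seen']}, last {r['last_seen']}, "
              f"users={r['users']} hosts={r['hosts']} allowed={r['allowed']} "
              f"ongoing={is_ongoing(r)}")
```

On a real Splunk Enterprise store the same aggregation is what a `stats count, min(_time), max(_time), values(src_user) by dest_ip` style search computes for you; the script above only shows what the returned numbers mean for scoping. The `allowed` counter is a triage heuristic, not proof of compromise: an allowed connection tells you which users and devices to investigate first, not that malware actually executed.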

Can I configure sightings searches?

Yes. You can configure sightings searches and create saved configurations for your SIEM or other log stores, so analysts reuse a vetted query rather than writing a new one per incident. See Create sightings search configuration records for more information.

For more information:

Sightings searches on the frequency of phishing and malware attacks (product documentation)

--

Behind the scenes here at ServiceNow, the Knowledge Management and Multimedia teams work closely with subject matter experts to deliver critical information to our customers. We’ve found that certain topics come up frequently, in the form of best practices that can help you keep your ServiceNow instances running smoothly. This series targets those topics so that you and your organization can benefit from our collective expertise. If you have a best practices topic you'd like us to cover in this series, please let us know in the comments below.

To access all the blog posts in this series, see our NOWSupport best practices series list.