Manually Add an Artifact

Provide external evidence to your investigation. You can choose from five artifact types.

See also: The Difference Between Entities and Artifacts

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new artifact (a grey circle with a white fingerprint, and a blue circle with a white + in the top right).

  3. Under Artifact type, select File.

  4. To extract a file's name, hash value, and size, select Upload file. To manually enter all details, select Manually enter file details.

    • If you selected Upload file, click UPLOAD FILE, then select a file from your file system. Fill in the fields:

      • File path – Enter where in the file system this file is located.

      • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

      • Role – Specify if the artifact describes a victim, attacker, or unknown.

      • Related entity – Indicate which entity the artifact is related to.

    • If you selected Manually enter file details, fill in the fields:

      • File name – Enter the name used to uniquely identify the file in the file system.

      • Hash type – Enter at least one hash value from an MD5, SHA256, SHA1, or SHA512 function.

      • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

      • Role – Specify if the artifact describes a victim, attacker, or unknown.

      • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.
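
For the Manually enter file details option above, the following added example (not part of the product or its documentation) computes a file's name, size, and all four supported hash values in a single pass, so the values can be copied into the form without uploading the file. The dictionary labels and the sample file are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Hash types the "Hash type" field accepts, per the steps above.
HASH_TYPES = ("md5", "sha1", "sha256", "sha512")


def file_artifact_details(path, chunk_size=1024 * 1024):
    """Return the file name, path, size and hashes of `path`, read in one pass."""
    hashers = {name: hashlib.new(name) for name in HASH_TYPES}
    size = 0
    with open(path, "rb") as fh:
        # Read in chunks so large evidence files are not loaded into memory.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    # Labels below are illustrative, chosen to mirror the form fields.
    details = {
        "File name": os.path.basename(path),
        "File path": os.path.abspath(path),
        "Size (bytes)": size,
    }
    for name, h in hashers.items():
        details[name.upper()] = h.hexdigest()
    return details


def make_sample_file():
    """Write a constructed sample file (not real evidence) and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    try:
        for field, value in file_artifact_details(sample).items():
            print(f"{field}: {value}")
    finally:
        os.remove(sample)
```

Run it against a working copy of the evidence file rather than the original, and record which hash type you entered so others can match it against their own tooling.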

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new artifact (a grey circle with a white fingerprint, and a blue circle with a white + in the top right).

  3. Under Artifact type, select IP.

  4. Fill in the fields:

    • IP – Enter the IP address this artifact describes.

    • Location – Enter the city, U.S. state (if applicable), and country this IP last connected from.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Select the fingerprint button (a grey circle with a white fingerprint, and a blue circle with a white + in the top right).

  3. Under Artifact type, select Process.

  4. Fill in the fields:

    • Process name – Enter the file name of the program that executed the process.

    • Process path – Enter where in the file system the program file was located.

    • Process ID – Enter the ID of the process the artifact describes.

    • UID – Enter the process's user ID, available in Unix-like operating systems.

    • Start time – Enter the date and time the process started running. You may also select the calendar and clock icons to enter a date and time.

    • End time – Enter the date and time the process stopped running. You may also select the calendar and clock icons to enter a date and time.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new artifact (a grey circle with a white fingerprint, and a blue circle with a white + in the top right).

  3. Under Artifact type, select URL.

  4. Fill in the fields:

    • URL – Enter the URL the artifact describes.

    • IP – Enter the URL's corresponding IP address.

    • Location – Enter the city, U.S. state (if applicable), and country the URL was last accessed from.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.

  1. Navigate to an incident or its workbench:

    • To start from an incident, in the navigation bar, click INCIDENTS, then select an incident.

    • To start from an incident's workbench, in the navigation bar, click INCIDENTS, select an incident, then select View Workbench.

  2. Click Add a new artifact (a grey circle with a white fingerprint, and a blue circle with a white + in the top right).

  3. Under Artifact type, select Email Address.

  4. Fill in the fields:

    • Email address – Enter the email address the artifact describes.

    • Threat status – Indicate if the artifact is a malicious, benign, or unknown threat, or a false positive.

    • Role – Specify if the artifact describes a victim, attacker, or unknown.

    • Related entity – Indicate which entity the artifact is related to.

  5. Click SAVE. The artifact appears in the incident under the Artifact tab.