
Artifact Types

When you add an artifact to an incident, it falls under one of five types. Each type contains its own unique set of data, which you can input to action nodes in Incident Responder playbooks.

Email Address - An email address observed on an email client or server.

File - A file observed on a device. It may or may not have a payload. You may retrieve the file, but not download, display, or execute it because it may be malicious.

IP - An IP address in IPv4 or IPv6 format.

Process - A process executed by a program observed on an operating system.

URL - A URL associated with an IP address.

Email Address Artifact Data

Every artifact type contains a unique set of data. The email address artifact contains data about the email address's role, threat status, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

Email address

Email address the artifact describes.

Example: alerts@microsft.com

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the email is a victim, was attacked, or unknown.

Source

Link to the email asset's Advanced Analytics notable session timeline.

Threat status

Whether the email is a malicious, benign, or unknown threat, or a false positive.

File Artifact Data

Every artifact type contains a unique set of data. The file artifact contains data about the file's path, size, hash, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

File created time

Date and time this file was created.

Example: 2019-05-06 15:56

File name

Name used to uniquely identify the file in the file system.

Example: barbarian.jar

File path

Where in the file system the file was located. If you add a hash, the artifact will not contain this information.

Example: c:\user\windows\XXX

File size

How much space the file takes up in storage, in MB. If you add a hash, the artifact will not contain this information.

Example: 1.7 MB

MD5

MD5 hash value.

Example: b1d64dfbc73158114f20dee14b994755

Role

Whether the file is a victim, was attacked, or unknown.

SHA1

SHA1 hash value.

Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4

SHA256

SHA256 hash value.

Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b

SHA512

SHA512 hash value.

Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200

Source

Link to the file asset's Advanced Analytics notable session timeline. If you manually uploaded the file, there is no link.

Threat status

Whether the file is a malicious, benign, or unknown threat, or a false positive.

IP Artifact Data

Every artifact type contains a unique set of data. The IP artifact contains data about the IP's geolocation, role, threat status, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

City

City this IP address last connected from.

Example: San Francisco

Country

Country this IP address last connected from.

Example: United States

IP

IP address the artifact describes.

Example: 8.8.8.8

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the IP address is a victim, was attacked, or unknown.

Source

Link to the IP asset's Advanced Analytics notable session timeline.

State

U.S. state this IP address last connected from. If the IP address connected from outside the U.S., the artifact doesn't contain this information.

Example: California

Threat status

Whether the IP address is a malicious, benign, or unknown threat.

Process Artifact Data

Every artifact type contains a unique set of data. The process artifact contains data about the process's run time, ID, parent process, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

End time

Date and time the process stopped running.

Example: 2019-05-06 18:56

Parent PID

Parent process ID.

Example: 2130

Parent process name

Program filename of the parent process.

Example: explorer.exe

Process ID

ID of the process the artifact describes.

Example: 4109

Process name

File name of the program that executed the process.

Example: a.exe

Process path

Where in the file system the program file was located.

Example: C:\Users\Developer\Exabeam\Test\...

Process UID

Process's user ID, available in Unix-like operating systems.

Example: 39569

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the process is a victim, was attacked, or unknown.

Source

Link to the process asset's Advanced Analytics notable session timeline.

Start time

Date and time the process started running.

Example: 2019-05-06 15:56

Threat status

Whether the process is a malicious, benign, or unknown threat, or a false positive.

URL Artifact Data

Every artifact type contains a unique set of data. The URL artifact contains data about the URL's geolocation, IP, and more. In Incident Responder, you can input this data to a playbook action node.

When you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics if you've turned on data masking in Advanced Analytics settings.

Glossary

Artifact frequency

Number of open incidents that contain this artifact. Click to view a list of these incidents.

Example: 2

City

City this URL was last accessed from.

Example: San Francisco

Country

Country this URL was last accessed from.

Example: United States

IP

URL's corresponding IP address.

Example: 8.8.8.8

Related entity

The entity this artifact is related to.

Example: fweber

Role

Whether the URL is a victim, was attacked, or unknown.

Source

Link to the URL asset's Advanced Analytics notable session timeline.

State

U.S. state this URL was last accessed from. If the URL was accessed from outside the U.S., the artifact doesn't contain this information.

Example: California

Threat status

Whether the URL is a malicious, benign, or unknown threat, or a false positive.

URL

URL the artifact describes.

Example: https://www.exabeam.com
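The glossaries above define the five artifact types and the fields each one carries. Before handing artifact data to a playbook action node, it is worth checking that a record is well-formed: that a digest placed in the MD5 field really is a 32-character hex string, that an IP parses as IPv4 or IPv6, that a URL has a scheme and a host. The following validator is an added example, not Exabeam's code or schema; the dictionary keys (`type`, `file_name`, `process_id`, `ip`, `url`, and so on) are assumptions chosen to mirror the glossary terms, and the sample records are constructed from the example values shown on this page.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Vocabulary taken from the artifact glossaries on this page.
ARTIFACT_TYPES = {"Email Address", "File", "IP", "Process", "URL"}
THREAT_STATUSES = {"malicious", "benign", "unknown", "false positive"}
ROLES = {"victim", "attacked", "unknown"}

# Hex digest length -> hash field of the file artifact.
HASH_FIELDS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def classify_hash(value):
    """Return the hash field (MD5, SHA1, SHA256, SHA512) a hex digest belongs in,
    or None when the value is not a hex string of one of those lengths."""
    if not isinstance(value, str) or not HEX_RE.match(value):
        return None
    return HASH_FIELDS.get(len(value))


def validate_artifact(artifact):
    """Check one artifact record (a dict with a 'type' key plus the assumed
    field names used below). Returns a list of error strings; an empty list
    means the record is well-formed enough to feed to an action node."""
    errors = []
    kind = artifact.get("type")
    if kind not in ARTIFACT_TYPES:
        return [f"unknown artifact type: {kind!r}"]

    # Role and threat status are shared by every artifact type.
    for field, allowed in (("role", ROLES), ("threat_status", THREAT_STATUSES)):
        value = artifact.get(field)
        if value is not None and str(value).lower() not in allowed:
            errors.append(f"{field} must be one of {sorted(allowed)}, got {value!r}")

    if kind == "Email Address":
        if not EMAIL_RE.match(artifact.get("email", "")):
            errors.append("email is not a well-formed address")

    elif kind == "File":
        # A file artifact is identified by a file name and/or by one or more hashes.
        hashes = {f: artifact[f] for f in HASH_FIELDS.values() if f in artifact}
        if "file_name" not in artifact and not hashes:
            errors.append("file artifact needs a file_name or at least one hash")
        for field, digest in hashes.items():
            # A digest in the wrong field (e.g. a 40-char SHA1 under MD5) is flagged.
            if classify_hash(digest) != field:
                errors.append(f"{field} value is not a valid {field} hex digest")

    elif kind == "IP":
        try:
            ipaddress.ip_address(artifact.get("ip", ""))  # accepts IPv4 and IPv6
        except ValueError:
            errors.append(f"ip is not a valid IPv4/IPv6 address: {artifact.get('ip')!r}")

    elif kind == "Process":
        if artifact.get("process_id") is None:
            errors.append("process artifact needs a process_id")
        for field in ("process_id", "parent_pid"):
            value = artifact.get(field)
            if value is not None and (not isinstance(value, int) or value < 0):
                errors.append(f"{field} must be a non-negative integer, got {value!r}")

    elif kind == "URL":
        parsed = urlparse(artifact.get("url", ""))
        if not (parsed.scheme and parsed.netloc):
            errors.append("url needs a scheme and a host")
        ip = artifact.get("ip")  # the URL's corresponding IP, optional
        if ip is not None:
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                errors.append(f"ip is not a valid IPv4/IPv6 address: {ip!r}")

    return errors


if __name__ == "__main__":
    # Constructed records built from the glossary example values on this page.
    samples = [
        {"type": "Email Address", "email": "alerts@microsft.com", "role": "unknown"},
        {"type": "File", "file_name": "barbarian.jar",
         "MD5": "b1d64dfbc73158114f20dee14b994755", "threat_status": "unknown"},
        {"type": "IP", "ip": "8.8.8.8", "threat_status": "benign"},
        {"type": "Process", "process_id": 4109, "parent_pid": 2130},
        {"type": "URL", "url": "https://www.exabeam.com", "ip": "8.8.8.8"},
    ]
    for record in samples:
        print(record["type"], validate_artifact(record) or "ok")
```

The hash check is the part most worth keeping: a digest pasted into the wrong field silently produces a lookup that can never match, so the validator rejects any digest whose length does not correspond to its field name.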