Get Started With Case Manager

The Difference Between Entities and Artifacts

Entities and artifacts are both objects, but they differ in the roles they play in an investigation and in how you work with them.

An entity is the primary object you are investigating. An artifact is the additional evidence you discover as you investigate. An artifact enriches an entity.

An artifact is an object you collect while investigating an incident, like the evidence police gather when investigating a crime. Every artifact is timestamped. You create an artifact manually, or an action creates it for you automatically. Not every artifact turns out to matter, but you add each one to the incident so that it is on record in case it does.

An entity is what the artifacts support or describe; in the police analogy, it is the crime under investigation. You link each artifact to an entity. You can pivot on an entity, and add or edit its information.

A single item can't be both an entity and an artifact. In some cases, though, closely related items appear under both the Entities and the Artifacts sections of an incident's details. For example, a malicious file is an entity, but what it contains is recorded as artifacts.

Entity Types

When you add an entity to an incident, it falls under one of three types. Each type carries its own set of data fields, which you can pass as input to action nodes in Incident Responder playbooks.

File – Any electronic file; for example, Word and Excel documents, Windows or Linux executables.

Device – A computer, either on an internal network or the internet.

User – A person identified by a corporate directory account ID, email address, or other means (app login ID, full name, etc.).

Artifact Types

When you add an artifact to an incident, it falls under one of five types. Each type carries its own set of data fields, which you can pass as input to action nodes in Incident Responder playbooks.

Email Address – An email address observed on an email client or server.

File – A file observed on a device. It may or may not carry a payload. You can retrieve the file, but not download, display, or execute it, because it may be malicious.

IP – An IP address in IPv4 or IPv6 format.

Process – A process executed by a program observed on an operating system.

URL – A URL associated with an IP address.
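The entity/artifact relationship described above, as an added example in Python. This is not Case Manager's own code or API; it only encodes the rules the text states (an entity is the primary object; an artifact is timestamped evidence linked to exactly one entity; each falls under a fixed set of types; you can pivot on an entity). The class names, field names, and the sample incident are assumptions for illustration.

```python
"""Illustrative model of entities and artifacts in an incident.

Added example, not Case Manager's own code or API. Class names, field
names and the sample incident below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# The type sets the page lists.
ENTITY_TYPES = {"File", "Device", "User"}
ARTIFACT_TYPES = {"Email Address", "File", "IP", "Process", "URL"}


@dataclass(frozen=True)
class Entity:
    """The primary object under investigation."""
    entity_id: str
    kind: str                     # one of ENTITY_TYPES
    data: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Artifact:
    """Evidence collected during the investigation; always linked to an entity."""
    kind: str                     # one of ARTIFACT_TYPES
    value: str
    entity_id: str                # the entity this artifact enriches
    observed_at: datetime         # artifacts are timestamped
    source: str                   # "manual" or the action that produced it


class Incident:
    def __init__(self, incident_id: str) -> None:
        self.incident_id = incident_id
        self.entities: Dict[str, Entity] = {}
        self.artifacts: List[Artifact] = []

    def add_entity(self, entity_id: str, kind: str, **data) -> Entity:
        if kind not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type: {kind}")
        if entity_id in self.entities:
            raise ValueError(f"entity already in incident: {entity_id}")
        entity = Entity(entity_id, kind, dict(data))
        self.entities[entity_id] = entity
        return entity

    def add_artifact(self, kind: str, value: str, entity_id: str,
                     source: str = "manual", observed_at: datetime = None) -> Artifact:
        if kind not in ARTIFACT_TYPES:
            raise ValueError(f"unknown artifact type: {kind}")
        if entity_id not in self.entities:
            # An artifact only exists in relation to the entity it enriches.
            raise KeyError(f"no such entity to link to: {entity_id}")
        artifact = Artifact(kind, value, entity_id,
                            observed_at or datetime.now(timezone.utc), source)
        self.artifacts.append(artifact)
        return artifact

    def pivot(self, entity_id: str) -> List[Artifact]:
        """Everything collected about one entity, oldest observation first."""
        return sorted((a for a in self.artifacts if a.entity_id == entity_id),
                      key=lambda a: a.observed_at)

    def entities_sharing(self, kind: str, value: str) -> List[Entity]:
        """Entities whose artifacts share one observable (e.g. the same IP)."""
        ids = {a.entity_id for a in self.artifacts
               if a.kind == kind and a.value == value}
        return [self.entities[i] for i in sorted(ids)]


def build_sample_incident() -> Incident:
    """Constructed sample data: a suspicious file, the host it ran on, its user."""
    inc = Incident("INC-0001")
    inc.add_entity("file:dropper.exe", "File", name="dropper.exe")
    inc.add_entity("dev:WS-042", "Device", hostname="WS-042")
    inc.add_entity("user:jdoe", "User", account="jdoe")
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Artifacts that describe the file entity: the file is the entity,
    # what it does and contains is recorded as artifacts.
    inc.add_artifact("Process", "dropper.exe -silent", "file:dropper.exe", "EDR action", t0)
    inc.add_artifact("IP", "203.0.113.7", "file:dropper.exe", "EDR action", t0.replace(minute=2))
    inc.add_artifact("URL", "http://203.0.113.7/update.bin", "file:dropper.exe", "EDR action", t0.replace(minute=1))
    # The same IP observed from the device, so one observable links two entities.
    inc.add_artifact("IP", "203.0.113.7", "dev:WS-042", "firewall action", t0.replace(minute=5))
    inc.add_artifact("Email Address", "jdoe@example.com", "user:jdoe", "manual", t0.replace(minute=10))
    return inc


if __name__ == "__main__":
    incident = build_sample_incident()
    for a in incident.pivot("file:dropper.exe"):
        print(a.observed_at.isoformat(), a.kind, a.value, a.source)
    print([e.entity_id for e in incident.entities_sharing("IP", "203.0.113.7")])
```

Pivoting on the file entity returns its artifacts in observation order, and looking up the shared IP shows which entities that single observable ties together; the two guards in `add_artifact` are what keep an artifact from existing without an entity or from carrying a type outside the five the page defines.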