The Difference Between Entities and Artifacts
While entities and artifacts are both objects, they differ in context and in the roles they play in your investigation.
An entity is the primary object you are investigating. An artifact is the additional evidence you discover as you investigate. An artifact enriches an entity.
An artifact is an object you collect when you investigate an incident, like evidence the police find when investigating a crime. It is timestamped. You create an artifact manually, or automatically through an action. Although not every artifact is important to your investigation, you add it to the incident to record it just in case.
An entity is what the artifact supports or describes; it is the crime the police investigate. You link an artifact to an entity. You may pivot on an entity, and add or edit its information.
An item can't be both an entity and an artifact. However, in specific cases, something might appear under both the Artifact and Entities sections in an incident's details. For example: a malicious file is an entity, but its contents are artifacts.
File – Any electronic file; for example, Word and Excel documents, Windows or Linux executables.
Device – A computer, either on an internal network or the internet.
User – A person identified by a corporate directory account ID, email address, or other means (app login ID, full name, etc.).
Email Address – An email address observed on an email client or server.
File – A file observed on a device. It may or may not have a payload. You may retrieve the file, but not download, display, or execute it because it may be malicious.
IP – An IP address in IPv4 or IPv6 format.
Process – A process executed by a program observed on an operating system.
URL – A URL associated with an IP address.