- Case Manager Release Notes
- Get Started with Case Manager
- Configure Case Manager Settings
- Investigate a Security Incident
- Manually Create an Incident
- Edit an Incident
- Delete an Incident
- Manually Add an Entity
- Manually Add an Artifact
- Delete an Entity or Artifact
- Add Advanced Analytics Evidence to a Case Manager Incident
- Manage Tasks During an Investigation
- Send Messages from an Incident
- Filter Incidents
- Search for an Incident
- Sort Incidents
- Export Incidents
Artifact Types
When you add an artifact to an incident, it falls under five types. Each type contains its own unique set of data, which you can input to action nodes in Incident Responder playbooks.
Email Address – An email address observed on an email client or server. An email address artifact contains specific data, including role and threat status.
File - A file observed on a device. It may or may not have a payload. You may retrieve the file, but not download, display, or execute it because it may be malicious. A file artifact contains specific data, including file path, size, and hash
IP - An IP address in IPv4 or IPv6 format. An IP artifact contains specific data, including geolocation, role, and threat status.
Process - A process executed by a program observed on an operating system. A process artifact contains specific data, including run time, ID, and parent process.
URL – A URL associated with an IP address. A URL artifact contains specific data, including geolocation, IP, and role.
Email Address Artifact Data
Every artifact type contains a unique set of data. The email address artifact contains data like the email address's role and threat status. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Artifact frequency
Number of open incidents that contain this artifact. Click to view a list of these incidents.
Example: 2
- Email address
Email address the artifact describes.
Example: [email protected]
- Related entity
The entity this artifact is related to.
Example: fweber
- Role
Whether the email is a victim, was attacked, or unknown.
- Source
Link to the email asset's Advanced Analytics notable session timeline.
- Threat status
Whether the email is a malicious, benign, or unknown threat, or a false positive.
File Artifact Data
Every artifact type contains a unique set of data. The file artifact contains data like path, size, and hash. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Artifact frequency
Number of open incidents that contain this artifact. Click to view a list of these incidents.
Example: 2
- File created time
Date and time this file was created.
Example: 2019-05-06 15:56
- File name
Name used to uniquely identify the file in the file system.
Example: barbarian.jar
- File path
Where in the file system the file was located. If you add a hash, the artifact will not contain this information.
Example: c:\user\windows\XXX
- File size
How much space the file takes up in storage, in MB. If you add a hash, the artifact will not contain this information.
Example: 1.7 MB
- MD5
MD5 hash value.
Example: b1d64dfbc73158114f20dee14b994755
- Role
Whether the file is a victim, was attacked, or unknown.
- SHA1
SHA1 hash value.
Example: aed420a76e730364ca8d804873a7f3c6ca2ff4f4
- SHA256
SHA256 hash value.
Example: ee424b6d4657808c1c634fcaa7fc52e2ec9f30b1cb8ed457178559d5f840b40b
- SHA512
SHA512 hash value.
Example: 20a5ab43c7106846e4954adec2c2c1348d157beb686fbbb0f23a5efcf89cb49c4ab6c6c369869e05da7661d1386b5f439dfad9e6d60b11cac599be83b0146200
- Source
Link to the file asset's Advanced Analytics notable session time. If you manually uploaded the file, there is no link.
- Threat status
Whether the file is a malicious, benign, or unknown threat, or a false positive.
IP Artifact Data
Every artifact type contains a unique set of data. The IP artifact contains data like geolocation, role, and threat status. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Artifact frequency
Number of open incidents that contain this artifact. Click to view a list of these incidents.
Example: 2
- City
City this IP address last connected from.
Example: San Francisco
- Country
Country this IP address last connected from.
Example: United States
- IP
IP address the artifact describes.
Example: 8.8.8.8
- Related entity
The entity this artifact is related to.
Example: fweber
- Role
Whether the IP address is a victim, was attacked, or unknown.
- Source
Link to the IP asset's Advanced Analytics notable session timeline.
- State
U.S. state this IP address last connected from. If the IP address connected from outside the U.S., the artifact doesn't contain this information.
Example: California
- Threat status
Whether the IP address is malicious, benign, or unknown threat.
Process Artifact Data
Every artifact type contains a unique set of data. The process artifact contains data like run time, ID, and parent process. In Incident Responder, you can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Artifact frequency
Number of open incidents that contain this artifact. Click to view a list of these incidents.
Example: 2
- End time
Date and time the process stopped running.
Example: 2019-05-06 18:56
- Parent PID
Parent process ID.
Example: 2130
- Parent process name
Program filename of the parent process.
Example: explorer.exe
- Process ID
ID of the process the artifact describes.
Example: 4109
- Process name
File name of the program that executed the process.
Example: a.exe
- Process path
Where in the file system the program file was located.
Example: C:\Users\Developer\Exabeam\Test\...
- Process UID
Process's user ID, available in Unix-like operating systems.
Example: 39569
- Related entity
The entity this artifact is related to.
Example: fweber
- Role
Whether the process is a victim, was attacked, or unknown.
- Source
Link to the process asset's Advanced Analytics notable session timeline.
- Start time
Date and time the process started running.
Example: 2019-05-06 15:56
- Threat status
Whether the process is a malicious, benign, or unknown threat, or a false positive.
URL Artifact Data
Every artifact type contains a unique set of data. The URL artifact type contains data like geolocation, IP, and role. You can input this data to a playbook action node.
If you turned on data masking in Advanced Analytics settings and you click on a link that redirects you from Case Manager to Advanced Analytics, you must have View Unmasked Data (PII) privileges to view the data in Advanced Analytics.
Glossary
- Artifact frequency
Number of open incidents that contain this artifact. Click to view a list of these incidents.
Example: 2
- City
City this URL was last accessed from.
Example: San Francisco
- Country
Country this URL was last accessed from.
Example: United States
- IP
URL's corresponding IP address.
Example: 8.8.8.8
- Related entity
The entity this artifact is related to.
Example: fweber
- Role
Whether the URL is a victim, was attacked, or unknown.
- Source
Link to the URL asset's Advanced Analytics notable session timeline.
- State
U.S. state this URL was last accessed from. If the URL was accessed outside the U.S., the entity doesn't contain this information.
Example: California
- Threat status
Whether the URL is a malicious, benign, or unknown threat, or a false positive.
- URL
URL the artifact describes.
Example: https://www.exabeam.com