Artifacts tab

The Artifacts tab lists all of the artifacts added to the case and allows you to add, edit, delete, and perform actions on artifacts. If the list is long, you can filter by artifact type.

You add artifacts by clicking Add Artifact. Select the type of artifact, then enter information such as the type, an attachment if prompted, and a description of the artifact, including how it relates to the case. For some artifact types, such as IP addresses, you can enter multiple values. Make sure to separate new values with a newline, space or comma, depending on the artifact type. See the tooltip by the artifact value for the valid separators. After you add an artifact to the case, it is also added to the account-wide artifacts view, as described in Artifacts view.

You can limit the view to specific artifacts. Click Filters to specify the criteria. For most selections, you can further filter the results. Additionally, you can click Set timeframe and limit the view to artifacts added or modified within a specific time.

You can export the incident artifacts to a .csv file to share indicators of compromise with third parties. To export the incident artifacts, click Export Artifacts and then click Download.

You can take actions on each artifact in the Artifacts tab by clicking the vertical ellipsis under Actions. The available actions depend on the type of artifact. For example, if there is an IP address artifact, you can click […] and then Run Query in Data Explorer in the action menu to run a query in Data Explorer on this artifact, as shown in the following graphic.

[Graphic: snapshot of the user interface, described by the surrounding text.]
Note: The action to run the query in Data Explorer is available only to users who have permissions in Data Explorer.

In the list of artifacts, you can see any matches from threat intelligence feeds in the Hits column. The Value column shows the artifact value.

The setting for each artifact type determines whether to show or ignore relationships with other cases. If you can view relationships, the Related Case Count column displays the total number of cases that have artifacts with the same value, regardless of artifact type. A dash in the Related Case Count column indicates that the related case setting is not enabled.

Individual artifact

Click the link in the Related Case or Value column to go to the artifact view:
  • From here you can see the case artifact details, showing the details of this artifact as it relates to the case, for example, when it was added to the case. You can click in the Description to edit inline.
  • Below this is the account-wide view of the artifact, with the account name displayed. This shows the artifact details, such as when the artifact itself was created. You can click in the Summary to edit inline, or click in Tags to add or remove artifact tags, where tags are case sensitive. Click the First seen link to go to the case to which the artifact was first added. Click the Last seen link to go to the case to which the artifact was most recently added.
  • From the Hits section, you can view the hits information, which shows any hits from threat intelligence sources.
  • For DNS and IP Address type artifacts, the Whois section shows Whois information for the DNS name or IP address, if IBM X-Force Exchange is enabled.
  • From the Related Cases section, you can see a list of any related cases. You can click cases for which you have permission to view. If you do not have permission, you can see the case ID and owner but you cannot access the case.
  • From the Geolocation section, you can see geolocation data for IP address artifact types, if your organization enabled this feature.
  • From the Artifact History section, you can view a newsfeed of the artifact history, showing when the artifact was created, changed, added to or removed from a case. You can add or remove filters to control what is shown in the history, for example, if tags were added or removed.
The following graphic shows an example of an IP address artifact. Some of the sections are minimized. The artifact history is shown at the bottom.
[Graphic: snapshot of the user interface, described by the surrounding text.]
Note: To reduce duplication of artifacts, when you add an artifact that is the same type and value as an existing artifact, the existing artifact is updated and the description is appended to the existing one. This behavior does not apply to the Observed Data artifact type and non-malware file samples such as log files and email attachments.