Artifact operations

To access the artifact operations, the selected Object Type for the script must be Artifact. The object contains artifact data and helper methods.

Type artifact. (with the trailing period) in the script line to see the available operations.

Operation Description
attachment
Returns an array of attachment metadata objects. The attachment metadata objects are not visible in the script editor type-ahead.
created
Returns the date that the artifact was created.
description
Returns the artifact description.
global_info.first_associated_time
global_info.last_associated_time
global_info.related_incident_count
global_info.relating_incidents
global_info.scan_option
global_info.summary
Returns artifact properties.
  • First and last associated times are the First Seen and Last Seen properties.
  • Incident count shows the number of incidents that are impacted by the artifact.
  • Relating incidents is the option to show or hide the related incidents.
  • Scan option is the setting to send or not send the artifact to a threat source.
  • Summary is the text that describes the artifact.

You can set relating_incidents, scan_option, and summary.

This operation does not apply to artifacts of the type Observed Data, and is available in Python 3 only.

hits
Returns the content of matches with intelligence threat feeds.
id
Returns the artifact ID.
inc_id
Returns the incident ID.
ip
Returns properties of an IP artifact, such as 'source': False, and 'destination': True.
last_modified_time
Returns the time that the artifact was last modified.
relating
Returns the value that determines whether the artifact is configured to show a relationship between incidents when they contain the same artifact.
type
Returns the artifact type.
value
Returns the artifact's value.
addHit

Adds a hit to an artifact that you provide. You must provide a name, value, and type for each property. The type must be a string, number, uri, ip, or lat_lng. Within value, you can use \n to add line breaks for readability of the text in the user interface.

This operation does not support the Observed Data artifact type, and is available in Python 3 only. The hit must be defined as a list of dictionaries before you use this operation. See the example after the table.

addTags
Adds one or more tags to an artifact, except for the Observed Data artifact type. This operation is available in Python 3 only.
getAllTags
Returns the artifact's tags, except for the Observed Data artifact type. This method is available in Python 3 only.
containsTag
Returns those artifacts with the tags that you specify. It does not return tags from artifacts with the type of Observed Data. This method is available in Python 3 only.
getParentObject
Returns the incident script object that owns this artifact.
removeTags
Deletes one or more tags from an artifact, except for the Observed Data artifact type. This method is available in Python 3 only.
The following example is a post-process script used to add hits from Google Safe Browsing.
# This link contains further information on the site status of the URL that is being checked
LINK_URL = "https://www.google.com/transparencyreport/safebrowsing/diagnostic/#url={}"
if results.success:
  if results.content:
    resp = results.content
    # Add one hit per match that the threat feed returned
    for match in resp.get("matches", []):
      linkurl = match["threat"]["url"]
      link = LINK_URL.format(linkurl)
      # A hit is a list of dictionaries; each property needs a name, type, and value
      hit = [
        {
          "name": "Threat Type",
          "type": "string",
          "value": "{}".format(match["threatType"])
        },
        {
          "name": "Report Link",
          "type": "uri",
          "value": "{}".format(link)
        },
        {
          "name": "Platform Type",
          "type": "string",
          "value": "{}".format(match["platformType"])
        },
        {
          "name": "URL Name",
          "type": "string",
          "value": "{}".format(linkurl)
        }
      ]
      artifact.addHit("Google Safe Browsing Function", hit)
else:
  # The function call did not succeed; record the reason on the incident
  incident.addNote("Google Safe Browsing url check failed: {}".format(results.reason))
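
A defensive variant of the hit-building step, as an added example that is not part of the original page or the product's own code: it checks each property against the rules given for addHit (name, value, and type present; type one of string, number, uri, ip, lat_lng) and skips fields that the feed did not return. The names validate_hit, hit_from_match, add_validated_hit, StubArtifact, and SAMPLE_MATCHES are hypothetical, and the sample matches are constructed.

```python
# Added example: validate hit properties before calling artifact.addHit.
ALLOWED_TYPES = ("string", "number", "uri", "ip", "lat_lng")  # types the table lists
REQUIRED_KEYS = ("name", "type", "value")
# Constructed sample matches; the second one lacks every field the script reads.
SAMPLE_MATCHES = [
    {"threatType": "MALWARE", "platformType": "ANY_PLATFORM",
     "threat": {"url": "http://malware.example/"}},
    {},
]

def validate_hit(hit):
    """Return a list of problems; an empty list means the hit is well formed."""
    if not isinstance(hit, list) or not hit:
        return ["hit must be a non-empty list of dictionaries"]
    problems = []
    for i, prop in enumerate(hit):
        if not isinstance(prop, dict):
            problems.append("property {} is not a dictionary".format(i))
            continue
        for key in REQUIRED_KEYS:
            if prop.get(key) in (None, ""):
                problems.append("property {} is missing '{}'".format(i, key))
        if prop.get("type") and prop["type"] not in ALLOWED_TYPES:
            problems.append("property {} has unsupported type '{}'".format(i, prop["type"]))
    return problems

def hit_from_match(match):
    """Build a hit from one match, tolerating fields the feed did not return."""
    url = (match.get("threat") or {}).get("url")
    fields = [("Threat Type", match.get("threatType")),
              ("Platform Type", match.get("platformType")),
              ("URL Name", url)]
    # Skip absent fields instead of storing the text "None" as a value.
    return [{"name": n, "type": "string", "value": str(v)} for n, v in fields if v]

def add_validated_hit(artifact, source, hit):
    """Call artifact.addHit only for a well-formed hit; return the problems found."""
    problems = validate_hit(hit)
    if not problems:
        artifact.addHit(source, hit)
    return problems

class StubArtifact:
    """Constructed stand-in for the script's artifact object, for offline runs."""
    def __init__(self):
        self.hits = []

    def addHit(self, source, hit):
        self.hits.append((source, hit))
```

In a post-process script, pass the real artifact object to add_validated_hit and write any returned problems to an incident note so that malformed feed responses are visible to the analyst.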