The Evidence tab lists all of the case artifacts and you can add, edit, delete, and take actions on artifacts. If the list is long, you can filter by artifact type. This tab also shows findings, attachments, and notes.
The Findings table shows the case findings. The Severity shows the severity of each finding, which is the total of the severities of each of the unique artifacts associated with the finding. The Artifacts column shows the number of artifacts associated with the finding.
Click a finding name to go to the finding, which shows finding details such as severity, associated artifacts, enrichments, related findings, and finding properties.
From Evidence > Artifacts, you can add artifacts by clicking Add Artifact. Select the type of artifact enter information such as the type, an attachment if prompted, and a description of the artifact, including how it relates to the case. For some artifact types, you can enter multiple values, such as IP addresses. Make sure to separate new values with a newline, space, or comma, depending on the artifact type. See the tooltip by the artifact value to see the valid separators. After you add an artifact to the case, it is also added to the account-wide artifacts view, as described in Artifacts view.
You can limit the view to specific artifacts. Click Filters to specify the criteria. For most selections, you can further filter the results. Additionally, you can click Set timeframe and limit the view to artifacts added or modified within a specific time.
You can take actions on each artifact in the Evidence tab by clicking the vertical ellipsis under Actions. The available actions depend on the type of artifact. For example, if there is an IP address artifact, you can click […] and then Run Query in Data Explorer in the action menu to run a query in Data Explorer on this artifact, as shown in the following graphic.
- Severity: one of high, medium, or low. This value is automatically assigned.
- Type: specifies the type of artifact. such as an IP address or a file.
- Value: shows the artifact value.
- Related case count: shows the total number of cases containing artifacts with the same value, regardless of artifact type.
- Related findings: shows the number of related findings for the artifact for the case.
- Threat source: specifies the threat intelligence source that identified the artifact.
- Added by: shows the user who added the artifact, if it was added manually.
- Description: shows the artifact description, if one was provided.
- Tags: displays any tags that were added to the artifact.
- Actions: use this to remove an artifact or ignore a relationship.
- From here you can see the case artifact details, showing the details of this artifact as it relates to the case, for example, when it was added to the case. You can click in the Description to edit inline.
- Below this is the account-wide view of the artifact, with the account name displayed. This shows the artifact details, such as when the artifact itself was created. You can click in the Summary to edit inline, or click in Tags to add or remove artifact tags, where tags are case-sensitive. Click the First seen link to go to the case to which the artifact was first added. Click the Last seen link to go to the case to which the artifact was most recently added.
- From the Artifact properties section, any artifact properties such as name, type, and hashes are shown in a table.
- The Related Findings section shows any findings that are associated with this artifact.
- For DNS and IP address artifacts, the Whois section shows Whois information for the DNS name or IP address, if IBM X-Force Exchange is enabled.
- From the Related Cases section, you can see a list of any related cases. You can click cases for which you have permission to view. If you do not have permission, you can see the case ID and owner but you cannot access the case.
- From the Geolocation section, you can see geolocation data for IP address artifact types.
- From the Artifact History section, you can view a newsfeed of the artifact history, showing when the artifact was created, changed, added to or removed from a case. You can add or remove filters to control what is shown in the history, for example, if tags were added or removed.
You can upload attachments that are related to a case. You can upload attachments to the case or individual task.
To attach a file, open the case or task and click Evidence > Attachments. Click Upload File and select the file that you want to attach. The maximum file size is 25 MB. You can delete attachments from the case or task by clicking Delete.
To add a note or a comment to share with other members of the case management team, go to Evidence > Notes in a case. You can also add notes from the Notes tab in a task.
Type your comment in the text box. You can use the toolbar to add pictures, links, or accent your text. Click Post to post the note. If you have permissions, you can edit or delete notes by selecting the appropriate option on the Notes tab.
To direct a note to a specific case member, place your cursor in the text box and type the “@” symbol, and a list of all the case members appears. Select the members and continue entering the note. When complete, click Post.