Configuring artifact types
You can create, edit and test artifact types, and determine default behavior.
An artifact is data that supports or relates to an incident. The SOAR Platform organizes artifacts by type, such as file name, MAC address, suspicious URL, MD5 and SHA1 file hashes, and more. An artifact can also have an attachment, such as an email, log file, or malware sample.
The Artifacts tab lists the system-provided and user-created artifact types. A system-provided artifact type has a Yes in the Built-in column. User-created artifact types have a No in the column.
- Relate Incidents. Determine whether the SOAR Platform shows a relationship between incidents when they contain the same artifact. See Show Incident Relationships for details.
- Threat scan. Determine whether an artifact of the artifact type is sent to a cyberthreat source to be scanned. This setting applies only to system-provided artifact types that can be scanned by system-provided threat sources.
Use Create Artifact Type to create your own custom artifact types that better organize artifacts for your environment.
You can delete any artifact type by clicking the delete icon; however, you cannot delete an artifact type if it is referenced by a condition in a rule or playbook. After an artifact type is deleted, users can no longer select it, but any artifacts of that type that are attached to an incident are still available.