Artifacts Overview
  • 08 Feb 2024
  • 1 Minute to read
  • Dark

Artifacts Overview

  • Dark

Article Summary

In ThreatConnect®, an Artifact is any piece of data not captured in a Note that provides information relevant to a Workflow Case that may be useful to an analyst. Potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types. Examples of Artifacts include domains, email addresses, log files, emails, PCAP files, screenshots, SIEM event files, and malware documents.

A Case’s Artifacts card displays a table containing all Artifacts that belong to the Case. When viewing an Artifact’s details, you can view Indicators and Groups associated or potentially associated to the Artifact and create associations to Indicators and Groups in your Organization, Communities, and Sources. Creating these associations connects information gathered in a Case with your threat intelligence data. In addition to viewing these associations on the Artifacts card, you can view them on the Artifacts card of the Associations tab on an associated Indicator’s or Group’s Details screen. If viewing an associated Indicator’s or Group’s legacy Details screen, associated Artifacts are displayed in the Associated Artifacts section of the Associations card while the card is in table view.

When viewing an Artifact whose type maps to a ThreatConnect Indicator type, you can enrich the Artifact with data retrieved from third-party enrichment services enabled and configured for the corresponding Indicator type.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for viewing Artifacts, copying hash codes for Artifacts, and enriching Artifacts with data retrieved from third-party enrichment services)
  • Organization role of Standard User (for creating and editing Artifacts and managing their associations)
  • Workflow enabled by a System Administrator
  • A Workflow Case created in your Organization
  • Cross-owner associations enabled by a System Administrator (for creating associations between Artifacts in your Organization and Groups and Indicators in Communities and Sources to which you have access)
  • An enrichment service enabled and a valid API key for that enrichment service entered by a System Administrator on the Indicators tab of the System Settings screen (for enriching Artifacts whose type maps to an Indicator type for which a third-party enrichment service is available; see the “Enrichment Tools” section of ThreatConnect System Administration Guide for more information)

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20123-01 v.04.A

Was this article helpful?

What's Next