
Each artifact record carries the following fields:

A unique identifier for the artifact, generated by the platform.
A name of the artifact as identified by the ingestion app from the data source.
The label as identified by the app that is ingesting the data. Labels can be anything that is found to be the label of the data or event in the ingestion data source. For example, labels can be event, FWAlert, AVAlert, to name a few.
The identifier of the artifact as found in the ingestion data source.
The timestamp of when this artifact was created in Splunk SOAR.
The timestamp of when this artifact was first seen. This timestamp typically coincides with when the artifact was initially detected or produced by the device that generated it.
The timestamp of this artifact as last seen in the ingestion data source.
The severity of the artifact. For example, medium, high, or a custom severity created by an administrator.
The type is used to identify the origin of this artifact, such as "network" or "host".
The kill-chain value as specified by the ingestion app and data source.
The hash of the contents of the artifact, for example "hash": "7a61100894c1eb24a59c67ce245d2d8c". The hash is used by the platform to avoid saving duplicate artifacts for the same container.
A normalized representation of the data mapped to each field's representative CEF key.
The ID of the container that contains this artifact.
The list of tags assigned to this artifact.

As a case proceeds, users and automation can add artifacts of interest. Splunk SOAR attempts to prevent duplicate artifacts from appearing in the system by comparing the content hash of artifacts within the same container. However, inconsistencies occur when using a mix of input sources. For example, one user can't add an artifact twice, but different users can add the same artifact.
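The per-container deduplication described above, as an added illustrative model that is not Splunk SOAR's own code: the hash recipe (a digest over the sorted, normalized CEF fields plus name and label) and the `ArtifactStore` class are assumptions, chosen to show why the same artifact is rejected a second time in one container but accepted in another.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Illustrative model only; Splunk SOAR's real hash computation is not documented
# on this page, so the recipe below is an assumption for demonstration.


def artifact_hash(cef: Dict[str, str], name: str, label: str) -> str:
    """Digest of the normalized artifact content.

    Keys are sorted before hashing so that the order in which the ingestion
    source presents the CEF fields does not change the hash. MD5 is used only
    to produce a 32-hex-digit value like the example on the page.
    """
    canonical = json.dumps(
        {"name": name, "label": label, "cef": cef},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.md5(canonical.encode("utf-8")).hexdigest()


class ArtifactStore:
    """Keeps one copy of each artifact per container, keyed by (container, hash)."""

    def __init__(self) -> None:
        self._seen: Dict[Tuple[int, str], int] = {}
        self.artifacts: List[dict] = []

    def add(self, container: int, name: str, label: str,
            cef: Dict[str, str]) -> Optional[int]:
        """Save the artifact and return its id, or None if the same content
        already exists in this container (duplicate within one container)."""
        digest = artifact_hash(cef, name, label)
        key = (container, digest)
        if key in self._seen:
            return None
        artifact = {
            "id": len(self.artifacts) + 1,
            "container": container,
            "name": name,
            "label": label,
            "cef": cef,
            "hash": digest,
        }
        self.artifacts.append(artifact)
        self._seen[key] = artifact["id"]
        return artifact["id"]
```

Note that the same content added to a different container gets a fresh id, which is the behaviour that lets two users (or two input sources) end up with the same artifact in the system.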
