Artifact Overview

Introduction

This article describes the Artifact field in the Event Management panel.
Artifact

Logsign creates a case for the security incidents it detects and allows you to investigate them from the Event Management panel. Collecting the findings related to the detected incident requires serious effort in terms of reporting, dashboarding, and analysis.

In the Event Management - Artifact field, Logsign shares the findings related to the incident with you in categories such as Intelligence Map, Entities, Response, Incidents, Last Triggered Alert, Events, Networks, Process, File, DNS, and Identity.

Let's illustrate with an example scenario:

When an alarm is triggered for the IP address 10.100.100.16, the column the IP belongs to is shown in the artifact of the event case panel as 'action.object'. Under the artifact we can find the user, file, hash, and network activities that may be associated with this IP address.

When you access the Event Management panel, the findings related to the incident are shared with you in the Artifacts Monitor. You can investigate user, source, URL, IP, file, and hash activities within the findings related to the incident as a widget.

[Image: 1.png]

We need to go to the Artifact section to examine the detailed information.

[Image: 2.png]

You can review all the findings related to the event from the section shown below. The objects within the artifact include the users, IP addresses, and sources that Logsign associates with the event. In addition to these, you can also manually add your own findings and improve the contents by using the + Artifact button.

[Image: 3.png]

Based on the above image, we can say that the IPs 10.100.100.16, 192.241.237.24, and 10.10.0.13 are associated with the event.

[Image: 4.png]

Let's explain this with another example: in the above image we can say that the adminlgs user is associated with the event. We can also say that the source or domain addresses EDU-HOST11.logsign.academy and zg-1220i-143.stretchoid.com are related to the event.

Further down the panel, the event actions are listed in timeline order.

Action Result: Shows the output of the notification generated when an action (Response) is taken for the incident.

Entities: Provides the output when there is a match with the user or entity specified in the system related to the incident.

[Image: 5.png]

Incidents: Provides the output of the temporal graph of the alarms related to the incident. Clicking on the alarms in the panel provides the output of the logs that triggered the alarms.

[Image: 6.png]

Intelligence Map: Provides the information about the geographical location of an IP address related to the incident when the IP address is identified as malicious.

[Image: 7.png]

Activities: Provides logs about network, file, user, and DNS activities related to the incident.

Events: A panel that provides general logs related to the incident.

[Image: 8.png]

Network: Provides the network activities of the IP address related to the incident. You can use the following query for detailed analysis.

Action.Object: 10.100.100.16

Query: "10.100.100.16" (Event.VendorID:(5156 OR 3) OR (DataType:"log" EventMap.Context:"Network")) Destination.Position:"out"

[Image: 9.png]

Process: Displays the process logs related to the IP address found in the incident on the source side.

You can use the following query for detailed analysis.

Action.Object: 10.100.100.16

Query: "10.100.100.16" Event.VendorID:(1 OR 10 OR 4688 OR 4689) EventMap.Type:"Process"

[Image: 10.png]

File: Shows the file movements associated with the incident.

Action.Object: 10.100.100.16

Query: "10.100.100.16" Event.VendorID:(11 OR 4656 OR 4660 OR 4663)

[Image: 11.png]

DNS: Shows the DNS requests of the IP address associated with the incident.

Action.Object: 10.100.100.16

Query: "10.100.100.16" @@DNSEvents

[Image: 12.png]

Identity: Displays the user login attempts with the IP address associated with the incident.

Action.Object: 10.100.100.16

Query: "10.100.100.16" Event.VendorID:(4704 OR 4705 OR 4624 OR 4625 OR 4634 OR 4720 OR 4722 OR 4723 OR 4724 OR 4725 OR 4726 OR 4738 OR 4740 OR 4767)
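As an added example (not Logsign's own code), the following Python mirrors the pivot queries given above for the Network, Process, File, DNS, and Identity tabs: it buckets a few constructed sample events by the Event.VendorID sets quoted in those queries, keyed on one Action.Object IP, the way the Artifact panel does. The event field names and the meaning of the @@DNSEvents saved search (taken here to be EventMap.Type "DNS") are assumptions.

```python
import ipaddress

# Event.VendorID sets from the article's pivot queries (assumed to be Windows and
# Sysmon event IDs as carried in Logsign's Event.VendorID field).
VENDOR_IDS = {
    "Network": {5156, 3},
    "Process": {1, 10, 4688, 4689},
    "File": {11, 4656, 4660, 4663},
    "Identity": {4704, 4705, 4624, 4625, 4634, 4720, 4722, 4723,
                 4724, 4725, 4726, 4738, 4740, 4767},
}

def mentions(event, ip):
    """The bare term "10.100.100.16" matches the IP as a whole token in any field
    (plain substring matching would wrongly let 10.100.100.1 hit 10.100.100.16)."""
    return any(ip in str(v).replace(",", " ").split() for v in event.values())

def categorize(event, ip):
    """Artifact tabs an event lands in for this Action.Object, per the article's
    queries. @@DNSEvents is a saved search the page does not define; it is
    assumed here to mean EventMap.Type == "DNS"."""
    if not mentions(event, ip):
        return set()
    vid, cats = event.get("Event.VendorID"), set()
    net_src = vid in VENDOR_IDS["Network"] or (
        event.get("DataType") == "log" and event.get("EventMap.Context") == "Network")
    if net_src and event.get("Destination.Position") == "out":
        cats.add("Network")
    if vid in VENDOR_IDS["Process"] and event.get("EventMap.Type") == "Process":
        cats.add("Process")
    if vid in VENDOR_IDS["File"]:
        cats.add("File")
    if vid in VENDOR_IDS["Identity"]:
        cats.add("Identity")
    if event.get("EventMap.Type") == "DNS":
        cats.add("DNS")
    return cats

def artifact_summary(events, action_object):
    """Group event indices by tab, as the Artifact panel does for one IP."""
    ip = str(ipaddress.ip_address(action_object))  # rejects a malformed Action.Object
    summary = {c: [] for c in ("Network", "Process", "File", "DNS", "Identity")}
    for i, ev in enumerate(events):
        for c in categorize(ev, ip):
            summary[c].append(i)
    return summary

# Constructed sample events (not real data); field names follow the article.
SAMPLE_EVENTS = [
    {"Event.VendorID": 4624, "Source.IP": "10.100.100.16", "User": "adminlgs"},
    {"Event.VendorID": 3, "Source.IP": "10.100.100.16", "Destination.IP": "192.241.237.24", "Destination.Position": "out"},
    {"Event.VendorID": 1, "EventMap.Type": "Process", "Message": "process started on 10.100.100.16"},
    {"Event.VendorID": 4663, "Source.IP": "10.10.0.13"},
    {"DataType": "log", "EventMap.Type": "DNS", "Source.IP": "10.100.100.16", "Query": "zg-1220i-143.stretchoid.com"},
]
```

Running `artifact_summary(SAMPLE_EVENTS, "10.100.100.16")` places one event in each of the Network, Process, DNS, and Identity tabs and none in File, since the only file event belongs to 10.10.0.13.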

[Image: 13.png]

Last Triggered Alert: Shows the last triggered alarm associated with the incident.

[Image: 14.png]
