Introduction
This article provides information about the artifact field in the Event Management panel.
Artifact
Logsign creates a case for the security incidents it detects and allows you to investigate them from the Event Management panel. Collecting the findings related to the detected incident requires serious effort in terms of reporting, dashboarding, and analysis.
In the Event Management - Artifact field, Logsign shares the findings related to the incident with you in categories such as Intelligence Map, Entities, Response, Incidents, Last Triggered Alert, Events, Networks, Process, File, DNS, and Identity.
Let's illustrate with an example scenario;
When an alarm is triggered for the IP address 10.100.100.16, we can find the column to which the IP belongs in the artifact in the event case panel as 'action.object'. We can find the user, file, hash, and network activities that may be associated with this IP address under the artifact.
When you access the Event Management panel, the findings related to the incident are shared with you in the Artifacts Monitor. You can investigate user, source, URL, IP, file, and hash activities within the findings related to the incident as a widget.
We need to go to the Artifact section to examine the detailed information.
You can review all the findings related to the event from the section shown below. The objects within the artifact include the users, IP addresses, and sources that Logsign associates with the event. In addition to these, you can also manually add your own findings and improve the contents by using the + Artifact button.
Based on the above image, we can say that the IPs 10.100.100.16, 192.241.237.24, and 10.10.0.13 are associated with the event.
Let's explain this situation with another example, in the above image we can say that the adminlgs user is associated with the event. We can also say that the source or domain addresses of EDU-HOST11.logsign.academy and zg-1220i-143.stretchoid.com are also related to the event.
Further down the panel, there are event actions that are sorted according to the timeline.
Action Result: Provides the output of the notification made in case of an action (Response) related to the incident.
Entities: Provides the output when there is a match with the user or entity specified in the system related to the incident.
Incidents: Provides the output of the temporal graph of the alarms related to the incident. Clicking on the alarms in the panel provides the output of the logs that triggered the alarms.
Intelligence Map: Provides the information about the geographical location of an IP address related to the incident when the IP address is identified as malicious.
Activities: Provides logs about network, file, user, and DNS activities related to the incident.
Events: A panel that provides general logs related to the incident.
Network: Provides the network activities of the IP address related to the incident. You can use the following query for detailed analysis.
Action.Object: 10.100.100.16
Query: "10.100.100.16" (Event.VendorID:(5156 OR 3) OR (DataType:"log" EventMap.Context:"Network")) Destination.Position:"out"
Process: Displays the process logs related to the IP address found in the incident on the source side.
You can use the following query for detailed analysis.
Action.Object: 10.100.100.16
Query: "10.100.100.16" Event.VendorID:(1 OR 10 OR 4688 OR 4689) EventMap.Type:"Process"
File: Shows the file movements associated with the incident.
Action.Object: 10.100.100.16
Query: "10.100.100.16" Event.VendorID:(11 OR 4656 OR 4660 OR 4663)
DNS: Shows the DNS requests of the IP address associated with the incident.
Action.Object: 10.100.100.16
Query: "10.100.100.16" @@DNSEvents
Identity: Displays the user login attempts with the IP address associated with the incident.
Action.Object: 10.100.100.16
Query: "10.100.100.16" Event.VendorID:(4704 OR 4705 OR 4624 OR 4625 OR 4634 OR 4720 OR 4722 OR 4723 OR 4724 OR 4725 OR 4726 OR 4738 OR 4740 OR 4767)
Last Triggered Alert: Shows the last triggered alarm associated with the incident.