
Add New Artifacts in Preprocessing Playbook

LAST UPDATED: SEPTEMBER 05, 2025

Adds new artifacts of the selected type to the ingested event in the preprocessing playbook.

Implementation: Python

Command Category: System Utility

Tags: ARTIFACT, EVENT

READER NOTE

This command is only applicable within a preprocessing playbook's On Event Ingestion trigger.

Inputs

Parameter Name: Source Type
Required/Optional: Required
Description: The source type whose data will be manipulated.
Sample Data: Trigger Output Data

Parameter Name: Artifact Type
Required/Optional: Required
Description: The built-in or custom artifact type. By default, the command will automatically match built-in composite (legacy) artifact types from the values provided in Artifact Fields.
Sample Data: URL


BUILT-IN ARTIFACTS

Single Field and Composite Built-In Artifacts

SINGLE FIELD ARTIFACTS

  • Internal Endpoint Domain Name

  • External Endpoint Domain Name

  • Internal IP

  • External IP

  • Host Name

  • Username

  • Filename

  • File Hash SHA256

  • File Hash MD5

  • File Hash SHA1

  • Process Guid

  • Signature Identity

  • Registry Key Path

  • File Location

  • User Agent

  • Common Vulnerabilities and Exposure

  • File Hash SHA512

  • File Hash SSDeep

  • Import Hash

  • Authentication Hash

  • IPv4 CIDR

  • XMPP Address

  • Bitcoin Address

  • Monero Address

  • MAC Address

  • Traffic Light Protocol Label

  • Autonomous System Number

  • Google Adsense Publisher ID

  • Google Analytics Tracker ID

  • Enterprise Attack Mitigation

  • Mobile Attack Mitigation

  • Pre Attack Tactic

  • Enterprise Attack Tactic

  • Mobile Attack Tactic

  • Pre Attack Technique

  • Enterprise Attack Technique

  • Mobile Attack Technique

COMPOSITE (LEGACY) ARTIFACTS

  • URL

  • Internal Endpoint

  • External Endpoint

  • Email Address

  • User

  • File

  • Process

  • Service

  • Module

  • Driver

  • Signature

  • Certificate

  • Registry

  • Unknown

Parameter Name: Artifact Fields
Required/Optional: Required
Description: A JSON array containing objects of a single artifact type. Each artifact object follows the schema associated with the type.
Sample Data:

JSON
[
    {
        "Url": "<url>",
        "REP": {
            "RiskLevel": "<risk_level>"
        }
    }
]

COMPOSITE ARTIFACTS

Object Mappings

URL

JSON
{
    "Url": "<url>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

INTERNAL ENDPOINT

JSON
{
    "Internal_HostName": "<internal_host_name>",
    "Internal_IPAddress": "<internal_ip_address>",
    "Internal_HostFQDN": "<internal_host_fqdn>"
}

EXTERNAL ENDPOINT

JSON
{
    "External_HostName": "<external_host_name>",
    "External_IPAddress": "<external_ip_address>",
    "External_HostFQDN": "<external_host_fqdn>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

EMAIL ADDRESS

JSON
{
    "EmailAddress": "<email_address>"
}

USER

JSON
{
    "UserName": "<user_name>",
    "UserFQDN": "<user_fqdn>"
}

FILE

JSON
{
    "FileName": "<file_name>",
    "FilePath": "<file_path>",
    "SHA256": "<sha256>",
    "MD5": "<md5>",
    "SHA1": "<sha1>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

PROCESS

JSON
{
    "ProcessGuid": "<process_guid>",
    "ProcessName": "<process_name>",
    "ProcessID": "<process_id>",
    "ProcessIntegrityLevel": "<process_integrity_level>",
    "ProcessCurrentDirectory": "<process_current_directory>",
    "ProcessCommandLine": "<process_command_line>",
    "ProcessOS": "<process_os>"
}

SERVICE

JSON
{
    "ServiceId": "<service_id>",
    "ServiceName": "<service_name>",
    "ServiceStartMode": "<service_start_mode>",
    "ServiceStatus": "<service_status>"
}

MODULE

JSON
{
    "ModuleBaseAddr": "<module_base_addr>"
}

DRIVER

JSON
{
    "DriverBaseAddr": "<driver_base_addr>"
}

SIGNATURE

JSON
{
    "Signature": "<signature>",
    "SignatureID": "<signature_id>",
    "SignatureSeverity": "<signature_severity>",
    "SignatureSource": "<signature_source>",
    "SignatureType": "<signature_type>"
}

CERTIFICATE

JSON
{
    "CertName": "<cert_name>",
    "CertSerial": "<cert_serial>"
}

REGISTRY

JSON
{
    "RegistryKey": "<registry_key>",
    "RegistryPath": "<registry_path>",
    "RegistryValueName": "<registry_value_name>",
    "RegistryValueData": "<registry_value_data>",
    "RegistryDetails": "<registry_details>"
}

SINGLE FIELD / CUSTOM ARTIFACTS

Single Field Artifact Object Format

JSON
{
    "Identity": "<identity>",
    "REP": {
        "RiskLevel": "<risk_level>"
    },
    "Additional": {
        "<custom_key1>": "<custom_value1>",
        "<custom_key2>": "<custom_value2>",
        "<custom_key3>": "<custom_value3>",
        ...
        "<custom_keyN>": "<custom_valueN>"
    }
}
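
The following is an added example, not part of the original page and not the product's own code: a pre-flight check that an Artifact Fields array is a JSON array whose objects all belong to the selected artifact type. The names `COMPOSITE_FIELDS`, `SINGLE_FIELD`, `check_artifact_fields` and `SAMPLE` are hypothetical, and treating the mappings above as a strict allow-list is an assumption; the command itself may accept more.

```python
import json

# Keys copied from the object mappings on this page; used here as an allow-list.
COMPOSITE_FIELDS = {
    "URL": {"Url", "REP"},
    "Internal Endpoint": {"Internal_HostName", "Internal_IPAddress", "Internal_HostFQDN"},
    "External Endpoint": {"External_HostName", "External_IPAddress", "External_HostFQDN", "REP"},
    "Email Address": {"EmailAddress"},
    "User": {"UserName", "UserFQDN"},
    "File": {"FileName", "FilePath", "SHA256", "MD5", "SHA1", "REP"},
    "Process": {"ProcessGuid", "ProcessName", "ProcessID", "ProcessIntegrityLevel",
                "ProcessCurrentDirectory", "ProcessCommandLine", "ProcessOS"},
    "Service": {"ServiceId", "ServiceName", "ServiceStartMode", "ServiceStatus"},
    "Module": {"ModuleBaseAddr"},
    "Driver": {"DriverBaseAddr"},
    "Signature": {"Signature", "SignatureID", "SignatureSeverity", "SignatureSource", "SignatureType"},
    "Certificate": {"CertName", "CertSerial"},
    "Registry": {"RegistryKey", "RegistryPath", "RegistryValueName",
                 "RegistryValueData", "RegistryDetails"},
}
SINGLE_FIELD = {"Identity", "REP", "Additional"}  # single field and custom types

def check_artifact_fields(artifact_type, artifact_fields_json):
    """Return a list of problems; an empty list means the array fits the mapping."""
    if artifact_type == "Unknown":
        return ["the page gives no object mapping for Unknown"]
    allowed = COMPOSITE_FIELDS.get(artifact_type, SINGLE_FIELD)
    try:
        items = json.loads(artifact_fields_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(items, list):
        return ["Artifact Fields must be a JSON array"]
    problems = []
    for i, obj in enumerate(items):
        if not isinstance(obj, dict):
            problems.append(f"[{i}] is not an object")
            continue
        extra = sorted(set(obj) - allowed)
        if extra:  # for example, a File object inside a URL array
            problems.append(f"[{i}] keys outside the {artifact_type} mapping: {extra}")
        if not (set(obj) & allowed) - {"REP", "Additional"}:
            problems.append(f"[{i}] carries no identifying field")
        for key in ("REP", "Additional"):
            if key in obj and not isinstance(obj[key], dict):
                problems.append(f"[{i}] {key} must be an object")
    return problems
# Constructed sample: a URL array with a File object mixed in (placeholders from this page).
SAMPLE = '[{"Url": "<url>", "REP": {"RiskLevel": "<risk_level>"}}, {"FileName": "<file_name>"}]'
```

Calling `check_artifact_fields("URL", SAMPLE)` reports the second object twice: once for the `FileName` key, which is outside the URL mapping, and once for carrying no URL identifying field.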

Output

Return Data

The result returned by this command. If some required parameters are not defined, the returned data could be empty. The result can be passed directly to a subsequent command in a playbook.

SAMPLE DATA

JSON
{
    "EmailAddrs": [
        {
            "AFTypeId": 6,
            "RoleId": 1301,
            "EmailAddr": "sampleSender@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1302,
            "EmailAddr": "sampleRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1303,
            "EmailAddr": "sampleOriginalSender@gamil.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1304,
            "EmailAddr": "sampleOriginalRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1306,
            "EmailAddr": "sampleToRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1307,
            "EmailAddr": "sampleCcRecipient@gmail.com",
            "REP": null
        }
    ]
}
