
Add New Artifacts in Event Playbook

LAST UPDATED: AUG 06, 2024

Adds new artifacts of the selected type to the ingested event in the event playbook.

Implementation

Python

Command Category

System Utility

Tags

ARTIFACTEVENT

READER NOTE

This command is only applicable within an event playbook's "On Event Ingestion" trigger; it is not intended for use in other triggers or in incident playbooks.

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Source Type

Required

The source type whose data will be manipulated — in an "On Event Ingestion" playbook this is normally the ingested event exposed as the trigger output (see the sample value below).

Trigger Output Data

Artifact Type

Required

The type of the artifact(s). The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match system composite artifact types based on the field names provided in Artifact Fields; auto-detection covers composite types only, so single-field and user-defined artifact types should be named explicitly here.

URL

Artifact Fields

Required

The value of the artifact(s), as a JSON array of objects. For system composite artifact types, use the field names shown in the sample data (for example Url, SHA256, ProcessCommandLine); an optional REP object with a RiskLevel can be attached to set the artifact's reputation. For single-field and user-defined artifact types, supply the value in an Identity field, optionally together with a REP object and an Additional object of extra key/value pairs, as in the last element of the sample. Field values are written into the event as supplied from the ingested source, so treat them as untrusted data: validate hash lengths, IP addresses and similar identifiers upstream if your playbook logic depends on them, and remember that a command line such as the sample's ProcessCommandLine is stored as an artifact value, not executed.

JSON
[
    {
        "Internal_HostName": "InternalHost",
        "Internal_IPAddress": "192.168.1.1",
        "Internal_HostFQDN": "internalEndpoint.com"
    },
    {
        "External_HostName": "ExternalHost",
        "External_IPAddress": "64.233.161.147",
        "External_HostFQDN": "externalEndpoint.com",
        "REP": {
            "RiskLevel": "low"
        }
    },
    {
        "Url": "http://sampleurl.com",
        "REP": {
            "RiskLevel": "low"
        }
    },
    {
        "FileName": "sampleFile",
        "FilePath": "samplePath",
        "SHA256": "5e966c80f6122cd1c766e1c6c45fba3584940f9d99135ab7fe8fa000f859c469",
        "MD5": "098f6bcd4621d373cade4e832627b4f6",
        "SHA1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
        "REP": {
            "RiskLevel": "High"
        }
    },
    {
        "UserName": "sampleUser",
        "UserFQDN": " "
    },
    {
        "EmailAddress": "sampleEmailAddress@gmail.com"
    },
    {
        "DriverBaseAddr": "sampleDriver.com"
    },
    {
        "ProcessGuid": "1589170327575",
        "ProcessName": "powershell.exe",
        "ProcessID": "21721",
        "ProcessIntegrityLevel": "",
        "ProcessCurrentDirectory": "",
        "ProcessCommandLine": "powershell -Command $File=\\C:\\Users\\devin\\AppData\\Local\\Temp\\bbotstage.png\\;$Content=get-content $File;$Contento=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Content));Set-ExecutionPolicy Bypass -Scope Process -Force;IEX($Contento)",
        "ProcessOS": ""
    },
    {
        "RegistryKey": "sampleKey",
        "RegistryPath": "samplePath",
        "RegistryValueName": "sampleRegistryValueName",
        "RegistryValueData": "sampleRegistryValueData",
        "RegistryDetails": "sampleRegistryDetails"
    },
    {
        "ServiceId": "sampleServiceId",
        "ServiceName": "sampleServiceName",
        "ServiceStartMode": "sampleServiceStartMode",
        "ServiceStatus": "sampleServiceStatus"
    },
    {
        "ModuleBaseAddr": "sampleModuleBaseAddr.com"
    },
    {
        "Signature": "sampleSignature",
        "SignatureID": "sampleSignatureID",
        "SignatureSeverity": "Low",
        "SignatureSource": "sampleSignatureSource",
        "SignatureType": "sampleSignatureType"
    },
    {
        "CertName": "sampleCertName",
        "CertSerial": "sampleCertSerial"
    },
    {
        "Identity": "customartifactid",
        "REP": {
            "RiskLevel": "High"
        },
        "Additional": {
            "Action result": "action result update",
            "Action result ID": "",
            "Action taken": "",
            "Affected Machine Name": "affected Machines Name"
        }
    }
]

Output

Return Data

The returned result of this command: an object keyed by artifact category (InternalEndpoints, ExternalEndpoints, Users, Processes, Registries, EmailAddrs, Files, InternalURLs, Drivers, …), each holding the artifacts created with their assigned AFTypeId and RoleId. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks. Note that the sample below is illustrative and does not correspond field-for-field to the sample input above (for example, the external IP, URL and process values differ, and REP.RiskLevel is returned as a number rather than the string label accepted on input).

SAMPLE DATA

JSON
{
    "InternalEndpoints": [
        {
            "AFTypeId": 1,
            "REP": null,
            "RoleId": 102,
            "HostName": "InternalHost",
            "IPAddress": "192.168.1.1",
            "IPAddresses": [
                {
                    "IPAddress": "192.168.1.1",
                    "IPType": 1
                }
            ],
            "HostFQDN": "internalEndpoint.com"
        }
    ],
    "ExternalEndpoints": [
        {
            "AFTypeId": 2,
            "REP": null,
            "RoleId": 102,
            "HostName": "ExternalHost",
            "IPAddress": "192.168.2.1",
            "IPAddresses": [
                {
                    "IPAddress": "192.168.2.1",
                    "IPType": 1
                }
            ],
            "HostFQDN": "externalEndpoint.com"
        }
    ],
    "Users": [
        {
            "AFTypeId": 5,
            "RoleId": 200,
            "REP": null,
            "UserName": "sampleUser",
            "UserFQDN": "sampleUser.com",
            "UserSID": "1"
        }
    ],
    "Processes": [
        {
            "ProcessName": "sampleProcess",
            "ProcessGuid": "D1340448-23CC-4BE8-A07F-CBB79AE5D0A7",
            "REP": {
                "RiskLevel": 1,
                "RiskResult1": null,
                "RiskResult2": null,
                "Resource": "",
                "UTCDateModified": null
            },
            "AFTypeId": 7,
            "RoleId": 400
        }
    ],
    "Registries": [
        {
            "AFTypeId": 13,
            "RoleId": 900,
            "REP": null,
            "RegistryKey": "sampleKey",
            "RegistryPath": "samplePath"
        }
    ],
    "EmailAddrs": [
        {
            "AFTypeId": 6,
            "RoleId": 1301,
            "EmailAddr": "sampleSender@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1302,
            "EmailAddr": "sampleRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1303,
            "EmailAddr": "sampleOriginalSender@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1304,
            "EmailAddr": "sampleOriginalRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1306,
            "EmailAddr": "sampleToRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1307,
            "EmailAddr": "sampleCcRecipient@gmail.com",
            "REP": null
        }
    ],
    "Files": [
        {
            "AFTypeId": 4,
            "RoleId": 300,
            "REP": null,
            "FileName": "sampleFile",
            "FilePath": "samplePath",
            "SHA256": "5e966c80f6122cd1c766e1c6c45fba3584940f9d99135ab7fe8fa000f859c469",
            "MD5": "098f6bcd4621d373cade4e832627b4f6",
            "SHA1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
            "FileSignatureExists": "True",
            "FileSignatureVerified": "True",
            "FileVersion": "1.0",
            "FileDesc": "Sample file",
            "CreationUtcTime": "2022-06-16",
            "PreviousCreationUtcTime": "2022-06-15",
            "FileAccessTimeUtc": "2022-06-15",
            "FileModifyTimeUtc": "2022-06-15"
        }
    ],
    "InternalURLs": [
        {
            "AFName": "test3.com",
            "AFTypeId": 3,
            "RoleId": 1200,
            "REP": null,
            "UrlHash": "de8190c59e122d397cf759e01c83feebd1e0d94b382a44ff33df008e4395f63c",
            "Url": "test3.com"
        }
    ],
    "Drivers": [
        {
            "AFTypeId": 10,
            "RoleId": 500,
            "REP": null,
            "DriverBaseAddr": "sampleDriver.com"
        }
    ]
}
