Add New Artifacts in Preprocessing Playbook

Last updated: September 05, 2025

Adds new artifacts of the selected type to the ingested event in the preprocessing playbook.

Implementation	Python
Command Category	System Utility
Tags	ARTIFACT EVENT

READER NOTE

This command is only applicable within a preprocessing playbook's On Event Ingestion trigger.

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Source Type	Required	The source type whose data will be manipulated.	Trigger Output Data
Artifact Type	Required	The built-in or custom artifact type. By default, the command will automatically match built-in composite (legacy) artifact types from the values provided in Artifact Fields.	URL Built-in artifacts Single Field and Composite Built-In Artifacts single field artifacts Internal Endpoint Domain Name External Endpoint Domain Name Internal IP External IP Host Name Username Filename File Hash SHA256 File Hash MD5 File Hash SHA1 Process Guid Signature Identity Registry Key Path File Location User Agent Common Vulnerabilities and Exposure File Hash SHA512 File Hash SSDeep Import Hash Authentication Hash IPv4 CIDR XMPP Address Bitcoin Address Monero Address MAC Address Traffic Light Protocol Label Autonomous System Number Google Adsense Publisher ID Google Analytics Tracker ID Enterprise Attack Mitigation Mobile Attack Mitigation Pre Attack Tactic Enterprise Attack Tactic Mobile Attack Tactic Pre Attack Technique Enterprise Attack Technique Mobile Attack Technique Composite (legacy) artifacts URL Internal Endpoint External Endpoint Email Address User File Process Service Module Drive Signature Certificate Registry Unknown
Artifact Fields	Required	A JSON array containing objects of a single artifact type. Each artifact object follows the schema associated with the type. Each composite artifact type has its own unique schema. Single-field artifacts—both built-in and custom—follow a prescribed format.	JSON `[ { "Url": "<url>", "REP": { "RiskLevel": "<risk_level>" } } ]` Composite Artifacts Object Mappings URL JSON `{ "Url": "<url>", "REP": { "RiskLevel": "<risk_level>" } }` Internal Endpoint JSON `{ "Internal_HostName": "<internal_host_name>", "Internal_IPAddress": "<internal_ip_address>", "Internal_HostFQDN": "<internal_host_fqdn>" }` external Endpoint JSON `{ "External_HostName": "<external_host_name>", "External_IPAddress": "<external_ip_address>", "External_HostFQDN": "<external_host_fqdn>", "REP": { "RiskLevel": "<risk_level>" } }` Email Address JSON `{ "EmailAddress": "<email_address>" }` User JSON `{ "UserName": "<user_name>", "UserFQDN": "<user_fqdn>" }` File JSON `{ "FileName": "<file_name>", "FilePath": "<file_path>", "SHA256": "<sha256>", "MD5": "<md5>", "SHA1": "<sha1>", "REP": { "RiskLevel": "<risk_level>" } }` Process JSON `{ "ProcessGuid": "<process_guid>", "ProcessName": "<process_name>", "ProcessID": "<process_id>", "ProcessIntegrityLevel": "<process_integrity_level>", "ProcessCurrentDirectory": "<process_current_directory>", "ProcessCommandLine": "<process_command_line>", "ProcessOS": "<process_os>" }` Service JSON `{ "ServiceId": "<service_id>", "ServiceName": "<service_name>", "ServiceStartMode": "<service_start_mode>", "ServiceStatus": "<service_status>" }` Module JSON `{ "ModuleBaseAddr": "<module_base_addr>" }` Driver JSON `{ "DriverBaseAddr": "<driver_base_addr>" }` Signature JSON `{ "Signature": "<signature>", "SignatureID": "<signature_id>", "SignatureSeverity": "<signature_severity>", "SignatureSource": "<signature_source>", "SignatureType": "<signature_type>" }` Certificate JSON `{ "CertName": "<cert_name>", "CertSerial": "<cert_serial>" }` Registry JSON `{ "RegistryKey": "<registry_key>", "RegistryPath": "<registry_path>", "RegistryValueName": "<registry_value_name>", "RegistryValueData": "<registry_value_data>", "RegistryDetails": "<registry_details>" }` Single field / Custom artifacts Single Field Artifact Object Format JSON `{ "Identity": "<identity>", "REP": { "RiskLevel": "<risk_level>" }, "Additional": { "<custom_key1>": "<custom_value1>", "<custom_key2>": "<custom_value2>", "<custom_key3>": "<custom_value3>", ... "<custom_keyN>": "<custom_valueN>" } }`

Parameter Name

Required/Optional

Description

Sample Data

Source Type

Required

The source type whose data will be manipulated.

Trigger Output Data

Artifact Type

Required

The built-in or custom artifact type.

By default, the command will automatically match built-in composite (legacy) artifact types from the values provided in Artifact Fields.

URL

Built-in artifacts

Single Field and Composite Built-In Artifacts

single field artifacts

Internal Endpoint Domain Name
External Endpoint Domain Name
Internal IP
External IP
Host Name
Username
Filename
File Hash SHA256
File Hash MD5
File Hash SHA1
Process Guid
Signature Identity
Registry Key Path
File Location
User Agent
Common Vulnerabilities and Exposure
File Hash SHA512
File Hash SSDeep
Import Hash
Authentication Hash
IPv4 CIDR
XMPP Address
Bitcoin Address
Monero Address
MAC Address
Traffic Light Protocol Label
Autonomous System Number
Google Adsense Publisher ID
Google Analytics Tracker ID
Enterprise Attack Mitigation
Mobile Attack Mitigation
Pre Attack Tactic
Enterprise Attack Tactic
Mobile Attack Tactic
Pre Attack Technique
Enterprise Attack Technique
Mobile Attack Technique

Composite (legacy) artifacts

URL
Internal Endpoint
External Endpoint
Email Address
User
File
Process
Service
Module
Drive
Signature
Certificate
Registry
Unknown

Artifact Fields

Required

A JSON array containing objects of a single artifact type. Each artifact object follows the schema associated with the type.

Each composite artifact type has its own unique schema.
Single-field artifacts—both built-in and custom—follow a prescribed format.

JSON

[
    {
        "Url": "<url>",
        "REP": {
            "RiskLevel": "<risk_level>"
        }
    }
]

Composite Artifacts

Object Mappings

URL

JSON

{
    "Url": "<url>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

Internal Endpoint

JSON

{
    "Internal_HostName": "<internal_host_name>",
    "Internal_IPAddress": "<internal_ip_address>",
    "Internal_HostFQDN": "<internal_host_fqdn>"
}

external Endpoint

JSON

{
    "External_HostName": "<external_host_name>",
    "External_IPAddress": "<external_ip_address>",
    "External_HostFQDN": "<external_host_fqdn>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

Email Address

JSON

{
    "EmailAddress": "<email_address>"
}

User

JSON

{
    "UserName": "<user_name>",
    "UserFQDN": "<user_fqdn>"
}

File

JSON

{
    "FileName": "<file_name>",
    "FilePath": "<file_path>",
    "SHA256": "<sha256>",
    "MD5": "<md5>",
    "SHA1": "<sha1>",
    "REP": {
        "RiskLevel": "<risk_level>"
    }
}

Process

JSON

{
    "ProcessGuid": "<process_guid>",
    "ProcessName": "<process_name>",
    "ProcessID": "<process_id>",
    "ProcessIntegrityLevel": "<process_integrity_level>",
    "ProcessCurrentDirectory": "<process_current_directory>",
    "ProcessCommandLine": "<process_command_line>",
    "ProcessOS": "<process_os>"
}

Service

JSON

{
    "ServiceId": "<service_id>",
    "ServiceName": "<service_name>",
    "ServiceStartMode": "<service_start_mode>",
    "ServiceStatus": "<service_status>"
}

Module

JSON

{
    "ModuleBaseAddr": "<module_base_addr>"
}

Driver

JSON

{
    "DriverBaseAddr": "<driver_base_addr>"
}

Signature

JSON

{
    "Signature": "<signature>",
    "SignatureID": "<signature_id>",
    "SignatureSeverity": "<signature_severity>",
    "SignatureSource": "<signature_source>",
    "SignatureType": "<signature_type>"
}

Certificate

JSON

{
    "CertName": "<cert_name>",
    "CertSerial": "<cert_serial>"
}

Registry

JSON

{
    "RegistryKey": "<registry_key>",
    "RegistryPath": "<registry_path>",
    "RegistryValueName": "<registry_value_name>",
    "RegistryValueData": "<registry_value_data>",
    "RegistryDetails": "<registry_details>"
}

Single field / Custom artifacts

Single Field Artifact Object Format

JSON

{
    "Identity": "<identity>",
    "REP": {
        "RiskLevel": "<risk_level>"
    },
    "Additional": {
        "<custom_key1>": "<custom_value1>",
        "<custom_key2>": "<custom_value2>",
        "<custom_key3>": "<custom_value3>",
        ...
        "<custom_keyN>": "<custom_valueN>"
    }
}

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

Sample Data

JSON

{
    "EmailAddrs": [
        {
            "AFTypeId": 6,
            "RoleId": 1301,
            "EmailAddr": "sampleSender@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1302,
            "EmailAddr": "sampleRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1303,
            "EmailAddr": "sampleOriginalSender@gamil.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1304,
            "EmailAddr": "sampleOriginalRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1306,
            "EmailAddr": "sampleToRecipient@gmail.com",
            "REP": null
        },
        {
            "AFTypeId": 6,
            "RoleId": 1307,
            "EmailAddr": "sampleCcRecipient@gmail.com",
            "REP": null
        }
    ]
}