Artifact Reference Guide

PERSON

Represents a real individual in your organization. Used to track human users with HR data like employee ID, department, and manager information.

IDENTITY

The base type for all accounts. Represents any account that can authenticate to systems. This is a parent type for both human and non-human identities.

HUMAN_IDENTITY

Represents a user account belonging to a person. This is the most common artifact type for tracking individual user accounts across different systems.

NON_HUMAN_IDENTITY

Represents service accounts, machine accounts, and automated identities (bots, API keys, system services).

GROUP

Represents security groups and distribution lists used for permission management.

ROLE

Represents roles that grant sets of permissions (e.g., "Administrator", "Viewer").

PERMISSION

Represents specific access rights or privileges (e.g., "Read", "Write", "Execute").

SAAS_APP

Represents cloud-based SaaS applications (e.g., Office 365, Salesforce).

NETWORK_ENDPOINT

Represents a network service or listening port (host:port).

URL_ENDPOINT

Represents web URLs and API endpoints (HTTP/HTTPS services).

NETWORK_ENDPOINT_ACTION

Tracks operations performed against network endpoints, such as authentication, reads, or writes.

PROCESS

Represents running processes on devices. Critical for tracking command lines and process trees.

LOGON_SESSION

Represents user login sessions across interactive, remote, and service logons.

HOSTING_SERVICE

Represents cloud infrastructure providers hosting your resources.

NETWORK_ADDRESS

Base type for IPv4 and IPv6 addresses, including geolocation information.

SRC_ADDRESS

The originating IP address in a network connection.

DST_ADDRESS

The target/destination IP address in a network connection.

FQDN

Fully Qualified Domain Names (FQDN). Represents domain names with subdomain breakdown.

DNS_RECORD

DNS resource records associated with domains.

NAMESERVER

Authoritative name servers for domains.

WHOIS_RECORD

Domain registration and ownership details.

ASN

Autonomous System Numbers (ASN), representing network ownership and routing.

NETWORK_CONNECTION

Traffic flows between source and destination. Critical for tracking lateral movement and C2.

NETWORK_INTERMEDIARY

Base type for network middle boxes. Represents proxies, VPNs, CDNs, and other intermediary services.

NETWORK_PROXY

HTTP/SOCKS proxies.

NETWORK_VPN

VPN endpoints and concentrators.

NETWORK_CDN

Content Delivery Network (CDN) nodes.

DEVICE

Base type for all physical and virtual endpoints (computers, servers).

DESKTOP

Workstations assigned to users.

SERVER

Server systems.

MOBILEDEVICE

Smartphones and mobile phones.

TABLET

Tablet devices.

NETWORKDEVICE

Base type for network infrastructure.

ROUTER

Network routers.

SWITCH

Network switches.

OTDEVICE

Operational Technology and IoT devices.

DATA_OBJECT

Base type for data and file objects. Represents various types of stored or transmitted data.

FILE

Files and executables, including hash information for threat intelligence.

EMAIL

Email messages and metadata, used for phishing investigations.

CLOUD_RESOURCE

Cloud storage objects like S3 buckets or Azure blobs.

CREDENTIAL

Base type for authentication credentials.

CERTIFICATE

X.509 digital certificates (SSL/TLS, code signing).

SECRET

API keys, passwords, and tokens.

OAUTH_TOKEN

OAuth 2.0 access and refresh tokens.

SAML_ASSERTION

SAML 2.0 tokens used for Single Sign-On (SSO).

IOC

Indicator of Compromise (IoC). Represents evidence of malicious activity.

CVE

Common Vulnerabilities and Exposures (CVE). Represents known security vulnerabilities.

CONTAINMENT

Tracks remediation actions taken to contain threats.