Artifact
  • 01 Nov 2024
  • 2 Minutes to read
  • Contributors
  • Dark
    Light

Artifact

  • Dark
    Light

Article summary

The Artifact Extension provides low-level collection capabilities which can be configured to run automatically via Detection & Response rules, Sensor collections, or pushed via REST API. When enabled, an Artifact Collection menu will be available within the LimaCharlie web UI.

Billing for Artifacts

Note that while the Artifact extension is free to enable, ingested artifacts do incur a charge. Please refer to pricing details to confirm Artifact ingestion and retention costs.

Enabling the Artifact Extension

To enable the Artifact extension, navigate to the Artifact extension page in the marketplace. Select the Organization you wish to enable the extension for, and select Subscribe.

After clicking Subscribe, the Artifact extension should be available almost immediately.

Note that the Artifact extension first requires enabling of the Reliable Tasking extension. You can find more on that extension here.

Using the Artifact Extension

When enabled, you will see an Artifact Collection option under Sensors menu for the respective Organization.

Within the Artifact Collection page, you can configure:

  • Artifact Collection rules for files.

  • Artifact Collection rules to stream Windows Event Log (WEL) events.

  • Artifact Collection rules to stream Mac Unified Log (MUL) events.

  • PCAP Capture rules to capture network traffic (Only available on Linux)

The following screenshot provides examples of capturing Windows Security and Sysmon Windows Event Logs via Artifact Collection. Rather than using an Adapter, capturing WEL events via the wel:// pattern adds the corresponding events to the Sensor telemetry, creating a real-time stream of Windows Event Log data. However, you can also specify the pattern to collect the specific .evtx files.

More information on Artifact collections can be found here.


Was this article helpful?