Manage Global Artifacts
Global Artifacts allow you to leverage data from your existing workflows or create data that can be reused in multiple workflows, increasing efficiency across your organization. You can manage your global artifacts from the Global Artifact page, where you can create or delete global artifacts, and add entries to a global artifact.
To use global artifacts:
Use Case Examples
Global artifacts enable you to maintain a centralized repository of data that your workflow can reference, reduce the time required to analyze incidents, and provide you with better visibility into the true scope of an incident.
Maintain and Update Reference Data in one Centralized Location
You can use global artifacts to store lists of key indicators, such as malicious URLs, trusted IP addresses, or user profile information, that can be referenced by multiple workflows.
Maintain a central repository of trusted information
With global artifacts, you can maintain a single list of trusted information (such as IP addresses, email addresses, or domain names) that any workflow performing a check on those identifiers can reference. You can add or remove an IP address from your global artifact, and it is automatically updated across all workflows.
Maintain a list of blocked information
You can maintain a single list of blocked information (for example, malicious URLs) that your workflows can reference when an alert comes in. Having a central repository of blocked information can help improve the efficiency of your team by reducing the time they spend analyzing alerts generated from the same source. And if an alert comes in from a source that is not on your blocked list, you can configure your workflow to automatically add it to your global artifact.
Store lists of high profile users
Another way you can use a global artifact is to maintain a list of your organization’s high profile users. For example, you can create a High Profile User global artifact that stores the email addresses of executives in your organization and configure your workflow to look up users listed in that global artifact each time an alert is triggered. In this case, a global artifact could help you more quickly identify when a high profile account has been compromised, improving your overall response time and reducing potential damage to your organization’s data.
Reduce analysis time and understand the scope of an incident
When responding to certain types of incidents, you may find that your security team is performing redundant and time-consuming enrichment tasks when a single identifier produces multiple alerts.
You can use a global artifact to increase the efficiency of your team’s response time and better understand the true scope of an incident. For example, say you have a phishing workflow that creates a new Jira ticket every time a phishing email is received. If you use a global artifact to store a list of indicators, when a new phishing alert is triggered, your workflow can determine whether the new email matches the stored indicators. If you receive 1,000 reports of phishing attempts, a global artifact can help you quickly determine whether all of those emails are coming from the same source. If the workflow returns a match, you can skip the enrichment analysis and focus on remediation.
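The lookup-then-skip logic described above, sketched in Python as an added example (not product code or a product API). The list `ARTIFACT`, the report fields, and the host normalization are assumptions of this sketch; the lookup is modelled as an exact match on a normalized host.

```python
from urllib.parse import urlsplit

def normalize(indicator):
    """Reduce a URL or bare domain to its lowercase host so variants compare equal."""
    value = indicator.strip()
    if "://" not in value:
        value = "//" + value              # lets urlsplit read a bare domain as a host
    try:
        host = urlsplit(value).hostname or ""
    except ValueError:                    # malformed input, e.g. a broken IPv6 literal
        return ""
    return host.rstrip(".")

def triage(reports, artifact):
    """Split phishing reports into known-source and new-source lists.

    `artifact` is a plain list standing in for the global artifact's entries
    (hypothetical model). A new source is appended to it, mirroring a workflow
    configured to add entries automatically.
    """
    known = {normalize(entry) for entry in artifact}
    skip_enrichment, needs_enrichment = [], []
    for report in reports:
        host = normalize(report["url"])
        if not host:
            needs_enrichment.append(report)   # unparseable: analyse, never auto-add
        elif host in known:
            skip_enrichment.append(report)    # same source as a stored indicator
        else:
            needs_enrichment.append(report)
            artifact.append(host)
            known.add(host)
    return skip_enrichment, needs_enrichment

# Constructed sample data: one stored indicator and five phishing reports.
ARTIFACT = ["badurl.com"]
REPORTS = [
    {"id": 1, "url": "http://BadURL.com/reset?id=1"},
    {"id": 2, "url": "https://badurl.com:443/login"},
    {"id": 3, "url": "http://login-update.example/verify"},
    {"id": 4, "url": "login-update.example/verify2"},
    {"id": 5, "url": ""},
]

if __name__ == "__main__":
    entries = list(ARTIFACT)
    skipped, enrich = triage(REPORTS, entries)
    print("skip enrichment:", [r["id"] for r in skipped])
    print("needs enrichment:", [r["id"] for r in enrich])
    print("artifact entries:", entries)
```

Without the normalization step, reports 1 and 2 would not match the stored entry “badurl.com” and would each go through enrichment again.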
Set Up a Global Artifact
As part of the process to set up your global artifact, you must first create the global artifact and then add entries for the workflow to reference.
Task 1: Create a Global Artifact
To create your global artifact, configure the schema for the type of data you will be adding to the global artifact, and provide an easily identifiable name and description. All global artifacts are types of arrays.
- From the left-hand menu, select Settings, and select the Global Artifacts tab.
- Click Add Global Artifact. You will see the Create Global Artifact wizard appear.
- On the “Configure Schema” page, configure the schema to structure the type of data you are adding to the global artifact.
- Select the Array Type you want to use to configure the global artifact schema. Your selection here defines the format of the data you can add to the global artifact. Once you create your global artifact, you cannot edit the schema.
- Click Next.
- On the “Configure Details” page, do the following:
- Provide a unique name and description for your global artifact. The name will be available for selection when you use the Lookup action in a Helper step.
- Select the tags you want associated with your artifact.
- Click Create.
Congratulations! You can now add entries to your global artifact.
Task 2: Manually Add an Entry to a Global Artifact
Once you create your global artifact, you can add entries for the workflow to reference. For example, you can add malicious URLs where each malicious URL is a single entry. You can add as many entries as you’d like to a global artifact; however, workflows can only reference the 1,000 most recent entries.
Automatically Add an Entry
You can use a Helper step to configure your workflow to automatically add entries to the global artifact when it runs.
To add an entry:
- Go to the global artifact to which you want to add an entry.
- Do one of the following:
- If your global artifact has no existing entries, click Add Entry.
- If you want to add to your list of entries, click +.
- In the Add Value field, enter the value associated with the entry. If this global artifact is storing malicious URLs, you would enter a URL. For example, “badurl.com”. The values you can enter depend on the array type you selected when you created a global artifact.
- To add an additional entry to your global artifact, click Add Global Artifact Item.
Global Artifact Entry Limits
Workflows only reference the 1,000 most recent entries. If you have 1,001 entries in a global artifact, you can delete an entry to make the last entry visible to the workflow.
- Click Save. Now that your global artifact has at least 1 entry, it can be added to a workflow.
Maintain your Global Artifacts
You can edit your global artifact details or update global artifact entries from the “Global Artifacts” page. You can also delete a global artifact or remove an entry from a global artifact as needed.
Edit a Global Artifact
You can update your global artifact name and description, and add or remove tags from your global artifact. The schema of a global artifact is not editable. If the schema of your global artifact doesn’t support the structure of the data you want to add, create a new global artifact and define a new schema.
To edit a global artifact:
- Go to Settings.
- Select Global Artifacts.
- Find the global artifact you want to update, and expand the menu by clicking on the three dots next to the global artifact name. Select View, then click Edit Details in the top right corner. The details section will expand.
- Update the name, description, or tags, and click Save.
Delete a Global Artifact Entry
You can delete global artifact entries that are no longer needed. Deleting an entry moves all the other entries behind it up by a single value. For example, if you remove entry 1,000 from your global artifact, item 1,001 becomes 1,000, and can then be referenced by the workflow.
Automatically Delete Entries
You can use a Helper step to configure your workflow to automatically delete entries from the global artifact when it runs.
To delete an entry:
- Go to Settings and select Global Artifacts.
- Open the global artifact you want to update.
- Select the entry you want to delete, and click the Trashcan icon.
Delete a Global Artifact
Before you delete a global artifact, make sure it is not being referenced by any active workflows.
Unlink a Global Artifact
To unlink a global artifact from a workflow, just open the Helper step associated with that global artifact and select a different global artifact.
To delete a global artifact:
- Go to Settings and select Global Artifacts.
- Find the global artifact you want to delete, click the ellipsis next to the artifact, and click Delete. Your global artifact is permanently deleted.