Explore artifact data in Splunk Mission Control
Artifacts are pieces of machine data that indicate risk. They add context to Splunk Mission Control incidents to help you progress incident investigations and identify potential security threats. An artifact can be a risk object, threat object, observable, asset, identity, or indicator. If an incident has a corresponding notable event in Splunk Enterprise Security, meaning you didn't create the incident directly from Splunk Mission Control, then Splunk Mission Control automatically ingests the associated artifacts from Splunk Enterprise Security.
You can find artifacts in the Overview tab of your incident investigation along with other summary fields. Artifacts are the fields denoted by the down arrow icon in the Summary section. Only certain summary fields in Splunk Mission Control are considered artifacts.
Splunk Mission Control observes the following fields from Splunk Enterprise Security as artifacts:
- orig_host
- dvc
- src
- dest
- src_user
- user
To add or edit summary fields, including artifacts, see Edit field values for an incident.
View risk-based alerting scores for artifacts
You can view the risk-based alerting (RBA) scores for certain artifacts in the Overview tab. This information can help you understand the likelihood that an artifact is a potential threat.
Splunk Mission Control ingests the RBA score and color from Splunk Enterprise Security. The RBA score determines the color of the badge next to the artifact. The following list explains the range of scores for each color:
- Yellow: 0-25
- Orange: 26-50
- Light red: 51-75
- Dark red: 76 and higher
mc_artifacts index to your role. See Manage indexes for roles in Splunk Mission Control.