Mission Control: Artifacts Table

This article is a part of a series describing key features of the Phantom Security Automation and Orchestration platform.

Introduction

Phantom 3.0 was designed with a goal of simplifying an analyst’s workflow, thereby improving their efficiency when navigating and processing a security event. Another goal of the enhancements is to have a positive and direct impact on the Mean Time To Resolution (MTTR) metric. Mission Control™, a part of the Phantom Platform’s alert management capability, is where many of the enhancements in Phantom 3.0 can be experienced. In particular, the enhanced artifacts table within Mission Control is a great example of how Phantom helps analysts work smarter, respond faster, and strengthen their organization’s defenses.

When analysts are working to understand, investigate, decide, and act on a security event, they need a view where all collected evidence for the event is easily accessible. The artifact table in Mission Control provides this view for Phantom users. The artifacts table makes data extremely quick and easy to access and operate on for an analyst.

The Artifacts Table

First, a quick refresher on what an artifact is. As events are ingested into the Phantom platform, the evidence associated with an event are stored as artifacts. Artifacts might contain IP addresses, domains, URLs, file hashes, or many other Common Event Format (CEF) fields which contain data relating to the event. The Phantom automation engine can operate on these artifacts via automation playbooks, and analysts can manually study and operate on these artifacts via the artifact table in Mission Control.

The design of the artifact table in Mission Control can have a direct impact on reducing MTTR in several ways. Here are some examples:

Default View of the Artifacts Table
The Artifacts Table Within Phantom Mission Control

Artifacts Table View—Artifact details can be viewed as a table where the data types serve as column headers in the table (e.g. sourceAddress, requestURL, fileHash, fileName, destinationDnsDomain, etc). This allows an analyst to view technical details of multiple artifacts simultaneously, making it very easy to compare data between artifacts while processing an event. In contrast, viewing a single artifact at a time makes it difficult to maintain context between artifacts. Phantom Mission Control eliminates the context swap problem by displaying artifacts details at the same time using the artifacts table view.

Configuring Columns to Display in the Artifacts Table
Column Configuration in the Artifacts Table

Configurable Columns—Within the artifacts table view, analysts can select the columns to display in the view, as well as order the columns. More specifically, analysts can select which CEF fields and artifact metadata fields should be present in the view. This allows the Analyst to optimize the table view based on the characteristics of the event or based on their personal preferences.

Artifact Row Expanded
Artifact Row Expanded for Full Details Without Changing Context

Expand/Collapse Single Artifact Rows—Any information not displayed at the table level is still accessible by expanding an artifact row to get a full view of all metadata and CEF field information available. The expansion of an artifact is done inline on the table, meaning the pre-existing table view is not lost. Minor enhancements like this can have a big impact. It is enormously helpful to an analyst in that he/she can keep the context of adjacent artifacts in view while expanding the detailed view of a particular artifact of interest.

Sorting Artifacts by Column
Dynamic Sorting of Artifacts by Column aid in Identifying Patterns of Activity

Sorting Artifacts—The default ordering of artifacts in the table is based on artifact ID number, which is sequentially assigned as new artifacts arrive. Therefore, the default ordering is based on time. The new table view, however, allows analysts to sort the table based on any of the fields present as a column header. This is helpful for creating groupings of artifacts and identifying patterns based on similar data points that become apparent through sorting.

Table Capacity—By default, the table will show 5 artifacts, presented as 5 rows. An analyst can expand the table view by displaying 5, 10, 25, or 50 artifact rows shown at once. Naturally, expanding the row count consumes more User Interface (UI) real estate. At the same time, it gives an analyst more control over what he/she would see most in the UI, based on viewing preference.

Contextual ActionsLast but not least is the contextual action drop-down menu available on each indicator in the artifact. Data can be acted on directly in the table view. Analysts can launch actions using their configured SOC tools immediately from the artifacts table. This drastically simplifies analyst workflow by consolidating data and tools into a single view. We will discuss this topic in more detail in a future installment of this series.

Conclusion and Next Steps

As mentioned earlier, the artifact table and other enhancements make it convenient for an analyst to view and operate on event data. Mouse clicks, browser tabs, searching, copy/pasting, and other interface tactics have an impact on processing time and MTTR. Mission Control drastically simplifies the analyst workflow and tool interaction throughout the life of an event by consolidating data, tools, and playbook automation into a single view. The result is that security event data is easier to understand, investigate, decide, and act upon.

There are several other enhancements in Mission Control that have a positive impact on analyst efficiency and contribute to improved MTTR statistics. We will examine more of them in future entries of this series. If you haven’t experienced the Phantom Platform yet, we invite you to join the Phantom Community to gain access to the free the free Community Edition.

Other articles in this series can be found here.