Using Artifacts in Workflows

If the first thing you think of when you hear the word “artifact” is Indiana Jones, don’t worry! Soon you’ll understand why Artifacts are the holy grail when it comes to viewing important information in an InsightConnect Workflow.

Just like an archeological artifact, workflow artifacts are tangible objects that provide information about something that’s happened in the past. In this case, they provide specific information or details from the greater range of data associated with a workflow. And just like an ancient craftsman (last reference, I promise!), you can use tools, like markdown format and input templating, to create artifact cards that show exactly what you need to see, how you want to see it.

Workflows can be complex and produce massive amounts of data, which you can’t (and don’t want to) try to parse through on your own. That’s the point of automation, right?! But there might be some data points generated by your workflow that you want to keep an eye on, or something you have to present to management on a regular basis. Or perhaps you just want a quick snapshot to look at if needed. Artifacts are the perfect tool for this.


Before we go into more detail, a quick TL;DR:

:point_right: Artifacts are customizable templates that create cards displaying selected bits of data from a workflow.
:point_right: Artifact templates are created using markdown and input templating.
:point_right: Artifacts are saved and can be viewed under Job Details after a workflow runs.


Usage in an Actual Workflow:

To see how this works with a real workflow, I’ve imported the Lookup Vulnerability with Rapid7 Vulnerability Database workflow template. This is what it looks like in the builder:

:eyes: You can see that each path in the decision tree ends with an artifact. :eyes:

For the No Matching Vulnerabilities path, the artifact is pretty simple; it just tells you nothing was found. Here’s how it’s configured:

You can see how, by clicking the plus button, you’re able to populate the markdown card with query strings that will pull in data from the workflow. You don’t even have to worry about the syntax of the query language (aka Handlebars), just select what you want to see!

If a vulnerability is found, this is where the artifact step really shines. :star2:

As you can see, this one has a lot of detail. If you are creating or editing a markdown card with a lot of detail, you can expand the input area by clicking the crossed arrows and open up the markdown editor modal.

But what does it all mean? :person_shrugging:
The Lookup Vulnerability with Rapid7 Vulnerability Database workflow is triggered when it receives the name of a potential vulnerability. This could be something that shows up in your environment and automatically triggers this workflow, or you could run it manually if there’s something you want to look up. Either way, the workflow will search our Rapid7 Vulnerability Database for the vulnerability name that’s been input, and if it’s found, return information about it.

The key pieces of information on the artifact card include the identifier and alternate identifiers of the vulnerability, its title, when it was published, the severity level, and a list of potential solutions for remediating the vulnerability. All of this can be viewed quickly and easily in the artifact card, so that you know what, if anything, you need to do!

Ok, but what else would I use Artifacts for? :thinking:
Here are some other excellent use cases for artifacts!
:bulb: You have a workflow that processes phishing emails, and you want an easy way to see the address of the sender you blocked.
:bulb: Your workflow can automate the quarantining of endpoints or devices via Slack and you want to see what’s been quarantined or unquarantined and why.
:bulb: You have blocked a host via a workflow and want to view information about the blocked host.
:bulb: And many more!

:woman_superhero: Markdown is Super!
Remember that you can use the power of markdown language to format your artifact cards. If you’re not familiar with markdown, or need some brushing up, here’s a great resource to help you unleash the full potential! https://markdown-it.github.io/

Viewing your Artifacts
Ok, so you’ve got a workflow with a step or steps that generate artifacts. Now what!? Whenever your workflow is triggered, you’ll be able to see the status and results of running that job under the Jobs tab. If you click on an individual job in the list, you’ll get a preview of your artifacts in the space to the right:

You can see how this reflects the markdown template that was created above. Now it contains actual values in place of the query strings. Awesome! :star_struck:

You can also click “View Full Job” and see your artifact(s) this way:

Now that you have the basics of creating workflow artifacts, we look forward to seeing what you create!
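
To make the substitution described above concrete (query strings in the markdown template replaced by actual values when a job runs), here is an added example that is not part of the original post and is not InsightConnect's own rendering code. The placeholder form, the step name "Lookup Vulnerability", the field names and the sample values are all assumptions constructed for illustration; the fields follow the list given above for the vulnerability-found card.

```python
import re

# Assumed placeholder form: {{["Step Name"].[key].[subkey]}}, modelled on the
# query strings the plus button inserts (an assumption, not from the post).
PLACEHOLDER = re.compile(r'\{\{\["([^"]+)"\]((?:\.\[[^\]]+\])+)\}\}')

# Hypothetical artifact template for the "vulnerability found" path.
TEMPLATE = """## {{["Lookup Vulnerability"].[result].[title]}}
- **Identifier:** {{["Lookup Vulnerability"].[result].[identifier]}}
- **Alternate identifiers:** {{["Lookup Vulnerability"].[result].[alternate_ids]}}
- **Published:** {{["Lookup Vulnerability"].[result].[published]}}
- **Severity:** {{["Lookup Vulnerability"].[result].[severity]}}
- **Solutions:** {{["Lookup Vulnerability"].[result].[solutions]}}
"""

# Constructed step output keyed by step name (placeholder values, not real data).
SAMPLE_OUTPUT = {
    "Lookup Vulnerability": {
        "result": {
            "title": "Example Product: Example Flaw",
            "identifier": "example-vuln-id",
            "alternate_ids": ["ALT-0001", "ALT-0002"],
            "published": "2020-01-01",
            "severity": 7,
            "solutions": ["Upgrade to the fixed release"],
        }
    }
}

def render_artifact(template, step_outputs):
    """Return (markdown, unresolved): the card text plus placeholders with no value."""
    unresolved = []

    def substitute(match):
        value = step_outputs.get(match.group(1))
        for key in re.findall(r"\[([^\]]+)\]", match.group(2)):
            value = value.get(key) if isinstance(value, dict) else None
        if value is None:
            unresolved.append(match.group(0))  # flag it instead of failing the card
            return "_not available_"
        if isinstance(value, list):
            return ", ".join(str(item) for item in value)
        return str(value)

    return PLACEHOLDER.sub(substitute, template), unresolved

if __name__ == "__main__":
    card, missing = render_artifact(TEMPLATE, SAMPLE_OUTPUT)
    print(card)
    print("unresolved:", missing)
```

The second return value lists any query string that had no matching step output, which is the first thing to check when a card shows an empty field.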
