We wonder what the identity, Asset, File and URL Extraction fields are in the Notable set-up of the correlation search.
Hi @danielbb
File and URL | These correspond to the artifact creation flow on the investigation workbench. Instead of creating a file or URL artifact on the workbench by hand, you can specify which fields should be used to create artifacts automatically when you add a notable to the investigation workbench. |
More details here:
If the Identity and Asset extraction features pull their information from the assets/identities lookup tables where does the File and URL extraction features pull their information from?
Those fields are where you tell the Notable where to find fields of each type. That is, the fields it should use for Identity information are 'src_user', and 'user'; the fields containing Asset information are 'src', 'dest', 'dvc', and 'orig_host'; and so on.