What is the best way to store a newly-found IOC when investigating?

Prepare for the Splunk Enterprise Security Test. Utilize flashcards and multiple choice questions with detailed hints and explanations. Ensure your success by tackling tricky scenarios and developing a strong foundation in Splunk Enterprise Security!

The choice of clicking the "Add Artifact" button is the best approach for storing a newly-found IOC during an investigation because it integrates seamlessly into the Splunk Enterprise Security framework. This button is designed to create a structured entry for the indicator of compromise (IOC) within the context of the investigation, ensuring that it is indexed and retrievable within the system.

Utilizing the "Add Artifact" feature allows investigators to thoroughly document the IOC, including details such as the type of IOC, its significance, and any related notes or context. This structured format facilitates better organization, tracking, and retrieval of data over time, enabling the security team to correlate this information with other findings.

On the other hand, pasting it into Notepad or adding it in a text note would lack the integration and organization that the "Add Artifact" function provides, making it less effective for long-term investigation management. While clicking the "Add IOC" button may seem relevant, it typically pertains to a more general function that is not specifically tagged as part of the investigative artifacts related to an ongoing case. This makes the artifact feature the better choice for the task at hand.
