Relationships are connections between
different Cortex XSOAR objects. These relationships can be IP addresses
related to one another, domains impersonating legitimate domains,
and more. These relationships enable us to enhance investigations
with information about indicators and how they might be connected
to other incidents or indicators. Within an incident, the Canvas
enables you to see if there are any relationships between indicators
in the incident and other indicators in the system.
This feature is available only for users with a TIM license.
For example, if we have a phishing incident with
several indicators, one of those indicators might lead to another
indicator, which is a malicious threat actor. Once we know who the
threat actor is, we can further investigate to see the incidents
it was involved in, its known TTPs, and other indicators that might
be related to the threat actor. Our initial incident, which started
as a phishing investigation, immediately becomes a true positive
tied to a specific malicious entity.
Relationships are created automatically by threat intel feeds and
enrichment integrations that support them, based on the information
those integrations return.
In addition, you can manually create and modify relationships.
This is especially useful when a specific threat report comes out,
for example, Unit 42’s SolarStorm report. These reports contain
indicators and relationships that might not exist in your system,
or you might not be aware of their connection to one another.
If a relationship is no longer relevant, you can revoke it. This is
relevant, for example, when a known malicious domain is no longer
associated with a specific IP address.
In this example, we will walk through a basic incident that has
some indicators. We will see how you can use the relationships feature
to further your investigation.
When opening our incident, we see that the severity is
low; however, the incident has two indicators.
When we click the file hash indicator, neither the
have any additional details. This would seem to indicate that the
file is harmless.
When we click on the IP address indicator, we immediately see
tab that the indicator was
ingested from a threat intel feed. This already warrants further investigation.
When we navigate to the
we see that this indicator is related to a campaign.
started off as a low severity incident, has become a lot more threatening.
We navigate to the
tab of our
incident to see what else we can learn about these indicators.
tab in the
pane, we drag our IP indicator onto the canvas.
By hovering over the IP indicator, we can select the indicator
menu, and click
indicator for the campaign we saw earlier is now added to the canvas.
We hover over the campaign indicator we found and once again
The canvas is now populated
with all of the indicators related to this campaign.
can now further research our incident by learning more about the threat
actor behind the campaign, its techniques and possible targets,
By leveraging the relationships and canvas, we were
able to get a more complete picture of our incident within a few clicks.
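The following Python is an added, standalone illustration of the two ideas above: how relationships are stored with a source, reversed and revoked, and how a canvas-style pivot walks from an incident's indicators to a campaign and back out to that campaign's other indicators. It is not Cortex XSOAR code and does not use the CommonServerPython `EntityRelationship` API; the relationship names and their reverse names, the RFC 5737 addresses, the `.test` domains, the file hash and the campaign are all constructed sample data.

```python
"""Standalone model of indicator relationships and canvas-style pivoting.

Constructed example: the relationship vocabulary and the sample data below
are assumptions that mirror the conventions described in the text; nothing
here is read from a Cortex XSOAR instance.
"""
from collections import deque
from dataclasses import dataclass, field

# Relationship name -> reverse name, so one stored link can be read from
# either endpoint (assumed verb / reverse-verb pairs).
REVERSE = {
    "related-to": "related-to",
    "resolves-to": "resolved-from",
    "indicator-of": "indicated-by",
    "impersonates": "impersonated-by",
}


@dataclass
class Relationship:
    name: str
    entity_a: str          # "value (type)", e.g. "203.0.113.10 (IP)"
    entity_b: str
    source: str            # feed, enrichment integration, manual, report
    revoked: bool = False  # revoked links are kept for history, never traversed


@dataclass
class RelationshipStore:
    relationships: list = field(default_factory=list)

    def add(self, name, entity_a, entity_b, source):
        if name not in REVERSE:
            raise ValueError(f"unknown relationship name {name!r}")
        rel = Relationship(name, entity_a, entity_b, source)
        self.relationships.append(rel)
        return rel

    def revoke(self, name, entity_a, entity_b):
        """Mark a link as no longer relevant. Returns True if anything matched."""
        hit = False
        for rel in self.relationships:
            if (rel.name, rel.entity_a, rel.entity_b) == (name, entity_a, entity_b):
                rel.revoked = True
                hit = True
        return hit

    def neighbors(self, entity):
        """Active links touching `entity`, named from that entity's point of view."""
        out = []
        for rel in self.relationships:
            if rel.revoked:
                continue
            if rel.entity_a == entity:
                out.append((rel.name, rel.entity_b, rel.source))
            elif rel.entity_b == entity:
                out.append((REVERSE[rel.name], rel.entity_a, rel.source))
        return out

    def expand(self, start, depth=1):
        """Canvas-style expansion: BFS up to `depth` hops, skipping revoked links."""
        seen = {start}
        frontier = deque([(start, 0)])
        while frontier:
            entity, dist = frontier.popleft()
            if dist == depth:
                continue
            for _name, other, _source in self.neighbors(entity):
                if other not in seen:
                    seen.add(other)
                    frontier.append((other, dist + 1))
        seen.discard(start)
        return seen


def build_sample_store():
    """Constructed data shaped like the walk-through: a feed-sourced IP that is an
    indicator of a campaign, plus the campaign's other indicators."""
    store = RelationshipStore()
    store.add("indicator-of", "203.0.113.10 (IP)", "Campaign X (Campaign)", "threat-intel-feed")
    store.add("indicator-of", "bad-example.test (Domain)", "Campaign X (Campaign)", "threat-intel-feed")
    store.add("resolves-to", "bad-example.test (Domain)", "203.0.113.10 (IP)", "enrichment")
    store.add("impersonates", "bad-example.test (Domain)", "example.test (Domain)", "manual")
    store.add("resolves-to", "bad-example.test (Domain)", "198.51.100.7 (IP)", "enrichment")
    return store


def investigate(store, incident_indicators):
    """Pivot: incident indicators -> campaigns they indicate -> every indicator of
    those campaigns that is not already in the incident."""
    campaigns = set()
    for indicator in incident_indicators:
        for name, other, _source in store.neighbors(indicator):
            if name == "indicator-of":
                campaigns.add(other)
    related = set()
    for campaign in campaigns:
        related |= store.expand(campaign, depth=1)
    return campaigns, related - set(incident_indicators)
```

In this model the file hash has no relationships at all, so `neighbors()` returns an empty list for it, while the IP pivots to the campaign and from there to the domain the incident never mentioned. Revoking the stale `resolves-to` link leaves it in the store for auditing but removes it from every subsequent expansion.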