Create Indicator Relationships

Create relationships between indicators to enhance your investigations.
Indicator relationships are used to enrich investigations with information from indicators that are connected in various ways to other indicators. These relationships can help you pivot from what might be a false positive to a full-fledged campaign.
You can create relationships automatically through specific integration feeds.
To enable the automatic creation of relationships, ensure that the
Create relationships
checkbox is selected in the integration settings.
In addition, you can create relationships manually.
  1. Navigate to the
    Threat Intel
    page.
  2. Click on an indicator.
  3. Under
    Relationships
    , click
    +Add
    .
    A window with all of the indicators in your system appears.
  4. Enter a query by which to search for the relevant indicators. You can optionally limit the time range by which you are searching.
  5. Select the indicator(s) to which you want to create the relationship.
  6. Set the relationship types. By default, the types that are presented are
    related-to
    .
    For example, IP address
    x.x.x.x
    is related-to IP address
    y.y.y.y
    .
  7. Click
    Save
    .

Recommended For You