Indicator Relationships
Relationships allow you to create connections between
Cortex XSOAR indicators.
Relationships are connections between
different Cortex XSOAR objects. These relationships can be IP addresses
related to one another, domains impersonating legitimate domains,
and more. These relationships enable us to enhance investigations
with information about indicators and how they might be connected
to other incidents or indicators. Within an incident, the Canvas
enables you to see if there are any relationships between indicators
in the incident and other indicators in the system.
This feature is available only for users with a TIM license.
For example, if we have a phishing incident with
several indicators, one of those indicators might lead to another
indicator, which is a malicious threat actor. Once we know who the
threat actor is, we can further investigate to see the incidents
it was involved in, its known TTPs, and other indicators that might
be related to the threat actor. Our initial incident, which started
off as a phishing investigation, immediately becomes a true positive
that is related to a specific malicious entity.
To fully benefit from the Indicator Relationships feature,
make sure that your Common Types content pack is updated so that
the new fields and layouts are added and populated.
Relationships are created from threat intel feeds and enrichment
integrations that support automatic creation of relationships. Based
on the information that exists in the integrations, the relationships
are formed.
In addition, you can manually create and modify relationships.
This is especially useful when a specific threat report comes out,
for example, Unit 42’s SolarStorm report. These reports contain
indicators and relationships that might not exist in your system,
or you might not be aware of their connection to one another.
If a relationship is no longer relevant, you can revoke it. This
might be relevant, for example, if a known malicious domain is no
longer associated with a specific IP address.
Example
In this example, we will walk through a basic incident that has
some indicators. We will see how you can use the relationships feature
to further your investigation.
- When opening our incident, we see that the severity is low; however, the incident has two indicators.
- When we click the file hash indicator, neither the Info nor the Relationships tab has any additional details. This would seem to indicate that the file is harmless.
- When we click on the IP address indicator, we immediately see under the Info tab that the indicator was ingested from a threat intel feed. This already bears further investigation.
- When we navigate to the Relationships tab, we see that this indicator is related to a campaign. What started off as a low severity incident has become a lot more threatening.
- We navigate to the Canvas tab of our incident to see what else we can learn about these indicators.
- Under the Indicators tab in the Add entity to canvas pane, we drag our IP indicator onto the canvas.
- By hovering over the IP indicator, we can select the indicator menu and click Expand. The indicator for the campaign we saw earlier is now added to the canvas.
- We hover over the campaign indicator we found and once again click Expand. The canvas is now populated with all of the indicators related to this campaign. We can now further research our incident by learning more about the threat actor behind the campaign, its techniques and possible targets, and more. By leveraging the relationships and canvas, we were able to get a more complete picture of our incident within a few clicks.
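The walkthrough above, together with the earlier note on revoking a stale relationship, can be modelled as a small relationship graph. The following is an added example, not Cortex XSOAR code: the real platform stores relationships server-side and exposes them through the Relationships tab and the Canvas. The `Indicator`, `Relationship` and `RelationshipStore` names, the `expand` and `revoke` operations and the `assess_incident` severity rule are assumptions chosen for the illustration, and the sample indicators (an RFC 5737 address, an example.net domain and a placeholder hash) are constructed, not real IoCs.

```python
"""Constructed model of indicator relationships and the canvas "Expand" pivot.

Added illustration, not Cortex XSOAR code. Class and field names are
assumptions made for this example.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    type: str  # e.g. "IP", "File", "Campaign", "Threat Actor", "Domain"


@dataclass
class Relationship:
    name: str               # relationship name, e.g. "indicator-of", "attributed-to"
    entity_a: Indicator
    entity_b: Indicator
    source: str             # feed or integration that created it, or "manual"
    revoked: bool = False   # revoked relationships are kept but no longer followed


class RelationshipStore:
    """Holds relationships and answers "what is connected to X?" queries."""

    def __init__(self) -> None:
        self._rels: list[Relationship] = []

    def add(self, rel: Relationship) -> None:
        self._rels.append(rel)

    def revoke(self, a: Indicator, b: Indicator) -> int:
        """Mark every active relationship between a and b as revoked; return the count."""
        hit = 0
        for rel in self._rels:
            if not rel.revoked and {rel.entity_a, rel.entity_b} == {a, b}:
                rel.revoked = True
                hit += 1
        return hit

    def neighbours(self, ind: Indicator) -> list[Indicator]:
        """Direct, non-revoked connections; relationships are followed in both directions."""
        out: list[Indicator] = []
        for rel in self._rels:
            if rel.revoked:
                continue
            if rel.entity_a == ind:
                out.append(rel.entity_b)
            elif rel.entity_b == ind:
                out.append(rel.entity_a)
        return out

    def expand(self, start: Indicator, depth: int = 1) -> dict[Indicator, int]:
        """Breadth-first walk up to `depth` hops; maps each reached indicator to its hop count.

        depth=1 is one click of Expand on the canvas; depth=2 is expanding the
        result as well (the IP -> campaign -> everything-related-to-the-campaign pivot).
        """
        seen: dict[Indicator, int] = {start: 0}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if seen[cur] >= depth:
                continue
            for nxt in self.neighbours(cur):
                if nxt not in seen:
                    seen[nxt] = seen[cur] + 1
                    queue.append(nxt)
        del seen[start]
        return seen


def assess_incident(store: RelationshipStore, indicators: list[Indicator],
                    depth: int = 2) -> tuple[str, list[Indicator]]:
    """Return (severity, pivots): "High" if any incident indicator reaches a campaign or actor."""
    pivots: list[Indicator] = []
    for ind in indicators:
        for reached in store.expand(ind, depth):
            if reached.type in ("Campaign", "Threat Actor"):
                pivots.append(reached)
    return ("High" if pivots else "Low"), pivots


# Constructed sample data (RFC 5737 address, example.net domain, placeholder hash).
FILE_HASH = Indicator("0" * 64, "File")          # nothing is related to it, as in the walkthrough
IP = Indicator("203.0.113.10", "IP")
CAMPAIGN = Indicator("Example Campaign", "Campaign")
ACTOR = Indicator("Example Threat Actor", "Threat Actor")
DOMAIN = Indicator("c2.example.net", "Domain")


def build_sample_store() -> RelationshipStore:
    """Relationships a feed and an analyst might have created for the sample incident."""
    store = RelationshipStore()
    store.add(Relationship("indicator-of", IP, CAMPAIGN, source="threat-intel-feed"))
    store.add(Relationship("attributed-to", CAMPAIGN, ACTOR, source="threat-intel-feed"))
    store.add(Relationship("indicator-of", DOMAIN, CAMPAIGN, source="manual"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    print(assess_incident(store, [FILE_HASH, IP]))   # ('High', [campaign, actor])
    store.revoke(IP, CAMPAIGN)                       # the IP is no longer tied to the campaign
    print(assess_incident(store, [FILE_HASH, IP]))   # ('Low', [])
```

The file hash has no neighbours, mirroring the empty Info and Relationships tabs in the walkthrough, while one hop from the IP reaches the campaign and two hops reach the threat actor and the other campaign indicators. Revoking the IP-to-campaign relationship keeps the record but removes it from every pivot, so the same incident drops back to low severity.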