Learn about indicator relationships and how they can help you to investigate alerts.
Indicator relationships are connections between different objects. These relationships can be IP addresses related to one another, domains impersonating legitimate domains, and more. These relationships enable us to enhance investigations with information about indicators and how they might be connected to other alerts or indicators.
For example, if we have a phishing alert with several indicators, one of those indicators might lead to another indicator, which is a malicious threat actor. Once we know who the threat actor is, we can further investigate to see the alerts it was involved in, its known TTPs, and other indicators that might be related to the threat actor. Our initial alert which started off as a phishing investigation becomes a true positive and it is related to a specific malicious entity.
Relationships are created from threat intel feeds and enrichment integrations that support the automatic creation of relationships. Based on the information that exists in the integrations, the relationships are formed.
In addition, you can manually create and modify relationships. This is especially useful when a specific threat report comes out, for example, Unit 42’s SolarStorm report. These reports contain indicators and relationships that might not exist in your system, or you might not be aware of their connection to one another.
If a relationship is no longer relevant, you can revoke it. This might be relevant if a known malicious domain is no longer associated with a specific IP address. Initially when opening an alert although it might have a low severity you should investigate the indicator to see the dbot score and whether it has any relationships. The Relationships tag can reveal more information such as whether it is related to a campaign, etc.