Create Indicator Relationships

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.5
Creation date: 2022-09-29
Last date published: 2023-12-12
End of Life: EoL
Category: Threat Intel Management Guide

Indicator relationships are used to enrich investigations with information from indicators that are connected in various ways to other indicators. These relationships can help you pivot from what might be a false positive to a full-fledged campaign.

You can create relationships automatically through specific integration feeds.

To enable the automatic creation of relationships, ensure that the Create relationships checkbox is selected in the integration settings.

In addition, you can create relationships manually.

  1. Navigate to the Threat Intel page.

  2. Click on an indicator.

  3. Under Relationships, click +Add.

    A window with all of the indicators in your system appears.

  4. Enter a query to search for the relevant indicators. You can optionally limit the time range of the search.

  5. Select the indicator(s) to which you want to create the relationship.

  6. Set the relationship types. By default, the relationship type presented is related-to.

    For example, IP address x.x.x.x is related-to IP address y.y.y.y.

  7. Click Save.