Create Indicator Relationships - Threat Intel Management Guide - 6.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide


Indicator relationships are used to enrich investigations with information from indicators that are connected in various ways to other indicators. These relationships can help you pivot from what might be a false positive to a full-fledged campaign.

You can create relationships automatically through specific integration feeds.

To enable the automatic creation of relationships, ensure that the Create relationships checkbox is selected in the integration settings.

In addition, you can create relationships manually.

  1. Navigate to the Threat Intel page.

  2. Click on an indicator.

  3. Under Relationships, click +Add.

    A window with all of the indicators in your system appears.

  4. Enter a query to search for the relevant indicators. You can optionally limit the search to a time range.

  5. Select the indicator(s) to which you want to create the relationship.

  6. Set the relationship types. By default, the type presented is related-to.

    For example, IP address x.x.x.x is related-to IP address y.y.y.y.

  7. Click Save.