Relationships are connections between different Cortex XSOAR objects. These relationships can be IP addresses related to one another, domains impersonating legitimate domains, and more. These relationships enable us to enhance investigations with information about indicators and how they might be connected to other incidents or indicators. Within an incident, the Canvas enables you to see if there are any relationships between indicators in the incident and other indicators in the system.
This feature is available only for users with a TIM license.
For example, if we have a phishing incident with several indicators, one of those indicators might lead to another indicator, which is a malicious threat actor. Once we know who the threat actor is, we can further investigate to see the incidents it was involved in, its known TTPs, and other indicators that might be related to the threat actor. Our initial incident which started off as a phishing investigation immediately becomes a true positive and it is related to a specific malicious entity.
To fully benefit from the Indicator Relationships feature, make sure that your Common Types content pack is updated for new fields and layouts to be added and populated.
Relationships are created from threat intel feeds and enrichment integrations that support automatic creation of relationships. Based on the information that exists in the integrations, the relationships are formed.
In addition, you can manually create and modify relationships. This is especially useful when a specific threat report comes out, for example, Unit 42’s SolarStorm report. These reports contain indicators and relationships that might not exist in your system, or you might not be aware of their connection to one another.
If a relationship is no longer relevant, you can revoke it. This might be relevant for example, if a known malicious domain is no longer associated with a specific IP address.
In this example, we will walk through a basic incident that has some indicators. We will see how you can use the relationships feature to further your investigation.
When opening our incident, we see that the severity is low, however the incident has two indicators.
When we click the file hash indicator, neither the Info nor Relationships tabs have any additional details. This would seem to indicate that the file is harmless.
When we click on the IP address indicator, we immediately see under the Info tab that the indicator was ingested from a threat intel feed. This already bears further investigation.
When we navigate to the Relationships tab, we see that this indicator is related to a campaign.
What started off as a low severity incident, has become a lot more threatening.
We navigate to the Canvas tab of our incident to see what else we can learn about these indicators.
Under the Indicators tab in the Add entity to canvas pane, we drag our IP indicator onto the canvas.
By hovering over the IP indicator, we can select the indicator menu, and click Expand.
The indicator for the campaign we saw earlier is now added to the canvas.
We hover over the campaign indicator we found and once again click Expand.
The canvas is now populated with all of the indicators related to this campaign.
We can now further research our incident by learning more about the threat actor behind the campaign, its techniques and possible targets, and more.
By leveraging the relationships and canvas, we were able to get a more complete picture of our incident within a few clicks.