Leverage Relationships in the Canvas - Threat Intel Management Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Threat Intel Management Guide

Cortex XSOAR
Creation date
Last date published
Threat Intel Management Guide

Relationships are used to enrich your investigation based on information from other indicators.

Within an incident, you can use the Canvas to further explore and see if any of the indicator relationships provide more information.

  1. Within an incident, navigate to the Canvas tab.

  2. On the Canvas, click your incident.

    The Quick View window is displayed.

  3. Navigate to the Indicators tab.

    The indicators for this incident are displayed with their current verdict. For example, benign indicators have a green background, malicious indicators have a red background, and unknown indicators have a grey background.

  4. Drag the indicators you want to further investigate on to the canvas.

  5. Hover over an indicator on the canvas and click the blue arrow icon.

    A menu with several options appears.

  6. To view the indicator’s relationships, click Expand.

    If the indicator has additional relationships, those relationships are added to the canvas.

  7. Click the indicator to view additional information about it and any possible relationships that might exist.