How to use and create indicator relationships in Cortex XSOAR and how they benefit an investigation.
Indicator relationships are connections between different indicators. These relationships can be IP addresses related to one another, domains impersonating legitimate domains, etc. These relationships enable you to enhance investigations with information about indicators and how they might be connected to other incidents or indicators. For example, if you have a phishing incident with several indicators, one of those indicators might lead to another indicator, which is a malicious threat actor. Once you know the threat actor, you can investigate to see the incidents it was involved in, its known TTPs (tactics, techniques, and procedures), and other indicators that might be related to the threat actor. The initial incident which started as a phishing investigation immediately becomes a true positive and relates to a specific malicious entity.
Relationships are created from threat intel feeds and enrichment integrations that support the automatic creation of relationships, such as AlienVault OTX v2 and URLhaus, by selecting Create relationships in the integration settings. Based on the information that exists in the integrations, the relationships are formed.
You can view indicator relationships by clicking on the indicator from an incident, and then from the Quick View window click the Relationships tab.
The Threat Intel Management system in Cortex XSOAR includes a feed that brings in a collection of threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library and include Malware, Attack Patterns, Campaigns, and Threat Actors. When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database between the relevant threat intel object and the new, or updated, indicator.
Create indicator relationships
You can also manually create and modify relationships, which is useful when a specific threat report comes out. For example, Unit 42’s SolarStorm report contains indicators and relationships that might not exist in your system, or you might not be aware of their connection.
If a relationship is no longer relevant, you can revoke it. This might be relevant, for example, if a known malicious domain is no longer associated with a specific IP address.
Note
To create and modify indicator relationships, you must have the TIM license.
When you create a relationship, you can set the relationship type, such as whether the indicator is related, attached, applied, etc. For example, a file is attached-to an email. The email communicated-with the file.
You can create relationships by adding them in a playbook, in the CLI using the CreateIndicatorRelationship command, or when investigating an indicator in the Threat Intel tab.
Open an indicator and in the RELATIONSHIPS section add a relationship.
In the New Relationships window, in Step 1, add a query by which to search for the relevant indicators.
You can optionally limit the time range for the search.
Select the indicators you want to create a relationship to.
In Step 2 set the relationship type.
By default, the relationship is related-to. For example, IP address x.x.x.x is related-to IP address y.y.y.y.
Save the relationship.
Note
You can also add an indicator relationship from the Quick View when selecting an indicator from an incident.
Investigate an indicator using indicator relationships
In this example, you can see how to use the relationships feature to further your investigation.
When you open the incident, you can see that the severity is low, but the incident has two indicators.
When you click the file hash indicator, neither the Info nor Relationships tabs have any additional details. This seems to indicate that the file is harmless.
Click on the IP address indicator.
Under the Info tab, you can see that the indicator was ingested from a threat intel feed. This already bears further investigation.
Go to the Relationships tab.
You can see that this indicator is related to a campaign.
What started as a low-severity incident has become a lot more threatening.
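The pivot in this walkthrough, modeled as an added Python example (not Cortex XSOAR code or its API): it follows relationships from each incident indicator to any Campaign or Threat Actor, and skips revoked relationships. The indicator values, the names `RELATIONSHIPS`, `linked_threat_objects` and `triage`, the two-hop limit, and treating a relationship as traversable from either side are all assumptions made for illustration.

```python
from collections import deque

# Threat intel object types named on this page.
THREAT_OBJECT_TYPES = {"Malware", "Attack Pattern", "Campaign", "Threat Actor"}

# Constructed sample data (documentation-range values, not real intelligence).
INDICATOR_TYPES = {
    "198.51.100.7": "IP",
    "login-example.test": "Domain",
    "constructed-file-hash": "File",
    "Example Campaign": "Campaign",
    "Example Actor": "Threat Actor",
}
# Each relationship: (entity A, relationship type, entity B, revoked).
RELATIONSHIPS = [
    ("198.51.100.7", "related-to", "Example Campaign", False),
    ("Example Campaign", "related-to", "Example Actor", False),
    # Revoked: the domain is no longer associated with this IP address.
    ("login-example.test", "related-to", "198.51.100.7", True),
]


def neighbors(value, relationships):
    """Yield entities linked to value by a relationship that is not revoked."""
    for a, _rel_type, b, revoked in relationships:
        if not revoked and value in (a, b):
            yield b if a == value else a


def linked_threat_objects(start, relationships, types, max_hops=2):
    """Breadth-first pivot from one indicator; returns {threat object: hops}."""
    seen, found, queue = {start}, {}, deque([(start, 0)])
    while queue:
        value, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in neighbors(value, relationships):
            if nxt not in seen:
                seen.add(nxt)
                if types.get(nxt) in THREAT_OBJECT_TYPES:
                    found[nxt] = hops + 1
                queue.append((nxt, hops + 1))
    return found


def triage(incident_indicators):
    """Map each incident indicator to the threat objects it reaches."""
    return {i: linked_threat_objects(i, RELATIONSHIPS, INDICATOR_TYPES)
            for i in incident_indicators}
```

Calling `triage(["constructed-file-hash", "198.51.100.7"])` returns an empty result for the file hash and the campaign (one hop) plus the actor (two hops) for the IP address, which is the signal that would justify raising the incident's severity.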