How to use and create indicator relationships in Cortex XSOAR and how it benefits an investigation.
Indicator relationships are connections between different indicators. These relationships can be IP addresses related to one another, domains impersonating legitimate domains, and so on. They let you enrich an investigation with information about each indicator and how it might be connected to other incidents or indicators. For example, if you have a phishing incident with several indicators, one of those indicators might lead to another indicator that represents a malicious threat actor. Once you know the threat actor, you can investigate the incidents it was involved in, its known TTPs (tactics, techniques, and procedures), and other indicators that might be related to it. The initial incident, which started as a phishing investigation, immediately becomes a true positive tied to a specific malicious entity.
Relationships are created by threat intel feeds and enrichment integrations that support automatic relationship creation, such as AlienVault OTX v2 and URLhaus, when you select Create relationships in the integration settings. The relationships are formed from the information each integration returns.
You can view indicator relationships by clicking on the indicator from an incident, and then from the Quick View window click the Relationships tab.
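The pivot described above (phishing indicator to threat actor to other incidents and TTPs) can be modelled as a small graph walk. The following is an added, self-contained Python example, not Cortex XSOAR code or its data model: the indicator types, relationship names, incidents and the brand labels `feed-a` and `feed-b` are all constructed for illustration, and the `Relationship`, `pivot`, `actors_reachable`, `related_incidents` and `ttps_of` names are this example's own. It shows why bidirectional relationships are useful: the same edges let you walk forward from a suspicious domain to an actor, then back out from the actor to every incident that touches its infrastructure.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed model of an indicator relationship (assumption: not XSOAR's schema).
@dataclass(frozen=True)
class Indicator:
    value: str
    itype: str  # e.g. "Domain", "IP", "Threat Actor", "Attack Pattern"

@dataclass(frozen=True)
class Relationship:
    source: str  # indicator value the relationship starts from
    name: str    # e.g. "impersonates", "resolves-to", "attributed-to", "uses"
    target: str  # indicator value the relationship points at
    brand: str   # integration/feed that created it (constructed label here)

# Reverse names so every edge can be walked in both directions.
REVERSE = {
    "impersonates": "impersonated-by",
    "resolves-to": "resolved-from",
    "related-to": "related-to",
    "attributed-to": "attributes",
    "uses": "used-by",
}

# Constructed sample data: documentation-reserved domains and TEST-NET IPs.
INDICATORS = {i.value: i for i in [
    Indicator("login-secure.example", "Domain"),
    Indicator("secure.example", "Domain"),
    Indicator("198.51.100.7", "IP"),
    Indicator("203.0.113.9", "IP"),
    Indicator("192.0.2.50", "IP"),
    Indicator("Example Actor", "Threat Actor"),
    Indicator("Phishing", "Attack Pattern"),
    Indicator("Spearphishing Link", "Attack Pattern"),
]}

RELATIONSHIPS = [
    Relationship("login-secure.example", "impersonates", "secure.example", "feed-a"),
    Relationship("login-secure.example", "resolves-to", "198.51.100.7", "feed-b"),
    Relationship("198.51.100.7", "related-to", "203.0.113.9", "feed-b"),
    Relationship("198.51.100.7", "attributed-to", "Example Actor", "feed-a"),
    Relationship("Example Actor", "uses", "Phishing", "feed-a"),
    Relationship("Example Actor", "uses", "Spearphishing Link", "feed-a"),
]

# Constructed incidents: incident id -> indicator values found in it.
INCIDENTS = {
    "INC-101": ["login-secure.example"],  # the original phishing incident
    "INC-102": ["203.0.113.9"],           # unrelated on its face
    "INC-103": ["192.0.2.50"],            # truly unrelated
}

def build_graph(relationships):
    """Adjacency list with both the forward edge and its reverse."""
    adj = defaultdict(list)
    for r in relationships:
        adj[r.source].append((r.name, r.target, r.brand))
        adj[r.target].append((REVERSE[r.name], r.source, r.brand))
    return adj

def pivot(start, adj, max_hops=3):
    """Breadth-first walk over relationships; returns {indicator: path from start}."""
    paths = {start: [start]}
    queue = deque([(start, 0)])
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue  # do not expand beyond the hop budget
        for _name, nxt, _brand in adj.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append((nxt, hops + 1))
    return paths

def actors_reachable(start, adj, indicators, max_hops=3):
    """Threat actors that a starting indicator leads to within max_hops."""
    return sorted(v for v in pivot(start, adj, max_hops)
                  if indicators[v].itype == "Threat Actor")

def related_incidents(actor, adj, indicators, incidents, max_hops=3):
    """Incidents containing any indicator connected to the actor."""
    reached = set(pivot(actor, adj, max_hops))
    return sorted(inc for inc, values in incidents.items()
                  if any(v in reached for v in values))

def ttps_of(actor, adj, indicators):
    """Attack patterns the actor is directly recorded as using."""
    return sorted(t for name, t, _ in adj.get(actor, ())
                  if name == "uses" and indicators[t].itype == "Attack Pattern")

GRAPH = build_graph(RELATIONSHIPS)

if __name__ == "__main__":
    for actor in actors_reachable("login-secure.example", GRAPH, INDICATORS):
        print("actor:", actor, "via", " -> ".join(pivot("login-secure.example", GRAPH)[actor]))
        print("incidents:", related_incidents(actor, GRAPH, INDICATORS, INCIDENTS))
        print("TTPs:", ttps_of(actor, GRAPH, INDICATORS))
```

Running it from the phishing domain surfaces `Example Actor` two hops away, and walking back from the actor pulls in INC-102 (whose only indicator is an IP related to the actor's infrastructure) while leaving INC-103 untouched. The hop budget matters in practice: relationship graphs built from feeds fan out quickly, and an unbounded pivot will connect almost everything to everything. In an XSOAR integration the equivalent edges are returned to the platform rather than kept in a local graph; this script only illustrates the reasoning the Relationships tab supports.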
Note
To manage indicator relationships, including creating them, you need a TIM license. For more information, see Manage indicator relationships.