Create Indicator Relationships

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-02-22
Category: Threat Intel Management Guide
Abstract: Create relationships between indicators to enhance your investigations.

Indicator relationships are used to enrich investigations with information from indicators that are connected in various ways to other indicators. These relationships can help you pivot from what might be a false positive to a full-fledged campaign.

You can create relationships automatically through specific integration feeds.

To enable the automatic creation of relationships, ensure that the Create relationships checkbox is selected in the integration settings.

In addition, you can create relationships manually.

  1. Navigate to the Threat Intel page.

  2. Click on an indicator.

  3. Under Relationships, click +Add.

    A window with all of the indicators in your system appears.

  4. Enter a query to search for the relevant indicators. Optionally, limit the time range of the search.

  5. Select the indicator(s) to which you want to create the relationship.

  6. Set the relationship types. By default, the type presented is related-to.

    For example, IP address x.x.x.x is related-to IP address y.y.y.y.

  7. Click Save.