Relationships allow to you create connections between Cortex XSOAR indicators.
Relationships are connections between different Cortex XSOAR objects. These relationships can be IP addresses related to one another, domains impersonating legitimate domains, and more. These relationships enable us to enhance investigations with information about indicators and how they might be connected to other incidents or indicators.
This feature is available only for users with a TIM license.
For example, if you have a phishing incident with several indicators, one of those indicators might lead to another indicator, which is a malicious threat actor. Once you know the threat actor, you can investigate to see the incidents it was involved in, its known TTPs, and other indicators that might be related to the threat actor. The initial incident which started as a phishing investigation immediately becomes a true positive and relates to a specific malicious entity.
To fully benefit from the Indicator Relationships feature, make sure that your Common Types content pack is updated for new fields and layouts to be added and populated.
Relationships are created from threat intel feeds and enrichment integrations that support automatic creation of relationships. Based on the information that exists in the integrations, the relationships are formed.
In addition, you can manually create and modify relationships. This is useful when a specific threat report comes out, for example, Unit 42’s SolarStorm report. These reports contain indicators and relationships that might not exist in your system, or you might not be aware of their connection to one another.
If a relationship is no longer relevant, you can revoke it. This might be relevant for example, if a known malicious domain is no longer associated with a specific IP address.
Using Indicator Relationships in an Investigation
In this example, you can see how to use the relationships feature to further your investigation.
When opening the incident, although you can see that the severity is low, the incident has two indicators.
When you click the file hash indicator, neither the Info nor Relationships tabs have any additional details. This seems to indicate that the file is harmless.
Click on the IP address indicator.
Under the Info tab, you can see that the indicator was ingested from a threat intel feed. This already bears further investigation.
Go to the Relationships tab.
You can see that this indicator is related to a campaign.
What started off as a low severity incident, has become a lot more threatening.