You can create indicator relationships in Cortex XSOAR through two primary methods: programmatically via integrations and manually within the Cortex XSOAR user interface. These methods cater to different operational needs, from automated large-scale ingestion to specific manual refinements.
1. Programmatic Creation via Integrations
This method is ideal for automating the ingestion and linking of indicators from various threat intelligence feeds, security tools, or internal systems. It ensures consistency and efficiency when dealing with a high volume of data.
- How it Works: When developing or extending an integration in Cortex XSOAR, you can define and create indicator relationships directly within the code.
- Key Components:
- `demisto.createIndicators` method: To create indicator relationships from within an integration (typically a feed integration), you call the `createIndicators` method of the `demisto` object with the indicator objects to ingest, each of which carries its own list of relationships.
- `EntityRelationship` class: As when returning relationships through `CommandResults`, you define each indicator relationship as an instance of the `EntityRelationship` class from `CommonServerPython`. This class structures the relationship details: the source entity (entity A) and its indicator type, the target entity (entity B) and its indicator type, the relationship name and its reverse name (which give the relationship its direction), the relationship type, the source reliability, and the brand that created it.
- Use Cases:
- Automatically linking an IP address to a malicious domain seen in a threat intelligence feed.
- Connecting malware hashes to specific campaigns identified by an external threat research platform.
- Building a graph of related attack infrastructure components as they are ingested from automated sources.
- Benefits: Automation, scalability, reduced manual effort, and consistency across indicator data, making it efficient for large-scale data processing.
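The following is an added example, not code from this page or from Palo Alto Networks, of how a feed integration turns raw feed records into the indicator objects that `demisto.createIndicators` accepts, with each relationship built as an `EntityRelationship` and attached through `to_indicator()`. It assumes the `CommonServerPython` constructor signature shown in the stand-in class below; when that module is not importable (for example in an offline unit test) the stand-in is used instead, and the dictionary keys it emits are an assumption about the SDK's `to_indicator()` output. The feed records, the brand name `ExampleFeed` and the batch size are constructed for the example. The security-relevant point the page leaves implicit is that feed data is untrusted input: values that are not a valid IP or domain, unknown relationship names, self-references and duplicates are rejected here instead of becoming nodes and edges in the threat intelligence graph.

```python
"""Build XSOAR indicator objects carrying EntityRelationship links from a raw feed."""
import ipaddress
import re
from typing import Dict, Iterable, Iterator, List

try:  # inside an XSOAR integration this is provided by CommonServerPython
    from CommonServerPython import EntityRelationship  # type: ignore
except ImportError:  # offline stand-in with the same constructor and to_indicator() interface
    class EntityRelationship:
        def __init__(self, name, entity_a, entity_a_type, entity_b, entity_b_type,
                     reverse_name='', relationship_type='IndicatorToIndicator',
                     entity_a_family='Indicator', entity_b_family='Indicator',
                     source_reliability='', fields=None, brand=''):
            self._name, self._reverse_name, self._type = name, reverse_name, relationship_type
            self._a, self._a_type, self._a_family = entity_a, entity_a_type, entity_a_family
            self._b, self._b_type, self._b_family = entity_b, entity_b_type, entity_b_family
            self._fields, self._reliability, self._brand = dict(fields or {}), source_reliability, brand

        def to_indicator(self) -> Dict:
            # Key names are an assumption mirroring the SDK's to_indicator() output.
            return {'name': self._name, 'reverseName': self._reverse_name, 'type': self._type,
                    'entityA': self._a, 'entityAFamily': self._a_family, 'entityAType': self._a_type,
                    'entityB': self._b, 'entityBFamily': self._b_family, 'entityBType': self._b_type,
                    'fields': self._fields}

# Subset of relationship names with their reverse names (assumed to match the SDK's
# EntityRelationship.Relationships). Any other name coming from the feed is rejected.
RELATIONSHIPS = {
    'communicated-with': 'communicated-with',
    'indicator-of': 'indicated-by',
    'uses': 'used-by',
    'targets': 'targeted-by',
}
DOMAIN_RE = re.compile(r'^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$', re.I)


def indicator_type(value: str) -> str:
    """Classify a feed value as 'IP', 'IPv6' or 'Domain'; raise on anything else."""
    try:
        return 'IPv6' if ipaddress.ip_address(value).version == 6 else 'IP'
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return 'Domain'
    raise ValueError(f'unsupported indicator value: {value!r}')


def build_indicators(feed_records: Iterable[Dict[str, str]], brand: str,
                     reliability: str = 'B - Usually reliable') -> List[Dict]:
    """Turn feed records {'source', 'target', 'relationship'} into createIndicators() objects.

    Both ends of every accepted record become indicators; the relationship is attached to the
    source entity. Invalid values, unknown relationship names, self-references and duplicate
    edges are dropped rather than ingested into the graph.
    """
    indicators: Dict[str, Dict] = {}   # value -> indicator object (dedupes nodes)
    seen = set()                       # (entity A, name, entity B) edges already emitted
    for rec in feed_records:
        name = rec.get('relationship', '')
        if name not in RELATIONSHIPS:
            continue
        try:
            a, b = rec['source'].strip().lower(), rec['target'].strip().lower()
            a_type, b_type = indicator_type(a), indicator_type(b)
        except (KeyError, ValueError):
            continue
        if a == b or (a, name, b) in seen:
            continue
        seen.add((a, name, b))
        for value, itype in ((a, a_type), (b, b_type)):
            indicators.setdefault(value, {'value': value, 'type': itype,
                                          'rawJSON': {'value': value, 'type': itype},
                                          'fields': {}, 'relationships': []})
        rel = EntityRelationship(name=name, reverse_name=RELATIONSHIPS[name],
                                 entity_a=a, entity_a_type=a_type,
                                 entity_b=b, entity_b_type=b_type,
                                 source_reliability=reliability, brand=brand)
        indicators[a]['relationships'].append(rel.to_indicator())
    return list(indicators.values())


def batched(items: List[Dict], size: int = 2000) -> Iterator[List[Dict]]:
    """Yield chunks sized for one createIndicators() call; never push a whole feed at once."""
    for i in range(0, len(items), size):
        yield items[i:i + size]


SAMPLE_FEED = [  # constructed sample records using reserved documentation ranges, not real data
    {'source': '203.0.113.10', 'target': 'c2.example.net', 'relationship': 'communicated-with'},
    {'source': '203.0.113.10', 'target': 'c2.example.net', 'relationship': 'communicated-with'},  # duplicate
    {'source': 'C2.EXAMPLE.NET', 'target': 'campaign-x', 'relationship': 'indicator-of'},  # target is not IP/Domain
    {'source': 'not an indicator', 'target': '198.51.100.7', 'relationship': 'uses'},  # bad source
    {'source': '198.51.100.7', 'target': '198.51.100.7', 'relationship': 'targets'},  # self-reference
]

if __name__ == '__main__':
    for chunk in batched(build_indicators(SAMPLE_FEED, brand='ExampleFeed')):
        # inside an integration: demisto.createIndicators(chunk)
        print(f'would create {len(chunk)} indicators: {[o["value"] for o in chunk]}')
```

For a non-feed command (an enrichment command, for example) the same `EntityRelationship` objects are returned instead through `CommandResults(relationships=[...])`; the validation and deduplication logic applies unchanged.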
2. Manual Creation via the Cortex XSOAR UI
The user interface provides a flexible way for security analysts to manually establish or adjust relationships between indicators. This is particularly useful for ad-hoc investigations, refining existing data, or incorporating human intelligence.
- How it Works: Analysts can directly interact with the indicator details page within the Cortex XSOAR platform to define connections between indicators.
- Steps (General):
- Navigate to the Indicators section in Cortex XSOAR.
- Select an existing indicator to view its details, or create a new one.
- Within the indicator's details page, locate the Relationships section (or a similarly named tab or field).
- Add or modify relationships by searching for other existing indicators and specifying the relationship name (e.g., "indicator-of", "uses", "targets", "communicated-with"); the name also fixes the direction of the relationship, since each name has a defined reverse (for example "indicator-of" is shown as "indicated-by" from the other indicator's side).
- Use Cases:
- Manually linking a newly discovered phishing email's sender to a known malicious URL during an investigation.
- Connecting an observed malware sample to a previously identified Command and Control (C2) server based on analyst findings.
- Refining automatically generated relationships based on further human analysis and context.
- Benefits: Flexibility, human oversight, immediate adjustments, and robust support for investigative workflows, allowing analysts to quickly build connections as new information surfaces.
Comparison of Methods
Feature | Programmatic Creation (Integrations) | Manual Creation (UI) |
---|---|---|
Automation Level | High (code-driven, automatic) | Low (human-driven, manual) |
Scalability | Excellent for large volumes of data and recurring tasks | Limited, suitable for individual adjustments and refinements |
Consistency | High (defined by code logic and standardized processes) | Depends on analyst adherence to established standards |
Primary Users | Developers, automation engineers | Security analysts, incident responders |
Use Case Focus | Threat intelligence ingestion, automated data enrichment | Ad-hoc investigations, data refinement, human intelligence input |
Required Skills | Python programming, XSOAR integration development | Familiarity with XSOAR UI, analytical skills |
By leveraging both programmatic and manual approaches, organizations can maintain a comprehensive and up-to-date threat intelligence graph within Cortex XSOAR, enhancing their ability to detect, investigate, and respond to threats effectively.