Automated Correlation
Automated correlation helps you to identify the relationships between observables, indicators, and objects.
With the correlation process, the application automatically establishes correlations between threat intelligence records based on predefined rules. Depending on the type of rule that was applied, the result is either a confirmed relationship or a potential relationship. If the relationship between two objects is confirmed, those objects are automatically displayed in the details view of each object under the Related Records section.
The following describes the relationships and potential relationships:
- Relationships: Use relationship objects to link two observables, or an observable and an SDO, to explain how they relate to each other.
- Potential Relationships: Use potential relationships to record possible relationships, established by automated correlation, between two SDOs, two observables, or an observable and an SDO.
Following are the predefined correlation rules provisioned within the base system:
| Rule Name | Rule Description | Rule Definition | Rule Action |
|---|---|---|---|
| Observables with same file hash | The rule compares the observables' hash values (of the same type) and identifies if they share the same hash. | The rule compares the hash values (of the same type) of the indicators and identifies if they share the same hash. | Creates a Relationship |
| URL Observables with same domain | The rule examines the commonalities in the structure of URLs to identify if they share the same base domain. | The rule examines the commonalities in the structure of URLs - Identifies if they share the same base domain and have a similar subdirectory structure. | Creates a Potential Relationship |
| Observable found as sources in network object | The rule matches the Network source attribute value with IPV4, IPV6, or domain-name observables in the system and links as the Source of traffic. | The rule matches the Source attribute value with IPV4, IPV6 or domain-name observables in the system and links as Source of traffic. | Creates a Relationship |
| Observable found as destination in network object | The rule matches the Network destination attribute value with IPV4, IPV6, or domain-name observables in the system and links as the destination of the traffic. | The rule matches the Destination attribute value with IPV4, IPV6, or domain-name observables in the system and links as destination of traffic. | Creates a Relationship |
| Relate observables based on communication | On the basis of network objects, the rule identifies all the observables (IPV4, IPV6, and domain name) that have communicated with the same destination (IPV4, IPV6, or domain name) and establishes a relationship between these observables. It also relates observables (IPV4, IPV6, and domain name) if they are related to the same network object as the source communicating with the destination. | On the basis of network objects, the rule identifies all the indicators that have communicated with the same destination (IPV4, IPV6, mac-addr, or domain-name) and establishes a relationship between these indicators as connected to the same C2 infrastructure. | Creates a Relationship |
| Related Root domain observables to sub domains | The rule ties together a root domain with sub-domains and vice versa for domain type of observables. | The rule ties together a root domain with sub-domains. | Creates a Relationship |
| Related domains to IPs based on DNS resolutions | Using the domain-ipv4 or domain-ipv6 attributes of domain observables, the rule establishes relationships between the domains and IPs. | Using the domain-ipv4 or domain-ipv6 attributes, the rule identifies all the domains or sub-domains that resolve to the same IP address and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure. | Creates a Relationship |
| Matching domains with SSL Certificates | The rule analyzes the SSL certificate information associated with the domain observables and establishes a relation between them. | The rule analyzes the SSL certificate information associated with the indicators and identifies that both certificates are issued by the same certificate authority and share the same expiration date and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure or threat campaign. | Creates a Relationship |
| Relate entities based on common observables | The rule compares if the same observable is related to two different entities and relates them to each other. | The rule compares if the same observable is related to two different entities and identifies them as related to each other. | Creates a Potential Relationship |
| Relate indicators based on common observables | The rule compares if the same observable is related to two different indicators and relates them to each other. | The rule compares if the same observable is related to two different indicators and identifies them as related to each other. | Creates a Potential Relationship |
| Relate indicators with objects based on common observables | The rule compares if the same observable is related to indicators and objects, and relates them to each other. | The rule compares if the same observable is related to two different indicators and objects, and identifies them as related to each other. | Creates a Potential Relationship |
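As an added illustration, not the product's own rule engine, the Python below evaluates three of the rules in the table (Observables with same file hash, URL Observables with same domain, and the network source, destination and communication rules) over constructed records and reports whether each match yields a Relationship or a Potential Relationship. The record shape, the `obs-*`/`net-*` ids and the "last two labels form the base domain" heuristic are assumptions; the platform's actual base-domain logic is not published here.

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlsplit
# Constructed sample records (not product data); the shape loosely mimics STIX cyber observables.
OBSERVABLES = [
    {"id": "obs-1", "type": "file", "hashes": {"SHA-256": "ab" * 32}},
    {"id": "obs-2", "type": "file", "hashes": {"SHA-256": "ab" * 32}},
    {"id": "obs-3", "type": "file", "hashes": {"MD5": "ab" * 16}},  # other hash type: never compared
    {"id": "obs-4", "type": "url", "value": "http://login.example.com/a/b.php"},
    {"id": "obs-5", "type": "url", "value": "https://example.com/c/"},
    {"id": "obs-6", "type": "ipv4-addr", "value": "203.0.113.10"},
    {"id": "obs-7", "type": "ipv4-addr", "value": "203.0.113.11"},
    {"id": "obs-8", "type": "domain-name", "value": "c2.example.net"},
]
# Constructed network objects carrying the "Network" source and destination attributes as raw values.
NETWORK_OBJECTS = [
    {"id": "net-1", "src": "203.0.113.10", "dst": "c2.example.net"},
    {"id": "net-2", "src": "203.0.113.11", "dst": "c2.example.net"},
]
def _pairs(groups, kind, rule):
    """One (a, b, kind, rule) edge for every pair of record ids that fell into the same group."""
    return [(a, b, kind, rule) for ids in groups.values() for a, b in combinations(sorted(ids), 2)]

def rule_same_file_hash(observables):
    groups = defaultdict(set)
    for o in observables:
        for algo, digest in o.get("hashes", {}).items():
            groups[(algo, digest.lower())].add(o["id"])  # keyed on (type, value): same hash type only
    return _pairs(groups, "relationship", "Observables with same file hash")

def rule_url_same_base_domain(observables):
    groups = defaultdict(set)
    for o in observables:
        if o["type"] == "url":
            host = urlsplit(o["value"]).hostname or ""
            groups[".".join(host.split(".")[-2:])].add(o["id"])  # ASSUMPTION: last two labels = base domain
    return _pairs(groups, "potential-relationship", "URL Observables with same domain")

def rule_communication(observables, network_objects):
    by_value = {o["value"]: o["id"] for o in observables if o["type"] in ("ipv4-addr", "ipv6-addr", "domain-name")}
    edges, sources_by_dst = [], defaultdict(set)
    for n in network_objects:
        src, dst = by_value.get(n["src"]), by_value.get(n["dst"])
        if src:  # matched the source attribute: link the observable as the source of traffic
            edges.append((src, n["id"], "relationship", "Observable found as sources in network object"))
        if dst:  # matched the destination attribute: link the observable as the destination of traffic
            edges.append((dst, n["id"], "relationship", "Observable found as destination in network object"))
        if src and dst:
            sources_by_dst[dst].add(src)  # sources talking to one destination are related to each other
    return edges + _pairs(sources_by_dst, "relationship", "Relate observables based on communication")
```

Note that the hash rule groups on the pair (algorithm, digest), so the MD5 record is never compared with the SHA-256 records, matching the "of the same type" wording in the table.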