Automated Correlation
Automated correlation helps you identify the relationships between observables, indicators, and objects.
During correlation, the application automatically establishes links between threat intelligence records based on predefined rules. Depending on the type of rule applied, the result is either a confirmed relationship or a potential relationship. When a relationship between objects is confirmed, the related objects are automatically displayed in the details view of that object under the Related Records section.
- Relationships: Use relationship objects to link two observables, or an observable and an SDO, and explain how they relate to each other.
- Potential Relationships: Use potential relationships to establish possible relationships between two SDOs, two observables, or an observable and an SDO through automated correlation.
Correlation rules for potential relationships identify potential relationships between threat intelligence entities, indicators, and observables.
Note: The four correlation rules that generate potential relationships are disabled by default (for details, refer to the following Correlation rules table). Enabling these rules can create a large number of potential relationships, depending on the volume of ingested data. Enable them according to your requirements.
| Name | Description | Definition | Action | Status |
|---|---|---|---|---|
| Observables with same file hash | The rule compares the observables' hash values of the same type and identifies if they share the same hash. | The rule compares the hash values of the same type of the indicators and identifies if they share the same hash. | Creates a Relationship | Enabled |
| URL Observables with same domain | The rule examines the commonalities in the structure of URLs to identify if they share the same base domain. | The rule examines the commonalities in the structure of URLs. Identifies if they share the same base domain and have a similar sub directory structure. | Creates a Potential Relationship | Disabled |
| Observable found as sources in network object | The rule matches the Network source attribute value with IPV4, IPV6, or domain-name observables in the system and links as the Source of traffic. | The rule matches the Source attribute value with IPV4, IPV6 or domain-name observables in the system and links as Source of traffic. | Creates a Relationship | Enabled |
| Observable found as destination in network object | The rule matches the Network destination attribute value with IPV4, IPV6, or domain-name observables in the system and links as the destination of the traffic. | The rule matches the destination attribute value with IPV4, IPV6 or domain-name observables in the system and links as destination of traffic. | Creates a Relationship | Enabled |
| Relate observables based on communication | Based on network objects, the rule identifies all the observables (IPV4, IPV6, and domain name) that have communicated with the same destination (IPV4, IPV6, or domain name) and establishes a relationship between these observables. It also relates observables (IPV4, IPV6, and domain name) if they are related to the same network object as the source communicating with the destination. | Based on network objects, the rule identifies all the indicators that have communicated with the same destination (IPV4, IPV6, mac-addr, or domain-name) and establishes a relationship between these indicators as connected to the same C2 infrastructure. | Creates a Relationship | Enabled |
| Related Root domain observables to sub domains | The rule ties together a root domain with sub-domains and vice versa for domain type of observables. | The rule ties together a root domain with sub-domains. | Creates a Relationship | Enabled |
| Related domains to IPs based on DNS resolutions | Using domain-ipv4 or domain-ipv6 attributes of domain observables, the rule establishes relationships between the domains and IPs. | Using the attributes domain-ipv4 or domain-ipv6, the rule identifies all the domains or sub-domains that resolve to the same IP address and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure. | Creates a Relationship | Enabled |
| Matching domains with SSL Certificates | The rule analyzes the SSL certificate information associated with the domain observables and establishes a relation between them. | The rule analyzes the SSL certificate information associated with the indicators and identifies that both certificates are issued by the same certificate authority and share the same expiration date and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure or threat campaign. | Creates a Relationship | Enabled |
| Relate entities based on common observables | The rule compares if the same observable is related to two different entities and relates them to each other. | The rule compares if the same observable is related to two different entities and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
| Relate indicators based on common observables | The rule compares if the same observable is related to two different indicators and relates them to each other. | The rule compares if the same observable is related to two different indicators and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
| Relate indicators with objects based on common observables | The rule compares if the same observable is related to indicators, and objects and relates them to each other. | The rule compares if the same observable is related to indicators and objects and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
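As an added illustration (not ServiceNow code), the following Python models four of the rules in the table above over constructed sample records: same file hash, root domain to sub-domain, and domain-to-IP DNS resolution create confirmed relationships, while the common-observable rule between entities produces potential relationships and stays disabled unless explicitly enabled, as the note describes. Record shapes, attribute names and all values are assumptions.

```python
from itertools import combinations

# Constructed sample records (hypothetical values, not real indicators).
OBSERVABLES = [
    {"id": "obs1", "type": "file", "attrs": {"sha256": "aa11"}},
    {"id": "obs2", "type": "file", "attrs": {"sha256": "aa11"}},
    {"id": "obs3", "type": "domain-name",
     "attrs": {"value": "example.test", "domain-ipv4": ["192.0.2.10"]}},
    {"id": "obs4", "type": "domain-name",
     "attrs": {"value": "cdn.example.test", "domain-ipv4": ["192.0.2.10"]}},
    {"id": "obs5", "type": "ipv4-addr", "attrs": {"value": "192.0.2.10"}},
]
# Entities (e.g. campaigns) mapped to the observable ids already related to them.
ENTITIES = {"campaign-A": {"obs1", "obs3"}, "campaign-B": {"obs1", "obs4"}}

def same_file_hash(observables):
    """Confirmed relationship: file observables sharing a hash of the same type."""
    out = []
    for a, b in combinations(observables, 2):
        if a["type"] == b["type"] == "file":
            for h, v in a["attrs"].items():
                if b["attrs"].get(h) == v:
                    out.append(("relationship", a["id"], b["id"], "same-file-hash"))
    return out

def root_to_subdomain(observables):
    """Confirmed relationship: root domain tied to its sub-domains (either order)."""
    domains = [o for o in observables if o["type"] == "domain-name"]
    out = []
    for a, b in combinations(domains, 2):
        va, vb = a["attrs"]["value"], b["attrs"]["value"]
        if vb.endswith("." + va):
            out.append(("relationship", a["id"], b["id"], "root-to-subdomain"))
        elif va.endswith("." + vb):
            out.append(("relationship", b["id"], a["id"], "root-to-subdomain"))
    return out

def domain_to_ip(observables):
    """Confirmed relationship: domain-ipv4 attribute resolving to a known IP observable."""
    ips = {o["attrs"]["value"]: o["id"] for o in observables if o["type"] == "ipv4-addr"}
    return [("relationship", o["id"], ips[ip], "dns-resolution")
            for o in observables if o["type"] == "domain-name"
            for ip in o["attrs"].get("domain-ipv4", []) if ip in ips]

def entities_with_common_observables(entities, enabled=False):
    """Potential relationship; disabled by default because it can fan out widely."""
    if not enabled:
        return []
    return [("potential", ea, eb, f"common-observable:{shared}")
            for (ea, sa), (eb, sb) in combinations(entities.items(), 2)
            for shared in sorted(sa & sb)]

def correlate(observables, entities, enable_potential=False):
    """Run the modelled rules and return all generated relationship records."""
    return (same_file_hash(observables) + root_to_subdomain(observables)
            + domain_to_ip(observables)
            + entities_with_common_observables(entities, enable_potential))
```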