Automated Correlation

  • Release version: Yokohama
  • Updated January 30, 2025
  • 4 minutes to read
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Automated Correlation

    Automated correlation in ServiceNow helps you identify and establish relationships between observables, indicators, and objects in threat intelligence data. The system uses predefined correlation rules to automatically create confirmed or potential relationships, enhancing your ability to analyze and understand threat connections efficiently.


    Key Features

    • Confirmed Relationships: These are definitive links between two observables or between an observable and a Structured Data Object (SDO), shown under the Related Records section for easy reference.
    • Potential Relationships: These indicate possible connections identified through correlation rules between two SDOs, two observables, or an observable and an SDO. Potential relationships are initially disabled due to potentially high volume but can be enabled as needed.
    • Predefined Correlation Rules: The system includes several built-in rules that automate relationship identification, such as matching file hashes, domains, network sources and destinations, communication patterns, DNS resolutions, SSL certificates, and common observables.

    Correlation Rules and Their Impact

    The predefined rules fall into two categories based on the type of relationship they create:

    • Enabled Rules Creating Confirmed Relationships: These rules actively link observables and indicators based on exact matches (e.g., same file hash, network source/destination, domain-IP resolutions, SSL certificate details, and communication links), providing reliable and actionable threat intelligence connections.
    • Disabled Rules Creating Potential Relationships: Rules that suggest possible but unconfirmed relationships (e.g., shared domains or common observables) are disabled by default to avoid excessive data volume but can be enabled selectively to uncover broader threat context.

    Practical Benefits for ServiceNow Customers

    • Automatically uncover hidden or explicit relationships among threat intelligence data, improving investigation speed and accuracy.
    • Visualize confirmed relationships directly in object details, facilitating easier threat analysis and response.
    • Control over enabling potential relationship rules allows customization based on data volume and investigative needs.
    • Leverage out-of-the-box correlation rules to reduce manual analysis workload and enhance threat insights immediately.

    Next Steps

    ServiceNow customers can manage correlation rules to balance performance and insight, confirm potential relationships from related records, and use related resources such as the Data Model, TISC Library, and downstream action guides to maximize the value of automated correlation in their threat intelligence workflows.

    Automated correlation helps you to identify the relationships between observables, indicators, and objects.

    With the correlation process, the application automatically establishes the correlation between threat intelligence records based on the predefined rules. Based on the type of the rule that is applied, the relationship can be a confirmed relationship or potential relationship. If the relationships between the objects are confirmed, those objects are automatically displayed on the details view of that object under the Related Records section.

    The following describes relationships and potential relationships:
    • Relationships: Use relationship objects to link together two observables, or an observable and an SDO, to explain how they relate to each other.
    • Potential Relationships: Use potential relationships to establish possible relationships between two SDOs, two observables, or an observable and an SDO by using automated correlation.

      Correlation rules for potential relationships identify potential relationships between threat intelligence entities, indicators, and observables.

      Note:
      The four correlation rules that generate potential relationships are disabled by default (for details, refer to the following Correlation rules table). Enabling these rules can result in the creation of a large number of potential relationships, depending on the volume of ingested data. Users can enable the rules based on their requirements.
    The following are the predefined correlation rules provisioned within the base system:
    Table 1. Correlation rules
    Each rule is listed with its Name, followed by its Description, Definition, Action, and Status.

    Observables with same file hash
      Description: The rule compares the observables' hash values of the same type and identifies whether they share the same hash.
      Definition: The rule compares the hash values of the same type of the indicators and identifies whether they share the same hash.
      Action: Creates a Relationship
      Status: Enabled

    URL Observables with same domain
      Description: The rule examines the commonalities in the structure of URLs to identify whether they share the same base domain.
      Definition: The rule examines the commonalities in the structure of URLs and identifies whether they share the same base domain and have a similar subdirectory structure.
      Action: Creates a Potential Relationship
      Status: Disabled

    Observable found as sources in network object
      Description: The rule matches the Network source attribute value with IPV4, IPV6, or domain-name observables in the system and links them as the Source of traffic.
      Definition: The rule matches the Source attribute value with IPV4, IPV6, or domain-name observables in the system and links them as the Source of traffic.
      Action: Creates a Relationship
      Status: Enabled

    Observable found as destination in network object
      Description: The rule matches the Network destination attribute value with IPV4, IPV6, or domain-name observables in the system and links them as the destination of the traffic.
      Definition: The rule matches the destination attribute value with IPV4, IPV6, or domain-name observables in the system and links them as the destination of the traffic.
      Action: Creates a Relationship
      Status: Enabled

    Relate observables based on communication
      Description: Based on network objects, the rule identifies all the observables (IPV4, IPV6, and domain name) that have communicated with the same destination (IPV4, IPV6, or domain name) and establishes a relationship between these observables. It also relates observables (IPV4, IPV6, and domain name) that are related to the same network object as the source communicating with the destination.
      Definition: Based on network objects, the rule identifies all the indicators that have communicated with the same destination (IPV4, IPV6, mac-addr, or domain-name) and establishes a relationship between these indicators as connected to the same C2 infrastructure.
      Action: Creates a Relationship
      Status: Enabled

    Related Root domain observables to sub domains
      Description: The rule ties together a root domain with its sub-domains, and vice versa, for domain-type observables.
      Definition: The rule ties together a root domain with its sub-domains.
      Action: Creates a Relationship
      Status: Enabled

    Related domains to IPs based on DNS resolutions
      Description: Using the domain-ipv4 or domain-ipv6 attributes of domain observables, the rule establishes relationships between the domains and IPs.
      Definition: Using the attributes domain-ipv4 or domain-ipv6, the rule identifies all the domains or sub-domains that resolve to the same IP address and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure.
      Action: Creates a Relationship
      Status: Enabled

    Matching domains with SSL Certificates
      Description: The rule analyzes the SSL certificate information associated with the domain observables and establishes a relationship between them.
      Definition: The rule analyzes the SSL certificate information associated with the indicators, identifies that both certificates are issued by the same certificate authority and share the same expiration date, and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure or threat campaign.
      Action: Creates a Relationship
      Status: Enabled

    Relate entities based on common observables
      Description: The rule checks whether the same observable is related to two different entities and relates them to each other.
      Definition: The rule checks whether the same observable is related to two different entities and identifies them as related to each other.
      Action: Creates a Potential Relationship
      Status: Disabled

    Relate indicators based on common observables
      Description: The rule checks whether the same observable is related to two different indicators and relates them to each other.
      Definition: The rule checks whether the same observable is related to two different indicators and identifies them as related to each other.
      Action: Creates a Potential Relationship
      Status: Disabled

    Relate indicators with objects based on common observables
      Description: The rule checks whether the same observable is related to indicators and objects and relates them to each other.
      Definition: The rule checks whether the same observable is related to indicators and objects and identifies them as related to each other.
      Action: Creates a Potential Relationship
      Status: Disabled
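As an added example that is not ServiceNow code, the following Python implements the matching logic of several rules from the table above over a small, constructed set of STIX-style observables, network traffic records and entities. The data shapes, rule names (same_file_hash, same_destination, common_observables, and so on) and every sample value are assumptions made for illustration. Enabled rules emit confirmed relationships; the common-observables rule is gated behind an enable_potential flag that defaults to off, mirroring the Note above. The file-hash rule deliberately keys on both hash type and value, so an MD5 and a SHA-256 that happen to share a digest string do not get linked.

```python
"""Toy correlation engine for the rule types in Table 1.

Added example, not ServiceNow code: data shapes (STIX-style dicts), rule
names and all sample values are constructed for illustration only.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample observables (hypothetical values, not real indicators).
OBSERVABLES = [
    {"id": "obs-1", "type": "file", "hashes": {"SHA-256": "aaaa1111"}},
    {"id": "obs-2", "type": "file", "hashes": {"SHA-256": "aaaa1111"}},
    # same digest string but a different hash type: must not match obs-1/obs-2
    {"id": "obs-3", "type": "file", "hashes": {"MD5": "aaaa1111"}},
    {"id": "obs-4", "type": "domain-name", "value": "example.test",
     "resolves_to": ["203.0.113.10"],
     "ssl": {"issuer": "Example CA", "not_after": "2025-12-31"}},
    {"id": "obs-5", "type": "domain-name", "value": "cdn.example.test",
     "resolves_to": ["203.0.113.10"],
     "ssl": {"issuer": "Example CA", "not_after": "2025-12-31"}},
    {"id": "obs-6", "type": "ipv4-addr", "value": "203.0.113.10"},
    {"id": "obs-7", "type": "ipv4-addr", "value": "198.51.100.7"},
    {"id": "obs-8", "type": "ipv4-addr", "value": "198.51.100.8"},
]
# Constructed network objects: two sources talking to the same destination.
NETWORK_TRAFFIC = [
    {"src": "198.51.100.7", "dst": "203.0.113.10"},
    {"src": "198.51.100.8", "dst": "203.0.113.10"},
]
# Constructed entities (SDOs) with the observables each one is related to.
ENTITIES = [
    {"id": "campaign-1", "observables": ["obs-1", "obs-6"]},
    {"id": "malware-1", "observables": ["obs-2", "obs-6"]},
]


def correlate(observables, traffic, entities, enable_potential=False):
    """Return [{"rule", "kind", "members"}]; kind is "Relationship" (confirmed)
    or "Potential Relationship". Potential rules run only when enabled."""
    by_value = {o["value"]: o["id"] for o in observables if "value" in o}
    domains = [o for o in observables if o["type"] == "domain-name"]
    found = []

    def emit(rule, kind, a, b):
        rel = {"rule": rule, "kind": kind, "members": tuple(sorted((a, b)))}
        if rel not in found:  # avoid duplicate links for the same pair
            found.append(rel)

    # Observables with same file hash: hash type AND value must both match.
    by_hash = defaultdict(list)
    for o in observables:
        for algo, digest in o.get("hashes", {}).items():
            by_hash[(algo, digest.lower())].append(o["id"])
    for ids in by_hash.values():
        for a, b in combinations(ids, 2):
            emit("same_file_hash", "Relationship", a, b)

    # Observable found as source / destination in a network object.
    sources_by_dst = defaultdict(list)
    for i, flow in enumerate(traffic):
        net_id = f"net-{i + 1}"
        src_id, dst_id = by_value.get(flow["src"]), by_value.get(flow["dst"])
        if src_id:
            emit("source_in_network_object", "Relationship", src_id, net_id)
        if dst_id:
            emit("destination_in_network_object", "Relationship", dst_id, net_id)
        if src_id and dst_id:
            sources_by_dst[dst_id].append(src_id)
    # Relate observables based on communication with the same destination.
    for srcs in sources_by_dst.values():
        for a, b in combinations(sorted(set(srcs)), 2):
            emit("same_destination", "Relationship", a, b)

    # Root domain <-> sub-domain, and domain -> IP via DNS resolution attributes.
    for a, b in combinations(domains, 2):
        if a["value"].endswith("." + b["value"]) or b["value"].endswith("." + a["value"]):
            emit("root_to_subdomain", "Relationship", a["id"], b["id"])
    for d in domains:
        for ip in d.get("resolves_to", []):
            if ip in by_value:
                emit("dns_resolution", "Relationship", d["id"], by_value[ip])

    # Matching SSL certificates: same issuer and same expiration date.
    by_cert = defaultdict(list)
    for d in domains:
        if d.get("ssl"):
            by_cert[(d["ssl"]["issuer"], d["ssl"]["not_after"])].append(d["id"])
    for ids in by_cert.values():
        for a, b in combinations(ids, 2):
            emit("matching_ssl_certificate", "Relationship", a, b)

    # Relate entities based on common observables: disabled by default.
    if enable_potential:
        for e1, e2 in combinations(entities, 2):
            if set(e1["observables"]) & set(e2["observables"]):
                emit("common_observables", "Potential Relationship", e1["id"], e2["id"])
    return found
```

Calling correlate(OBSERVABLES, NETWORK_TRAFFIC, ENTITIES) on this sample yields ten confirmed relationships (one hash match, four source/destination links to the two network objects, one communication link between obs-7 and obs-8, the root/sub-domain pair, two DNS resolutions and one SSL match); passing enable_potential=True adds a single Potential Relationship between campaign-1 and malware-1 through the shared obs-6, which is the kind of volume growth the Note warns about once real feeds are ingested.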