IBM Security QRadar SOAR

  • 1.  Artifacts "Relate?" feature

    Posted Fri October 30, 2020 04:08 PM
    Hi Everyone,
    The Artifacts team is considering some changes to the Artifacts widget functionality.  Specifically, we're wondering if anyone uses the "Relate?" feature in this Artifacts widget.  If you do, could you tell us how you use it?  Does the behavior of the feature confuse you?  How would you like this to work?  Please share your feedback!



    ------------------------------
    Chuck Schauber
    Product Management
    IBM Resilient
    Cambridge MA
    ------------------------------


  • 2.  RE: Artifacts "Relate?" feature

    Posted Tue November 10, 2020 12:33 PM
    Hi Chuck,
    Actually, we do use it - although it is mostly in the "position Relate", there are some cases where we just don't want to link one incident to another, despite them having the same artefacts. 
    The "Relate" is fantastic:  it links incidents that have the same artifacts and allows us to quickly spot similarities, trends, ...
    We even use it with a self defined artifact type "Relate Incident Nr" to be able to manually link cases that have no other artifacts in common.

    ------------------------------
    Guido Janssens
    ------------------------------



  • 3.  RE: Artifacts "Relate?" feature

    Posted Tue November 10, 2020 08:45 PM
    Hi Guido, 
    Thanks for the feedback.  I have a couple of follow-up questions.  Is it clear that the "Relate" field only affects the current Incident?  That is, when you configure it to "Do Not Relate", is it clear that it only filters relationships looking outwards from this Incident, and that all other Incidents will still relate back to this Incident's Artifact?

    Is there a desired use case to actually disable relationship to and from this specific artifact entirely?

    Also, do you use the "As specified in the artifact type settings" option?

    Thanks for all your help.
    Chuck Schauber

    ------------------------------
    Chuck Schauber
    Product Management
    IBM Resilient
    Cambridge MA
    ------------------------------



  • 4.  RE: Artifacts "Relate?" feature

    IBM Champion
    Posted Thu November 12, 2020 10:34 PM
    Hey @Chuck Schauber

    We definitely use artifact relations to relate incidents, but we rarely have to modify them manually (but I do like it being an option). We tuned the artifact types in our instance to (by-default) relate the artifact types that would generally be unique to related incidents only (like sender emails for phishing reports, for example). "As specified in the artifact type settings" is what we leave them on 99% of the time, unless it's clear that we want to stop relating an incident for some reason or want to start relating an incident with something else (where we'd change it across multiple then).

    Analysts then look at the "Related Incidents" to see if another analyst has worked on a similar incident recently and what the outcome / status of them are.

    Related incidents are the best/quickest way to emulate a desired parent-child incident relationship. If we get hit with a phishing campaign (I'll keep to the phishing examples), and we get a bunch of reports on them, we'll use the lowest related incident ID (first report from the phish campaign) as the "master" (parent) incident, and then all other related incidents get addressed (closed with notes directing to the master).

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
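A constructed model of the outward-only "Relate?" semantics Chuck describes (a "Do Not Relate" on one incident's artifact hides matches from that incident's view only; other incidents still relate back) together with Jared's lowest-ID "master" convention and Edwin's Port-type default. This is an added example, not QRadar SOAR or Resilient code; the type defaults, incident data and function names are assumptions.

```python
from dataclasses import dataclass

# Constructed artifact-type defaults, standing in for the
# "artifact type settings" page; Port is off, as in Edwin's post.
TYPE_DEFAULTS = {"Email Sender": True, "IP Address": True, "Port": False}

@dataclass
class Artifact:
    type: str
    value: str
    # Per-artifact "Relate?" value: "relate", "do_not_relate", or
    # "default" (= "As specified in the artifact type settings").
    relate: str = "default"

    def relates_outward(self) -> bool:
        if self.relate == "default":
            return TYPE_DEFAULTS.get(self.type, True)
        return self.relate == "relate"

@dataclass
class Incident:
    id: int
    artifacts: list

def related_incidents(inc: Incident, incidents: list) -> set:
    """IDs of incidents sharing an artifact (type + value) with inc.

    Only inc's own artifact settings are consulted: a "Do Not Relate"
    on another incident's copy of the artifact does not hide it here,
    which is the outward-only filtering described in the thread."""
    keys = {(a.type, a.value) for a in inc.artifacts if a.relates_outward()}
    return {
        other.id for other in incidents
        if other.id != inc.id
        and any((a.type, a.value) in keys for a in other.artifacts)
    }

def master_incident(inc: Incident, incidents: list) -> int:
    """Lowest ID among inc and its related incidents (the "parent")."""
    return min(related_incidents(inc, incidents) | {inc.id})

# Constructed sample: one phishing lure reported four times.
SENDER = Artifact("Email Sender", "lure@example.net")
INCIDENTS = [
    Incident(101, [SENDER, Artifact("Port", "443")]),
    Incident(102, [SENDER]),
    Incident(103, [Artifact("Port", "443")]),  # only a Port in common: never related
    Incident(104, [Artifact("Email Sender", "lure@example.net", "do_not_relate")]),
]

if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc.id, sorted(related_incidents(inc, INCIDENTS)), master_incident(inc, INCIDENTS))
```

Incident 104 sees no related incidents because of its own "Do Not Relate", yet 101 and 102 still list 104, and every member of the campaign resolves to 101 as master.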



  • 5.  RE: Artifacts "Relate?" feature

    Posted Fri November 20, 2020 03:48 PM
    Jared & Edwin
    Thank you so much for your feedback.  This has been very helpful.
    -Chuck

    ------------------------------
    Chuck Schauber
    Product Management
    IBM Resilient
    Cambridge MA
    ------------------------------



  • 6.  RE: Artifacts "Relate?" feature

    Posted Wed November 18, 2020 10:36 AM
    Hi, Chuck - As others have said, the basic functionality of Incident relations is very valuable to us.  The default value of Relate is good for 99+% of Artifacts, and we turn it off for artifact types where the value of relations is very low - specifically, Port - where it would be very misleading to allow Resilient to make connections.

    We also plan to make more use of Artifacts and their interrelations with new and better Hit data coming through from our ThreatConnect server, which will in effect be a threat data concentrator. I have written a custom threat feed for this, if anyone is interested.

    We are also experimenting with synthetic/custom Artifacts that will enable us to use the Relate function to make connections programmatically between Incidents and this should provide an input to a future SOAR module that will support highly automated triaging operations.

    There are a number of improvements to the Hit and threat feed logic (such as 'last updated' timestamps even when Hit data does not change) and to the flexibility of Hit display that would be good - and have been suggested through the IBM Aha! site.

    But returning to Artifact/Relate - this is very valuable and has been set to work the way it is now, so please make any changes fully backward-compatible!

    I'm happy to take any additional questions direct or via this thread.

    Best regards - Edwin Bolton

    ------------------------------
    Edwin Bolton
    ------------------------------