Automated Correlation
Summary of Automated Correlation
Automated correlation in ServiceNow helps identify and establish relationships between observables, indicators, and objects within threat intelligence data. This process uses predefined correlation rules to automatically link related threat intelligence records, enabling faster and more accurate analysis.
Relationships established by the system can be either confirmed relationships or potential relationships. Confirmed relationships are displayed directly in the Related Records section of an object's detail view, helping analysts quickly understand connections. Potential relationships indicate possible links that require further validation.
Key Features
- Confirmed Relationships: Automatically link two observables or an observable and Structured Data Object (SDO) to show confirmed connections.
- Potential Relationships: Identify possible connections between two SDOs, two observables, or an observable and an SDO through automated correlation rules. These are disabled by default due to potential high volume but can be enabled as needed.
- Predefined Correlation Rules: The system provides multiple rules to detect relationships based on various attributes such as file hashes, domain names, network sources and destinations, communication patterns, DNS resolutions, SSL certificate details, and shared observables.
Practical Use of Correlation Rules
Correlation rules automate the linking of threat intelligence entities by examining attributes like:
- Matching file hashes between observables and indicators.
- Common base domains or subdomain relationships in URLs.
- Network object source and destination IPs, domains, and MAC addresses.
- Communication between observables to identify shared command and control (C2) infrastructure.
- Shared SSL certificate characteristics indicating common certificate authorities or expiration dates.
- Common observables linked to different entities or indicators, which may indicate potential relationships (disabled by default).
Enabling potential relationship rules can generate a large number of links depending on data volume, so customers should activate them based on their analytical needs.
Benefits for ServiceNow Customers
- Automates complex threat intelligence correlation to accelerate investigation and response.
- Improves visibility into confirmed and potential threats by linking related data points.
- Reduces manual effort in identifying relationships among observables, indicators, and network objects.
- Provides flexibility to enable or disable specific correlation rules to manage data volume and relevance.
Automated correlation helps you identify the relationships between observables, indicators, and objects.
With the correlation process, the application automatically establishes correlations between threat intelligence records based on predefined rules. Depending on the type of rule that is applied, the relationship is either a confirmed relationship or a potential relationship. When a relationship between two objects is confirmed, the related object is automatically displayed in the Related Records section of the object's details view.
- Relationships: Use relationship objects to link two observables, or an observable and an SDO, and explain how they relate to each other.
- Potential Relationships: Use potential relationships to record possible links between two SDOs, two observables, or an observable and an SDO, as identified by automated correlation.
Correlation rules for potential relationships identify potential relationships between threat intelligence entities, indicators, and observables.
Note: The four correlation rules that generate potential relationships are disabled by default (for details, refer to the following correlation rules table). Enabling these rules can result in the creation of a large number of potential relationships, depending on the volume of ingested data. Users can enable the rules based on their requirements.
| Name | Description | Definition | Action | Status |
|---|---|---|---|---|
| Observables with same file hash | The rule compares the observables' hash values of the same type and identifies if they share the same hash. | The rule compares the hash values of the same type of the indicators and identifies if they share the same hash. | Creates a Relationship | Enabled |
| URL Observables with same domain | The rule examines the commonalities in the structure of URLs to identify if they share the same base domain. | The rule examines the commonalities in the structure of URLs. Identifies if they share the same base domain and have a similar sub directory structure. | Creates a Potential Relationship | Disabled |
| Observable found as sources in network object | The rule matches the Network source attribute value with IPV4, IPV6, or domain-name observables in the system and links as the Source of traffic. | The rule matches the Source attribute value with IPV4, IPV6 or domain-name observables in the system and links as Source of traffic. | Creates a Relationship | Enabled |
| Observable found as destination in network object | The rule matches the Network destination attribute value with IPV4, IPV6, or domain-name observables in the system and links as the destination of the traffic. | The rule matches the destination attribute value with IPV4, IPV6 or domain-name observables in the system and links as destination of traffic. | Creates a Relationship | Enabled |
| Relate observables based on communication | Based on network objects, the rule identifies all the observables (IPV4, IPV6, and domain name) that have communicated with the same destination (IPV4, IPV6, or domain name) and establishes a relationship between these observables. It also relates observables (IPV4, IPV6, and domain name) if they are related to the same network object as the source communicating with the destination. | Based on network objects, the rule identifies all the indicators that have communicated with the same destination (IPV4, IPV6, mac-addr or domain-name) and establishes a relationship between these indicators as connected to the same C2 infrastructure. | Creates a Relationship | Enabled |
| Related Root domain observables to sub domains | The rule ties together a root domain with sub-domains and vice versa for domain type of observables. | The rule ties together a root domain with sub-domains. | Creates a Relationship | Enabled |
| Related domains to IPs based on DNS resolutions | Using domain-ipv4 or domain-ipv6 attributes of domain observables, the rule establishes relationships between the domains and IPs. | Using the attributes domain-ipv4 or domain-ipv6, the rule identifies all the domains or sub-domains that resolve to the same IP address and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure. | Creates a Relationship | Enabled |
| Matching domains with SSL Certificates | The rule analyzes the SSL certificate information associated with the domain observables and establishes a relation between them. | The rule analyzes the SSL certificate information associated with the indicators and identifies that both certificates are issued by the same certificate authority and share the same expiration date and establishes relationships between the indicators, indicating their connection to the same C2 infrastructure or threat campaign. | Creates a Relationship | Enabled |
| Relate entities based on common observables | The rule compares if the same observable is related to two different entities and relates them to each other. | The rule compares if the same observable is related to two different entities and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
| Relate indicators based on common observables | The rule compares if the same observable is related to two different indicators and relates them to each other. | The rule compares if the same observable is related to two different indicators and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
| Relate indicators with objects based on common observables | The rule compares if the same observable is related to indicators, and objects and relates them to each other. | The rule compares if the same observable is related to indicators and objects and identifies them as related to each other. | Creates a Potential Relationship | Disabled |
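As an added illustration (not ServiceNow code; the record shapes, field names and the `enabled` flag are assumptions), the following Node.js script applies three of the rules in the table to constructed records and shows how gating the potential-relationship rules changes the output:

```javascript
// Constructed sample records (assumption: simplified shapes, not ServiceNow's schema)
const observables = [
  { id: "obs1", type: "file", hashes: { "SHA-256": "8f3a" } },
  { id: "obs2", type: "file", hashes: { "SHA-256": "8f3a" } },
  { id: "obs3", type: "ipv4-addr", value: "10.0.0.5" },
  { id: "obs4", type: "domain-name", value: "c2.example" },
];
// Network objects: one source communicating with one destination (constructed)
const networkObjects = [
  { source: "10.0.0.5", destination: "203.0.113.9" },
  { source: "c2.example", destination: "203.0.113.9" },
];
// SDOs (entities) that reference observables by id (constructed)
const entities = [
  { id: "campaign1", observables: ["obs4"] },
  { id: "malware1", observables: ["obs4", "obs1"] },
];
// Group items by every key keyOf(item) yields, then pair up the ids that share a key
function linkByKey(items, keyOf, idOf) {
  const groups = new Map();
  for (const it of items) for (const k of keyOf(it))
    groups.set(k, [...(groups.get(k) || []), idOf(it)]);
  const out = [];
  for (const ids of groups.values())
    for (let i = 0; i < ids.length; i++)
      for (let j = i + 1; j < ids.length; j++) out.push([ids[i], ids[j]]);
  return out;
}
const byValue = new Map(observables.filter(o => o.value).map(o => [o.value, o.id]));
// Three of the table's rules; the potential-relationship rule starts disabled
const rules = [
  { name: "Observables with same file hash", kind: "Relationship", enabled: true,
    run: () => linkByKey(observables.filter(o => o.hashes),
      o => Object.entries(o.hashes).map(([t, h]) => `${t}:${h}`), o => o.id) },
  { name: "Relate observables based on communication", kind: "Relationship", enabled: true,
    run: () => linkByKey(networkObjects.filter(n => byValue.has(n.source)),
      n => [n.destination], n => byValue.get(n.source)) },
  { name: "Relate entities based on common observables", kind: "Potential Relationship",
    enabled: false, run: () => linkByKey(entities, e => e.observables, e => e.id) },
];
// Run every enabled rule; enablePotential mirrors switching on the disabled rules
function correlate(enablePotential = false) {
  const links = [];
  for (const r of rules) {
    if (!r.enabled && !(enablePotential && r.kind === "Potential Relationship")) continue;
    for (const [a, b] of r.run()) links.push({ rule: r.name, kind: r.kind, a, b });
  }
  return links;
}
```

With the defaults only the two confirmed relationships are produced; passing `true` adds the potential link between the two entities that share obs4.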