Enrichment Overview
- Updated on 10 Jan 2024
Overview
Enriching threat intelligence data helps remove false positives and delivers actionable intelligence for threat investigations and other security operations. ThreatConnect® includes built-in enrichment services that retrieve data from each third-party enrichment service that a System Administrator has enabled on your instance for a given Indicator type.
The Enrichment tab of an Indicator’s Details screen displays a card for each enrichment service enabled for the Indicator’s type. Each card includes a summary of the data retrieved from the enrichment service and lets you display a detailed view of enrichment information for the Indicator and manually retrieve the most up-to-date information for the Indicator from the enrichment service. You may also be able to import select enrichment data into ThreatConnect for further analysis.
In addition to viewing and retrieving enrichment data on the Enrichment tab, you can pivot on third-party enrichment relationships with Threat Graph and enrich an Indicator using the ThreatConnect v3 API.
At this time, the following third-party enrichment services are available in ThreatConnect:
- DomainTools®: Available for Host Indicators only.
- Farsight Security®: Available for Address and Host Indicators only.
- RiskIQ®: Available for Host Indicators only.
- Shodan®: Available for Address Indicators only.
- urlscan.io: Available for URL Indicators only.
- VirusTotal™: Available for Address, File, Host, and URL Indicators only.
Before You Start
Minimum Role(s) | |
---|---|
Prerequisites | An enrichment service enabled and a valid API key for that enrichment service entered by a System Administrator on the Indicators tab of the System Settings screen |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® and Farsight Security® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
Shodan® is a registered trademark of Shodan.
20146-01 v.04.A