The Enrichment Tab
- Updated on 18 Jan 2023
Overview
Enriching threat intelligence data helps weed out false positives and delivers actionable intelligence for threat investigations and other security operations. ThreatConnect® includes built-in enrichment services that retrieve data from a third-party enrichment service, provided a System Administrator has enabled that service on your instance for the relevant Indicator type, and then display that data on the Enrichment tab of the Indicator’s Details screen.
The Enrichment tab displays a card for each enrichment service enabled for the Indicator’s type. Each card summarizes the data retrieved from the enrichment service, lets you open a detailed view of the enrichment information for the Indicator, and lets you manually retrieve the most up-to-date information for the Indicator from the enrichment service.
At this time, VirusTotal™ is the only third-party enrichment service available in ThreatConnect, and it can be enabled for Address, File, Host, and URL Indicators only.
Before You Start
Minimum Role(s) | Organization role of Read Only User |
---|---|
Prerequisites | An enrichment service enabled and a valid API key for that enrichment service entered by a System Administrator on the System Settings screen (See the “Enrichment Tools” section of ThreatConnect System Administration Guide for more information) |
The Enrichment Tab
If an enrichment service is available for a given Indicator type, the Enrichment tab of the Details screen is shown for Indicators of that type regardless of whether a System Administrator has enabled the enrichment service; data are retrieved and displayed only when the service is enabled.
Figure 1 shows the Enrichment tab of the Details screen for the badguy.com Host Indicator, where a VirusTotal card is displayed because the VirusTotal enrichment service is available for Host Indicators. In this example, the VirusTotal enrichment service is also enabled on the ThreatConnect instance and for Host Indicators, so the VirusTotal card displays data retrieved from VirusTotal for the badguy.com Host Indicator.
To collapse or expand all cards on the Enrichment tab, click the Collapse All or Expand All button, respectively. By default, all cards are expanded.
VirusTotal Enrichment
Data Overview
The Overview section of the VirusTotal card (Figure 1) provides a summary of data retrieved from VirusTotal for the Indicator and the date and time the data were last retrieved.
The information displayed in the Overview section of this card varies based on the Indicator’s type. See Table 1 for a list of data fields that may be displayed on the Overview section of the VirusTotal card and the Indicator type(s) to which each field applies.
Field Name | Description | Applicable Indicator Types |
---|---|---|
ASN | The autonomous system (AS) number to which the Address belongs. | Address |
Country | The country where the Address is located. | Address |
Domain Name | The domain name corresponding to the Address. | Address |
File Size | The File’s size in kilobytes (KB). | File |
File Type | The File’s type. | File |
Final URL | The final URL to which the original URL redirects. | URL |
First Seen/Referenced | The date and time when the object was first seen or referenced. | Address; File; Host; URL |
Imphash | The File’s import hash. | File |
Last DNS Record | The Host’s DNS record on its last VirusTotal scan. | Host |
Last Seen/Referenced | The date and time when the object was last seen or referenced. | Address; File; Host; URL |
MD5 | The File’s MD5 file hash. | File |
Registrar | The company that registered the Host. | Host |
Score | The Indicator’s VirusTotal Score, i.e., the number of VirusTotal partners that consider the Indicator harmful out of the total number of partners that reviewed it. When constructing a TQL query, you can use the vtMaliciousCount parameter to query for Indicators based on their VirusTotal Score. | Address; File; Host; URL |
Serving IP | The IP address from which the URL is being served. | URL |
SHA-1 | The File’s SHA-1 file hash. | File |
SHA-256 | The File’s SHA-256 file hash. | File |
Status | The HTTP status code corresponding to the URL. | URL |
Tags | A list of tags applied to the Indicator in VirusTotal. | Address; File; Host; URL |
VirusTotal Detailed View
Click the Open Detailed View link on the VirusTotal card to display the VirusTotal Detailed View drawer (Figure 2). This drawer displays cards with additional information retrieved from VirusTotal for the Indicator.
The cards displayed on an Indicator’s VirusTotal Detailed View drawer are collapsed by default and vary based on the Indicator’s type. Click on a card to expand it and view its data. Figure 3 shows the VirusTotal Detailed View drawer in Figure 2 with all available cards expanded.
See Table 2 for a list of cards that may be displayed on the VirusTotal Detailed View drawer based on an Indicator’s type.
Indicator Type | Card Name | Description |
---|---|---|
Address | Last HTTPS Certificate | This card displays the certificate details observed when attempting a standard HTTPS connection to the Address. |
Address | Passive DNS Replication | This card displays a list of related domains that have resolved to the Address (passive DNS). |
Address | URLs | This card displays a list of related URLs observed at the Address. |
File | Contacted Domains | This card displays a list of related domains contacted by the File. |
File | Contacted IPs | This card displays a list of related IP addresses contacted by the File. |
File | Contacted URLs | This card displays a list of related URLs contacted by the File. |
Host | Passive DNS Replication | This card displays a list of related IP addresses to which the Host has resolved (passive DNS). |
Host | URLs | This card displays a list of related URLs observed under the Host. |
URL | Categories | This card displays a list of categories, provided by URL sandboxing engines, to which the URL or its domain’s content belongs. |
URL | Contacted Domains | This card displays a list of related domains from which the URL loads some type of resource. |
URL | Contacted IPs | This card displays a list of related IP addresses from which the URL loads some type of resource. |
Retrieving Data Manually
When you open an Indicator’s Enrichment tab for the first time, data are retrieved from VirusTotal and then cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached VirusTotal data are displayed until that period has elapsed, after which a fresh retrieval is made.
To retrieve the latest VirusTotal data for the Indicator manually, without waiting for the cache to expire, click the Retrieve Data button.
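To make the caching behaviour concrete, the following is an added example and not ThreatConnect code or the VirusTotal API: a TTL cache in front of an enrichment lookup, where a refresh flag stands in for the Retrieve Data button, and a summary that mirrors the Overview fields from Table 1 (including the Score as the page defines it). The sample responses are constructed, and their field names (asn, country, last_analysis_stats, tags, first_seen, last_seen, registrar, last_dns_records) are assumptions made for this example.

```python
import time
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, Optional, Tuple

# Constructed sample responses in a VirusTotal-like shape. The attribute names
# are assumptions for this example, not taken from the page or the real API.
SAMPLE_VT: Dict[Tuple[str, str], Dict[str, Any]] = {
    ("Address", "203.0.113.7"): {
        "asn": 64496, "country": "US",
        "last_analysis_stats": {"malicious": 5, "suspicious": 1, "harmless": 60,
                                "undetected": 20, "timeout": 0},
        "tags": ["scanner"],
        "first_seen": 1600000000, "last_seen": 1673000000,
    },
    ("Host", "badguy.com"): {
        "registrar": "Example Registrar, Inc.",
        "last_dns_records": [{"type": "A", "value": "203.0.113.7"}],
        "last_analysis_stats": {"malicious": 12, "suspicious": 0, "harmless": 70,
                                "undetected": 8, "timeout": 0},
        "tags": [],
        "first_seen": 1500000000, "last_seen": 1673000000,
    },
}


def fetch_virustotal(ind_type: str, value: str) -> Dict[str, Any]:
    """Stand-in for the real enrichment call; serves the constructed sample."""
    try:
        return SAMPLE_VT[(ind_type, value)]
    except KeyError:
        raise LookupError(f"no VirusTotal data for {ind_type} {value}")


def _iso(epoch: Optional[int]) -> Optional[str]:
    """Render an epoch timestamp the way a card would display a date/time."""
    if epoch is None:
        return None
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize(ind_type: str, attrs: Dict[str, Any]) -> Dict[str, Any]:
    """Build the Overview fields of Table 1 that apply to this Indicator type."""
    stats = attrs.get("last_analysis_stats", {})
    reviewed = sum(stats.values())          # partners that reviewed the Indicator
    malicious = stats.get("malicious", 0)   # partners that consider it harmful
    summary: Dict[str, Any] = {
        "Score": f"{malicious}/{reviewed}",  # harmful out of reviewed, as the page defines it
        "Tags": list(attrs.get("tags", [])),
        "First Seen/Referenced": _iso(attrs.get("first_seen")),
        "Last Seen/Referenced": _iso(attrs.get("last_seen")),
    }
    if ind_type == "Address":
        summary["ASN"] = attrs.get("asn")
        summary["Country"] = attrs.get("country")
    elif ind_type == "Host":
        summary["Registrar"] = attrs.get("registrar")
        records = attrs.get("last_dns_records") or []
        summary["Last DNS Record"] = records[0] if records else None
    return summary


@dataclass
class CacheEntry:
    summary: Dict[str, Any]
    retrieved_at: float


class EnrichmentCache:
    """Serve cached enrichment until the configured TTL elapses.
    refresh=True models the Retrieve Data button: it always re-fetches."""

    def __init__(self, fetch: Callable[[str, str], Dict[str, Any]], ttl_seconds: float,
                 clock: Callable[[], float] = time.time):
        self.fetch, self.ttl, self.clock = fetch, ttl_seconds, clock
        self._entries: Dict[Tuple[str, str], CacheEntry] = {}
        self.fetch_count = 0  # how many times the upstream service was actually called

    def get(self, ind_type: str, value: str, refresh: bool = False) -> Tuple[Dict[str, Any], bool]:
        """Return (summary, served_from_cache)."""
        key = (ind_type, value)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and not refresh and now - entry.retrieved_at < self.ttl:
            return entry.summary, True
        self.fetch_count += 1
        summary = summarize(ind_type, self.fetch(ind_type, value))
        summary["Retrieved"] = _iso(int(now))  # "last retrieved" shown on the card
        self._entries[key] = CacheEntry(summary, now)
        return summary, False


if __name__ == "__main__":
    cache = EnrichmentCache(fetch_virustotal, ttl_seconds=3600)
    for force in (False, False, True):  # two tab visits, then Retrieve Data
        summary, cached = cache.get("Host", "badguy.com", refresh=force)
        print("cached" if cached else "fetched", summary["Score"], summary["Last DNS Record"])
```

The clock is injectable so the TTL boundary can be tested deterministically; the cache deliberately counts upstream calls, which is the number an administrator tunes the TTL against when an enrichment API key has a request quota.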
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
20146-01 v.01.A