The Enrichment Tab

Updated on 17 Jan 2025
2 Minutes to read

Print
Dark

Light

Article summary

Did you find this summary helpful?

Thank you for your feedback

Overview

The Enrichment tab of an Indicator’s Details screen displays cards for all built-in enrichment services available for that Indicator type. If a built-in enrichment has been enabled by a System Administrator, then the card will display data returned by the service. Enrichment data may be retrieved and updated automatically if the service has been configured for automatic data retrieval. You can also retrieve enrichment data manually on an enabled enrichment service’s card.

Before You Start

User Roles

To view the Enrichment tab of an Indicator’s Details screen, your user account can have any Organization role.
To retrieve data manually from an enabled enrichment service, your user account can have any Organization role.

Prerequisites

To view data for a built-in enrichment service, enable the service and enter a valid API key for the service on the Indicators tab of the System Settings screen (must be a System Administrator to perform this action).

Viewing Enrichment Data

If an enrichment service is available for a given Indicator type, the Enrichment tab of the Details screen will be available for Indicators of that type, regardless of whether a System Administrator enabled the enrichment service.

Figure 1 shows the Enrichment tab of the Details screen for the 193.161.193.99 Address Indicator, where FarSight Passive DNS, VirusTotal, Shodan, and AbuseIPDB cards are displayed because the Farsight Security®, VirusTotal™, Shodan®, and AbuseIPDB enrichment services are available for Address Indicators. In this example, all four enrichment services are enabled on the ThreatConnect instance and for Address Indicators, so each card displays data retrieved from the respective enrichment service for the 193.161.193.99 Address Indicator.

Figure 1_The Enrichment Tab_7.8.0

Note

If data cannot be retrieved from the enrichment service, an error message will be displayed on the enrichment service’s card. For example, if your API key for the enrichment service has exceeded the quota limit or no data are available for the Indicator, an error message stating so will be displayed on the enrichment service’s card.

To collapse or expand all cards on the Enrichment tab, click the Collapse All or Expand All button, respectively. By default, all cards are expanded.

Retrieving Data Manually

When you click on an Indicator’s Enrichment tab for the first time, data will be retrieved from each enabled enrichment service automatically if your System Administrator has enabled automatic data retrieval for the service. Otherwise, a message stating that “Automatic Data Retrieval has been disabled by the System Administrator” will be displayed on the card, and you will need to click the Retrieve Data button to populate the card with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached data will be displayed until this period of time has passed.

To retrieve the latest data from an enrichment service, click the Retrieve Data button on the enrichment service’s card.

Note

The API key your System Administrator entered when configuring the enrichment service on the System Settings screen will be used each time data are retrieved for the Indicator.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
DomainTools^® and Farsight Security^® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
Shodan^® is a registered trademark of Shodan.

20146-02 v.05.A

Was this article helpful?

What's Next

VirusTotal Enrichment

Table of contents

Overview
Before You Start
Viewing Enrichment Data
Retrieving Data Manually