Enrichment
  • 17 Jan 2025

Overview

Enriching threat intelligence data helps remove false positives and delivers actionable intelligence for threat investigations and other security operations. ThreatConnect® includes built-in enrichment services that retrieve data from each third-party enrichment service that a System Administrator has enabled on your instance for a given Indicator type.

The Enrichment tab of an Indicator’s Details screen displays a card for each enrichment service enabled for the Indicator’s type. Each card includes a summary of the data retrieved from the enrichment service, lets you display a detailed view of enrichment information for the Indicator, and lets you manually retrieve the most up-to-date information for the Indicator from the enrichment service. You may also import select enrichment data into ThreatConnect for further analysis.

In addition to viewing and retrieving enrichment data on the Enrichment tab, you can pivot on third-party enrichment relationships with Threat Graph and enrich an Indicator using the ThreatConnect v3 API.

At this time, the following third-party enrichment services are available in ThreatConnect:

  • AbuseIPDB: Available for Address Indicators only.
  • DomainTools®: Available for Host Indicators only.
  • Farsight Security®: Available for Address and Host Indicators only.
  • RiskIQ®: Available for Host Indicators only.
  • Shodan®: Available for Address Indicators only.
  • urlscan.io: Available for URL Indicators only.
  • VirusTotal™: Available for Address, File, Host, and URL Indicators only.

Important: The Enrichment tab is not available on the legacy Details screen.

In This Series

  • The Enrichment Tab: Learn about the information available on the Enrichment tab on an Indicator’s Details screen and how to retrieve the latest available data from a built-in enrichment service.
  • VirusTotal Enrichment: Learn how to enable the VirusTotal built-in enrichment, about the data provided by the enrichment, and how to import Indicators from the enrichment into ThreatConnect.
  • Shodan Enrichment: Learn how to enable the Shodan built-in enrichment, about the data provided by the enrichment, and how to import vulnerabilities from the enrichment into ThreatConnect.
  • urlscan.io Enrichment: Learn how to enable the urlscan.io built-in enrichment, about the data provided by the enrichment, and how to import Indicators from the enrichment into ThreatConnect.
  • Farsight Security Passive DNS Enrichment: Learn how to enable the Farsight Security Passive DNS built-in enrichment, about the data provided by the enrichment, and how to import Indicators from the enrichment into ThreatConnect.
  • DomainTools Enrichment: Learn how to enable the DomainTools built-in enrichment, about the data provided by the enrichment, and how to import Indicators from the enrichment into ThreatConnect.
  • RiskIQ Enrichment: Learn how to enable the RiskIQ built-in enrichment, about the data provided by the enrichment, and how to import Indicators from the enrichment into ThreatConnect.
  • AbuseIPDB Enrichment: Learn how to enable the AbuseIPDB built-in enrichment and about the data provided by the enrichment.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® and Farsight Security® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
Shodan® is a registered trademark of Shodan.

20146-01 v.05.A

