Enrichment Overview
  • 10 Jan 2024

Overview

Enriching threat intelligence data helps remove false positives and delivers actionable intelligence for threat investigations and other security operations. ThreatConnect® includes built-in enrichment services that retrieve data from each third-party enrichment service that a System Administrator has enabled on your instance for a given Indicator type.

The Enrichment tab of an Indicator’s Details screen displays a card for each enrichment service enabled for an Indicator’s type that includes a summary of data retrieved from the enrichment service. Each enrichment service card also provides the ability to display a detailed view of enrichment information for the Indicator and retrieve the most up-to-date information from the enrichment service for the Indicator manually. You may also be able to import select enrichment data into ThreatConnect for further analysis.

In addition to viewing and retrieving enrichment data on the Enrichment tab, you can pivot on third-party enrichment relationships with Threat Graph and enrich an Indicator using the ThreatConnect v3 API.

At this time, the following third-party enrichment services are available in ThreatConnect:

  • DomainTools®: Available for Host Indicators only.
  • Farsight Security®: Available for Address and Host Indicators only.
  • RiskIQ®: Available for Host Indicators only.
  • Shodan®: Available for Address Indicators only.
  • urlscan.io: Available for URL Indicators only.
  • VirusTotal™: Available for Address, File, Host, and URL Indicators only.

Important: The Enrichment tab is not available on the legacy Details screen.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for viewing enrichment data on the Enrichment tab of an Indicator’s Details screen and retrieving data from an enrichment service)
  • Organization role of Standard User (for importing data from an enrichment service into ThreatConnect)
Prerequisites
  • An enrichment service enabled and a valid API key for that enrichment service entered by a System Administrator on the Indicators tab of the System Settings screen

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® and Farsight Security® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.

RiskIQ® is a registered trademark of Microsoft Corporation.
Shodan® is a registered trademark of Shodan.

20146-01 v.04.A

