Pivoting on Enrichment Services
  • 18 Jan 2023

If a third-party enrichment service is enabled on your ThreatConnect instance and for an Indicator’s type, an Enrich option will be displayed in the Indicator node’s contextual menu when you click on the node. You can use this option to pivot on the third-party enrichment relationships available for the selected enrichment service and the Indicator’s type. At this time, VirusTotal™ is the only third-party enrichment service available in ThreatConnect, and it can be enabled for Address, File, Host, and URL Indicators only.

When the Enrich option is displayed in a node’s contextual menu, selecting it will display a list of enrichment services on which to pivot (Figure 1).


After you select an enrichment service on which to pivot (Pivot on VirusTotal in this example), a list of the relationships available for the Indicator, based on its Indicator type and the selected enrichment service, will be displayed (Figure 2).


Select a relationship (Subdomains in this example) on which to pivot, or select All to pivot on all available relationships. The following objects will be displayed on the graph (Figure 3):

  • One or more related nodes, each of which represents a related Indicator retrieved from the enrichment service. Each node will include a node label that displays the corresponding object’s summary.
  • A connection between each related node and the node on which you pivoted. For pivots made on an enrichment service, this connection is blue and does not include a label.

If no related Indicators are returned from the enrichment service for the selected relationship, a message stating so will be displayed at the lower-left corner of the screen.

 

Important
If you pivot on a relationship that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.

Repeat this process for nodes corresponding to an Indicator type for which an enrichment service is enabled. Clicking on a node representing an Indicator returned from a pivot on an enrichment service will display a contextual menu with the following options: Pivot in ThreatConnect, Pivot with CAL, and Enrich. If the Indicator returned from a pivot on an enrichment service also exists in ThreatConnect, the View Details option will also be displayed in the node’s contextual menu.

Note
If you select Pivot in ThreatConnect or Pivot with CAL for an Indicator node and the Indicator does not exist in ThreatConnect or CAL, respectively, a message stating so will be displayed in the node’s contextual menu.

Important
The View Details option will not be displayed in the contextual menu for a node representing a URL Indicator returned from a pivot on the VirusTotal enrichment service that also exists in ThreatConnect.

VirusTotal Relationships

See Table 1 for a list of VirusTotal relationships available for Address, File, Host, and URL Indicators.

 

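| VirusTotal Relationship | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
|-------------------------|----------------------------|------------------------------------|
| Contacted Domains       | File; URL                  | Host                               |
| Contacted IPs           | File; URL                  | Address                            |
| Contacted URLs          | File                       | URL                                |
| Subdomains              | Host                       | Host                               |
| URLs                    | Address; Host              | URL                                |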

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.

20117-10 v.01.A

