Pivoting on Enrichment Services
  • 10 Jan 2024

Overview

When you click an Indicator node in Threat Graph, an Enrich option is displayed in the node’s contextual menu if your System Administrator has enabled and configured a third-party enrichment service on your ThreatConnect instance for the Indicator’s type. The Enrich option lets you pivot on the third-party enrichment relationships that the selected enrichment service exposes for the Indicator’s type. At this time, you can pivot on the following third-party enrichment services:

  • DomainTools®: Available for Host Indicators only.
  • RiskIQ®: Available for Host Indicators only.
  • Shodan®: Available for Address Indicators only.
  • urlscan.io: Available for URL Indicators only.
  • VirusTotal™: Available for Address, File, Host, and URL Indicators only.

Performing a Pivot

  1. In Threat Graph, click on an Indicator node for which an enrichment service is enabled.
  2. Select Enrich from the node’s contextual menu. A list of enrichment services on which you can pivot will be displayed (Figure 1).

    Figure 1: Enrich option in the node’s contextual menu, listing the enrichment services available for the Indicator type

  3. Select an enrichment service on which to pivot (Pivot on Shodan in this example). A list of available relationships on which you can pivot for the Indicator based on its Indicator type and the selected enrichment service will be displayed (Figure 2).

    Figure 2: Relationships available for the selected enrichment service (Pivot on Shodan)

  4. Select a relationship on which to pivot (Unverified Vulnerabilities in this example), or select All (for DomainTools, RiskIQ, urlscan.io, and VirusTotal) or All Vulnerabilities (for Shodan) to pivot on all available relationships. The following items are then displayed in Threat Graph (Figure 3):
    • One or more related nodes, each representing a related object retrieved from the enrichment service. Each node includes a label that displays the corresponding object’s summary.
    • A connection between each related node and the node from which you pivoted. For pivots made on an enrichment service, this connection is blue and has no label.

    Figure 3: Related nodes and connections returned from the pivot

Important: If you pivot on a relationship that includes more than 500 related objects, only the first 500 related nodes and their respective connections are displayed in Threat Graph.

Note: If the enrichment service returns no related objects for the selected relationship, a message stating so is displayed at the lower-left corner of the screen.

Repeat this process for any node whose Indicator type has an enrichment service enabled. If you click a node representing an object returned from a pivot on an enrichment service, some or all of the following options are displayed in its contextual menu:

  • Pivot in ThreatConnect: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use this feature, the Indicator or Group must exist in one of your ThreatConnect owners.
  • Pivot with CAL: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use the Pivot with CAL option, CAL™ must be enabled on your ThreatConnect instance and in your Organization, and data for the Indicator or Group must exist in CAL.
  • Enrich: This option will be displayed for Indicators returned from an enrichment service pivot if your System Administrator enabled and configured an enrichment service on your ThreatConnect instance and for the Indicator’s type.
  • Run Playbook…: This option will be displayed only for Indicators returned from an enrichment service pivot that also exist in ThreatConnect.
  • View Details: This option will be displayed only for Indicators and Groups returned from an enrichment service pivot that also exist in ThreatConnect.

Available Enrichment Relationships

DomainTools

See Table 1 for a list of DomainTools relationships available in Threat Graph for Host Indicators.

Table 1: DomainTools relationships

Relationship  | Starting Indicator Type | Indicator Type Returned from Pivot
------------- | ----------------------- | ----------------------------------
IP Addresses  | Host                    | Address
Name Servers  | Host                    | Host

RiskIQ

See Table 2 for a list of RiskIQ relationships available in Threat Graph for Host Indicators.

Table 2: RiskIQ relationships

Relationship    | Starting Indicator Type(s) | Indicator Type Returned from Pivot
--------------- | -------------------------- | ----------------------------------
DNS             | Host                       | Host
IP Resolutions  | Host                       | Address
Name Servers    | Host                       | Host
Subdomains      | Host                       | Host

Shodan

See Table 3 for a list of Shodan relationships available in Threat Graph for Address Indicators.

Table 3: Shodan relationships

Relationship               | Starting Indicator Type | Group Type Returned from Pivot
-------------------------- | ----------------------- | ------------------------------
Unverified Vulnerabilities | Address                 | Vulnerability
Verified Vulnerabilities   | Address                 | Vulnerability

urlscan.io

See Table 4 for a list of urlscan.io relationships available in Threat Graph for URL Indicators.

Table 4: urlscan.io relationships

Relationship      | Starting Indicator Type | Indicator Type Returned from Pivot
----------------- | ----------------------- | ----------------------------------
IP Address        | URL                     | Address
Links to Domains  | URL                     | URL

VirusTotal

See Table 5 for a list of VirusTotal relationships available in Threat Graph for Address, File, Host, and URL Indicators.

Table 5: VirusTotal relationships

Relationship        | Starting Indicator Type(s) | Indicator Type Returned from Pivot
------------------- | -------------------------- | ----------------------------------
Contacted Domains   | File; URL                  | Host
Contacted IPs       | File; URL                  | Address
Contacted URLs      | File                       | URL
Subdomains          | Host                       | Host
URLs                | Address; Host              | URL

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® is a registered trademark of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
Shodan® is a registered trademark of Shodan.

20117-10 v.04.A