Pivoting on Enrichment Services

Overview

When you click on an Indicator node, an Enrich option will be displayed in the node’s contextual menu if your System Administrator enabled and configured a third-party enrichment service on your ThreatConnect instance and for the Indicator’s type. The Enrich option allows you to pivot on third-party enrichment relationships available for the selected enrichment service and the Indicator’s type. At this time, the following third-party enrichment services are available in ThreatConnect:

• Shodan^®: Available for Address Indicators only.
• VirusTotal™: Available for Address, File, Host, and URL Indicators only.

Performing a Pivot

1. On an object’s graph, click on an Indicator node for which an enrichment service is enabled.
2. Select Enrich from the node’s contextual menu. A list of enrichment services on which you can pivot will be displayed (Figure 1).

   

    

3. Select an enrichment service on which to pivot (Pivot on Shodan in this example). A list of available relationships on which you can pivot for the Indicator based on its Indicator type and the selected enrichment service will be displayed (Figure 2).

   

    

4. Select a relationship(Unverified Vulnerabilities in this example) on which to pivot, or select All (for VirusTotal) or All Vulnerabilities (for Shodan) to pivot on all available relationships. The following items will be displayed on the graph (Figure 3):
   • One or more related nodes, each of which represents a related object retrieved from the enrichment service. Each node will include a node label that displays the corresponding object’s summary.
   • A connection between each related node and the node from which you pivoted. For pivots made on an enrichment service, this connection is blue and does not include a label.

Repeat this process for nodes corresponding to an Indicator type for which an enrichment service is enabled. If you click on a node representing an object returned from a pivot on an enrichment service, some or all of the following options will be displayed in its contextual menu:

• Pivot in ThreatConnect: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use this feature, the Indicator or Group must exist in ThreatConnect.
• Pivot with CAL: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use the Pivot with CAL option, CAL™ must be enabled on your ThreatConnect instance and in your Organization, and data for the Indicator or Group must exist in CAL.
• Enrich: This option will be displayed for Indicators returned from an enrichment service pivot if your System Administrator enabled and configured an enrichment service on your ThreatConnect instance and for the Indicator’s type.
• Run Playbook…: This option will be displayed only for Indicators returned from an enrichment service pivot that also exist in ThreatConnect.
• View Details: This option will be displayed only for Indicators and Groups returned from an enrichment service pivot that also exist in ThreatConnect.
  Important

  The View Details option will not be displayed in the contextual menu for a node representing a URL Indicator returned from a pivot on the VirusTotal enrichment service that also exists in ThreatConnect.

VirusTotal Relationships

See Table 1 for a list of VirusTotal relationships available for Address, File, Host, and URL Indicators.

Shodan Relationships

See Table 2 for a list of Shodan relationships available for Address Indicators.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
Shodan^® is a registered trademark of Shodan.

20117-10 v.02.A