Pivoting on Enrichment Services
  • 12 Apr 2023

Overview

When you click on an Indicator node, an Enrich option will be displayed in the node’s contextual menu if your System Administrator enabled and configured a third-party enrichment service on your ThreatConnect instance and for the Indicator’s type. The Enrich option allows you to pivot on third-party enrichment relationships available for the selected enrichment service and the Indicator’s type. At this time, the following third-party enrichment services are available in ThreatConnect:

  • Shodan®: Available for Address Indicators only.
  • VirusTotal™: Available for Address, File, Host, and URL Indicators only.

Performing a Pivot

  1. On an object’s graph, click on an Indicator node for which an enrichment service is enabled.
  2. Select Enrich from the node’s contextual menu. A list of enrichment services on which you can pivot will be displayed (Figure 1).

  3. Select an enrichment service on which to pivot (Pivot on Shodan in this example). A list of available relationships on which you can pivot for the Indicator based on its Indicator type and the selected enrichment service will be displayed (Figure 2).

  4. Select a relationship (Unverified Vulnerabilities in this example) on which to pivot, or select All (for VirusTotal) or All Vulnerabilities (for Shodan) to pivot on all available relationships. The following items will be displayed on the graph (Figure 3):
    • One or more related nodes, each of which represents a related object retrieved from the enrichment service. Each node will include a node label that displays the corresponding object’s summary.
    • A connection between each related node and the node from which you pivoted. For pivots made on an enrichment service, this connection is blue and does not include a label.

Important
If you pivot on a relationship that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.
Note
If no related objects are returned from the enrichment service for the selected relationship, a message stating so will be displayed at the lower-left corner of the screen.

Repeat this process for nodes corresponding to an Indicator type for which an enrichment service is enabled. If you click on a node representing an object returned from a pivot on an enrichment service, some or all of the following options will be displayed in its contextual menu:

  • Pivot in ThreatConnect: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use this feature, the Indicator or Group must exist in ThreatConnect.
  • Pivot with CAL: This option will be displayed for Indicators and Groups of any type returned from an enrichment service pivot. To use the Pivot with CAL option, CAL™ must be enabled on your ThreatConnect instance and in your Organization, and data for the Indicator or Group must exist in CAL.
  • Enrich: This option will be displayed for Indicators returned from an enrichment service pivot if your System Administrator enabled and configured an enrichment service on your ThreatConnect instance and for the Indicator’s type.
  • Run Playbook…: This option will be displayed only for Indicators returned from an enrichment service pivot that also exist in ThreatConnect.
  • View Details: This option will be displayed only for Indicators and Groups returned from an enrichment service pivot that also exist in ThreatConnect.
    Important
    The View Details option will not be displayed in the contextual menu for a node representing a URL Indicator returned from a pivot on the VirusTotal enrichment service that also exists in ThreatConnect.

VirusTotal Relationships

See Table 1 for a list of VirusTotal relationships available for Address, File, Host, and URL Indicators.

VirusTotal Relationship | Starting Indicator Type(s) | Indicator Type Returned from Pivot
------------------------|----------------------------|-----------------------------------
Contacted Domains       | File; URL                  | Host
Contacted IPs           | File; URL                  | Address
Contacted URLs          | File                       | URL
Subdomains              | Host                       | Host
URLs                    | Address; Host              | URL

Shodan Relationships

See Table 2 for a list of Shodan relationships available for Address Indicators.

Shodan Relationship        | Starting Indicator Type(s) | Indicator Type Returned from Pivot
---------------------------|----------------------------|-----------------------------------
Unverified Vulnerabilities | Address                    | Vulnerability
Verified Vulnerabilities   | Address                    | Vulnerability

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.

Shodan® is a registered trademark of Shodan.

20117-10 v.02.A

