Pivoting on Enrichment Services
- 18 Jan 2023
- 2 Minutes to read
-
Print
-
DarkLight
Pivoting on Enrichment Services
- Updated on 18 Jan 2023
- 2 Minutes to read
-
Print
-
DarkLight
If a third-party enrichment service is enabled on your ThreatConnect instance and for an Indicator’s type, an Enrich option will be displayed on the Indicator node’s contextual menu when you click on it. You can use this option to pivot on third-party enrichment relationships available for the selected enrichment service and the Indicator’s type. At this time, VirusTotal™ is the only third-party enrichment service available in ThreatConnect, and it can be enabled for Address, File, Host, and URL Indicators only.
If you click on an Indicator node and an enrichment service is enabled for the Indicator’s type, an Enrich option will be displayed in the node’s contextual menu. Selecting Enrich will display a list of enrichment services on which to pivot (Figure 1).
After selecting an enrichment service on which to pivot (Pivot on VirusTotal in this example), a list of available relationships on which you can pivot for the Indicator based on its Indicator type and the selected enrichment service will be displayed (Figure 2).
Select a relationship (Subdomains in this example) on which to pivot, or select All to pivot on all available relationships. The following objects will be displayed on the graph (Figure 3):
- One or more related nodes, each of which represents a related Indicator retrieved from the enrichment service. Each node will include a node label that displays the corresponding object’s summary.
- A connection between each related node and the node on which you pivoted. For pivots made on an enrichment service, this connection is blue and does not include a label.
If no related Indicators are returned from the enrichment service for the selected relationship, a message stating so will be displayed at the lower-left corner of the screen.
Important
If you pivot on a relationship that includes more than 500 related objects, only the first 500 related nodes and their respective connections will be displayed on the graph.
Repeat this process for nodes corresponding to an Indicator type for which an enrichment service is enabled. Clicking on a node representing an Indicator returned from a pivot on an enrichment service will display a contextual menu with the following options: Pivot in ThreatConnect, Pivot with CAL, and Enrich. If the Indicator returned from a pivot on an enrichment service also exists in ThreatConnect, the View Details option will also be displayed in the node’s contextual menu.
Note
If you select Pivot in ThreatConnect or Pivot with CAL for an Indicator node and the Indicator does not exist in ThreatConnect or CAL, respectively, a message stating so will be displayed in the node’s contextual menu.
Important
The View Details option will not be displayed in the contextual menu for a node representing a URL Indicator returned from a pivot on the VirusTotal enrichment service that also exists in ThreatConnect.
VirusTotal Relationships
See Table 1 for a list of VirusTotal relationships available for Address, File, Host, and URL Indicators.
| VirusTotal Relationship | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
|---|---|---|
| Contacted Domains | File; URL | Host |
| Contacted IPs | File; URL | Address |
| Contacted URLs | File | URL |
| Subdomains | Host | Host |
| URLs | Address; Host | URL |
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
20117-10 v.01.A
Was this article helpful?
