---
title: "Pivoting on Enrichment Services in Threat Graph"
slug: "pivoting-on-enrichment-services-in-threat-graph"
description: "This article describes how to pivot on third-party enrichment service relationships for Indicators with the Enrich option in Threat Graph."
tags: ["Enriching Data", "Viewing Data", "Connecting Data"]
updated: 2024-09-18T15:27:47Z
published: 2024-09-18T15:27:47Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Pivoting on Enrichment Services in Threat Graph

## Overview

The Threat Graph feature in ThreatConnect® provides a graph-based interface that you can use to discover, visualize, and contextualize associations and relationships between [Indicators](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicators), [Groups](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#groups), [Cases](https://knowledge.threatconnect.com/docs/workflow-cases), and [Tags](https://knowledge.threatconnect.com/docs/applying-tags). The **Enrich** option in Threat Graph, available for Indicators only, lets you to pivot on relationships available for a given third-party enrichment service and Indicator type. At this time, you can pivot on the following enrichment services in Threat Graph:

- **DomainTools®**: Available for Host Indicators only.
- **RiskIQ®**: Available for Host Indicators only.
- **Shodan®**: Available for Address Indicators only.
- **urlscan.io**: Available for URL Indicators only.
- **VirusTotal™**: Available for Address, File, Host, and URL Indicators only.

ImportantAn Indicator [node’s menu](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph#threat-graph-node-menu-options) will include the **Enrich**option only if your System Administrator turned on and configured a third-party enrichment service for the Indicator’s type on your ThreatConnect instance.

## Before You Start

### User Roles

- To pivot on enrichment service relationships for Indicators in an Organization in Threat Graph, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles).
- To pivot on enrichment service relationships for Indicators in a Community or Source in Threat Graph, your user account can have any [Community role](https://knowledge.threatconnect.com/docs/community-roles) except Banned for that Community or Source.

### Prerequisites

- To pivot on enrichment service relationships in Threat Graph, turn on and configure one or more of the following third-party enrichment services on your ThreatConnect instance (must be a System Administrator to perform this action): [DomainTools](https://knowledge.threatconnect.com/docs/domaintools-enrichment#enabling-the-domaintools-enrichment), [RiskIQ](https://knowledge.threatconnect.com/docs/riskiq-enrichment#enabling-the-riskiq-enrichment), [Shodan](https://knowledge.threatconnect.com/docs/shodan-enrichment#enabling-the-shodan-enrichment), [urlscan.io](https://knowledge.threatconnect.com/docs/urlscan-io-enrichment#enabling-the-urlscanio-enrichment), and [VirusTotal](https://knowledge.threatconnect.com/docs/virustotal-enrichment#enabling-the-virustotal-enrichment).

## Performing a Pivot

1. [Open Threat Graph](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph).
2. Select an Indicator node on the graph corresponding to an Indicator type for which an enrichment service is turned on and configured. If no such node is on the graph, pivot in [ThreatConnect](https://knowledge.threatconnect.com/docs/pivoting-in-threatconnect-in-threat-graph) or [CAL](https://knowledge.threatconnect.com/docs/pivoting-with-cal-in-threat-graph) to add one.
3. Select **Enrich**in the [node’s menu](https://knowledge.threatconnect.com/docs/viewing-an-object-in-threat-graph#threat-graph-node-menu-options). Then select an enrichment service on which to pivot in the **Enrich**submenu (Figure 1).

![Figure 1_Pivoting on Enrichment Services_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Pivoting%20on%20Enrichment%20Services_7.7.0.png)
4. Select an [enrichment service relationship](/docs/pivoting-on-enrichment-services-in-threat-graph#available-enrichment-relationships) to pivot on in the enrichment service’s submenu. Alternatively, select **All** (for DomainTools, RiskIQ, urlscan.io, and VirusTotal) or **All Vulnerabilities**(for Shodan) to pivot on all enrichment service relationships available for the Indicator’s type. If the pivot returns related objects, the following items will be added to the graph:
  - One or more related nodes, each of which represents a related object retrieved from the selected enrichment service. Each node will have a node label that displays the corresponding object’s summary.
  - One or more blue arrows, each connecting a related node and the node from which you pivoted.

Figure 2 shows three enrichment service pivots in Threat Graph:

- The first pivot is on the VirusTotal **URLs** relationship from the **zeverco.com**Host Indicator. This pivot returns two URL Indicators that are related to **zeverco.com**and adds them to the graph.
- The second pivot is on the urlscan.io **IP Address**relationship from the**http://zeverco.com/**URL Indicator that was added to the graph via the first pivot. This pivot returns one Address Indicator that is related to **http://zeverco.com/**and adds it to the graph.
- The third pivot is on the VirusTotal **URLs**relationship from the **52.34.198.229**Address Indicator that was added to the graph via the second pivot. This pivot returns 40 URL Indicators that are related to **52.34.198.229**and adds them to the graph.

![Figure 2_Pivoting on Enrichment Services_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Pivoting%20on%20Enrichment%20Services_7.7.0.gif)

NoteFor more information about the different behaviors that may occur when using the **Enrich**option in Threat Graph, see the [“Pivoting Behaviors”](/docs/pivoting-on-enrichment-services-in-threat-graph#pivoting-behaviors) section.

## Available Enrichment Relationships

### DomainTools

See Table 1 for a list of DomainTools relationships available in Threat Graph for Host Indicators.

| Relationship | Starting Indicator Type | Indicator Type Returned from Pivot |
| --- | --- | --- |
| IP Addresses | Host | Address |
| Name Servers | Host | Host |

### RiskIQ

See Table 2 for a list of RiskIQ relationships available in Threat Graph for Host Indicators.

| Relationship | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
| --- | --- | --- |
| DNS | Host | Host |
| IP Resolutions | Host | Address |
| Name Servers | Host | Host |
| Subdomains | Host | Host |

### Shodan

See Table 3 for a list of Shodan relationships available in Threat Graph for Address Indicators.

| Relationship | Starting Indicator Type | Group Type Returned from Pivot |
| --- | --- | --- |
| Unverified Vulnerabilities | Address | Vulnerability |
| Verified Vulnerabilities | Address | Vulnerability |

### urlscan.io

See Table 4 for a list of urlscan.io relationships available in Threat Graph for URL Indicators.

| Relationship | Starting Indicator Type | Indicator Type Returned from Pivot |
| --- | --- | --- |
| IP Address | URL | Address |
| Links to Domains | URL | URL |

### VirusTotal

See Table 5 for a list of VirusTotal relationships available in Threat Graph for Address, File, Host, and URL Indicators.

| Relationship | Starting Indicator Type(s) | Indicator Type Returned from Pivot |
| --- | --- | --- |
| Contacted Domains | File; URL | Host |
| Contacted IPs | File; URL | Address |
| Contacted URLs | File | URL |
| Subdomains | Host | Host |
| URLs | Address; Host | URL |

## Pivoting Behaviors

When using the **Enrich**option in Threat Graph, you may observe the following behaviors as you interact with and add nodes to the graph:

- If a pivot returns more than 500 related objects, only the first 500 related nodes and their respective connections will be added to the graph.
- If you pivot from one node to a second node and then pivot from the second node back to the first node, the arrow connecting the two nodes will change to a bidirectional arrow. For example, in Figure 3, the first pivot is on the VirusTotal **URLs**relationship from the **zeverco.com**Host Indicator. This pivot returns two URL Indicators. The second pivot is on the VirusTotal **Contacted Domains**relationship from the **https://zeverco.com/** URL Indicator that was added to the graph via the first pivot. This pivot returns one related object, which is to the **zeverco.com**Host Indicator already on the graph. As a result, the arrow connecting the **zeverco.com**Host Indicator to the **https://zeverco.com/** URL Indicator changes to a bidirectional arrow to reflect the pivot from **https://zeverco.com/** back to the **zeverco.com**.  
![Figure 3_Pivoting on Enrichment Services_7.7.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Pivoting%20on%20Enrichment%20Services_7.7.0.gif)

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *DomainTools® is a registered trademark of DomainTools, LLC. VirusTotal™ is a trademark of Google, Inc.* *RiskIQ® is a registered trademark of Microsoft Corporation.* *Shodan® is a registered trademark of Shodan.*

20117-10 v.05.A