---
title: "RiskIQ Enrichment | ThreatConnect"
slug: "riskiq-enrichment"
description: "This article describes how to enable the RiskIQ enrichment service in ThreatConnect, view data retrieved from RiskIQ on the Enrichment tab of an Indicator’s Details screen, and import Indicators from RiskIQ into ThreatConnect."
tags: ["Enriching Data", "Viewing Data"]
updated: 2024-01-10T18:29:24Z
published: 2024-01-10T18:29:24Z
deprecated: true
---

# RiskIQ Enrichment

> **Deprecated.** As of ThreatConnect 7.8.1, the RiskIQ built-in enrichment service is no longer available, because Microsoft® has discontinued the RiskIQ Community Edition.

## Enabling the RiskIQ Enrichment

Before you can retrieve data from RiskIQ® for Host Indicators, a System Administrator must first enable and configure the RiskIQ enrichment in ThreatConnect.

1. Log into ThreatConnect with a System Administrator account.
2. On the top navigation bar, hover over **Settings** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png) and select **System Settings**. The **System Settings** screen will be displayed with the **Settings** tab selected.
3. Select the **Indicators** tab. The **Indicators** screen will be displayed.
4. Click **Enrichment Tools** in the menu on the left side of the **Indicators** screen. The **Enrichment Tools** screen will be displayed.
5. Click **Edit** ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png) in the **Options** column for **RiskIQ**. The **Edit Vendor** window will be displayed (Figure 1). ![Figure 1_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_RiskIQ%20Enrichment_7.4.0.png)
  - **Enable Vendor**: Select this checkbox to enable RiskIQ.
  - **Enable Automatic Retrieval**: Select this checkbox to enable automatic data retrieval for RiskIQ. If automatic data retrieval is enabled, RiskIQ data will automatically populate when a user clicks on an Indicator’s **Enrichment** tab for the first time. This checkbox is selected by default.
  - **RiskIQ User Name**: Enter the username associated with the account that will be used to retrieve data from RiskIQ.
  - **API Key**: Enter the API key that will be used to retrieve data from RiskIQ.
  - **VALIDATE**: After entering the RiskIQ username and API key, click this button to validate them. If the username and API key are accepted, the **VALIDATE** button’s label will change to **VALID**, indicating that a valid username and API key have been entered. If the username or API key is not accepted, a message stating “User Name or API Key is invalid.” will be displayed at the top of the **Edit Vendor** window.
  - **Lookup/Retrieve**: Select the Indicator type(s) for which to retrieve data from RiskIQ. The only available Indicator type is Host.
  - Click the **SAVE** button.

When RiskIQ is enabled, a value of **true** will be displayed in the **Enabled** column for its entry on the **Enrichment Tools** screen.

## Data Overview

The **Overview** section of the **RiskIQ** card (Figure 2) provides a summary of data retrieved from RiskIQ for a Host Indicator and the date and time the data were last retrieved.

![Figure 2_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_RiskIQ%20Enrichment_7.4.0.png)

- **Reputation Score**: The reputation score for the Host.
- **Classification**: The classification level associated with the reputation score.
- **Rule Link**: A link to the rule with the highest severity that was used to determine the reputation score.
- **Rule Severity**: The severity of the rule listed in the **Rule Link** field.
- **Whois Server**: The server set up by the Host’s registrar to acquire up-to-date information about the Host.
- **Expires At**: The date when the registration will expire.
- **Registered On**: The date when the Host was registered.
- **Registrar**: The registrar for the Host’s registration.
- **Registrant Country**: The country in which the Host’s registrar resides.
- **Organization**: The organization that registered the Host.
- **Domain Status**: The current status of the Host.

## RiskIQ Detailed View

Click the **Open Detailed View** link on the **RiskIQ** card to display the **RiskIQ Detailed View** drawer (Figure 3). This drawer displays cards with additional data retrieved from RiskIQ.

![Figure 3_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_RiskIQ%20Enrichment_7.4.0.png)

The cards displayed on the **RiskIQ Detailed View** drawer are collapsed by default. Click on a card to expand it and view its data. To collapse or expand all cards, click the **Collapse All** or **Expand All** button, respectively, at the top right of the drawer. Figure 4 shows the **RiskIQ Detailed View** drawer in Figure 3 with all available cards expanded.

![Figure 4_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_RiskIQ%20Enrichment_7.4.0.png)

See Table 1 for a list of cards that may be displayed on the **RiskIQ Detailed View** drawer for a Host Indicator.

**Note:** If a card is not displayed on the **RiskIQ Detailed View** drawer for a Host Indicator, then no data of that kind were returned from RiskIQ.

| Card Name | Description |
| --- | --- |
| Articles | This card displays details about RiskIQ articles related to the Host. |
| Components¹ | This card displays information about the web components associated with the Host, including the component’s type, version, and first- and last-seen dates. |
| IP Resolutions¹ | This card displays IP address resolutions for the Host and the dates when each resolution was first and last seen. |
| Name Server Details | This card displays name servers associated with the Host. |
| Passive DNS Details¹ | This card displays DNS records associated with the Host and each record’s type and first- and last-seen dates. |
| SSL Certificates¹ | This card displays details about the SSL certificates associated with the Host, including the certificate’s SHA1 algorithm hash, the certificate’s Common Name (CN), and the dates when the certificate was issued and will expire. |
| Subdomains | This card displays subdomains associated with the Host. |

¹ The maximum number of results that may be displayed on this card is 20.

## Importing Indicators From RiskIQ Into ThreatConnect

You may import all or a subset of the Indicators displayed on the **IP Resolutions**, **Name Server Details**, **Passive DNS Details**, and **Subdomains** cards into ThreatConnect and associate them to a new or existing Group. You may also import Indicators displayed on the **IP Resolutions** card into ThreatConnect and associate them directly to the enriched Indicator (i.e., the Host Indicator whose **Details** screen you are viewing) via a custom association.

1. On the **RiskIQ Detailed View** drawer, expand one of the following cards to display a table containing Indicators retrieved from RiskIQ that are related to the enriched Host Indicator (Figure 4):
  - **IP Resolutions**: The Indicators on this card will be imported as Address Indicators.
  - **Name Server Details**: The Indicators on this card will be imported as Host Indicators.
  - **Passive DNS Details**: The Indicators on this card will be imported as Host Indicators.
  - **Subdomains**: The Indicators on this card will be imported as Host Indicators.
2. On the expanded card, select the checkbox for each Indicator you want to import into ThreatConnect. To select all Indicators displayed on the current page in the table, select the checkbox in the table’s header.
   **Important:** If a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import.
3. Click the **Import** dropdown at the top left of the expanded card and select one of the following import options (Figure 5). Further instruction on each import option is available in the following subsections. ![Figure 5_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_RiskIQ%20Enrichment_7.4.0.png)
  - **To New Group**: Select this option to import the selected Indicators and associate them to a new Group created during the import.
  - **To Existing Group**: Select this option to import the selected Indicators and associate them to an existing Group.
  - **As an Indicator**: Select this option to import the selected Indicators and associate them directly to the enriched Indicator via a custom association.

**Note:** If associating the Indicators selected for import to a new or existing Group, the Group will also be associated to the enriched Host Indicator, thus creating a second-level (i.e., indirect) association between the Indicators imported from RiskIQ and the enriched Host Indicator.

### Importing Indicators Into a New Group

1. Follow Steps 1–3 in the [“Importing Indicators From RiskIQ Into ThreatConnect”](/docs/riskiq-enrichment#importing-indicators-from-riskiq-into-threatconnect) section and select **To New Group** from the **Import** dropdown. The **Details** section of the **Create** screen will be displayed (Figure 6). ![Figure 6_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_RiskIQ%20Enrichment_7.4.0.png)
  - **Type**: By default, **Event** is selected. If desired, select another [Group type](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model) from the dropdown.
  - Fill out all remaining fields on the **Details** section. For descriptions of each field available on this screen, see the [“Creating a Group” section of *Create*](https://knowledge.threatconnect.com/v1/docs/create#creating-a-group).
    **Note:** By default, a **RiskIQ Enrichment** Tag will be applied in the **Tags** field. You can remove this Tag, if desired.
    **Important:** If you select the **Apply Tags to Associations** checkbox, it is recommended that you remove the **RiskIQ Enrichment** Tag so that this Tag does not get applied to the enriched Indicator (that is, the Indicator from whose **Enrichment** tab you are importing RiskIQ data), as the enriched Indicator will be added as an association to the new Group. Alternatively, if you want the **RiskIQ Enrichment** Tag to be applied to all associations except the enriched Indicator, you can select the **Apply Tags to Associations** checkbox, retain the **RiskIQ Enrichment** Tag, and then, after completing the import, navigate to the **Overview** tab of the **Details** screen for the enriched Indicator and [remove the Tag manually](https://knowledge.threatconnect.com/docs/applying-tags#removing-a-tag-from-an-object).
  - Click the **Next** button.
    **Note:** The **Save** button is available only on the **Associations** and **Attachments** sections.
2. The **Associations** section will be displayed (Figure 7). ![Figure 7_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_RiskIQ%20Enrichment_7.4.0.png)

**Note:** A checkmark in the **Known** column indicates that the corresponding Indicator exists in at least one owner to which you have access.
  - **Associations**: The selected Indicator(s), as well as the enriched Host Indicator, will be displayed in the **Associations** card. In this card, you can complete the following actions:
    - **Private**: To mark an Indicator as [private](https://knowledge.threatconnect.com/v1/docs/private-indicators), select the corresponding checkbox in the **Private** column. This column will be displayed only if your System Administrator has enabled private Indicators.
    - **Actions**: To remove an Indicator from the list of Indicators being imported, click **Delete** ![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png).
  - **Association Details**: In the **Associations Details** card, you can fill out the following information, which will be applied to all Indicators being associated to the Group:
    **Important:** All information added in this section will be applied to the enriched Indicator (that is, the Indicator from whose **Enrichment** tab you are importing RiskIQ data), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the **RiskIQ Detailed View** (Figure 5). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
    - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicator(s).
    - **Tags**: Enter one or more [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to the Indicator(s).
    - **Threat Rating**: Use the skull icons to set the [Threat Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicator(s).
    - **Confidence Rating**: Use the slider to set the [Confidence Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicator(s).
  - Click the **Next** button.
3. The **Attachments** section will be displayed (Figure 8). **Attachments** is an optional section where you can attach related files to the Group.

![Figure 8_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_RiskIQ%20Enrichment_7.4.0.png)
  - Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled **Add to Malware Vault**. Leave this checkbox cleared unless you are [uploading a malware file](https://knowledge.threatconnect.com/docs/uploading-malware).
  - Click the **Save** button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the newly created Group, and the Group’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen) will be displayed. These Indicators will be displayed on the [**Indicators** card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicators) of the Group’s [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab). You may also view these associations on the [**Associations** card](https://knowledge.threatconnect.com/v1/docs/the-associations-card) of the Group’s [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), under the [**Associated Indicators** section](https://knowledge.threatconnect.com/v1/docs/table-view-associated-indicators) when the card is in table view.

### Importing Indicators Into an Existing Group

1. Follow Steps 1–3 in the [“Importing Indicators From RiskIQ Into ThreatConnect”](/docs/riskiq-enrichment#importing-indicators-from-riskiq-into-threatconnect) section and select **To Existing Group** from the **Import** dropdown. The **Select Group** section of the **Import to Existing Group** screen will be displayed (Figure 9).

![Figure 9_DomainTools Enrichment_7.2.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_RiskIQ%20Enrichment_7.4.0.png)
  - Select the Group to which the selected Indicator(s), as well as the enriched Host Indicator, will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups.
  - To view a Group’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen), click the **Open in New Tab** ![Open in New Tab icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Open%20in%20New%20Tab%20icon.png) icon to the right of the **Owner** column.
  - Click the **Next** button.
2. The **Associations** section will be displayed (Figure 10).

![Figure 10_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%2010_RiskIQ%20Enrichment_7.4.0.png)

**Note:** A checkmark in the **Known** column indicates that the corresponding Indicator exists in at least one owner to which you have access.
  - **Associations**: The selected Indicator(s), as well as the enriched Host Indicator, will be displayed in the **Associations** card. In this card, you can complete the following actions:
    - **Private**: To mark an Indicator as [private](https://knowledge.threatconnect.com/v1/docs/private-indicators), select the corresponding checkbox in the **Private** column. This column will be displayed only if your System Administrator has enabled private Indicators.
    - **Actions**: To remove an Indicator from the list of Indicators being imported, click **Delete** ![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png).
  - **Association Details**: In the **Associations Details** card, you can fill out the following information, which will be applied to all Indicators being associated to the Group:
    **Important:** All information added in this section will be applied to the enriched Indicator (that is, the Indicator from whose **Enrichment** tab you are importing RiskIQ data), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the **RiskIQ Detailed View** (Figure 5). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags.
    - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicator(s).
    - **Tags**: Enter one or more [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to the Indicator(s).
    - **Threat Rating**: Use the skull icons to set the [Threat Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicator(s).
    - **Confidence Rating**: Use the slider to set the [Confidence Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicator(s).
  - Click the **Save** button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the existing Group, and the Group’s [**Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen) will be displayed. These Indicators will be displayed on the [**Indicators** card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicators) of the Group’s [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab). You may also view these associations on the [**Associations** card](https://knowledge.threatconnect.com/v1/docs/the-associations-card) of the Group’s [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), under the [**Associated Indicators** section](https://knowledge.threatconnect.com/v1/docs/table-view-associated-indicators) when the card is in table view.

### Importing Indicators as Indicators

Follow Steps 1–3 in the [“Importing Indicators From RiskIQ Into ThreatConnect”](/docs/riskiq-enrichment#importing-indicators-from-riskiq-into-threatconnect) section and select **As an Indicator** from the **Import** dropdown. The **Import Indicators** window will be displayed (Figure 11).

**Important:** The **As an Indicator** option is *not available* for Indicators displayed on the **Name Server Details**, **Passive DNS Details**, and **Subdomains** cards.

![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%2011_RiskIQ%20Enrichment_7.4.0.png)

- **New Indicators to be Imported & Associated**: This section displays the Indicators that will be imported into ThreatConnect and associated directly to the enriched Indicator. To remove an Indicator from this list, click **Delete** ![Delete button_Details screen](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Delete%20button_Details%20screen.png).
- Click the **Import Indicators** button.

The selected Indicator(s) will be imported into ThreatConnect and associated to the enriched Indicator, and the [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab) of the enriched Indicator’s **Details** screen will be displayed. The associated Indicators will be displayed on the [**Indicators** card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicators) of this tab. You may also view these associations on the [**Associations** card](https://knowledge.threatconnect.com/v1/docs/the-associations-card) of the enriched Indicator’s [legacy **Details** screen](https://knowledge.threatconnect.com/docs/the-details-screen-legacy), under the [**Associated Indicators** section](https://knowledge.threatconnect.com/v1/docs/table-view-associated-indicators) when the card is in table view.

## Retrieving Data Manually

When you click on a Host Indicator’s **Enrichment** tab for the first time, data will be retrieved from RiskIQ automatically if your System Administrator has enabled automatic data retrieval for RiskIQ. Otherwise, a message stating that “Automatic Data Retrieval has been disabled by the System Administrator” will be displayed on the card, and you will need to click the **Retrieve Data** button to populate the card with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s **Enrichment** tab, the cached RiskIQ data will be displayed until this period of time has passed.

To retrieve the latest RiskIQ data for the Indicator manually, click the **Retrieve Data** button on the **RiskIQ** card (Figure 2).

**Note:** The username and API key your System Administrator entered when configuring RiskIQ on the **System Settings** screen will be used each time data are retrieved for the Indicator.

## Enriching Indicators Using the ThreatConnect API

You can also use the ThreatConnect v3 API to enrich Host Indicators with data from RiskIQ. For instructions on using the ThreatConnect v3 API to enrich Indicators, see [*Indicator Enrichment Overview*](https://threatconnect.readme.io/reference/indicator-enrichment-overview).

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *RiskIQ® is a registered trademark of Microsoft Corporation.*

20146-08 v.01.A
