Indicator Enrichment

Enriching threat intelligence data helps remove false positives and delivers actionable intelligence for threat investigations and other security operations. ThreatConnect includes built-in enrichment services that you can use to retrieve data for an Indicator from a third-party enrichment service, provided that a System Administrator has enabled that service on your instance for the Indicator's type.

Note

You must include the following Content-Type HTTP header in your request in order to enrich an Indicator: Content-Type: application/json

Available Enrichment Services

You can use the v3 API to enrich Indicators with data retrieved from the following third-party enrichment services:

  • AbuseIPDB

  • DomainTools®

  • Farsight Security®

  • Shodan®

  • urlscan.io

  • VirusTotal™

Attention

As of ThreatConnect 7.8.1, the RiskIQ® built-in enrichment service is no longer available because Microsoft® has discontinued the RiskIQ Community Edition.

Enriching Indicators

The following section describes how to use the v3 API to enrich Indicators with data retrieved from any of the enrichment services that a System Administrator enabled and configured on your ThreatConnect instance. For more information on enabling enrichment services, see Enrichment in the ThreatConnect knowledge base.

Attention

If the API key your System Administrator entered for an enrichment service exceeds the quota limit set by the enrichment vendor, an error message stating so will be returned by the API.

Note

If you enrich an Indicator that exists in multiple owners, each copy of the Indicator will be enriched. However, only a single API request will be sent to the specified enrichment service.

Query Parameters

When using the v3 API to enrich Indicators, use the type query parameter to specify one or more enrichment services to use. See the following table for a list of acceptable values for the type query parameter.

Attention

The acceptable values for the type query parameter are case sensitive.

Value Name      Enrichment Service    Notes
------------    ------------------    ----------------------------------------------------------
AbuseIPDB       AbuseIPDB             Available for Address Indicators only
DomainTools     DomainTools           Available for Host Indicators only
Farsight        Farsight Security     Available for Address and Host Indicators only
Shodan          Shodan                Available for Address Indicators only
URLScan         urlscan.io            Available for URL Indicators only
VirusTotalV3    VirusTotal            Available for Address, File, Host, and URL Indicators only

Enrich a Specific Indicator

Send a request in the following format to enrich a specific Indicator with data retrieved from one or more enrichment services:

POST /v3/indicators/{indicatorId or indicatorSummary}/enrich?type={enrichmentService}
Content-Type: application/json

Note

If using an Indicator’s summary in the request URI and that Indicator exists in multiple owners, use the owner query parameter to specify which copy of the Indicator to return data for in the response.

AbuseIPDB

The following request will enrich an Address Indicator in the API user’s Organization with data retrieved from AbuseIPDB:

POST /v3/indicators/218.92.0.227/enrich?type=AbuseIPDB
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 11175668,
        "dateAdded": "2024-12-10T15:00:22Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/11175668",
        "type": "Address",
        "lastModified": "2024-12-10T15:00:22Z",
        "summary": "218.92.0.227",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "ip": "218.92.0.227",
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=218.92.0.227&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "AbuseIPDB",
                    "confidenceScore": 100,
                    "reportedCount": 26716,
                    "reportedCountDistinct": 420,
                    "lastReported": "2024-12-10T15:00:21Z",
                    "isp": "CHINANET jiangsu province network",
                    "usageType": "Fixed Line ISP",
                    "domainName": "chinatelecom.cn",
                    "country": "China"
                }
            ]
        }
    },
    "status": "Success"
}

Note

The amount of report data retrieved from AbuseIPDB will depend on the value your System Administrator entered for the Maximum Age of Results (days) setting when they configured the AbuseIPDB enrichment service in ThreatConnect.

DomainTools

The following request will enrich a Host Indicator in the API user’s Organization with data retrieved from DomainTools:

POST /v3/indicators/telecomcredits.us/enrich?type=DomainTools
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 10629739,
        "dateAdded": "2024-02-15T19:34:02Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/10629739",
        "type": "Host",
        "lastModified": "2025-04-24T01:19:20Z",
        "summary": "telecomcredits.us",
        "privateFlag": false,
        "active": false,
        "activeLocked": false,
        "hostName": "telecomcredits.us",
        "dnsActive": false,
        "whoisActive": false,
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=telecomcredits.us&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "DomainTools",
                    "overallRiskScore": 51,
                    "malwareRiskScore": 13,
                    "phishingRiskScore": 34,
                    "spamRiskScore": 51,
                    "active": true,
                    "registrantOrg": {
                        "value": "Redacted for Privacy Purposes",
                        "count": 1041870
                    },
                    "registrar": {
                        "value": "NAMECHEAP INC",
                        "count": 27890668
                    },
                    "ipList": [
                        {
                            "address": {
                                "value": "85.121.14.124",
                                "count": 4
                            },
                            "asn": [
                                {
                                    "value": "12310",
                                    "count": 5614
                                }
                            ],
                            "countryCode": {
                                "value": "ro",
                                "count": 582253
                            },
                            "isp": {
                                "value": "Byte Cont Srl",
                                "count": 567
                            }
                        }
                    ]
                }
            ]
        }
    },
    "status": "Success"
}

Farsight Security

The following request will enrich a Host Indicator in the API user’s Organization with data retrieved from Farsight Security:

POST /v3/indicators/zayla.co/enrich?type=Farsight
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 9962300,
        "dateAdded": "2023-06-26T15:23:28Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/9962300",
        "type": "Host",
        "lastModified": "2023-09-25T13:40:12Z",
        "confidence": 0,
        "source": "Imported from FarSight Passive DNS",
        "summary": "zayla.co",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "hostName": "zayla.co",
        "dnsActive": false,
        "whoisActive": false,
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=zayla.co&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "Farsight",
                    "results": [
                        {
                            "hostname": "zayla.co",
                            "ips": [
                                "13.56.33.8"
                            ],
                            "count": 3,
                            "firstSeen": "2020-06-20T04:35:27Z",
                            "lastSeen": "2020-06-20T04:40:32Z"
                        },
                        {
                            "hostname": "zayla.co",
                            "ips": [
                                "34.102.136.180"
                            ],
                            "count": 3,
                            "firstSeen": "2023-07-24T05:35:43Z",
                            "lastSeen": "2023-07-25T02:06:09Z"
                        },
                        {
                            "hostname": "zayla.co",
                            "ips": [
                                "107.180.48.66"
                            ],
                            "count": 5900,
                            "firstSeen": "2020-06-20T21:40:16Z",
                            "lastSeen": "2025-05-07T09:58:22Z"
                        },
                        {
                            "hostname": "zayla.co",
                            "ips": [
                                "107.180.51.202"
                            ],
                            "count": 105,
                            "firstSeen": "2019-07-08T08:10:43Z",
                            "lastSeen": "2020-06-13T18:45:36Z"
                        },
                        {
                            "hostname": "zayla.co",
                            "ips": [
                                "184.168.221.32"
                            ],
                            "count": 4,
                            "firstSeen": "2019-01-16T10:19:40Z",
                            "lastSeen": "2019-02-08T22:02:54Z"
                        },
                        {
                            "hostname": "mail.zayla.co",
                            "ips": [
                                "107.180.48.66"
                            ],
                            "count": 30,
                            "firstSeen": "2023-10-19T10:50:01Z",
                            "lastSeen": "2024-12-27T05:06:20Z"
                        }
                    ],
                    "msg": "succeeded"
                }
            ]
        }
    },
    "status": "Success"
}

Shodan

The following request will enrich an Address Indicator in the API user’s Organization with data retrieved from Shodan:

POST /v3/indicators/71.6.135.131/enrich?type=Shodan
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 15,
        "dateAdded": "2022-09-22T11:47:56Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/15/overview",
        "type": "Address",
        "lastModified": "2022-09-22T11:47:56Z",
        "summary": "71.6.135.131",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "ip": "71.6.135.131",
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=71.6.135.131&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "Shodan",
                    "hostNames": [
                        "soda.census.224.151.228.245",
                        "soda.census.224.64.23.67"
                    ],
                    "domains": [
                        "67.",
                        "245."
                    ],
                    "country": "United States",
                    "city": "San Diego",
                    "isp": "CariNet, Inc.",
                    "asn": "AS10439",
                    "org": "CariNet, Inc.",
                    "openPorts": [
                        {
                            "transport": "tcp",
                            "port": 22,
                            "product": "OpenSSH",
                            "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQCjl6EMm/rwCVDPD0bpSJc5HUfbWxgddKI6L+23g3h+kSNK\nAj4qh+RwT5InvQA6Rqkdc7e0fs+tm1MejA6vkV+7ZX7iKnG00tEi+uM7aEmRZl5CU6O2GNfSYgq9\nzOmhY1ZhRi3OaInZnkDBaYFo1KkGIyzc+ulkW8uch2/WwXuCCC7Yp2IzUdv/pgZgssPqJR0e2Nn/\nub87QA3ayw5V5rEQDq2ESpkEiCUhp8RN4wJAUyEsJMWMV80gOb7obykIc/mtkzjsjh6hvVuPhBGZ\n4govHkmFNNx1hDJ/lRajU006SnJmVZiLwN7yLOmw6F6bqo1qd/REngHRyLvgeuXyfkiN\nFingerprint: 89:8e:ba:1c:71:45:32:41:b4:8a:fe:91:85:3b:16:07\n\nKex Algorithms:\n\tcurve25519-sha256\n\[email protected]\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\[email protected]\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\[email protected]\n\[email protected]\n\nMAC Algorithms:\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\[email protected]\n"
                        },
                        {
                            "transport": "tcp",
                            "port": 9002,
                            "data": "\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x7f"
                        }
                    ]
                }
            ]
        }
    },
    "status": "Success"
}

urlscan.io

The following request will enrich the URL Indicator whose ID is 20 with data retrieved from urlscan.io:

POST /v3/indicators/20/enrich?type=URLScan
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 20,
        "dateAdded": "2023-05-31T14:35:51Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/20/overview",
        "type": "URL",
        "lastModified": "2023-05-31T14:35:58Z",
        "summary": "http://nemesis.com",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "text": "http://nemesis.com",
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/url.xhtml?orgid=1&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "URLScan",
                    "malicious": false,
                    "maliciousScore": 0,
                    "domain": "www.brandbucket.com",
                    "ip": {
                        "ip": "2606:4700:10::6816:6d8",
                        "country": "US"
                    },
                    "submittedUrl": "http://nemesis.com/",
                    "effectiveUrl": "https://www.brandbucket.com/names/nemesis?source=ext",
                    "contactSummary": {
                        "ipCount": 1,
                        "countryCount": 1,
                        "domainCount": 7,
                        "httpCount": 110
                    }
                }
            ]
        }
    },
    "status": "Success"
}

VirusTotal

The following request will enrich a File Indicator in the API user’s Organization with data retrieved from VirusTotal:

POST /v3/indicators/45356A9DD616ED7161A3B9192E2F318D0AB5AD10/enrich?type=VirusTotalV3
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 9962385,
        "dateAdded": "2023-07-28T14:06:49Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/9962385",
        "type": "File",
        "lastModified": "2023-07-28T14:06:49Z",
        "summary": "45356A9DD616ED7161A3B9192E2F318D0AB5AD10",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "sha1": "45356A9DD616ED7161A3B9192E2F318D0AB5AD10",
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/file.xhtml?file=45356A9DD616ED7161A3B9192E2F318D0AB5AD10&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "VirusTotal",
                    "vtMaliciousCount": 65
                }
            ]
        }
    },
    "status": "Success"
}

Multiple Enrichment Services

When enriching a specific Indicator, you can specify multiple enrichment services from which to retrieve data. In this scenario, each enrichment service must support the type of Indicator you want to enrich.

The following request will enrich a Host Indicator in the API user’s Organization with data retrieved from DomainTools and VirusTotal:

POST /v3/indicators/zeverco.com/enrich?type=DomainTools&type=VirusTotalV3
Content-Type: application/json

JSON Response

{
    "data": {
        "id": 26,
        "dateAdded": "2023-02-14T17:19:59Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/26/overview",
        "type": "Host",
        "lastModified": "2023-02-14T17:19:59Z",
        "summary": "zeverco.com",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "hostName": "zeverco.com",
        "dnsActive": true,
        "whoisActive": true,
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/host.xhtml?host=zeverco.com&owner=Demo+Organization ",
        "enrichment": {
            "data": [
                {
                    "type": "DomainTools",
                    "overallRiskScore": 100,
                    "malwareRiskScore": 58,
                    "phishingRiskScore": 74,
                    "spamRiskScore": 15,
                    "active": false,
                    "registrantOrg": {
                        "value": "Zeverco.com",
                        "count": 1
                    },
                    "registrar": {
                        "value": "ALIBABA.COM SINGAPORE E-COMMERCE PRIVATE LIMITED",
                        "count": 4148634
                    },
                    "ipList": [
                        {
                            "address": {
                                "value": "47.91.170.222",
                                "count": 28939535
                            },
                            "asn": [
                                {
                                    "value": "45102",
                                    "count": 41325718
                                }
                            ],
                            "countryCode": {
                                "value": "hk",
                                "count": 33985940
                            },
                            "isp": {
                                "value": "Alicloud-hk",
                                "count": 9022568
                            }
                        }
                    ]
                },
                {
                    "type": "VirusTotal",
                    "vtMaliciousCount": 12
                }
            ]
        }
    },
    "status": "Success"
}

If an enrichment service is not available for the type of Indicator you are trying to enrich, an error message indicating that the enrichment service does not support that Indicator type will be returned. For example, the following request attempts to enrich a Host Indicator with data retrieved from Shodan and VirusTotal. Because Shodan supports only Address Indicators, an error message stating that the Host Indicator cannot be enriched with Shodan is returned. The Indicator is also not enriched with data from VirusTotal.

POST /v3/indicators/zeverco.com/enrich?type=Shodan&type=VirusTotalV3
Content-Type: application/json

JSON Response

{
    "errCode": "0x1001",
    "message": "The Host zeverco.com cannot be enriched with Shodan because the indicator type isn't supported.",
    "status": "Error"
}
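The response shapes shown above can be reduced to a per-Indicator triage record on the client side. The following is an added example, not ThreatConnect code: the function and class names are illustrative, the field names are taken from the sample responses on this page, and the embedded samples are trimmed copies of those responses. It also accepts the list form of data that the multiple-Indicator endpoint on this page returns.

```python
import json

# The request value "VirusTotalV3" comes back as type "VirusTotal" in the
# page's samples; the other services' labels match their request values.
RESPONSE_TYPE = {"VirusTotalV3": "VirusTotal"}


class EnrichmentError(Exception):
    """Raised for an error envelope: {"status": "Error", "errCode", "message"}."""

    def __init__(self, err_code, message):
        super().__init__(f"{err_code}: {message}")
        self.err_code = err_code


def _fields(entry):
    """Keep the triage-relevant fields of one enrichment entry, by its type."""
    kind = entry.get("type")
    if kind == "AbuseIPDB":
        keys = ("confidenceScore", "reportedCount", "reportedCountDistinct", "lastReported")
    elif kind == "DomainTools":
        keys = ("overallRiskScore", "malwareRiskScore", "phishingRiskScore", "spamRiskScore")
    elif kind == "URLScan":
        keys = ("malicious", "maliciousScore", "effectiveUrl")
    elif kind == "VirusTotal":
        keys = ("vtMaliciousCount",)
    elif kind == "Farsight":
        ips = {ip for r in entry.get("results", []) for ip in r.get("ips", [])}
        return {"resolvedIps": sorted(ips)}
    elif kind == "Shodan":
        ports = entry.get("openPorts", [])
        return {"openPorts": [(p.get("transport"), p.get("port"), p.get("product")) for p in ports]}
    else:
        # Unknown service label: report the keys instead of guessing at meaning.
        return {"unparsedKeys": sorted(entry)}
    return {k: entry.get(k) for k in keys}


def summarize(response_text, requested=()):
    """Return one summary dict per Indicator in an enrich response.

    `requested` holds the type query values that were sent; any service whose
    entry is absent from an Indicator's enrichment data is listed in "missing".
    """
    doc = json.loads(response_text)
    if doc.get("status") != "Success":
        raise EnrichmentError(doc.get("errCode"), doc.get("message"))
    data = doc.get("data", [])
    records = data if isinstance(data, list) else [data]
    expected = [RESPONSE_TYPE.get(s, s) for s in requested]
    summaries = []
    for rec in records:
        entries = (rec.get("enrichment") or {}).get("data", [])
        services = {e.get("type"): _fields(e) for e in entries}
        summaries.append({
            "id": rec.get("id"),
            "type": rec.get("type"),
            "summary": rec.get("summary"),
            "ownerName": rec.get("ownerName"),
            "services": services,
            "missing": [s for s in expected if s not in services],
        })
    return summaries


# Samples trimmed from the responses shown on this page.
SAMPLE_OK = """{
  "data": {
    "id": 26, "ownerName": "Demo Organization", "type": "Host",
    "summary": "zeverco.com",
    "enrichment": {"data": [
      {"type": "DomainTools", "overallRiskScore": 100, "malwareRiskScore": 58,
       "phishingRiskScore": 74, "spamRiskScore": 15, "active": false},
      {"type": "VirusTotal", "vtMaliciousCount": 12}
    ]}
  },
  "status": "Success"
}"""

SAMPLE_ERROR = """{
  "errCode": "0x1001",
  "message": "The Host zeverco.com cannot be enriched with Shodan because the indicator type isn't supported.",
  "status": "Error"
}"""

if __name__ == "__main__":
    for row in summarize(SAMPLE_OK, requested=["DomainTools", "VirusTotalV3"]):
        print(json.dumps(row, indent=2))
    try:
        summarize(SAMPLE_ERROR)
    except EnrichmentError as exc:
        print("rejected:", exc)
```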

Enrich Multiple Indicators

Send a request in the following format to enrich multiple Indicators with data retrieved from the specified enrichment services. The specified enrichment services must support each type of Indicator defined in the request body.

POST /v3/indicators/enrich?type={enrichmentService}
Content-Type: application/json

{
    "data": [
        {
            "id": 0
        },
        {
            "type": "<string>",
            "summary": "<string>",
            "ownerName": "<string>"
        }
    ]
}

Note

When defining an Indicator by its type and summary instead of its ID, you must define the owner field in the request body if the Indicator exists in a Community or Source.

Attention

By default, the maximum number of Indicators that can be enriched in a single request is 500. To adjust this limit, contact your System Administrator.
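Because the type values are case sensitive, a single-Indicator request is rejected outright when any requested service does not support the Indicator's type, and a request body is limited to 500 Indicators by default, it is worth checking requests before they are sent. The following is an added example, not ThreatConnect code: the function names are illustrative, the support matrix is copied from the table on this page, percent-encoding of a summary in the URI is an assumption, and authentication is left out because this page does not cover it.

```python
import json
from urllib.parse import quote, urlencode

# type query value -> Indicator types it supports (from the table on this page).
SERVICE_SUPPORT = {
    "AbuseIPDB": {"Address"},
    "DomainTools": {"Host"},
    "Farsight": {"Address", "Host"},
    "Shodan": {"Address"},
    "URLScan": {"URL"},
    "VirusTotalV3": {"Address", "File", "Host", "URL"},
}
DEFAULT_MAX_BATCH = 500  # default limit stated on this page; an admin may change it


def validate_services(services):
    """Reject empty, unknown or wrongly cased type values before any request."""
    if not services:
        raise ValueError("at least one enrichment service is required")
    unknown = [s for s in services if s not in SERVICE_SUPPORT]
    if unknown:
        raise ValueError(f"unknown type value(s), check spelling and case: {unknown}")


def unsupported_services(indicator_type, services):
    """Services in `services` that do not support `indicator_type`."""
    return [s for s in services if indicator_type not in SERVICE_SUPPORT[s]]


def enrich_query(services):
    """Build the query string with one repeated type parameter per service."""
    return urlencode([("type", s) for s in services])


def single_enrich_path(indicator_type, id_or_summary, services):
    """Request path for one Indicator; fails locally where the API would fail."""
    validate_services(services)
    bad = unsupported_services(indicator_type, services)
    if bad:
        # The API rejects the whole request in this case, so no service would run.
        raise ValueError(f"{indicator_type} is not supported by: {bad}")
    # Assumption: a summary placed in the URI is percent-encoded.
    target = quote(str(id_or_summary), safe="")
    return f"/v3/indicators/{target}/enrich?{enrich_query(services)}"


def batch_enrich_requests(indicators, services, max_batch=DEFAULT_MAX_BATCH):
    """Return (path, bodies, skipped) for the multiple-Indicator endpoint.

    `bodies` holds one JSON body per chunk of at most `max_batch` Indicators.
    `skipped` lists (summary, service) pairs the service cannot enrich; entries
    given only by id have no local type and are not checked.
    """
    validate_services(services)
    skipped = []
    for ind in indicators:
        if ind.get("type"):
            for svc in unsupported_services(ind["type"], services):
                skipped.append((ind.get("summary"), svc))
    path = f"/v3/indicators/enrich?{enrich_query(services)}"
    bodies = [
        json.dumps({"data": indicators[i:i + max_batch]})
        for i in range(0, len(indicators), max_batch)
    ]
    return path, bodies, skipped


if __name__ == "__main__":
    print(single_enrich_path("Host", "zeverco.com", ["DomainTools", "VirusTotalV3"]))
    sample = [  # constructed from the request examples on this page
        {"type": "Address", "summary": "71.6.135.131"},
        {"type": "Host", "summary": "nemesis.com"},
    ]
    path, bodies, skipped = batch_enrich_requests(sample, ["Shodan", "VirusTotalV3"])
    print(path, len(bodies), skipped)
```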

Single Enrichment Service

The following request will enrich the Indicator whose ID is 15 (an Address Indicator), as well as a Host Indicator in one of the API user’s Communities, with data retrieved from VirusTotal:

POST /v3/indicators/enrich?type=VirusTotalV3
Content-Type: application/json

{
    "data": [
        {
            "id": 15
        },
        {
            "type": "Host",
            "summary": "evil.com",
            "ownerName": "Demo Community"
        }
    ]
}

JSON Response

{
    "data": [
        {
            "id": 15,
            "dateAdded": "2022-09-22T11:47:56Z",
            "ownerId": 1,
            "ownerName": "Demo Organization",
            "webLink": "https://app.threatconnect.com/#/details/indicators/15/overview",
            "type": "Address",
            "lastModified": "2022-09-22T11:47:56Z",
            "summary": "71.6.135.131",
            "privateFlag": false,
            "active": true,
            "activeLocked": false,
            "ip": "71.6.135.131",
            "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=71.6.135.131&owner=Demo+Organization",
            "enrichment": {
                "data": [
                    {
                        "type": "VirusTotal",
                        "vtMaliciousCount": 14
                    }
                ]
            }
        },
        {
            "id": 22,
            "dateAdded": "2023-03-20T14:40:04Z",
            "ownerId": 2,
            "ownerName": "Demo Community",
            "webLink": "https://app.threatconnect.com/#/details/indicators/22/overview",
            "type": "Host",
            "lastModified": "2023-03-20T14:40:04Z",
            "summary": "evil.com",
            "privateFlag": false,
            "active": true,
            "activeLocked": false,
            "hostName": "evil.com",
            "dnsActive": false,
            "whoisActive": false,
            "legacyLink": "https://app.threatconnect.comauth/indicators/details/host.xhtml?host=evil.com&owner=Demo+Community",
            "enrichment": {
                "data": [
                    {
                        "type": "VirusTotal",
                        "vtMaliciousCount": 4
                    }
                ]
            }
        }
    ],
    "enriched": 2,
    "status": "Success"
}

Multiple Enrichment Services

When enriching multiple Indicators, you can specify multiple enrichment services from which to retrieve data. In this scenario, each enrichment service must support the types of Indicators you want to enrich.

The following request will enrich two Address Indicators in the API user’s Organization with data retrieved from Shodan and VirusTotal:

POST /v3/indicators/enrich?type=Shodan&type=VirusTotalV3
Content-Type: application/json

{
    "data": [
        {
            "type": "Address",
            "summary": "71.6.135.131"
        },
        {
            "type": "Address",
            "summary": "13.56.33.8"
        }
    ]
}

JSON Response

{
    "data": [
        {
            "id": 15,
            "dateAdded": "2022-09-22T11:47:56Z",
            "ownerId": 1,
            "ownerName": "Demo Organization",
            "webLink": "https://app.threatconnect.com/#/details/indicators/15/overview",
            "type": "Address",
            "lastModified": "2022-09-22T11:47:56Z",
            "summary": "71.6.135.131",
            "privateFlag": false,
            "active": true,
            "activeLocked": false,
            "ip": "71.6.135.131",
            "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=71.6.135.131&owner=Demo+Organization",
            "enrichment": {
                "data": [
                    {
                        "type": "Shodan",
                        "hostNames": [
                            "soda.census.224.151.228.245",
                            "soda.census.224.64.23.67"
                        ],
                        "domains": [
                            "67.",
                            "245."
                        ],
                        "country": "United States",
                        "city": "San Diego",
                        "isp": "CariNet, Inc.",
                        "asn": "AS10439",
                        "org": "CariNet, Inc.",
                        "openPorts": [
                            {
                                "transport": "tcp",
                                "port": 22,
                                "product": "OpenSSH",
                                "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQCjl6EMm/rwCVDPD0bpSJc5HUfbWxgddKI6L+23g3h+kSNK\nAj4qh+RwT5InvQA6Rqkdc7e0fs+tm1MejA6vkV+7ZX7iKnG00tEi+uM7aEmRZl5CU6O2GNfSYgq9\nzOmhY1ZhRi3OaInZnkDBaYFo1KkGIyzc+ulkW8uch2/WwXuCCC7Yp2IzUdv/pgZgssPqJR0e2Nn/\nub87QA3ayw5V5rEQDq2ESpkEiCUhp8RN4wJAUyEsJMWMV80gOb7obykIc/mtkzjsjh6hvVuPhBGZ\n4govHkmFNNx1hDJ/lRajU006SnJmVZiLwN7yLOmw6F6bqo1qd/REngHRyLvgeuXyfkiN\nFingerprint: 89:8e:ba:1c:71:45:32:41:b4:8a:fe:91:85:3b:16:07\n\nKex Algorithms:\n\tcurve25519-sha256\n\[email protected]\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\[email protected]\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\[email protected]\n\[email protected]\n\nMAC Algorithms:\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\[email protected]\n"
                            },
                            {
                                "transport": "tcp",
                                "port": 9002,
                                "data": "\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x7f"
                            }
                        ]
                    },
                    {
                        "type": "VirusTotal",
                        "vtMaliciousCount": 14
                    }
                ]
            }
        },
        {
            "id": 28,
            "dateAdded": "2023-03-16T16:07:29Z",
            "ownerId": 1,
            "ownerName": "Demo Organization",
            "webLink": "https://app.threatconnect.com/#/details/indicators/28/overview",
            "type": "Address",
            "lastModified": "2023-06-27T15:38:38Z",
            "confidence": 0,
            "source": "Imported from FarSight Passive DNS",
            "summary": "13.56.33.8",
            "privateFlag": false,
            "active": true,
            "activeLocked": false,
            "ip": "13.56.33.8",
            "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=13.56.33.8&owner=Demo+Organization",
            "enrichment": {
                "data": [
                    {
                        "type": "Shodan",
                        "hostNames": [
                            "ec2-13-56-33-8.us-west-1.compute.amazonaws.com"
                        ],
                        "domains": [
                            "amazonaws.com"
                        ],
                        "tags": [
                            "self-signed",
                            "cloud"
                        ],
                        "cloudProvider": "Amazon",
                        "cloudRegion": "us-west-1",
                        "country": "United States",
                        "city": "San Jose",
                        "isp": "Amazon.com, Inc.",
                        "asn": "AS16509",
                        "org": "Amazon Technologies Inc.",
                        "openPorts": [
                            {
                                "transport": "tcp",
                                "port": 22,
                                "product": "OpenSSH",
                                "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQDe8kN0qMLv5lPmvNqbDDrhGRPRau3q8Cl9WmmHRsO0fpk+\nqUu4TbZOAA94e8BW7ye/rwQ/2wSpUwtT83bM1EYxacQZ6v1za1R1H5qFC63Ln3X0oflKl8gFXRXl\n+Tyw8X8sqFgPrfvHCdEpB2W4VmXugHtfhnd9KXQB55hLFFf579XRcu4T29d1ndtEshwNS6u/3rMi\nMaDdRRW/8QZC+Qv83QyLhOkx1ru2KZn6ozli0nxBgXKPUSLRQt6pXiYy4p5IRhOIzmDVdllhsNaG\nxgIBMO9abCZhhzNUeNha0MxLwLAS6+2x0bq1N1ri3CFhmANfDNbz3G6qA5dTEy3Hd9ED\nFingerprint: bc:e8:25:20:c7:93:7b:0a:1d:cc:54:92:26:17:e8:f4\n\nKex Algorithms:\n\tcurve25519-sha256\n\[email protected]\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\[email protected]\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\[email protected]\n\[email protected]\n\nMAC Algorithms:\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\[email protected]\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\[email protected]\n"
                            },
                            {
                                "transport": "tcp",
                                "port": 80,
                                "product": "OpenResty",
                                "data": "HTTP/1.1 301 Moved Permanently\r\nServer: openresty/1.15.8.2\r\nDate: Fri, 22 Sep 2023 02:25:08 GMT\r\nContent-Type: text/html\r\nContent-Length: 175\r\nConnection: keep-alive\r\nReferrer-Policy: no-referrer\r\nLocation: https://www.brandbucket.com/names/veraseek?source=ext\r\n\r\n"
                            },
                            {
                                "transport": "tcp",
                                "port": 443,
                                "product": "OpenResty",
                                "data": "HTTP/1.1 301 Moved Permanently\r\nServer: openresty/1.15.8.2\r\nDate: Fri, 22 Sep 2023 13:19:52 GMT\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nLocation: https://www.\r\nRedirect-loc: 0\r\n\r\n",
                                "ssl": {
                                    "issuer": "sni-support-required-for-valid-ssl",
                                    "subject": "sni-support-required-for-valid-ssl",
                                    "issued": "2019-12-04T08:12:36Z",
                                    "expires": "2029-12-01T08:12:36Z"
                                }
                            }
                        ]
                    },
                    {
                        "type": "VirusTotal",
                        "vtMaliciousCount": 0
                    }
                ]
            }
        }
    ],
    "enriched": 2,
    "status": "Success"
}

If an enrichment service does not support one of the Indicator types defined in the request body, the request will enrich the types of Indicators that the enrichment service supports and return a message indicating which Indicators cannot be enriched with the enrichment service. For example, the following request attempts to enrich an Address and Host Indicator in the API user’s Organization with data retrieved from Shodan and VirusTotal. Because Shodan supports only Address Indicators, the API response includes a message stating that the Host Indicator cannot be enriched with Shodan.

POST /v3/indicators/enrich?type=Shodan&type=VirusTotalV3
Content-Type: application/json

{
    "data": [
        {
            "type": "Address",
            "summary": "71.6.135.131"
        },
        {
            "type": "Host",
            "summary": "nemesis.com"
        }
    ]
}

JSON Response

{
    "data": [
        {
            "id": 15,
            "dateAdded": "2022-09-22T11:47:56Z",
            "ownerId": 1,
            "ownerName": "Demo Organization",
            "webLink": "https://app.threatconnect.com/#/details/indicators/15/overview",
            "type": "Address",
            "lastModified": "2022-09-22T11:47:56Z",
            "summary": "71.6.135.131",
            "privateFlag": false,
            "active": true,
            "activeLocked": false,
            "ip": "71.6.135.131",
            "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=71.6.135.131&owner=Demo+Organization",
            "enrichment": {
                "data": [
                    {
                        "type": "Shodan",
                        "hostNames": [
                            "soda.census.224.151.228.245",
                            "soda.census.224.64.23.67"
                        ],
                        "domains": [
                            "67.",
                            "245."
                        ],
                        "country": "United States",
                        "city": "San Diego",
                        "isp": "CariNet, Inc.",
                        "asn": "AS10439",
                        "org": "CariNet, Inc.",
                        "openPorts": [
                            {
                                "transport": "tcp",
                                "port": 22,
                                "product": "OpenSSH",
                                "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQCjl6EMm/rwCVDPD0bpSJc5HUfbWxgddKI6L+23g3h+kSNK\nAj4qh+RwT5InvQA6Rqkdc7e0fs+tm1MejA6vkV+7ZX7iKnG00tEi+uM7aEmRZl5CU6O2GNfSYgq9\nzOmhY1ZhRi3OaInZnkDBaYFo1KkGIyzc+ulkW8uch2/WwXuCCC7Yp2IzUdv/pgZgssPqJR0e2Nn/\nub87QA3ayw5V5rEQDq2ESpkEiCUhp8RN4wJAUyEsJMWMV80gOb7obykIc/mtkzjsjh6hvVuPhBGZ\n4govHkmFNNx1hDJ/lRajU006SnJmVZiLwN7yLOmw6F6bqo1qd/REngHRyLvgeuXyfkiN\nFingerprint: 89:8e:ba:1c:71:45:32:41:b4:8a:fe:91:85:3b:16:07\n\nKex Algorithms:\n\tcurve25519-sha256\n\tcurve25519-sha256@libssh.org\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\tchacha20-poly1305@openssh.com\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\taes128-gcm@openssh.com\n\taes256-gcm@openssh.com\n\nMAC Algorithms:\n\tumac-64-etm@openssh.com\n\tumac-128-etm@openssh.com\n\thmac-sha2-256-etm@openssh.com\n\thmac-sha2-512-etm@openssh.com\n\thmac-sha1-etm@openssh.com\n\tumac-64@openssh.com\n\tumac-128@openssh.com\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\tzlib@openssh.com\n"
                            },
                            {
                                "transport": "tcp",
                                "port": 9002,
                                "data": "\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x7f"
                            }
                        ]
                    },
                    {
                        "type": "VirusTotal",
                        "vtMaliciousCount": 14
                    }
                ]
            }
        }
    ],
    "enriched": 1,
    "unableEnrich": 1,
    "messages": [
        "[idx=1] nemesis.com: The Host nemesis.com cannot be enriched with Shodan because the indicator type isn't supported."
    ],
    "status": "Success"
}
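A "status": "Success" response can still leave some requested Indicators without enrichment, so a client should reconcile the response against what it sent. The following Python sketch is an added example, not ThreatConnect code; it assumes the [idx=N] prefix in messages is the zero-based position of the Indicator in the request's data array (as the sample above suggests) and runs on a trimmed, constructed copy of that response.

```python
import re

# Constructed sample: the request body above and a trimmed copy of its response.
REQUEST = {"data": [{"type": "Address", "summary": "71.6.135.131"},
                    {"type": "Host", "summary": "nemesis.com"}]}
RESPONSE = {
    "data": [{"type": "Address", "summary": "71.6.135.131",
              "enrichment": {"data": [{"type": "Shodan", "openPorts": []},
                                      {"type": "VirusTotal", "vtMaliciousCount": 14}]}}],
    "enriched": 1,
    "unableEnrich": 1,
    "messages": ["[idx=1] nemesis.com: The Host nemesis.com cannot be enriched with "
                 "Shodan because the indicator type isn't supported."],
    "status": "Success",
}

# Assumption: "[idx=N]" is the zero-based position of the Indicator in the request.
MSG_RE = re.compile(r"^\[idx=(\d+)\]\s*(.*)$", re.S)


def reconcile(request, response):
    """Return (rows, unmatched): one row per requested Indicator, plus stray messages."""
    rows = [{"type": i["type"], "summary": i["summary"], "services": [], "messages": []}
            for i in request["data"]]
    by_key = {(r["type"], r["summary"]): r for r in rows}
    for ind in response.get("data", []):
        row = by_key.get((ind.get("type"), ind.get("summary")))
        if row is None:
            continue
        # Copies of the Indicator in several owners each carry their own enrichment.
        found = {e["type"] for e in ind.get("enrichment", {}).get("data", [])}
        row["services"] = sorted(found | set(row["services"]))
    unmatched = []
    for msg in response.get("messages", []):
        m = MSG_RE.match(msg)
        if m and int(m.group(1)) < len(rows):
            rows[int(m.group(1))]["messages"].append(m.group(2))
        else:
            unmatched.append(msg)
    return rows, unmatched


def not_enriched(rows):
    """Summaries of requested Indicators that came back with no enrichment data."""
    return [r["summary"] for r in rows if not r["services"]]


if __name__ == "__main__":
    rows, _ = reconcile(REQUEST, RESPONSE)
    for r in rows:
        print(r["summary"], r["services"] or "NOT ENRICHED", r["messages"])
```
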

Include Enrichment Data in API Responses

When using the /v3/indicators endpoint to create, retrieve, or update Indicators, you can use the fields query parameter to include the enrichment field in API responses.

Send a request in the following format to retrieve data for all Indicators or a specific one and include enrichment data for the Indicator(s) in the API response:

Request (All Indicators)

GET /v3/indicators?fields=enrichment

Request (Specific Indicator)

GET /v3/indicators/{indicatorId or indicatorSummary}?fields=enrichment

Attention

You must first enrich an Indicator with a supported enrichment service for data to be populated in the enrichment field included in the API response.

For example, the following request will retrieve data for an Address Indicator in the API user’s Organization and include enrichment data for the Indicator in the API response:

GET /v3/indicators/71.6.135.131?fields=enrichment

JSON Response

{
    "data": {
        "id": 15,
        "dateAdded": "2022-09-22T11:47:56Z",
        "ownerId": 1,
        "ownerName": "Demo Organization",
        "webLink": "https://app.threatconnect.com/#/details/indicators/15/overview",
        "type": "Address",
        "lastModified": "2022-09-22T11:47:56Z",
        "summary": "71.6.135.131",
        "privateFlag": false,
        "active": true,
        "activeLocked": false,
        "ip": "71.6.135.131",
        "legacyLink": "https://app.threatconnect.com/auth/indicators/details/address.xhtml?address=71.6.135.131&owner=Demo+Organization",
        "enrichment": {
            "data": [
                {
                    "type": "VirusTotal",
                    "vtMaliciousCount": 14
                },
                {
                    "type": "Shodan",
                    "hostNames": [
                        "soda.census.224.151.228.245",
                        "soda.census.224.64.23.67"
                    ],
                    "domains": [
                        "67.",
                        "245."
                    ],
                    "country": "United States",
                    "city": "San Diego",
                    "isp": "CariNet, Inc.",
                    "asn": "AS10439",
                    "org": "CariNet, Inc.",
                    "openPorts": [
                        {
                            "transport": "tcp",
                            "port": 22,
                            "product": "OpenSSH",
                            "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\nKey: AAAAB3NzaC1yc2EAAAADAQABAAABAQCjl6EMm/rwCVDPD0bpSJc5HUfbWxgddKI6L+23g3h+kSNK\nAj4qh+RwT5InvQA6Rqkdc7e0fs+tm1MejA6vkV+7ZX7iKnG00tEi+uM7aEmRZl5CU6O2GNfSYgq9\nzOmhY1ZhRi3OaInZnkDBaYFo1KkGIyzc+ulkW8uch2/WwXuCCC7Yp2IzUdv/pgZgssPqJR0e2Nn/\nub87QA3ayw5V5rEQDq2ESpkEiCUhp8RN4wJAUyEsJMWMV80gOb7obykIc/mtkzjsjh6hvVuPhBGZ\n4govHkmFNNx1hDJ/lRajU006SnJmVZiLwN7yLOmw6F6bqo1qd/REngHRyLvgeuXyfkiN\nFingerprint: 89:8e:ba:1c:71:45:32:41:b4:8a:fe:91:85:3b:16:07\n\nKex Algorithms:\n\tcurve25519-sha256\n\tcurve25519-sha256@libssh.org\n\tecdh-sha2-nistp256\n\tecdh-sha2-nistp384\n\tecdh-sha2-nistp521\n\tdiffie-hellman-group-exchange-sha256\n\tdiffie-hellman-group16-sha512\n\tdiffie-hellman-group18-sha512\n\tdiffie-hellman-group14-sha256\n\tdiffie-hellman-group14-sha1\n\nServer Host Key Algorithms:\n\tssh-rsa\n\trsa-sha2-512\n\trsa-sha2-256\n\tecdsa-sha2-nistp256\n\tssh-ed25519\n\nEncryption Algorithms:\n\tchacha20-poly1305@openssh.com\n\taes128-ctr\n\taes192-ctr\n\taes256-ctr\n\taes128-gcm@openssh.com\n\taes256-gcm@openssh.com\n\nMAC Algorithms:\n\tumac-64-etm@openssh.com\n\tumac-128-etm@openssh.com\n\thmac-sha2-256-etm@openssh.com\n\thmac-sha2-512-etm@openssh.com\n\thmac-sha1-etm@openssh.com\n\tumac-64@openssh.com\n\tumac-128@openssh.com\n\thmac-sha2-256\n\thmac-sha2-512\n\thmac-sha1\n\nCompression Algorithms:\n\tnone\n\tzlib@openssh.com\n"
                        },
                        {
                            "transport": "tcp",
                            "port": 9002,
                            "data": "\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x7f"
                        }
                    ]
                }
            ]
        }
    },
    "status": "Success"
}
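The entries in enrichment.data are not in a fixed order (VirusTotal comes first here, Shodan first in the enrich response earlier), and optional keys such as product and ssl are absent on some ports, so consumers should look entries up by type and tolerate missing keys. The following Python sketch is an added example, not ThreatConnect code; the sample is a constructed, shortened copy of the enrichment object above, and vt_threshold is a hypothetical triage cutoff.

```python
# Constructed sample: the "enrichment" object from the response above, banners shortened.
ENRICHMENT = {"data": [
    {"type": "VirusTotal", "vtMaliciousCount": 14},
    {"type": "Shodan", "country": "United States", "asn": "AS10439", "org": "CariNet, Inc.",
     "openPorts": [
         {"transport": "tcp", "port": 22, "product": "OpenSSH",
          "data": "SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.5\nKey type: ssh-rsa\n"},
         {"transport": "tcp", "port": 9002,
          "data": "\\xff\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x7f"},
     ]},
]}


def by_service(enrichment):
    """Index enrichment entries by their "type" value instead of list position."""
    return {e["type"]: e for e in (enrichment or {}).get("data", [])}


def summarize(indicator, vt_threshold=5):
    """Flatten an Indicator's enrichment field into one triage record."""
    # An Indicator that was never enriched may have no enrichment data (assumed: absent or empty).
    svc = by_service(indicator.get("enrichment"))
    shodan = svc.get("Shodan", {})
    vt = svc.get("VirusTotal", {}).get("vtMaliciousCount")
    ports = []
    for p in shodan.get("openPorts", []):
        banner = (p.get("data") or "").splitlines()
        ports.append({
            "port": f'{p.get("port")}/{p.get("transport", "?")}',
            "product": p.get("product", "unidentified"),  # port 9002 above has no product
            "banner": banner[0][:60] if banner else "",   # first banner line only
            "tls_issuer": p.get("ssl", {}).get("issuer"),
        })
    return {
        "summary": indicator.get("summary"),
        "enriched": bool(svc),
        "vt_malicious": vt,
        "needs_review": vt is not None and vt >= vt_threshold,
        "asn": shodan.get("asn"),
        "ports": ports,
    }
```
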