Enricher - ThreatCrowd

Caution

ThreatCrowd API may no longer be available. See AlienVault instead.

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specifications

Enricher name

ThreatCrowd

Input

Domain, email, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, and malware.

Output

Enriches supported observable types with suspicious and potentially malicious domains, IP addresses, email addresses, file hashes, and antivirus detections.

API endpoint

https://www.threatcrowd.org/{Input}

Description

The ThreatCrowd enricher returns suspicious and potentially malicious domains, IP addresses, email addresses, file hashes, and antivirus detections, so that you can explore relationships between events, actors, and targets.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the ThreatCrowd enricher.

  3. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://www.threatcrowd.org.

  4. In the Time last seen field, enter an integer to set how far back in the past to retrieve matches from.
    The number is the number of days before the current time.
    Default value: 365 days (each time the enricher runs, it looks for matches up to one year old).

  5. To store your changes, click Save; to discard them, click Cancel.
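The following Python module is an added example, not EclecticIQ or ThreatCrowd code, that models the two settings the procedure above exposes: the API URL base from step 3 and the Time last seen window from step 4. It builds a lookup URL in the `https://www.threatcrowd.org/{Input}` layout the page gives, restricts input to the observable types the page lists, and applies the day-based window to a constructed set of results. The result field names (`last_seen`, `value`, `type`), the ISO date format, and the sample sightings are assumptions made for the example.

```python
# Added example (not EclecticIQ or ThreatCrowd code): models the API URL base
# and the "Time last seen" window of the enricher and applies them to a
# constructed result set. The URL layout https://www.threatcrowd.org/{Input}
# and the supported observable types come from the page; the result field
# names "last_seen", "value" and "type" are assumptions.
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Observable types the page lists as supported input.
SUPPORTED_TYPES = {
    "domain", "email", "hash-md5", "hash-sha1", "hash-sha256", "hash-sha512",
    "host", "ipv4", "ipv6", "malware",
}
DEFAULT_API_URL = "https://www.threatcrowd.org"   # default from step 3
DEFAULT_TIME_LAST_SEEN_DAYS = 365                 # default from step 4


def build_request_url(observable_type: str, value: str,
                      api_url: str = DEFAULT_API_URL) -> str:
    """Build the lookup URL for one observable, rejecting unsupported types.

    A proxy or non-standard port is expressed by changing api_url, as step 3
    describes. The observable value is percent-encoded so that a '/' or '?'
    inside it cannot change the request path or query.
    """
    if observable_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported observable type: {observable_type}")
    return f"{api_url.rstrip('/')}/{quote(value, safe='')}"


def last_seen_cutoff(now: datetime,
                     days: int = DEFAULT_TIME_LAST_SEEN_DAYS) -> datetime:
    """Earliest 'last seen' date that still falls inside the window."""
    if days < 0:
        raise ValueError("Time last seen must be a non-negative number of days")
    return now - timedelta(days=days)


def filter_by_last_seen(matches, now, days=DEFAULT_TIME_LAST_SEEN_DAYS):
    """Keep only matches whose last_seen date is at or after the cutoff."""
    cutoff = last_seen_cutoff(now, days)
    kept = []
    for match in matches:
        # Assumed result format: last_seen is an ISO date, treated as UTC.
        seen = datetime.strptime(match["last_seen"], "%Y-%m-%d")
        seen = seen.replace(tzinfo=timezone.utc)
        if seen >= cutoff:
            kept.append(match)
    return kept


# Constructed sample results: RFC 5737 addresses, reserved example names and
# the MD5 of the empty string as a placeholder hash. Not real sightings.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_MATCHES = [
    {"type": "ipv4", "value": "203.0.113.5", "last_seen": "2024-05-20"},          # 12 days old
    {"type": "domain", "value": "lookup.example.net", "last_seen": "2023-06-02"},  # exactly 365 days
    {"type": "domain", "value": "old.example.net", "last_seen": "2023-06-01"},     # 366 days, dropped
    {"type": "hash-md5", "value": "d41d8cd98f00b204e9800998ecf8427e",
     "last_seen": "2022-01-10"},                                                  # well outside
]


if __name__ == "__main__":
    print(build_request_url("ipv4", "203.0.113.5"))
    for match in filter_by_last_seen(SAMPLE_MATCHES, NOW):
        print(match["type"], match["value"], match["last_seen"])
```

Note that the boundary is inclusive: with the default of 365 days and a run on 2024-06-01, a sighting last seen on 2023-06-02 is still returned while one from 2023-06-01 is not, which is the behaviour to expect when comparing the enricher's output against another source.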