Enricher - ThreatCrowd
This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.
| Specifications | |
| --- | --- |
| Enricher name | ThreatCrowd |
| Input | Domain, email, hash-md5, hash-sha1, hash-sha256, hash-sha512, host, ipv4, ipv6, and malware. |
| Output | Enriches supported observable types with suspicious and potentially malicious domains, IP addresses, email addresses, file hashes, and antivirus detections. |
| API endpoint | https://www.threatcrowd.org/{Input} |
| Description | The ThreatCrowd enricher returns suspicious and potentially malicious domains, IP addresses, email addresses, file hashes, and antivirus detections, so that you can explore relationships between events, actors, and targets. |
Configure the enricher parameters
Edit the enricher.
From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the ThreatCrowd enricher.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value: https://www.threatcrowd.org.
In the Time last seen field, enter an integer to set a starting point in the past to retrieve matches from.
The number indicates the number of days in the past from the current time.
Default value: 365 days (Each time the enricher runs, it looks for matches up to one year old).
To store your changes, click Save; to discard them, click Cancel.