Indicator Enrichment
Every indicator extracted from a report is automatically enriched against multiple external sources. Enrichment runs asynchronously after ingestion and is stored in the database — so you always see fresh data on the indicator detail page.
Sources by indicator type
| Type | Sources | Data points |
|---|---|---|
| ipv4 / ipv6 | IPInfo, AbuseIPDB, ThreatFox, Shodan InternetDB, GreyNoise Community, VirusTotal | ASN, country, hosting provider, abuse confidence score and report count, malware family associations, open ports, exposed CVEs, background noise classification, VT detection count |
| domain | RDAP, WHOIS (optional), DNS, VirusTotal, URLhaus, ThreatFox | Registrar, registration and expiry dates, nameservers, resolved IPs, VT detection ratio, malicious URL count, malware family |
| hash | VirusTotal, MalwareBazaar, ThreatFox, CIRCL | Detection ratio, file type, malware family, tags, known-good (NSRL) lookup |
| url | VirusTotal, URLhaus, ThreatFox | Detection ratio, live status, malware delivered, confidence |
| DNS (MX lookup), ThreatFox | Domain classification (free provider, disposable), MX records, malware family associations |
Companion hashes and threat classification
For hash indicators, VirusTotal returns all three hash forms in a single API call. Babel stores whichever forms were not already known — so submitting a SHA-256 will also populate the SHA-1 and MD5 values for that file, and vice versa. MalwareBazaar is used as a fallback source for companion hashes when the VirusTotal result does not include them.
VirusTotal also returns a threat classification for each file: a human-readable threat label (e.g. trojan.emotet/nanocore) and a threat category (e.g. trojan). Both are stored and exposed in the indicator API response.
Enrichment respects rate limits and runs with delays between requests to avoid overloading external APIs. Indicators with enrichment_status: done will not be re-enriched unless manually reset.
CVE enrichment
CVEs referenced in intelligence reports are enriched automatically against the NVD API v2.0. The following fields are populated:
| Field | Description |
|---|---|
cvss_score | CVSS base score (v3.1 preferred, v3.0 fallback, v2 fallback) |
cvss_severity | Severity label: LOW, MEDIUM, HIGH, or CRITICAL |
cvss_vector | Full CVSS vector string (e.g. CVSS:3.1/AV:N/AC:L/...) |
nvd_published_date | Date the CVE was published to NVD (YYYY-MM-DD) |
nvd_description | English-language description from the NVD record |
cisa_kev_url | URL to the CISA KEV entry, if the CVE appears in the Known Exploited Vulnerabilities catalogue |
cisa_kev_url is populated from the NVD record's reference list — if NVD links to a cisa.gov/known-exploited-vulnerabilities URL, it is stored. If the CVE is not in CISA KEV, the field is null.
