Skip to content

Indicator Enrichment

Every indicator extracted from a report is automatically enriched against multiple external sources. Enrichment runs asynchronously after ingestion and is stored in the database — so you always see fresh data on the indicator detail page.

Sources by indicator type

TypeSourcesData points
ipv4 / ipv6IPInfo, AbuseIPDB, ThreatFox, Shodan InternetDB, GreyNoise Community, VirusTotalASN, country, hosting provider, abuse confidence score and report count, malware family associations, open ports, exposed CVEs, background noise classification, VT detection count
domainRDAP, WHOIS (optional), DNS, VirusTotal, URLhaus, ThreatFoxRegistrar, registration and expiry dates, nameservers, resolved IPs, VT detection ratio, malicious URL count, malware family
hashVirusTotal, MalwareBazaar, ThreatFox, CIRCLDetection ratio, file type, malware family, tags, known-good (NSRL) lookup
urlVirusTotal, URLhaus, ThreatFoxDetection ratio, live status, malware delivered, confidence
emailDNS (MX lookup), ThreatFoxDomain classification (free provider, disposable), MX records, malware family associations

Companion hashes and threat classification

For hash indicators, VirusTotal returns all three hash forms in a single API call. Babel stores whichever forms were not already known — so submitting a SHA-256 will also populate the SHA-1 and MD5 values for that file, and vice versa. MalwareBazaar is used as a fallback source for companion hashes when the VirusTotal result does not include them.

VirusTotal also returns a threat classification for each file: a human-readable threat label (e.g. trojan.emotet/nanocore) and a threat category (e.g. trojan). Both are stored and exposed in the indicator API response.

Enrichment respects rate limits and runs with delays between requests to avoid overloading external APIs. Indicators with enrichment_status: done will not be re-enriched unless manually reset.

CVE enrichment

CVEs referenced in intelligence reports are enriched automatically against the NVD API v2.0. The following fields are populated:

FieldDescription
cvss_scoreCVSS base score (v3.1 preferred, v3.0 fallback, v2 fallback)
cvss_severitySeverity label: LOW, MEDIUM, HIGH, or CRITICAL
cvss_vectorFull CVSS vector string (e.g. CVSS:3.1/AV:N/AC:L/...)
nvd_published_dateDate the CVE was published to NVD (YYYY-MM-DD)
nvd_descriptionEnglish-language description from the NVD record
cisa_kev_urlURL to the CISA KEV entry, if the CVE appears in the Known Exploited Vulnerabilities catalogue

cisa_kev_url is populated from the NVD record's reference list — if NVD links to a cisa.gov/known-exploited-vulnerabilities URL, it is stored. If the CVE is not in CISA KEV, the field is null.

Babel is free for individual researchers, defenders, and analysts.