Enricher - NSFocus Intelligence

This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.


Enricher name

NSFocus Intelligence


Domain, cve, hash-md5, ipv4, and uri.


Details on geolocation, ASN, registrar, whois, running ports and protocols, domain names, and file hashes.

API endpoint



The NSFocus Intelligence enricher augments input observables with a wide range of contextual information such as geolocation, ASN, whois, registrar, domain name, file hash, and so on.


Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials to access the API endpoint exposing the service.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the NSFocus Intelligence enricher.

  3. Select the Enabled checkbox.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://nti.nsfocusglobal.com.

  5. In the API key field, enter your API key.
    The authorization key is a 64-bit string of characters generated by the intelligence service provider.

  6. The SSL verification checkbox is automatically selected.

  7. In the Path to SSL certificate field, enter the path to your PEM file.

  8. To store your changes, click Save; to discard them, click Cancel.

Additional information

Based on the input observables, the enricher searches the source NSFocus Intelligence database for matches.

Retrieved matches are stored in the platform as enrichment observables related to the corresponding input observables, indicators, malware variant TTPs, exploit targets, and reports.
Any retrieved tags are mapped to the resulting enrichment entities and observables.

Matching hits are automatically tagged with the following metadata:

  • enrichment_extracts.meta.classification: bad.To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Action > Mark as malicious.

  • enrichment_extracts.meta.confidence: low .
    To set this value, go to the top navigation bar, click Data configuration > Rules > Observable > > Confidence > Malicious — Low confidence, Malicious — Medium confidence, or Malicious — High confidence.
    If no NSFocus confidence level is available, or if it is not possible to retrieve an applicable NSFocus confidence level, matching hits confidence value is automatically set to Malicious — High confidence.

When the retrieved enrichment data include details on NSFocus security events such as security breaches or nation-state threat actors, this information is processed and ingested as:

  • Indicators, if the observable the enrichment task targets is a file hash (hash-md5).
    These indicators are related to a top-level malware variant TTP entity produced with the enrichment task.

  • Reports, if the observable the enrichment task targets is an IP address (ipv4), a domain name (domain), or a file hash (hash-md5).
    These reports are related to the observables they mention and describe, or to the malware variant TTP when the enrichment target is a file hash.

See also