CVE Enrichment
When you submit a CVE ID to CloudSigma, the pipeline automatically enriches it with data from trusted vulnerability sources before generating detection rules.
How It Works
- NVD Lookup — Fetch the CVE record from the National Vulnerability Database
- Reference Extraction — Identify advisory URLs from the CVE references list
- Content Fetch — Download up to 2 reference URLs (max 500 KB each) from trusted domains
- Merge — Combine NVD metadata, CVSS scores, and advisory content into the pipeline input
Trusted Domains
CVE reference URLs are only fetched from an allowlist of 9 trusted security domains:
- nvd.nist.gov — National Vulnerability Database
- cve.mitre.org — MITRE CVE records
- www.cisa.gov — CISA advisories
- github.com — GitHub Security Advisories
- msrc.microsoft.com — Microsoft Security Response Center
- access.redhat.com — Red Hat security advisories
- security.googleblog.com — Google security blog
- aws.amazon.com — AWS security bulletins
- cloud.google.com — GCP security bulletins
URLs from other domains are skipped to prevent SSRF and reduce noise.
Enrichment Limits
| Limit | Value |
|---|---|
| Maximum references fetched | 2 |
| Maximum content per reference | 500 KB |
| Trusted domains | 9 |
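The allowlist and reference-count limits above, sketched as an added example that is not CloudSigma's own code. Exact-host matching, the HTTPS-only and port rules, and the names `is_trusted` and `select_references` are assumptions; the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# The nine domains listed on this page.
TRUSTED_DOMAINS = frozenset({
    "nvd.nist.gov", "cve.mitre.org", "www.cisa.gov", "github.com",
    "msrc.microsoft.com", "access.redhat.com", "security.googleblog.com",
    "aws.amazon.com", "cloud.google.com",
})
MAX_REFERENCES = 2  # limit stated on this page

def is_trusted(url: str) -> bool:
    """Check the parsed host against the allowlist, never the raw string."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port                 # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":           # assumption: HTTPS only
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # "https://github.com@other.example/" is not github.com
    if port not in (None, 443):           # assumption: default port only
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    return host in TRUSTED_DOMAINS        # exact match, so no suffix or subdomain tricks

def select_references(urls):
    """Keep the first MAX_REFERENCES distinct trusted URLs, in source order."""
    picked = []
    for url in urls:
        if is_trusted(url) and url not in picked:
            picked.append(url)
        if len(picked) == MAX_REFERENCES:
            break
    return picked

# Constructed reference list, shaped like the references of a CVE record.
SAMPLE_REFS = [
    "https://blog.vendor.example/writeup",             # not on the allowlist
    "https://github.com.other.example/advisory",       # trusted name used as a prefix
    "https://github.com@internal.example/",            # trusted name in the userinfo part
    "http://www.cisa.gov/advisory-placeholder",        # plain HTTP
    "https://www.cisa.gov/advisory-placeholder",
    "https://GitHub.com/advisories/placeholder",
    "https://access.redhat.com/security/placeholder",  # trusted, but past the limit of 2
]

if __name__ == "__main__":
    print(select_references(SAMPLE_REFS))
```

A fetcher built on this check also has to apply `is_trusted` to every redirect target, because a URL that passes the allowlist can still redirect to a host that does not.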
Best-Effort Enrichment
CVE enrichment is best-effort. If reference URLs are unavailable, return errors, or exceed size limits, the pipeline continues with whatever data was successfully fetched. The CVE ID and NVD metadata are always available.
Example
curl -X POST https://cloudsigma.a13e.com/v1/generate \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"inputType": "cve", "cveId": "CVE-2025-1974"}'

The pipeline will:
- Fetch the NVD record for CVE-2025-1974
- Identify references (e.g., a CISA advisory and a GitHub advisory)
- Fetch content from up to 2 references
- Extract TTPs from the combined content
- Generate Sigma rules targeting the relevant platforms