Cyberint Integration Guide

Overview

The Cyberint integration allows your NINA workflows to connect with Cyberint's external attack surface management and digital risk protection platform. This integration enables automated alert management, threat intelligence enrichment, and asset discovery directly from your workflows.

Status

The integration currently supports 8 operations across 3 resources:

Alert Management: List, retrieve, and update the status of security alerts; download alert attachments and analysis reports
Threat Intelligence: Look up indicators of compromise (IOCs) and retrieve daily IOC feeds by type and date
Asset Discovery: Extract and enumerate unique assets (IOCs and target assets) aggregated from alert data

Advanced features include:

Flexible Alert Filtering: Filter alerts by severity, status, date range, environment, and alert type
Bulk Status Updates: Update multiple alerts in a single operation with optional closure reasons
Binary File Downloads: Retrieve alert attachments and analysis reports as base64-encoded payloads
IOC Feed Access: Pull daily threat intelligence feeds for IPs, domains, URLs, and file hashes
Asset Extraction: Derive a deduplicated list of exposed assets from your current alert landscape

Credential Configuration

Before using the Cyberint integration in your workflows, you need to configure credentials for authentication. The integration uses API key authentication with a per-tenant environment URL.

Authentication Method

Field	Description	Example
Environment	Your Cyberint tenant URL	`https://yourcompany.cyberint.io`
Access Token	Your Cyberint API access token	`eyJhbGci...`

How to obtain your credentials:

Log in to your Cyberint portal at https://yourcompany.cyberint.io
Navigate to Settings → API (or contact your Cyberint account manager)
Generate or copy your Access Token
Note your tenant URL — this is the base URL of your Cyberint portal (e.g., https://acme.cyberint.io)

Important Notes:

The environment URL is tenant-specific. Each customer has a unique subdomain
Access tokens may have expiration policies configured by your organization. Rotate the credential in NINA if you regenerate the token
All API communication uses HTTPS. HTTP URLs will be automatically upgraded
Trailing slashes in the environment URL are automatically stripped

Creating a Cyberint Credential

Navigate to the Credentials section in NINA
Click Add New Credential
Fill in the credential details:
- Name: A descriptive name (e.g., "Cyberint Production")
- Description: Optional details about the credential's purpose
- Integration Service: Select "Cyberint"
- Environment: Your tenant URL (e.g., https://yourcompany.cyberint.io)
- Access Token: Paste your Cyberint access token
Click Test Connection to verify credentials
Click Save to store the credential

Supported Resources and Operations

Alert

Operation	Name	Description
list	List Alerts	Retrieve a paginated list of alerts with optional filters for status, severity, date range, environment, and type
get	Get Alert	Retrieve full details for a specific alert by its reference ID
updateStatus	Update Alert Status	Update the status of one or more alerts; supports bulk updates with optional closure reason
getAttachment	Get Alert Attachment	Download a file attachment associated with an alert (returned as base64)
getAnalysisReport	Get Analysis Report	Download the analysis report PDF for an alert (returned as base64)

Threat Intelligence

Operation	Name	Description
lookupIoc	Lookup IOC	Retrieve threat intelligence data for a specific IOC type on a given date, with optional activity filter
dailyFeed	Daily IOC Feed	Retrieve the full daily IOC feed for a specific date and IOC type

Asset

Operation	Name	Description
listFromAlerts	List Assets from Alerts	Collect and deduplicate assets (IOCs and target assets) extracted from your current alert data

Parameters Reference

Alert — List

Parameter	Type	Required	Description
page	number	No	Page number, 1-based (default: 1)
size	number	No	Results per page (default: 10)
createdDateFrom	string	No	Filter by creation date from — YYYY-MM-DD
createdDateTo	string	No	Filter by creation date to — YYYY-MM-DD
updatedDateFrom	string	No	Filter by last update date from — YYYY-MM-DD
updatedDateTo	string	No	Filter by last update date to — YYYY-MM-DD
environments	string	No	Comma-separated list of environments to filter by
statuses	string	No	Comma-separated statuses: `open`, `acknowledged`, `closed`
severities	string	No	Comma-separated severities: `low`, `medium`, `high`, `very_high`
types	string	No	Comma-separated alert types (e.g., `phishing_website,leaked_credentials`)

Alert — Update Status

Parameter	Type	Required	Description
alertRefIds	string	Yes	Comma-separated list of alert reference IDs to update
status	string	Yes	New status: `open`, `acknowledged`, `closed`
closureReason	string	No	Required when closing: `resolved`, `no_longer_a_threat`, `irrelevant`, `false_positive`, `other`
closureReasonDescription	string	No	Free-text description for the closure reason

Threat Intelligence — Lookup IOC / Daily Feed

Parameter	Type	Required	Description
date	string	Yes	Date to query in YYYY-MM-DD format
iocType	string	Yes	IOC type: `ipv4`, `domain`, `url`, `sha256`, `md5`, `sha1`
detectedActivity	string	No	Activity filter (e.g., `cnc_server`, `phishing`) — `lookupIoc` only

Examples

Listing Open High-Severity Alerts

{
  "resource": "alert",
  "operation": "list",
  "parameters": {
    "page": 1,
    "size": 25,
    "statuses": "open",
    "severities": "high,very_high"
  }
}

This returns up to 25 open alerts with high or very high severity, ordered by most recent first.

Listing Alerts by Date Range

{
  "resource": "alert",
  "operation": "list",
  "parameters": {
    "page": 1,
    "size": 50,
    "createdDateFrom": "2026-04-01",
    "createdDateTo": "2026-04-16",
    "environments": "prod"
  }
}

This retrieves all alerts created in the production environment during the specified date range.

Getting a Specific Alert

{
  "resource": "alert",
  "operation": "get",
  "parameters": {
    "alertRefId": "ARG-12345"
  }
}

This returns the full details of the alert, including IOCs, affected assets, timeline, and any attached evidence.

Acknowledging Multiple Alerts

{
  "resource": "alert",
  "operation": "updateStatus",
  "parameters": {
    "alertRefIds": "ARG-12345,ARG-12346,ARG-12347",
    "status": "acknowledged"
  }
}

This updates three alerts to acknowledged status in a single API call.

Closing an Alert with a Closure Reason

{
  "resource": "alert",
  "operation": "updateStatus",
  "parameters": {
    "alertRefIds": "ARG-12345",
    "status": "closed",
    "closureReason": "false_positive",
    "closureReasonDescription": "Domain belongs to our third-party vendor — confirmed safe after review"
  }
}

This closes the alert and records the rationale for the closure decision.

Downloading an Alert Attachment

{
  "resource": "alert",
  "operation": "getAttachment",
  "parameters": {
    "alertRefId": "ARG-12345",
    "attachmentId": "att_9f3a21bc",
    "attachmentName": "screenshot.png"
  }
}

Returns a map with filename, contentType, and base64 fields. Use a Script Node to decode the base64 content if you need to process or forward the file.

Downloading an Analysis Report

{
  "resource": "alert",
  "operation": "getAnalysisReport",
  "parameters": {
    "alertRefId": "ARG-12345"
  }
}

Returns the Cyberint analyst report as a base64-encoded PDF. Useful for attaching reports to tickets or storing in document management systems.

Looking Up IOCs for a Specific Date

{
  "resource": "threatIntel",
  "operation": "lookupIoc",
  "parameters": {
    "date": "2026-04-16",
    "iocType": "ipv4",
    "detectedActivity": "cnc_server"
  }
}

This retrieves threat intelligence records for IPv4 indicators associated with command-and-control server activity on the specified date.

Retrieving the Daily Domain IOC Feed

{
  "resource": "threatIntel",
  "operation": "dailyFeed",
  "parameters": {
    "date": "2026-04-16",
    "iocType": "domain"
  }
}

This fetches the complete daily feed of malicious domain indicators. Useful for bulk blocklist updates or threat hunting workflows.

Extracting Assets from Recent Alerts

{
  "resource": "asset",
  "operation": "listFromAlerts",
  "parameters": {
    "statuses": "open,acknowledged",
    "severities": "high,very_high",
    "createdDateFrom": "2026-04-01"
  }
}

This queries your open and acknowledged high-severity alerts and returns a deduplicated list of all IOCs and target assets found within them. The result includes the asset type (e.g., ipv4, domain), value, and source (ioc or target_asset).

Response Structure

Alert List Response

{
  "alerts": [
    {
      "ref_id": "ARG-12345",
      "title": "Phishing Website Targeting Your Brand",
      "type": "phishing_website",
      "status": "open",
      "severity": "high",
      "created_date": "2026-04-15T08:30:00Z",
      "update_date": "2026-04-16T12:00:00Z",
      "environment": "prod",
      "iocs": [
        { "type": "domain", "value": "acme-secure-login.com" },
        { "type": "ipv4", "value": "203.0.113.45" }
      ],
      "target_asset": {
        "type": "domain",
        "value": "acme.com"
      }
    }
  ],
  "total": 128,
  "page": 1,
  "size": 25
}

Asset List Response

{
  "assets": [
    { "type": "domain", "value": "acme-secure-login.com", "source": "ioc" },
    { "type": "ipv4", "value": "203.0.113.45", "source": "ioc" },
    { "type": "domain", "value": "acme.com", "source": "target_asset" }
  ],
  "count": 3
}

Attachment / Report Response

{
  "filename": "analysis_report_ARG-12345.pdf",
  "contentType": "application/pdf",
  "base64": "JVBERi0xLjQK..."
}

Threat Intelligence Response

{
  "iocs": [
    {
      "type": "ipv4",
      "value": "198.51.100.22",
      "detected_activity": "cnc_server",
      "confidence": "high",
      "first_seen": "2026-04-14T00:00:00Z",
      "last_seen": "2026-04-16T00:00:00Z"
    }
  ],
  "total": 42
}

Integration in Workflow Context

The Cyberint integration is particularly effective in security operations, incident response, and threat intelligence workflows:

Common Workflow Patterns

Daily Alert Triage:
- Schedule Node → Cyberint Node (alert list: severity=high,very_high, status=open) → Script Node (prioritize) → Jira Node (create ticket) → Cyberint Node (updateStatus: acknowledged)
Automated Alert Closure:
- Cyberint Node (alert list) → Script Node (apply business rules) → Cyberint Node (updateStatus: closed, closureReason=false_positive) → Slack Node (notify team)
Threat Intelligence Ingestion:
- Schedule Node (daily) → Cyberint Node (dailyFeed: iocType=domain) → Script Node (format for blocklist) → Firewall / Proxy Node (update blocklist) → Report Node
IOC Enrichment Pipeline:
- Alert Source Node → Cyberint Node (lookupIoc) → VirusTotal Node (getReport) → Script Node (merge intelligence) → SIEM Node (enrich incident)
Incident Evidence Collection:
- Trigger Node (new alert) → Cyberint Node (alert get) → Cyberint Node (getAnalysisReport) → SharePoint Node (upload report) → Jira Node (attach to ticket)
Exposed Asset Inventory:
- Schedule Node (weekly) → Cyberint Node (asset listFromAlerts) → Script Node (diff with previous run) → Slack Node (alert on new exposures) → Database Node (update inventory)
SOC Handover Report:
- Schedule Node (end-of-shift) → Cyberint Node (alert list: updatedDateFrom=shift-start) → Script Node (summarize by severity) → Email Node (send to incoming analyst)

Best Practices

Filter Before You Paginate: Use severity and status filters when listing alerts to reduce result volume. Retrieving unfiltered alerts on large tenants can be slow and exhaust downstream node memory.
Acknowledge on Intake: Update alert status to acknowledged immediately when a workflow picks up an alert. This prevents other concurrent workflows from processing the same alert twice.
Always Provide a Closure Reason: When setting status to closed, include a closureReason. It keeps your Cyberint portal clean and improves analytics on alert disposition patterns.
Use Daily Feed for Bulk Ingestion: For blocklist updates or threat hunting at scale, use threatIntel.dailyFeed rather than threatIntel.lookupIoc in a loop. A single call returns all IOCs for a given day and type.
Decode Base64 in Script Nodes: Attachments and reports are returned as base64 strings. Use a Script Node immediately after to decode and pass the binary content to downstream nodes (e.g., file storage, email attachments).
Use Asset Extraction for Exposure Monitoring: Run asset.listFromAlerts on a schedule to maintain an up-to-date view of your exposed attack surface without requiring direct access to the Cyberint assets portal.
Validate Date Formats: The date parameter for threat intelligence operations must be in YYYY-MM-DD format. Use a Script Node to format dates dynamically from upstream timestamps.
Handle Empty Feeds Gracefully: Threat intelligence feeds may be empty for certain IOC types on low-activity days. Add a condition node after the feed call to skip downstream processing when the IOC count is zero.

Troubleshooting

Common Issues and Solutions

Issue	Possible Solution
401 Unauthorized	Verify the access token is correct and has not been rotated; re-test the credential in NINA
403 Forbidden	Your token may lack permissions for the requested operation; contact your Cyberint account manager
404 Not Found	The `alertRefId` or `attachmentId` does not exist; verify the ID from a prior alert list call
429 Too Many Requests	Rate limit exceeded; the integration retries automatically (up to 3 times with backoff), but reduce workflow concurrency if this persists
Empty asset list	No alerts match the filter criteria, or matched alerts contain no IOC/target asset data
Invalid date format error	Ensure the `date` parameter is `YYYY-MM-DD` — ISO 8601 timestamps are not accepted for IOC feed operations
Environment URL not accepted	Ensure the URL includes the protocol (`https://`) and does not end with a trailing slash; e.g., `https://yourcompany.cyberint.io`
Large attachment fails	Base64-encoded attachments for very large files may exceed node output limits; consider storing directly to S3 or SharePoint from the workflow

Error Response Format

{
  "message": "Unauthorized",
  "status": 401
}

Common HTTP Status Codes

Status Code	Description
200	Success
400	Bad Request — check request body parameters
401	Unauthorized — invalid or expired access token
403	Forbidden — token lacks required permissions
404	Not Found — the requested resource does not exist
429	Too Many Requests — rate limit exceeded (auto-retried)
500	Internal Server Error — Cyberint service issue

Support

If you encounter issues with the Cyberint integration, please contact our support team with:

The resource and operation you were attempting
Any error messages received
The alert reference IDs or parameters you were using
The workflow context where the issue occurred

Additional Resources

Updated: 2026-04-23

Overview​

Status​

Credential Configuration​

Authentication Method​

Creating a Cyberint Credential​

Supported Resources and Operations​

Alert​

Threat Intelligence​

Asset​

Parameters Reference​

Alert — List​

Alert — Update Status​

Threat Intelligence — Lookup IOC / Daily Feed​

Examples​

Listing Open High-Severity Alerts​

Listing Alerts by Date Range​

Getting a Specific Alert​

Acknowledging Multiple Alerts​

Closing an Alert with a Closure Reason​

Downloading an Alert Attachment​

Downloading an Analysis Report​

Looking Up IOCs for a Specific Date​

Retrieving the Daily Domain IOC Feed​

Extracting Assets from Recent Alerts​

Response Structure​

Alert List Response​

Asset List Response​

Attachment / Report Response​

Threat Intelligence Response​

Integration in Workflow Context​

Common Workflow Patterns​

Best Practices​

Troubleshooting​

Common Issues and Solutions​

Error Response Format​

Common HTTP Status Codes​

Support​

Additional Resources​