
Darkfeed Integration Guide

Overview

The Darkfeed integration connects NINA workflows to Cybersixgill's Darkfeed threat intelligence platform across 4 resources:

  • IOC — Fetch Darkfeed IOC bundles, acknowledge consumed bundles, and enrich individual indicators (IPs, domains, URLs, file hashes, threat actors, dark-web post IDs)
  • Alert — List, retrieve, update, delete, and inspect the content of Cybersixgill Actionable Alerts
  • DVE — Query the DVE (Dynamic Vulnerability Exploit) feed for actively exploited vulnerabilities
  • Organization — List organizations for MSSP multi-tenant deployments

Authentication uses OAuth2 client credentials (client_id + client_secret). Tokens are fetched automatically and cached for the duration of their validity.


Credential Configuration

Authentication

| Field         | Description                         | Default                      |
|---------------|-------------------------------------|------------------------------|
| Client ID     | Your Cybersixgill API client ID     |                              |
| Client Secret | Your Cybersixgill API client secret |                              |
| Base URL      | API endpoint                        | https://api.cybersixgill.com |

How to Get Your Cybersixgill API Credentials

  1. Log in to the Cybersixgill Developer Portal
  2. Navigate to API Credentials and create a new application
  3. Copy the generated Client ID and Client Secret
  4. Ensure the application has access to the Darkfeed products your workflows require

Subscription notes:

  • IOC bundle and enrichment endpoints require an active Darkfeed subscription
  • DVE feed access requires a separate DVE subscription
  • Multi-tenant Organization API is only available for MSSP accounts

Creating a Credential in NINA

  1. Navigate to Credentials → Add New Credential
  2. Select integration service: Darkfeed
  3. Auth type: Client Credentials
  4. Fill in your Client ID and Client Secret, and optionally override the Base URL
  5. Click Test Connection then Save

Supported Resources and Operations

IOC

Interact with Cybersixgill's Darkfeed IOC stream. The recommended workflow is to call getBundle to consume a batch of new IOCs, then acknowledge to advance the cursor so the next call returns only new indicators.

| Operation    | Name                   | HTTP                   | Description                                              |
|--------------|------------------------|------------------------|----------------------------------------------------------|
| getBundle    | Get IOC Bundle         | GET /darkfeed/ioc      | Fetch a bundle of Darkfeed IOCs                          |
| acknowledge  | Acknowledge IOC Bundle | POST /darkfeed/ioc/ack | Acknowledge a consumed bundle to advance the cursor      |
| enrichIp     | Enrich IP              | GET /darkfeed/enrich   | Enrich an IP address against Darkfeed intelligence       |
| enrichDomain | Enrich Domain          | GET /darkfeed/enrich   | Enrich a domain against Darkfeed intelligence            |
| enrichUrl    | Enrich URL             | GET /darkfeed/enrich   | Enrich a URL against Darkfeed intelligence               |
| enrichFile   | Enrich File Hash       | GET /darkfeed/enrich   | Enrich a file hash against Darkfeed intelligence         |
| enrichActor  | Enrich Threat Actor    | GET /darkfeed/enrich   | Enrich a threat actor name against Darkfeed intelligence |
| enrichPostId | Enrich Post ID         | GET /darkfeed/enrich   | Enrich a dark-web post ID against Darkfeed intelligence  |

getBundle parameters:

  • limit — max IOCs to return (default: 100, max: 2000)

Enrich operation parameters (all enrich operations share the same shape):

  • ioc_value (required) — the indicator value to enrich (e.g., 1.2.3.4, evil.com, a SHA-256 hash, a threat actor name, or a dark-web post ID)
  • ioc_type (required, fixed per operation) — automatically set to the correct type (ip, domain, url, file, actor, post_id)

Cursor mechanics: The Darkfeed IOC endpoint maintains a server-side cursor per client. Each getBundle call returns the next batch of new indicators. Call acknowledge after successfully processing a bundle to advance the cursor. If you do not acknowledge, the same bundle will be returned on the next call.


Alert

Manage Cybersixgill Actionable Alerts — intelligence alerts generated when dark-web activity matches your monitored assets.

| Operation  | Name              | HTTP                                       | Description                                         |
|------------|-------------------|--------------------------------------------|-----------------------------------------------------|
| list       | List Alerts       | GET /alerts/actionable_alert               | List actionable alerts with optional filters        |
| get        | Get Alert         | GET /alerts/actionable_alert/{alert_id}    | Retrieve a single alert by ID                       |
| update     | Update Alert      | PATCH /alerts/actionable_alert/{alert_id}  | Update alert status or read state                   |
| delete     | Delete Alert      | DELETE /alerts/actionable_alert/{alert_id} | Delete an alert                                     |
| getContent | Get Alert Content | GET /alerts/actionable-alert-content       | Retrieve the content items associated with an alert |

Key parameters for list:

  • threat_level — enum: low, medium, high, critical
  • threat_type — free-text threat type filter
  • organization_id — scope results to a specific organization (MSSP)
  • limit — max alerts to return (default: 25)
  • skip — pagination offset (default: 0)
  • from_date / to_date — ISO 8601 date range filter

Key parameters for update:

  • alert_id (required) — path parameter identifying the alert
  • status — enum: treat, non_threat, suspicious
  • read — boolean; mark the alert as read or unread

Key parameters for getContent:

  • alert_id (required) — the alert whose content to retrieve
  • organization_id — optional organization scope

DVE

Query Cybersixgill's Dynamic Vulnerability Exploit (DVE) feed. The DVE feed surfaces CVEs that have active exploit activity observed on the dark web, ranked by real-world exploitation likelihood.

| Operation | Name         | HTTP          | Description                       |
|-----------|--------------|---------------|-----------------------------------|
| feed      | Get DVE Feed | GET /dve_feed | Retrieve DVE exploit feed entries |

feed parameters:

  • limit — max entries to return (default: 25)
  • skip — pagination offset (default: 0)
  • sort_by — field to sort results by
  • sort_order — enum: asc, desc

Organization

List organizations for MSSP multi-tenant deployments. Use the returned organization IDs to scope Alert and IOC operations to a specific customer.

| Operation | Name               | HTTP                           | Description                                                   |
|-----------|--------------------|--------------------------------|---------------------------------------------------------------|
| list      | List Organizations | GET /multi-tenant/organization | List all organizations accessible to the authenticated client |

This operation takes no parameters. It is only available for MSSP accounts.


Examples

Fetch a Darkfeed IOC Bundle

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "getBundle",
  "parameters": {
    "limit": 500
  }
}

Acknowledge a Consumed Bundle

Call this after successfully processing a bundle to advance the server-side cursor.

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "acknowledge",
  "parameters": {}
}

Enrich an IP Address

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "enrichIp",
  "parameters": {
    "ioc_value": "198.51.100.42"
  }
}

Enrich a Domain

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "enrichDomain",
  "parameters": {
    "ioc_value": "malicious-domain.com"
  }
}

Enrich a File Hash

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "enrichFile",
  "parameters": {
    "ioc_value": "d41d8cd98f00b204e9800998ecf8427e"
  }
}

Enrich a Threat Actor

{
  "integration_service": "darkfeed",
  "resource": "ioc",
  "operation": "enrichActor",
  "parameters": {
    "ioc_value": "Lazarus Group"
  }
}

List High-Severity Alerts

{
  "integration_service": "darkfeed",
  "resource": "alert",
  "operation": "list",
  "parameters": {
    "threat_level": "high",
    "limit": 50,
    "skip": 0
  }
}

Get a Single Alert

{
  "integration_service": "darkfeed",
  "resource": "alert",
  "operation": "get",
  "parameters": {
    "alert_id": "abc123def456"
  }
}

Mark an Alert as Reviewed

{
  "integration_service": "darkfeed",
  "resource": "alert",
  "operation": "update",
  "parameters": {
    "alert_id": "abc123def456",
    "status": "treat",
    "read": true
  }
}

Get Alert Content Items

{
  "integration_service": "darkfeed",
  "resource": "alert",
  "operation": "getContent",
  "parameters": {
    "alert_id": "abc123def456"
  }
}

Get the DVE Feed

{
  "integration_service": "darkfeed",
  "resource": "dve",
  "operation": "feed",
  "parameters": {
    "limit": 25,
    "sort_order": "desc"
  }
}

List Organizations (MSSP)

{
  "integration_service": "darkfeed",
  "resource": "organization",
  "operation": "list",
  "parameters": {}
}

Common Workflow Patterns

IOC Ingestion Pipeline

  1. getBundle (ioc) — pull the next batch of Darkfeed IOCs (up to 2000 per call)
  2. Script Node — parse the STIX-2.1 bundle, extract indicator values and types
  3. SIEM / TIP Node — push indicators to your SIEM, EDR, or threat intelligence platform
  4. acknowledge (ioc) — advance the cursor so the next run returns only new IOCs
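The Script Node step of this pipeline, together with the cursor rule from the IOC section (acknowledge only after a bundle has been processed), as an added Python example that is not part of NINA or of Cybersixgill's own code: it parses a constructed STIX 2.1 bundle of the shape getBundle returns, maps each indicator pattern to the ioc_type the enrich operations use, and reports whether the acknowledge operation should run. The bundle contents and the `deliver` callable standing in for the SIEM/TIP node are assumptions.

```python
import re

# Constructed sample of what the getBundle operation returns: a minimal STIX 2.1 bundle.
# Real Darkfeed bundles carry more objects and fields; only the parts parsed here are shown.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000001",
    "objects": [
        {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.42']"},
        {"type": "indicator", "pattern": "[domain-name:value = 'malicious-domain.example']"},
        {"type": "indicator", "pattern": "[file:hashes.'SHA-256' = '" + "e3b0" * 16 + "']"},
        {"type": "indicator", "pattern": "[url:value = 'http://malicious-domain.example/x']"},
        {"type": "indicator", "pattern": "[email-addr:value = 'phish@malicious-domain.example']"},
        {"type": "malware", "name": "constructed-malware-object"},
    ],
}

# STIX observable type -> ioc_type accepted by the Darkfeed enrich operations
STIX_TO_IOC_TYPE = {"ipv4-addr": "ip", "ipv6-addr": "ip", "domain-name": "domain",
                    "url": "url", "file": "file"}
# One-comparison STIX pattern: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(r"^\[([a-z0-9-]+):[^=]+?=\s*'([^']+)'\]$")


def extract_indicators(bundle):
    """Return (indicators, skipped): indicators as (ioc_type, value) pairs, skipped as
    the raw patterns that are not a single comparison on a type Darkfeed can enrich."""
    indicators, skipped = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware, relationship and other SDOs carry no indicator value
        pattern = obj.get("pattern", "")
        match = PATTERN_RE.match(pattern)
        ioc_type = STIX_TO_IOC_TYPE.get(match.group(1)) if match else None
        if ioc_type is None:
            skipped.append(pattern)  # surfaced for review instead of silently dropped
            continue
        indicators.append((ioc_type, match.group(2)))
    return indicators, skipped


def process_bundle(bundle, deliver):
    """Script Node logic. `deliver` (hypothetical) pushes indicators to the SIEM/TIP node
    and returns True on success; the result says whether acknowledge should run next."""
    indicators, skipped = extract_indicators(bundle)
    delivered = bool(deliver(indicators))
    # Acknowledge only after delivery succeeded: an un-acked bundle is returned again by
    # the next getBundle, so a failed run loses nothing, whereas an early ack drops it.
    return {"ack": delivered, "delivered": len(indicators) if delivered else 0,
            "skipped": skipped}
```

Route the workflow to the acknowledge node only when the returned `ack` is true; a non-empty `skipped` list is worth alerting on, because a pattern shape the parser does not understand would otherwise never reach the SIEM.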

IOC Enrichment on Detection

  1. Alert / Webhook Node — trigger on a SIEM detection with an associated indicator
  2. Route by IOC type — use a Switch Node to dispatch to the correct enrich operation
  3. enrichIp / enrichDomain / enrichFile (ioc) — fetch Darkfeed context for the indicator
  4. Script Node — evaluate Darkfeed risk data and decide on response action
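The Switch Node step of this workflow, as an added Python example (not NINA's or Cybersixgill's own code): it classifies a raw indicator taken from a detection into the ioc_type that each enrich operation fixes and builds the matching NINA node request. The defanging conventions it undoes (`hxxp`, `[.]`) and the hash-length rule are assumptions; actor and post_id are left out because they do not arrive as raw observables from a SIEM.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# enrich operation per ioc_type, taken from the IOC operations table
ENRICH_OPERATION = {"ip": "enrichIp", "domain": "enrichDomain",
                    "url": "enrichUrl", "file": "enrichFile"}

# Assumed hash-length rule: MD5 (32), SHA-1 (40) or SHA-256 (64) hex digits
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
# Hostname with at least one label and an alphabetic TLD
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def refang(value):
    """Undo the usual report defanging (assumed conventions) so the value matches what Darkfeed holds."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.I)


def classify_ioc(value):
    """Switch Node logic: map a raw indicator to a Darkfeed ioc_type, or None if unsupported."""
    value = refang(value)
    if HASH_RE.match(value):
        return "file"  # checked first: a hex digest never parses as an IP, URL or domain
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6
        return "ip"
    except ValueError:
        pass
    parts = urlsplit(value)
    if parts.scheme and parts.netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def build_enrich_request(value):
    """Return the NINA node request for the matching enrich operation, or None when no
    Darkfeed enrich operation accepts the value (route such events to a fallback branch)."""
    ioc_type = classify_ioc(value)
    if ioc_type is None:
        return None
    return {"integration_service": "darkfeed", "resource": "ioc",
            "operation": ENRICH_OPERATION[ioc_type],
            "parameters": {"ioc_value": refang(value)}}
```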

Alert Triage Workflow

  1. Schedule Node — run every 15 minutes or on-demand
  2. list (alert) — fetch new unread alerts, filtered by threat_level
  3. get (alert) — retrieve full detail for each alert
  4. getContent (alert) — pull associated dark-web content items
  5. update (alert) — set status and read: true after analyst review

DVE Vulnerability Prioritization

  1. Schedule Node — run daily
  2. feed (dve) — retrieve the latest DVE entries
  3. Script Node — cross-reference CVE IDs against your asset inventory
  4. Alert / Ticket Node — create tickets for CVEs present in your environment

MSSP Per-Tenant Alert Processing

  1. list (organization) — retrieve all tenant organization IDs
  2. Loop Node — iterate over each organization
  3. list (alert) — fetch alerts scoped to organization_id
  4. Process and route alerts per tenant

Troubleshooting

| Issue | Resolution |
|-------|------------|
| 401 Unauthorized on token fetch | Client ID or client secret is invalid — verify in the Cybersixgill Developer Portal and update the credential |
| 403 Forbidden | Your subscription does not include this endpoint (e.g., DVE feed, MSSP organization API) |
| 404 Not Found | Alert ID does not exist or has already been deleted |
| Empty IOC bundle | All available IOCs have been consumed — call acknowledge and wait for new indicators to be ingested |
| Same bundle returned repeatedly | acknowledge was not called after the previous getBundle — the cursor has not advanced |
| 429 Too Many Requests | Rate limit exceeded (~45 req/s) — reduce request frequency or add delays between nodes |
| organization_id filter returns no results | ID may belong to a different account or the tenant has no matching alerts |
| update returns 422 | status value must be exactly treat, non_threat, or suspicious (lowercase with underscores) |
| DVE feed returns no results | DVE subscription may not be provisioned — confirm access with your Cybersixgill account manager |

Security Considerations

  1. Protect Credentials: Store client ID and secret exclusively through NINA credential management — never in workflow parameters or logs
  2. Token Handling: Access tokens are cached in memory for the token's lifetime — they are never written to disk or logs
  3. IOC Data Sensitivity: Darkfeed IOC bundles may contain sensitive intelligence about ongoing threat campaigns — restrict workflow and credential access accordingly
  4. Alert Content: Alert content items may include raw dark-web text — review access controls before routing this data to external systems
  5. Credential Rotation: Rotate client secrets regularly; revoke immediately if compromised via the Cybersixgill Developer Portal

Updated: 2026-04-23