Feedly Integration Guide

Overview

The Feedly integration allows your NINA workflows to connect with Feedly's threat intelligence and content aggregation platform. This integration enables you to collect articles from feeds and streams, search for threat intelligence content, access CVE vulnerability data, track TTPs (Tactics, Techniques, and Procedures), monitor threat actors and malware, and retrieve indicators of compromise directly from your workflows.

Status

We currently support comprehensive threat intelligence and content collection operations:

Currently Supported:

  • Articles Collection: Retrieve articles from streams with filtering options (ranked, unread, time-based)
  • Search Capabilities: Content search within streams with time filtering, AI-powered retrieval-augmented generation (RAG) search
  • Threat Intelligence: Trending articles, cyber attacks dashboard, and categorized threat data
  • CVE Intelligence: Trending vulnerabilities, CVE metadata, and severity-based filtering
  • TTPs: List TTPs with time-based filtering, collect procedures for specific techniques
  • Threat Actors: Trending attackers, threat actor profiles and metadata
  • IOCs: Retrieve indicators of compromise from enterprise streams with rich context
  • Malware Intelligence: Trending malware families and detailed malware metadata
  • Subscription Management: List personal feed subscriptions

Advanced Features:

  • Pagination Support: Continuation tokens for article collection and search results
  • AI-Powered RAG Search: Natural language retrieval-augmented generation search with stream targeting
  • Time-Based Filtering: Flexible time periods (Last7Days, Last30Days, custom ranges) and timestamp filtering
  • Stream-Based Collection: Support for personal and enterprise team streams
  • Search Time Ranges: newerThan and olderThan filters for precise temporal search control

Important Note: For enterprise accounts, team feeds and boards must be accessed using their stream IDs (e.g., enterprise/{teamId}/category/{uuid}) which can be found in the Feedly web UI. The API does not currently expose an endpoint to list enterprise feeds via API tokens.

Credential Configuration

Before using the Feedly integration in your workflows, you need to configure credentials for authentication. The NINA platform supports Bearer Token authentication for Feedly:

Authentication Method

Bearer Token

For access to your Feedly account:

| Field | Description | Example |
| --- | --- | --- |
| Bearer Token | Your Feedly API bearer token | eyJhbGciOiJIUzI1NiIs... |
| Base URL | Feedly API base URL (optional) | https://api.feedly.com/v3 |

How to get your Bearer Token:

  1. Sign up or log in to your Feedly account at https://feedly.com
  2. Navigate to your Account Settings
  3. Go to the Developer or API section
  4. Generate or copy your existing API access token
  5. Note: Enterprise features require an enterprise-level API token

Creating a Feedly Credential

  1. Navigate to the Credentials section in NINA

  2. Click Add New Credential

  3. Fill in the credential details:

    • Name: A descriptive name (e.g., "Feedly Production")
    • Description: Optional details about the credential's purpose
    • Integration Service: Select "Feedly"
    • Auth Type: Choose "Bearer Token"
    • Bearer Token: Enter your Feedly API bearer token
    • Base URL: Leave default (https://api.feedly.com/v3) unless using a custom instance
  4. Click Test Connection to verify credentials

  5. Click Save to store the credential

Supported Resources and Operations

The Feedly integration supports the following resources and operations:

Articles

| Operation | Description |
| --- | --- |
| Collect Articles | Retrieve articles from a specific stream with filtering and pagination |

Search

| Operation | Description |
| --- | --- |
| Search Content | Search for articles and content within a specific stream |
| AI Search (RAG) | Perform AI-powered retrieval-augmented generation search with natural language queries |

Threat Intelligence

| Operation | Description |
| --- | --- |
| Trending Articles | Get trending threat intelligence articles with category filtering |
| Cyber Attacks Dashboard | Retrieve cyber attacks dashboard data with time range |

CVEs

| Operation | Description |
| --- | --- |
| Get Trending Vulnerabilities | Retrieve trending CVE vulnerabilities with severity filtering |
| Get CVE Metadata | Get detailed metadata for a specific CVE identifier |

TTPs

| Operation | Description |
| --- | --- |
| List TTPs | Get TTPs from dashboard with time-based and threat layer filtering |
| Collect Procedures | Get procedures and articles for a specific TTP with filtering |

Threat Actors

| Operation | Description |
| --- | --- |
| Get Trending Attackers | Retrieve trending threat actors with time range filtering |
| Get Threat Actor Metadata | Get detailed metadata for a specific threat actor |

Indicators of Compromise

| Operation | Description |
| --- | --- |
| Get IoCs | Retrieve indicators of compromise from enterprise streams with context |

Malware

| Operation | Description |
| --- | --- |
| Get Trending Malware | Retrieve trending malware families with time range filtering |
| Get Malware Metadata | Get detailed metadata for a specific malware family |

Subscriptions

| Operation | Description |
| --- | --- |
| List Subscriptions | Retrieve list of personal feed subscriptions (note: excludes enterprise team feeds) |

Parameter Merging and Templating

The Feedly integration takes full advantage of NINA's parameter merging and templating capabilities:

Parameter Sources (in order of precedence)

  1. Node Parameters: Parameters configured directly in the Feedly Integration Node
  2. Extracted Parameters: Parameters automatically extracted from the input data
  3. Input Data: The complete input data from upstream nodes

When a Feedly Integration Node executes:

  • It combines parameters from all sources
  • Node parameters take precedence over extracted parameters
  • Template variables within parameters are processed (using {{variable_name}} syntax)
  • The combined parameters are used to execute the Feedly operation

Example: Collecting Articles from Streams

Basic Article Collection

Below is an example of collecting articles from a stream using the Integration Node:

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "articles",
  "operation": "collectArticles",
  "parameters": {
    "streamId": "user/c805fcbf-3acf-4302-a97e-d82f9d7c897f/category/global.all",
    "count": 20,
    "ranked": "newest",
    "unreadOnly": false
  }
}

Advanced Article Collection with Template Variables

You can use template variables to dynamically insert values from input data:

Input Data from Previous Node:

{
  "monitoring": {
    "stream_id": "enterprise/abc123/category/threat-intel",
    "max_articles": 50,
    "fetch_unread": true
  },
  "filters": {
    "ranking": "engagement",
    "newer_than_timestamp": 1704067200000
  }
}

Node Configuration with Template Variables:

{
  "integration_service": "feedly",
  "resource": "articles",
  "operation": "collectArticles",
  "parameters": {
    "streamId": "{{monitoring.stream_id}}",
    "count": "{{monitoring.max_articles}}",
    "ranked": "{{filters.ranking}}",
    "unreadOnly": "{{monitoring.fetch_unread}}",
    "newerThan": "{{filters.newer_than_timestamp}}"
  }
}

Result:

This will collect articles with:

  • Stream ID: "enterprise/abc123/category/threat-intel"
  • Count: 50
  • Ranked by: "engagement"
  • Unread only: true
  • Articles newer than: 1704067200000 (timestamp)
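The precedence and template rules from "Parameter Merging and Templating", applied to the input data and node configuration above. This is an added Python sketch, not NINA's own code: the function names are hypothetical, and the type-preserving behaviour for a value that is a single placeholder is an assumption consistent with the result listed above.

```python
import re

# One {{dotted.path}} placeholder; the capture group cannot span "}}".
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


def lookup(data, path):
    """Walk a dotted path such as 'monitoring.stream_id' through nested dicts."""
    current = data
    for key in path.split("."):
        if not isinstance(current, dict) or key not in current:
            # Fail closed: an unresolved variable must not reach the API call.
            raise KeyError(f"template variable not found: {path}")
        current = current[key]
    return current


def render(value, data):
    """Resolve placeholders in strings, recursing into dicts and lists."""
    if isinstance(value, dict):
        return {k: render(v, data) for k, v in value.items()}
    if isinstance(value, list):
        return [render(v, data) for v in value]
    if not isinstance(value, str):
        return value
    whole = PLACEHOLDER.fullmatch(value)
    if whole:
        # Assumption: a lone placeholder keeps its native type (50, True, a list).
        return lookup(data, whole.group(1))
    return PLACEHOLDER.sub(lambda m: str(lookup(data, m.group(1))), value)


def merge_parameters(node_params, extracted_params, input_data):
    """Node parameters override extracted ones; templates resolve against input."""
    return render({**extracted_params, **node_params}, input_data)


# Input data and node parameters from the example above.
INPUT = {
    "monitoring": {"stream_id": "enterprise/abc123/category/threat-intel",
                   "max_articles": 50, "fetch_unread": True},
    "filters": {"ranking": "engagement", "newer_than_timestamp": 1704067200000},
}
NODE = {
    "streamId": "{{monitoring.stream_id}}",
    "count": "{{monitoring.max_articles}}",
    "ranked": "{{filters.ranking}}",
    "unreadOnly": "{{monitoring.fetch_unread}}",
    "newerThan": "{{filters.newer_than_timestamp}}",
}

if __name__ == "__main__":
    # {"count": 10} is a constructed extracted parameter that the node overrides.
    print(merge_parameters(NODE, {"count": 10}, INPUT))
```

A template that names a path missing from the input data raises instead of passing the literal `{{...}}` text on as a stream ID or query.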

Article Collection with Pagination

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "articles",
  "operation": "collectArticles",
  "parameters": {
    "streamId": "user/c805fcbf-3acf-4302-a97e-d82f9d7c897f/category/global.all",
    "count": 100,
    "continuation": "eyJwb3NpdGlvbiI6MTAwfQ=="
  }
}

Example: Searching for Threat Intelligence

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "search",
  "operation": "search",
  "parameters": {
    "streamId": "enterprise/abc123/category/threat-intel",
    "query": "ransomware attack",
    "count": 20,
    "unreadOnly": false
  }
}

Advanced Content Search with Time Filtering

Input Data:

{
  "search_config": {
    "stream_id": "enterprise/abc123/category/vulnerabilities",
    "search_term": "zero-day exploit",
    "start_time": 1704067200000,
    "end_time": 1706745600000
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "search",
  "operation": "search",
  "parameters": {
    "streamId": "{{search_config.stream_id}}",
    "query": "{{search_config.search_term}}",
    "newerThan": "{{search_config.start_time}}",
    "olderThan": "{{search_config.end_time}}",
    "count": 50
  }
}

AI-Powered Semantic Search (RAG)

Input Data:

{
  "threat_hunt": {
    "description": "What threat actors are targeting aeronautics and aerospace companies?",
    "target_streams": [
      "enterprise/abc123/category/vulnerabilities",
      "enterprise/abc123/category/critical-alerts"
    ],
    "time_filter": 1704067200000
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "search",
  "operation": "searchAI",
  "parameters": {
    "query": "{{threat_hunt.description}}",
    "streamIds": "{{threat_hunt.target_streams}}",
    "newerThan": "{{threat_hunt.time_filter}}"
  }
}

Example: CVE Intelligence

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "cves",
  "operation": "getTrendingVulnerabilities",
  "parameters": {
    "count": 20,
    "severity": "critical",
    "timeRange": "7d"
  }
}

Getting CVE Metadata

Input Data:

{
  "vulnerability": {
    "cve_id": "CVE-2024-1234",
    "investigation_id": "SEC-2024-001"
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "cves",
  "operation": "getCVEMetadata",
  "parameters": {
    "cveId": "{{vulnerability.cve_id}}"
  }
}

Example: Tracking TTPs

Listing TTPs with Time-Based Filtering

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "ttps",
  "operation": "listTTPs",
  "parameters": {
    "period": {
      "type": "Last30Days"
    }
  }
}

Listing TTPs with Custom Time Range and Filters

Input Data:

{
  "ttp_analysis": {
    "start_date": "2024-01-01",
    "end_date": "2024-01-31",
    "threat_actors": ["nlp/f/entity/gz:ta:12345", "nlp/f/entity/gz:ta:67890"],
    "ttp_filter": ["T1003", "T1059"]
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "ttps",
  "operation": "listTTPs",
  "parameters": {
    "period": {
      "type": "Custom",
      "start": "{{ttp_analysis.start_date}}",
      "end": "{{ttp_analysis.end_date}}"
    },
    "threatLayers": "{{ttp_analysis.threat_actors}}",
    "ttpLayer": "{{ttp_analysis.ttp_filter}}"
  }
}

Collecting Procedures for a Specific TTP

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "ttps",
  "operation": "collectProcedures",
  "parameters": {
    "ttpId": "T1003",
    "period": {
      "type": "Last7Days"
    }
  }
}

Example: Threat Actor Intelligence

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "threatActors",
  "operation": "getTrendingAttackers",
  "parameters": {
    "count": 20,
    "timeRange": "30d"
  }
}

Getting Threat Actor Metadata

Input Data:

{
  "actor": {
    "id": "nlp/f/entity/gz:ta:12345",
    "incident_id": "INC-2024-456"
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "threatActors",
  "operation": "getThreatActorMetadata",
  "parameters": {
    "actorId": "{{actor.id}}"
  }
}

Example: Indicators of Compromise

Retrieving IoCs from Enterprise Streams

Input Data:

{
  "enterprise": {
    "team_id": "abc123",
    "ioc_stream_uuid": "def456-789ghi-012jkl"
  }
}

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "iocs",
  "operation": "getIoCs",
  "parameters": {
    "streamId": "enterprise/{{enterprise.team_id}}/category/{{enterprise.ioc_stream_uuid}}"
  }
}

Example: Malware Intelligence

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "malware",
  "operation": "getTrendingMalware",
  "parameters": {
    "count": 20,
    "timeRange": "7d"
  }
}

Getting Malware Metadata

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "malware",
  "operation": "getMalwareMetadata",
  "parameters": {
    "malwareId": "nlp/f/entity/gz:mal:e8c18245-d978-3f5c-ad82-cb89f8d1fed3"
  }
}

Example: Threat Intelligence Dashboard

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "threatIntelligence",
  "operation": "trendingArticles",
  "parameters": {
    "count": 20,
    "category": "ransomware"
  }
}

Getting Cyber Attacks Dashboard Data

Node Configuration:

{
  "integration_service": "feedly",
  "resource": "threatIntelligence",
  "operation": "cyberAttacksDashboard",
  "parameters": {
    "timeRange": "30d"
  }
}

Complete Workflow Example

Automated Threat Intelligence Collection Pipeline

Here's a complete workflow that demonstrates multiple Feedly operations:

  1. Collect latest threat intelligence articles
  2. Search for specific vulnerabilities using AI
  3. Retrieve trending CVEs
  4. Get detailed CVE metadata
  5. Collect related TTPs

Workflow Configuration:

# Step 1: Collect latest threat intelligence articles
- integration_service: feedly
  resource: articles
  operation: collectArticles
  parameters:
    streamId: "{{threat_intel_stream}}"
    count: 50
    ranked: "newest"
    unreadOnly: true

# Step 2: AI-powered search for zero-day vulnerabilities
- integration_service: feedly
  resource: search
  operation: searchAI
  parameters:
    query: "zero-day vulnerabilities in critical infrastructure"
    streamIds: ["{{threat_intel_stream}}"]

# Step 3: Get trending critical CVEs
- integration_service: feedly
  resource: cves
  operation: getTrendingVulnerabilities
  parameters:
    count: 20
    severity: "critical"
    timeRange: "7d"

# Step 4: Get detailed metadata for specific CVE
- integration_service: feedly
  resource: cves
  operation: getCVEMetadata
  parameters:
    cveId: "{{cve_id}}"

# Step 5: Collect related TTPs
- integration_service: feedly
  resource: ttps
  operation: listTTPs
  parameters:
    period:
      type: "Last30Days"

Troubleshooting

| Issue | Resolution |
| --- | --- |
| Authentication failures | Verify your bearer token is correct and has not expired. Enterprise features require enterprise-level tokens. |
| "Stream not found" errors | Ensure the stream ID is correct. For enterprise feeds, verify the format: enterprise/{teamId}/category/{uuid}. |
| "Invalid stream ID" errors | Check that the stream ID follows the correct format for personal or enterprise streams. |
| Empty results | Verify that the stream has content and your filters are not too restrictive. Check if unreadOnly is set correctly. |
| Rate limiting | Feedly has rate limits. Implement delays between requests or use pagination effectively. |
| Enterprise stream access denied | Ensure you have an enterprise-level API token and appropriate permissions for team feeds. |
| Malware/Threat Actor ID not found | Verify the entity ID format is correct when using metadata operations (e.g., nlp/f/entity/gz:mal:... for malware, nlp/f/entity/gz:ta:... for threat actors). |
| Pagination issues | Use continuation tokens returned in responses for subsequent requests. |
| CVE metadata not available | Some CVEs may not have complete metadata. Check if the CVE exists in Feedly's database. |
| TTP filtering returns no results | Verify threat actor IDs and TTP IDs are in the correct format and exist in Feedly's database. |

Best Practices

  1. Use Meaningful Stream IDs: For enterprise accounts, document your stream IDs as they must be obtained from the Feedly web UI.

  2. Leverage Template Variables: Use {{variable_name}} syntax to dynamically insert values from input data.

  3. Implement Pagination: Use continuation tokens for large result sets to avoid missing data.

  4. Optimize Article Collection: Use unreadOnly and newerThan filters to collect only relevant articles.

  5. Use AI Search Strategically: Leverage AI-powered semantic search for complex threat hunting queries.

  6. Filter by Severity: When collecting CVEs, use severity filtering to focus on critical vulnerabilities.

  7. Time-Based Analysis: Use appropriate time ranges (Last7Days, Last30Days, custom) for TTP and threat actor analysis.

  8. Combine Operations: Create workflows that combine article collection, search, and entity metadata retrieval for comprehensive intelligence.

  9. Monitor Trending Threats: Regularly collect trending vulnerabilities, malware, and threat actors for proactive threat hunting.

  10. Secure Your Tokens: Keep your Feedly bearer tokens secure using the system's built-in credential management.

  11. Document Stream IDs: Maintain a registry of enterprise stream IDs for easy reference in workflows.

  12. Use Time-Based Search Filters: Leverage newerThan and olderThan parameters in search operations to narrow results to specific time windows.

Advanced Use Cases

Automated Vulnerability Monitoring

Create workflows that continuously monitor for new critical vulnerabilities:

{
  "integration_service": "feedly",
  "resource": "cves",
  "operation": "getTrendingVulnerabilities",
  "parameters": {
    "count": 50,
    "severity": "critical",
    "timeRange": "7d"
  }
}

Threat Actor Campaign Tracking

Monitor specific threat actors and their associated TTPs:

{
  "integration_service": "feedly",
  "resource": "ttps",
  "operation": "listTTPs",
  "parameters": {
    "period": {
      "type": "Last30Days"
    },
    "threatLayers": ["{{threat_actor_id}}"]
  }
}

IoC Collection for SIEM Integration

Automatically collect IoCs from enterprise streams for SIEM ingestion:

{
  "integration_service": "feedly",
  "resource": "iocs",
  "operation": "getIoCs",
  "parameters": {
    "streamId": "enterprise/{{team_id}}/category/{{ioc_stream_id}}"
  }
}

Malware Campaign Analysis

Track emerging malware families and their metadata:

{
  "integration_service": "feedly",
  "resource": "malware",
  "operation": "getTrendingMalware",
  "parameters": {
    "count": 20,
    "timeRange": "7d"
  }
}

Threat Intelligence Enrichment

Enrich security alerts with Feedly threat intelligence:

{
  "integration_service": "feedly",
  "resource": "search",
  "operation": "searchAI",
  "parameters": {
    "query": "{{alert_description}}",
    "streamIds": ["{{threat_intel_streams}}"]
  }
}

Time Period Options

When using TTP operations, you can specify time periods in the following formats:

Predefined Periods

{
  "period": {
    "type": "Last7Days"
  }
}

Valid predefined types:

  • Last7Days
  • Last30Days
  • Last3Months
  • Last6Months

Custom Periods

{
  "period": {
    "type": "Custom",
    "start": "2024-01-01",
    "end": "2024-01-31"
  }
}

Understanding Stream IDs

Personal Stream IDs

Personal streams follow the format:

user/{userId}/category/{categoryName}

Example:

user/c805fcbf-3acf-4302-a97e-d82f9d7c897f/category/global.all

Enterprise Stream IDs

Enterprise team feeds follow the format:

enterprise/{teamId}/category/{uuid}

Example:

enterprise/abc123/category/def456-789ghi-012jkl

Important: Enterprise stream IDs cannot be listed via the API. You must obtain them from the Feedly web UI by navigating to the desired feed and copying the stream ID from the URL or feed settings.

Entity ID Formats

Feedly uses specific ID formats for different entity types:

  • Malware: nlp/f/entity/gz:mal:{uuid}
  • Threat Actor: nlp/f/entity/gz:ta:{identifier}
  • CVE: Standard CVE format (e.g., CVE-2024-1234)
  • TTP: MITRE ATT&CK technique ID (e.g., T1003)
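Because stream and entity IDs are often filled in from upstream data through templates, checking the resolved values against the formats listed above before a node runs catches malformed or unresolved IDs early. The following Python check is an added example, not part of the NINA or Feedly code: the function names are hypothetical, and the permissive segment character set and the optional sub-technique suffix on TTP IDs are assumptions.

```python
import re

# Assumption: a permissive segment charset that covers every ID shown on this
# page ("global.all", "def456-789ghi-012jkl", hex UUIDs) and excludes "/".
SEG = r"[A-Za-z0-9._-]+"

FORMATS = {
    "personal_stream": re.compile(rf"user/{SEG}/category/{SEG}"),
    "enterprise_stream": re.compile(rf"enterprise/{SEG}/category/{SEG}"),
    "malware": re.compile(rf"nlp/f/entity/gz:mal:{SEG}"),
    "threat_actor": re.compile(rf"nlp/f/entity/gz:ta:{SEG}"),
    "cve": re.compile(r"CVE-[0-9]{4}-[0-9]{4,}"),
    "ttp": re.compile(r"T[0-9]{4}(\.[0-9]{3})?"),  # optional sub-technique
}

# Formats each node parameter may take (parameter names as used on this page).
PARAM_KINDS = {
    "streamId": ("personal_stream", "enterprise_stream"),
    "streamIds": ("personal_stream", "enterprise_stream"),
    "cveId": ("cve",),
    "ttpId": ("ttp",),
    "ttpLayer": ("ttp",),
    "actorId": ("threat_actor",),
    "malwareId": ("malware",),
}


def classify(value):
    """Return the documented format a value matches, or None."""
    if not isinstance(value, str) or ".." in value:
        return None
    for kind, pattern in FORMATS.items():
        if pattern.fullmatch(value):
            return kind
    return None


def validate_parameters(params):
    """Return (parameter, value) pairs that do not match their expected format."""
    failures = []
    for name, allowed in PARAM_KINDS.items():
        if name in params:
            value = params[name]
            values = value if isinstance(value, list) else [value]
            failures += [(name, v) for v in values if classify(v) not in allowed]
    return failures


if __name__ == "__main__":
    # Constructed sample: one valid stream ID and one malformed CVE ID.
    print(validate_parameters({
        "streamId": "enterprise/abc123/category/def456-789ghi-012jkl",
        "cveId": "CVE-2024-12",
    }))
```

An empty list means every checked parameter matched; a template left unresolved, such as a literal `{{team_id}}` in a stream ID, is reported as a failure.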

For more information about Feedly's API and capabilities, refer to the Feedly API documentation.