Zynap News Integration Guide

Overview

The Zynap News integration allows your NINA workflows to connect with the Zynap News API for accessing curated cybersecurity news feeds with advanced threat intelligence filtering. This integration enables you to retrieve and filter security news articles, search across multiple sources, and extract rich threat context including CVEs, MITRE ATT&CK techniques, malware families, and indicators of compromise.

Status

We currently support comprehensive news retrieval and threat intelligence operations:

Currently Supported:

  • Feed-Based News Retrieval: Get news articles from specific feeds with extensive filtering
  • Cross-Feed Search: Search news articles across all accessible feeds
  • Article Details: Retrieve complete article information with threat intelligence metadata
  • Threat Intelligence Summary: Get enriched threat intelligence analysis for specific articles

Advanced Features:

  • Threat Intelligence Filters: CVEs, MITRE ATT&CK techniques, malware families, IoCs (domains, IPs, hashes)
  • Context Filters: Organizations/entities, locations, technologies, source domains, tags
  • Text Search: Title, summary, and full-text search capabilities
  • Temporal Filtering: Published date ranges with ISO 8601 support
  • Pagination Support: Page-based and cursor-based pagination for large result sets

Supported Resources and Operations

Feed

| Operation | Description |
|---|---|
| Get News | Retrieve news articles from a specific feed with comprehensive filtering options |

News

| Operation | Description |
|---|---|
| Search All News | Search news articles across all accessible feeds with comprehensive filtering |
| Get News Article | Retrieve complete details of a specific news article including all IoCs and metadata |
| Get Threat Intelligence | Get enriched cybersecurity threat intelligence summary for a news article |

Parameter Merging and Templating

The Zynap News integration takes advantage of NINA's parameter merging and templating capabilities:

Parameter Sources (in order of precedence)

  1. Node Parameters: Parameters configured directly in the Zynap News Integration Node
  2. Extracted Parameters: Parameters automatically extracted from the input data
  3. Input Data: The complete input data from upstream nodes

Template variables within parameters are processed using {{variable_name}} syntax.

Example: Getting News from a Feed

Basic Feed News Retrieval

Node Configuration:

{
  "integration_service": "news-api",
  "resource": "feed",
  "operation": "get_news",
  "parameters": {
    "feedId": "feed_abc123def456",
    "pageSize": 50,
    "sortBy": "published_at",
    "sortOrder": "desc"
  }
}

Advanced Filtering with Template Variables

Input Data from Previous Node:

{
  "monitoring": {
    "feed_id": "feed_abc123def456",
    "time_window": {
      "start": "2024-01-01T00:00:00Z",
      "end": "2024-01-31T23:59:59Z"
    }
  },
  "filters": {
    "cve_ids": ["CVE-2024-1234", "CVE-2024-5678"]
  }
}

Node Configuration:

{
  "integration_service": "news-api",
  "resource": "feed",
  "operation": "get_news",
  "parameters": {
    "feedId": "{{monitoring.feed_id}}",
    "publishedAfter": "{{monitoring.time_window.start}}",
    "publishedBefore": "{{monitoring.time_window.end}}",
    "vulnerabilityCvesContains": "{{filters.cve_ids}}",
    "pageSize": 100
  }
}

Example: Searching News Across All Feeds

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "fullTextSearch": "ransomware attack",
    "publishedAfter": "2024-01-01T00:00:00Z",
    "pageSize": 50
  }
}

Advanced Search with Threat Intelligence Filters

Input Data:

{
  "threat_hunt": {
    "malware": ["LockBit", "BlackCat"],
    "techniques": ["T1059", "T1055"],
    "entities": ["Microsoft", "Cisco"]
  }
}

Node Configuration:

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "malwareFamiliesContains": "{{threat_hunt.malware}}",
    "mitreAttackIdsContains": "{{threat_hunt.techniques}}",
    "entitiesMentionedContains": "{{threat_hunt.entities}}",
    "publishedAfter": "2024-01-01T00:00:00Z",
    "pageSize": 100
  }
}

Example: CVE Monitoring

Tracking Specific CVEs

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "vulnerabilityCvesContains": ["CVE-2024-1234", "CVE-2024-5678"],
    "publishedAfter": "2024-01-01T00:00:00Z",
    "pageSize": 100
  }
}

CVE with IoC Intelligence

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "vulnerabilityCvesContains": ["CVE-2024-1234"],
    "iocHashesContains": ["a1b2c3d4e5f6789abcdef1234567890abcdef1234567890abcdef1234567890"],
    "iocDomainsContains": ["malicious-domain.com"]
  }
}

Example: MITRE ATT&CK Intelligence

Tracking Specific Techniques

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "mitreAttackIdsContains": ["T1003", "T1059", "T1055"],
    "publishedAfter": "2024-01-01T00:00:00Z",
    "pageSize": 100
  }
}

Example: Malware Family Tracking

Monitoring Malware Campaigns

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "malwareFamiliesContains": ["LockBit", "BlackCat", "REvil"],
    "publishedAfter": "2024-01-01T00:00:00Z",
    "pageSize": 50
  }
}

Example: IoC Intelligence Gathering

Tracking Malicious Indicators

Input Data:

{
  "ioc_monitoring": {
    "domains": ["malicious-site.com", "evil-domain.net"],
    "ips": ["192.168.1.100", "10.0.0.50"],
    "hashes": ["a1b2c3d4e5f6789abcdef1234567890abcdef1234567890abcdef1234567890"]
  }
}

Node Configuration:

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "iocDomainsContains": "{{ioc_monitoring.domains}}",
    "iocIpsContains": "{{ioc_monitoring.ips}}",
    "iocHashesContains": "{{ioc_monitoring.hashes}}",
    "pageSize": 100
  }
}

Example: Entity and Location Monitoring

Tracking Organization-Specific Threats

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "entitiesMentionedContains": ["Microsoft", "Cisco", "VMware"],
    "locationsMentionedContains": ["United States", "Ukraine"],
    "technologiesMentionedContains": ["Windows Server", "Apache"],
    "publishedAfter": "2024-01-01T00:00:00Z"
  }
}

Example: Getting Article Details

Retrieving Complete Article Information

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "get_news_article",
  "parameters": {
    "newsId": "news_article_12345"
  }
}

This returns complete article details including:

  • Full title, summary, and content
  • All threat intelligence tags (CVEs, MITRE ATT&CK, malware families)
  • Complete IoC lists (domains, IPs, hashes)
  • Entity, location, and technology mentions
  • Source information and original URL

Example: Getting Threat Intelligence Summary

Enriched Threat Analysis

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "get_threat_intelligence",
  "parameters": {
    "newsId": "news_article_12345"
  }
}

This returns AI-generated analysis including:

  • Threat summary and key findings
  • Attack vector analysis
  • Impact assessment
  • Recommended mitigations

Complete Workflow Example

Automated Threat Intelligence Pipeline

# Step 1: Search for recent threats
- integration_service: news-api
  resource: news
  operation: search_all_news
  parameters:
    publishedAfter: "{{workflow.start_date}}"
    vulnerabilityCvesContains: ["CVE-2024-1234"]
    malwareFamiliesContains: ["LockBit"]
    pageSize: 20

# Step 2: Get detailed article information
- integration_service: news-api
  resource: news
  operation: get_news_article
  parameters:
    newsId: "{{step1.results[0].id}}"

# Step 3: Extract threat intelligence
- integration_service: news-api
  resource: news
  operation: get_threat_intelligence
  parameters:
    newsId: "{{step1.results[0].id}}"

# Step 4: Send alert
- integration_service: slack
  resource: message
  operation: send
  parameters:
    channel: "#security-alerts"
    message: |
      🚨 New Threat: {{step2.title}}
      CVEs: {{step2.vulnerability_cves}}
      Summary: {{step3.threat_summary}}

Response Structure

Get News Response

{
  "news": [
    {
      "id": "news_article_12345",
      "title": "New LockBit Ransomware Variant Exploits CVE-2024-1234",
      "summary": "Security researchers discovered...",
      "url": "https://originalsource.com/article",
      "published_at": "2024-01-15T10:30:00Z",
      "vulnerability_cves": ["CVE-2024-1234"],
      "mitre_attack_ids": ["T1059", "T1055"],
      "malware_families": ["LockBit"],
      "entities_mentioned": ["Microsoft"],
      "ioc_domains": ["malicious-site.com"],
      "ioc_ips": ["192.168.1.100"],
      "ioc_hashes": ["a1b2c3..."]
    }
  ],
  "pagination": {
    "page": 1,
    "page_size": 50,
    "total_count": 1234,
    "cursor": "eyJwYWdlIjoyLCJvZmZzZXQiOjUwfQ=="
  }
}
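
Indicators pulled from news articles are best vetted before they reach a blocklist or detection rule: the sample above carries a private address and a truncated hash, neither of which is usable as-is. The following Python sketch is an added example, not part of the Zynap or NINA code base; the function names and the sample values are constructed for illustration, and only the field names (`news`, `ioc_domains`, `ioc_ips`, `ioc_hashes`) come from the response shown above.

```python
import ipaddress
import re

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5, SHA-1, SHA-256

# Constructed sample in the shape of the Get News response; all values are placeholders.
SAMPLE_RESPONSE = {"news": [
    {"id": "news_article_12345",
     "ioc_domains": ["malicious-site.com"],
     "ioc_ips": ["192.168.1.100", "93.184.216.34"],
     "ioc_hashes": ["a1b2c3..."]},
    {"id": "news_article_67890",
     "ioc_domains": ["Malicious-Site.com.", "evil-domain.net"],
     "ioc_ips": ["not-an-ip", "198.51.100.23"],
     "ioc_hashes": ["D41D8CD98F00B204E9800998ECF8427E"]},
]}

def usable_ip(value):
    """True only for well-formed, globally routable addresses."""
    try:
        return ipaddress.ip_address(value.strip()).is_global
    except ValueError:
        return False

def vet_iocs(response):
    """Split IoCs into deduplicated usable sets and a list of rejected values."""
    usable = {"domains": set(), "ips": set(), "hashes": set()}
    rejected = []
    for article in response.get("news", []):
        for domain in article.get("ioc_domains", []):
            # Normalise case and trailing dot so duplicates collapse.
            usable["domains"].add(domain.strip().rstrip(".").lower())
        for ip in article.get("ioc_ips", []):
            if usable_ip(ip):
                usable["ips"].add(ip.strip())
            else:
                rejected.append((article["id"], "ip", ip))
        for digest in article.get("ioc_hashes", []):
            if HASH_RE.match(digest.strip().lower()):
                usable["hashes"].add(digest.strip().lower())
            else:
                rejected.append((article["id"], "hash", digest))
    return usable, rejected
```

Rejected entries keep the article ID so an analyst can go back to the source article with `get_news_article` and check what was actually reported.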

Get Threat Intelligence Response

{
  "threat_intelligence": {
    "article_id": "news_article_12345",
    "threat_summary": "A new LockBit ransomware variant exploiting CVE-2024-1234...",
    "attack_vector": "Exploitation via exposed RDP services...",
    "impact_assessment": "Critical - Potential for widespread data encryption...",
    "recommended_mitigations": [
      "Apply security patches immediately",
      "Disable unnecessary RDP access"
    ],
    "confidence_score": 95,
    "severity": "critical"
  }
}

Available Parameters

Get News (Feed) Parameters

| Parameter | Type | Description | Default |
|---|---|---|---|
| feedId | string | The feed ID (required) | - |
| page | number | Page number (starts from 1) | 1 |
| pageSize | number | Items per page (max 1000) | 50 |
| publishedAfter | string | Filter by published date (ISO 8601) | - |
| publishedBefore | string | Filter by published date (ISO 8601) | - |
| titleContains | string | Filter by title text | - |
| summaryContains | string | Filter by summary text | - |
| vulnerabilityCvesContains | array | Filter by CVE IDs | - |
| mitreAttackIdsContains | array | Filter by MITRE ATT&CK IDs | - |
| malwareFamiliesContains | array | Filter by malware families | - |
| entitiesMentionedContains | array | Filter by entities/organizations | - |
| locationsMentionedContains | array | Filter by locations/countries | - |
| technologiesMentionedContains | array | Filter by technologies | - |
| iocDomainsContains | array | Filter by malicious domains | - |
| iocIpsContains | array | Filter by IP addresses | - |
| iocHashesContains | array | Filter by file hashes | - |
| sortBy | string | Sort field (published_at, created_at, updated_at) | published_at |
| sortOrder | string | Sort order (asc, desc) | desc |

Search All News Parameters

All parameters from Get News, plus:

| Parameter | Type | Description | Default |
|---|---|---|---|
| fullTextSearch | string | Full-text search across title, summary, content | - |
| tagIdsContains | array | Filter by tag IDs | - |
| sourceIdsContains | array | Filter by source IDs | - |

Sort options include discovery_count in addition to date fields.

Troubleshooting

| Issue | Resolution |
|---|---|
| "Feed not found" errors | Ensure the feed ID is correct. Use the dynamic feeds dropdown to select valid feeds. |
| Empty results | Verify filters are not too restrictive. Try broadening the search by removing some filters. |
| Invalid date format | Use ISO 8601 format: 2024-01-15T10:30:00Z |
| Pagination issues | Use cursor from response for next page requests |
| Array parameter issues | Ensure arrays are properly formatted as JSON arrays |
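
Several of the issues above (date format, array formatting, page size) can be caught before a workflow runs. The following Python pre-flight check is an added example, not part of NINA or the Zynap News API; `validate_parameters` and its helpers are hypothetical names, and it assumes that `{{...}}` placeholders are resolved at run time, that timestamps must carry a timezone as in the page's two examples, and that `pageSize` starts at 1.

```python
import re
from datetime import datetime

# Parameter names and the pageSize limit come from the tables on this page.
ARRAY_PARAMS = {
    "vulnerabilityCvesContains", "mitreAttackIdsContains", "malwareFamiliesContains",
    "entitiesMentionedContains", "locationsMentionedContains",
    "technologiesMentionedContains", "iocDomainsContains", "iocIpsContains",
    "iocHashesContains", "tagIdsContains", "sourceIdsContains",
}
DATE_PARAMS = {"publishedAfter", "publishedBefore"}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}")
MAX_PAGE_SIZE = 1000

def is_iso8601(value):
    """Accept 2024-01-15T10:30:00Z or an explicit offset; reject naive timestamps."""
    if not isinstance(value, str):
        return False
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None

def validate_parameters(params):
    """Return a list of problems; an empty list means nothing was flagged."""
    problems = []
    for name, value in params.items():
        # Assumption: {{...}} placeholders are resolved at run time, so skip them here.
        if isinstance(value, str) and TEMPLATE_RE.search(value):
            continue
        if name in ARRAY_PARAMS and not isinstance(value, list):
            problems.append(f"{name}: expected a JSON array, got {type(value).__name__}")
        elif name in DATE_PARAMS and not is_iso8601(value):
            problems.append(f"{name}: not ISO 8601 with a timezone: {value!r}")
        elif name == "pageSize" and not (type(value) is int and 1 <= value <= MAX_PAGE_SIZE):
            problems.append(f"pageSize: must be an integer from 1 to {MAX_PAGE_SIZE}")
        elif name == "sortOrder" and value not in ("asc", "desc"):
            problems.append(f"sortOrder: must be 'asc' or 'desc', got {value!r}")
    cves = params.get("vulnerabilityCvesContains")
    for cve in (cves if isinstance(cves, list) else []):
        if isinstance(cve, str) and not TEMPLATE_RE.search(cve) and not CVE_RE.match(cve):
            problems.append(f"vulnerabilityCvesContains: malformed CVE ID {cve!r}")
    return problems
```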

Best Practices

  1. Use Appropriate Scope: Use get_news for feed-specific searches, search_all_news for cross-feed intelligence

  2. Leverage Template Variables: Use {{variable_name}} syntax for dynamic parameter insertion

  3. Implement Time Filtering: Use publishedAfter/publishedBefore to focus on relevant time windows

  4. Combine Multiple Filters: Use threat intelligence filters together for precise threat hunting

  5. Optimize Pagination: Use appropriate pageSize (default 50, max 1000) and cursor-based pagination

  6. Enrich with Threat Intel: Use get_threat_intelligence for AI-generated analysis on critical articles

  7. Sort Strategically: Use published_at for timeline analysis, discovery_count for trending threats

  8. Track IoCs Systematically: Use IoC filters for indicator-based threat hunting

  9. Monitor Technology Stack: Use technologiesMentionedContains to track threats affecting your infrastructure

  10. Automate Workflows: Create scheduled workflows for continuous threat monitoring

Advanced Use Cases

CVE Impact Assessment

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "vulnerabilityCvesContains": ["CVE-2024-1234"],
    "technologiesMentionedContains": ["Windows Server"],
    "pageSize": 100
  }
}

Ransomware Campaign Monitoring

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "malwareFamiliesContains": ["LockBit", "BlackCat"],
    "entitiesMentionedContains": ["Healthcare"],
    "publishedAfter": "{{last_week}}",
    "sortBy": "discovery_count"
  }
}

IoC-Based Threat Hunting

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "iocDomainsContains": ["{{detected_domain}}"],
    "iocIpsContains": ["{{detected_ip}}"]
  }
}

Zero-Day Tracking

{
  "integration_service": "news-api",
  "resource": "news",
  "operation": "search_all_news",
  "parameters": {
    "fullTextSearch": "zero-day",
    "publishedAfter": "{{last_24_hours}}",
    "sortBy": "published_at",
    "sortOrder": "desc"
  }
}

Date and Time Formats

All date parameters use ISO 8601 format:

2024-01-15T10:30:00Z (UTC)
2024-01-15T10:30:00-05:00 (with timezone offset)

Best Practice: Use UTC timestamps (with 'Z' suffix) for consistency.

Updated: 2026-01-20