150,000 cybersecurity professionals use Feedly to gather insights into the changing threat landscape.
Threat research and collection is one stage of the overall threat intelligence, investigation, and response process.
The Feedly Cybersecurity API allows security teams to easily integrate the information they collect in Feedly into other systems and applications. Some teams use the API to extract threat and vulnerability data and feed broader machine learning threat priority models. Some teams use the API to create Jira tickets based on the content of Feedly boards to ensure critical vulnerabilities are reviewed and corrected in a timely manner.
Access to the Feedly API (up to 200,000 requests per month) is an add-on included in the Enterprise edition of the Feedly cybersecurity package.
In this tutorial, we’ll show you how to use the Feedly API to access the content of your security feeds, boards, and Leo priorities.
When you subscribe to Feedly for Cybersecurity Enterprise Edition, we will provide you with a special Feedly access token associated with your account. That token will allow you to access the content of your feeds, boards and priorities and execute up to 200,000 requests per month.
Articles as JSON
The JSON representation of an article combines some of the open source content included in the RSS or website, aggregated CVE / CVSS / Exploit information from vulnerability and exploit databases, as well as the results of Leo’s cybersecurity models.
The title, content and visual information give you access to the core of the article content:
The commonTopics array represents Leo’s classification of topics. Entities represent CVEs, products or companies that Leo identified in the article. The CVE entity includes CVSS and exploit information extracted from vulnerability databases.
Estimated CVSS is the result of Leo’s CVSS scoring model. This is useful for zero-days and articles that don’t explicitly mention a CVE. In these cases, Leo reads the content of the article and calculates an approximate CVSS score based on the terminology used in the article or tweet.
Pro tip: When you have an article open in the Feedly web application, you can use the keyboard shortcut Shift + D to view and inspect the article’s JSON.
Access the content of your feeds
Let’s imagine you have a “Security News” feed that contains a list of known and trusted security sources that you want to follow.
The Feedly API allows you to query Feedly and ask for the last 100 aggregated articles in that feed. Articles are normalized into a JSON format which includes title, content, and source information, as well as some cybersecurity metadata (Leo topic classification, CVE metadata, CVSS metadata, exploit information).
You can use the Stream endpoint to get the last 100 articles published in a feed:
The most important parameter is the streamId. Each feed in your Feedly account has a unique stream ID. When you select the feed in the left navigation bar, you see the streamId as part of the URL. The stream ID is formatted as `enterprise/xxxx/category/xxxx` for team feeds and `user/xxxx/category/xxxx` for personal feeds.
The count parameter defines the number of articles that the server will return. We recommend that you select a number between 20 and 100. If you need access to more than 100 articles, you can use the continuation parameter returned from the response to chain requests and ask for the next 100 articles.
Finally, the ImportantParameter allows you to get only the list of articles in the stream that have been prioritized by Leo.
- Make sure the requests you are making are authenticated using the token you received from the Feedly team.
- Make sure streamId is URL encoded when passed as a parameter to the Stream endpoint.
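The request building and continuation chaining described above, as an added example that is not Feedly's own code. The base URL, the `items` response key, the injected `get_json` transport (which must send your access token) and the sample pages are assumptions constructed for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumption: API host; adjust to the one given with your access token.
API = "https://cloud.feedly.com/v3/streams/contents"

def stream_url(stream_id, count=100, continuation=None):
    """Build a Stream request URL; urlencode percent-encodes the streamId."""
    if not 20 <= count <= 100:
        raise ValueError("count should be between 20 and 100")
    params = {"streamId": stream_id, "count": count}
    if continuation:
        params["continuation"] = continuation
    return API + "?" + urlencode(params)

def fetch_all(stream_id, get_json, max_articles=300):
    """Chain requests with the returned continuation value.

    max_articles bounds the loop so one run cannot burn through the
    monthly request quota on a very long stream.
    """
    articles, continuation = [], None
    while len(articles) < max_articles:
        page = get_json(stream_url(stream_id, 100, continuation))
        articles.extend(page.get("items", []))
        continuation = page.get("continuation")
        if not continuation:  # no continuation means the stream is exhausted
            break
    return articles[:max_articles]

# Constructed sample pages standing in for authenticated server responses.
PAGES = {None: {"items": [{"id": "e1"}, {"id": "e2"}], "continuation": "c1"},
         "c1": {"items": [{"id": "e3"}]}}

def fake_get_json(url):
    """Offline transport: pick the page matching the continuation in the URL."""
    query = parse_qs(urlparse(url).query)
    return PAGES[query.get("continuation", [None])[0]]
```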
Access the content of your boards
Security teams use boards to mark critical items that all team members should be aware of. They also often use boards to tag articles they want to share with other applications.
You can use the same Stream endpoint to access the latest N articles manually bookmarked by your team on a board.
The only difference will be the streamId. Team board streamIds are formatted as `enterprise/xxxx/tag/xxxx`. Personal board streamIds are formatted as `user/xxxx/tag/xxxx`.
If users annotated articles with some notes and highlights when saving the article to a board, those notes and highlights will be included in the article’s JSON structure.
Example: Feedly integration with your ticketing system
Here’s an example of how you can simplify the integration between the research and collection work of your threat intelligence team and the analysis and patching work of your operations team.
The research team creates a Feedly board called Critical Vulns, where articles related to critical vulnerabilities are bookmarked for the operations team to be aware of and review.
Whenever the research team finds a critical insight, they save that article to the Critical Vulns board, adding a note as to why they think the vulnerability needs to be reviewed and fixed.
Instead of asking the research team to manually create a ticket in your ticketing system (Jira, ServiceNow, etc.), you can write a small app that every 5 minutes connects to the Critical Vulns board, requests the last 20 articles saved in that board, and for each new article, uses your ticketing system’s API to create a new ticket. The app can enrich the ticket with the URL of the article saved in the board, the CVE information, and the notes and highlights of the researcher.
This is a powerful way to break the silos between your research team and your operations team and make sure critical vulnerabilities are fixed faster.
Pro tip: There is a simple way to find new articles saved on a board. When your app processes a list of articles, it should save the ID of the first article in the list. The next time it calls the Feedly Stream endpoint to get the most recent articles added to the board, your app can use the newerThan parameter of /v3/streams/contents and pass that article ID instead of a timestamp to get only the more recent articles.
The Feedly web application and mobile applications are based on the Feedly API. This means that every piece of information available in the application and every action taken in the application is available in the API.
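One polling pass of the board-to-ticket app described above, as an added example that is not Feedly's own code. The article field names (`alternate`, `entities`, `label`, `annotations`, `comment`), the `fetch` and `create_ticket` callables, and the sample board with its placeholder CVE ID are assumptions constructed for illustration; highlights would be mapped the same way as notes.

```python
# Constructed sample board, newest first; all field names below are assumptions.
BOARD = [
    {"id": "a2", "title": "Patch released for gateway flaw",
     "alternate": [{"href": "https://example.com/a2"}],
     "entities": [{"label": "CVE-0000-0002"}],
     "annotations": [{"comment": "Affects our VPN fleet"}]},
    {"id": "a1", "title": "Mail server bug\x07 under review",
     "alternate": [{"href": "https://example.com/a1"}], "entities": []},
]

def fake_fetch(params):
    """Stand-in for the authenticated Stream call; honours newerThan as an article ID."""
    ids = [a["id"] for a in BOARD]
    marker = params.get("newerThan")
    cut = ids.index(marker) if marker in ids else len(ids)
    return {"items": BOARD[:cut][:params["count"]]}

def clean(text, limit=200):
    """Article text is third-party input: drop control characters and cap length."""
    return "".join(ch for ch in text if ch.isprintable())[:limit]

def ticket_from_article(article):
    """Map one saved article to a ticket payload for the ticketing API."""
    links = article.get("alternate") or [{}]
    return {
        "summary": clean(article.get("title", "")),
        "url": links[0].get("href", ""),
        "cves": [e["label"] for e in article.get("entities", [])
                 if e.get("label", "").startswith("CVE-")],
        "notes": [clean(a["comment"]) for a in article.get("annotations", [])
                  if a.get("comment")],
    }

def poll_board(stream_id, fetch, state, create_ticket):
    """One polling pass: ticket each unseen article, then advance the checkpoint."""
    params = {"streamId": stream_id, "count": 20}
    if state.get("newest_id"):
        params["newerThan"] = state["newest_id"]  # article ID instead of a timestamp
    items = fetch(params).get("items", [])
    created = []
    for article in reversed(items):  # oldest first, so tickets follow save order
        if article["id"] not in state["seen"]:
            create_ticket(ticket_from_article(article))
            state["seen"].add(article["id"])
            created.append(article["id"])
    if items:
        state["newest_id"] = items[0]["id"]  # first item in the list is the newest
    return created
```

Persist `state` between runs; the `seen` set keeps a restart or an inclusive `newerThan` match from opening duplicate tickets.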
For more information on the Feedly API, visit the Feedly developer website.
Simplify your open source intelligence
We are excited to see many security teams use the Feedly API to streamline their open source threat intelligence process. Sign up today and find out what Feedly for Cybersecurity can do for you!
If you are interested in learning more about Leo’s roadmap, you can join the Feedly Community Slack. 2020 will be an exciting year with new skills and bold experiments!