6 Ways to Automate Threat Intelligence with the Feedly API

Introduction

Not every CTI workflow needs to start and finish in the Feedly UI.

The Feedly Threat Intelligence API gives you programmatic access to everything that makes Feedly useful: Intel Agents, Ask AI, AI Feeds, Boards, Insights Cards, and the millions of relationships in the Real-Time Threat Graph, so you can pull enriched, contextualized intelligence directly into the tools and workflows your team already relies on.

Whether you’re feeding a TIP, pushing alerts to a SIEM, or building a custom internal system, the API lets you automate the collection, processing, and analysis steps that would otherwise require manual effort inside the Feedly UI.

In this post, we’ll cover how the API works and walk through six practical ways to use it to streamline and scale your threat intelligence operations.

How to use the Feedly Threat Intelligence API

Feedly’s REST API makes it easy to integrate threat intelligence into your existing workflows. With a few simple steps, you can automate the sharing of high-value intelligence with leadership, operations, and other tools in your stack.

Step 1: Generate an API Access Token

If you’re on the Feedly Threat Intelligence Advanced plan, you can generate a personal API access token directly from the self-service section of the Feedly app.

Step 2: Identify the Stream ID

Locate the stream ID of the folder or Board you want to access. This ID is used to tell the API what data to retrieve or act on.

Step 3: Make REST API Requests

The Feedly API follows RESTful conventions, using standard HTTP methods like GET, POST, and DELETE. All requests and responses use JSON formatting, making it simple to integrate with modern workflows and tools.

Example 1: Enriching custom dashboards

Many customers integrate Feedly with analytics and visualization platforms like Power BI and Azure Data Explorer to gain deeper threat insights. They pull in enriched articles from Feedly that include context such as CVEs, TTPs, malware, and threat actors, and correlate that intelligence with data from other sources, including closed-source reports, dark web monitoring, and internal telemetry. This creates a more comprehensive and connected view of the threat landscape.

Example 2: Summarize content with Ask AI

One effective way to use the API is to pull article content on top stories and use Ask AI to automatically synthesize it. Ask AI can summarize key points or identify related indicators, giving users the flexibility to analyze single articles or groups of articles. This helps extract data, highlight themes, break down technical details, and format customized output.

Here are just a few examples of how to use Ask AI in the API:

• Cross-reference TTPs: Automatically query a folder or an AI Feed for TTPs associated with a threat actor as new articles are collected.
• CVE analysis and enrichment: Query new critical CVEs affecting your tech stack to return structured data on exploits, affected systems, and CVSS.
• Diamond Model analysis: Programmatically generate a full analysis when a tracked threat actor is associated with a behavioral change.
• Automate recurring deliverables: Schedule daily threat summaries to run against your PIRs and deliver specific, formatted output.

Prompt

I used the prompt here: Generate threat hunt hypothesis to create a workflow where you can save articles to a Board and then run a cron job to generate hypotheses via Ask AI.

Output

The output of the script is saved in this Notion page.

Example 3: Ingesting Feedly data into a security tool

Feedly Threat Intelligence offers no-code integrations with several popular security tools, including Splunk, Anomali, Microsoft Sentinel, and MISP (see the full list). For tools that are not yet supported with no-code options, users can build custom integrations using the Feedly API. This flexibility allows teams to seamlessly integrate Feedly with their existing security stack, automate workflows, and ensure threat intelligence is delivered quickly to the right tools.

For more sample customer scripts, visit: https://github.com/feedly/sample-customer-scripts/tree/main

Example 4: Identify changes to vulnerabilities

The criticality and priority of vulnerabilities can shift as new information becomes available, such as updated CVSS scores, newly discovered exploits, or patch releases. However, tracking when these updates change the status of a vulnerability can be challenging. Some Feedly customers use the API to extract data from the Vulnerability Agent into a separate database. By comparing each version of the data to previous pulls, they can detect changes and trigger notifications through tools like Slack or Microsoft Teams.

Example 5: Facilitate remediation workflows in service management tool

Many security teams already live in service management tools like ServiceNow. Feedly’s API lets them stay there, surfacing threats from Feedly and pushing them directly into their existing remediation workflows, where tickets get created, prioritized, and tracked automatically. It removes context switching and ensures that critical issues are tracked, prioritized, and resolved through established IT processes.

Example 6: Automate threat hunting

Integrating Feedly with a SOAR platform enables security teams to automate the ingestion and analysis of threat intelligence, streamlining threat-hunting workflows. Using the Feedly API, the SOAR connector can pull fresh indicators of compromise (IoCs) enriched with context such as malware, threat actors, CVEs, products, and TTPs. Then, each night they can run automated checks to flag any IoCs that match threat-hunting criteria. By the time analysts start their day, they have a prioritized list of threats, complete with the context needed to investigate.

Secure Cyber Defense explains this in more detail in this case study.

Want to learn more about setting up the Feedly API?

Visit: https://developers.feedly.com