Cofense Triage v3

The integration uses the Cofense Triage v2 API that allows users to ingest phishing reports as incident alerts and execute commands such as threat indicators, reporters, categorize reports, and more.

Data Enrichment & Threat Intelligence · Cofense Triage

Configuration parameters

  • url — Server URL (required)
  • credentials — Client ID (required)
  • max_fetch — Maximum number of incidents per fetch
  • first_fetch — First fetch time interval
  • mailbox_location — Report Location
  • match_priority — Match Priority
  • category_id — Category ID
  • tags — Tags
  • categorization_tags — Categorization Tags
  • mirror_direction — Incident Mirroring Direction
  • filter_by — Advanced Filters
  • proxy — Use system proxy settings
  • insecure — Trust any certificate (not secure)
  • incidentType — Incident type
  • isFetch — Fetch incidents

Commands (20)

  • cofense-attachment-payload-list

    Retrieves attachment payloads based on the filter values provided in the command arguments. Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email.

  • cofense-category-list

    Retrieves categories based on the provided parameters. Categories are applied while processing the email to indicate the type of threat (or non-threat) that reports and clusters pose to the organization.

  • cofense-cluster-list

    Retrieves clusters based on the filter values provided in the command arguments.

  • cofense-comment-list

    Retrieves comments based on the filter values provided in the command arguments.

  • cofense-integration-submission-get

    Retrieves integration submission based on the filter values provided in the command arguments.

  • cofense-report-attachment-download

    Downloads the attachment for the specified attachment ID.

  • cofense-report-attachment-list

    Retrieves attachments based on provided report id in the command arguments. For reported emails that contain attachments, Cofense Triage captures the attachment's filename and size.

  • cofense-report-attachment-payload-list

    Retrieves attachment payloads based on provided report id in the command arguments. Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email attachment.

  • cofense-report-categorize

    Categorizes a report into a specific category provided by the user.

  • cofense-report-download

    Downloads the raw email for the report that matches the specified report ID.

  • cofense-report-image-download

    Downloads the image of the report that matches the specified report ID.

  • cofense-report-list

    Retrieves a report or a list of reports based on the filter values provided in the command arguments.

  • cofense-reporter-list

    Retrieves the reporters that match the provided parameters. Reporters are employees of an organization who send, or report, suspicious emails to Cofense Triage.

  • cofense-rule-list

    Retrieves rules based on the filter values provided in the command arguments. Rules identify specific characteristics for categorizing the reported emails.

  • cofense-threat-indicator-create

    Creates a threat indicator based on the values provided in the command arguments.

  • cofense-threat-indicator-list

    Retrieves the list of threat indicators based on the provided parameters. Threat indicators identify the threat level of an email's subject, sender, domains, URLs, and MD5 and SHA256 attachment hash signatures.

  • cofense-threat-indicator-update

    Updates a threat indicator based on the values provided in the command arguments.

  • cofense-url-list

    Retrieves URLs based on the filter values provided in the command arguments. URLs are the threats (or non-threat) that are detected in the reported emails.

  • get-modified-remote-data

    Gets the list of incidents that were modified since the last update time. Note that this method is here for debugging purposes. The get-modified-remote-data command is used as part of a mirroring feature, which is available from Cortex XSOAR version 6.1.

  • get-remote-data

    Get remote data from a remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.