Cofense Triage v3
The integration uses the Cofense Triage v2 API that allows users to ingest phishing reports as incident alerts and execute commands such as threat indicators, reporters, categorize reports, and more.
Data Enrichment & Threat Intelligence · Cofense Triage
Configuration parameters
url— Server URL (required)credentials— Client ID (required)max_fetch— Maximum number of incidents per fetchfirst_fetch— First fetch time intervalmailbox_location— Report Locationmatch_priority— Match Prioritycategory_id— Category IDtags— Tagscategorization_tags— Categorization Tagsmirror_direction— Incident Mirroring Directionfilter_by— Advanced Filtersproxy— Use system proxy settingsinsecure— Trust any certificate (not secure)incidentType— Incident typeisFetch— Fetch incidents
Commands (20)
-
cofense-attachment-payload-listRetrieves attachment payloads based on the filter values provided in the command arguments. Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email.
-
cofense-category-listRetrieves categories based on the provided parameters. Categories are applied while processing the email to indicate the type of threat (or non-threat) that reports and clusters pose to the organization.
-
cofense-cluster-listRetrieves clusters based on the filter values provided in the command arguments.
-
cofense-comment-listRetrieves comments based on the filter values provided in the command arguments.
-
cofense-integration-submission-getRetrieves integration submission based on the filter values provided in the command arguments.
-
cofense-report-attachment-downloadDownloads the attachment for the specified attachment ID.
-
cofense-report-attachment-listRetrieves attachments based on provided report id in the command arguments. For reported emails that contain attachments, Cofense Triage captures the attachment's filename and size.
-
cofense-report-attachment-payload-listRetrieves attachment payloads based on provided report id in the command arguments. Attachment payloads identify the MIME type and MD5 and SHA256 hash signatures of a reported email attachment.
-
cofense-report-categorizeCategorizes a report into a specific category provided by the user.
-
cofense-report-downloadDownloads the raw email for the report that matches the specified report ID.
-
cofense-report-image-downloadDownloads the image of the report that matches the specified report ID.
-
cofense-report-listRetrieves a report or a list of reports based on the filter values provided in the command arguments.
-
cofense-reporter-listRetrieves the reporters that match the provided parameters. Reporters are employees of an organization who send, or report, suspicious emails to Cofense Triage.
-
cofense-rule-listRetrieves rules based on the filter values provided in the command arguments. Rules identify specific characteristics for categorizing the reported emails.
-
cofense-threat-indicator-createCreates a threat indicator based on the values provided in the command arguments.
-
cofense-threat-indicator-listRetrieves the list of threat indicators based on the provided parameters. Threat indicators identify the threat level of an email's subject, sender, domains, URLs, and MD5 and SHA256 attachment hash signatures.
-
cofense-threat-indicator-updateUpdates a threat indicator based on the values provided in the command arguments.
-
cofense-url-listRetrieves URLs based on the filter values provided in the command arguments. URLs are the threats (or non-threat) that are detected in the reported emails.
-
get-modified-remote-dataGets the list of incidents that were modified since the last update time. Note that this method is here for debugging purposes. The get-modified-remote-data command is used as part of a mirroring feature, which is available from Cortex XSOAR version 6.1.
-
get-remote-dataGet remote data from a remote incident. Please note that this method will not update the current incident, it's here for debugging purposes.