Message Quarantine - Cofense Vision
This playbook allows users to quarantine various messages that meet their specified criteria.
Cofense Vision · 11 tasks · 18 inputs · 45 outputs
Inputs
subjects— A comma-separated string of subjects to create a search for an email's subject. It supports the use of one or more wildcard characters (*) in any position of a subject. Note: The search can only have a maximum of 3 values.senders— A comma-separated string of senders to create a search for an email's sender. It supports the use of one or more wildcard characters (*) in any position of a sender's email address. Note: The search can only have a maximum of 3 values.attachment_names— A comma-separated string of attachment names to create a search for an email's attachments. It supports the use of one or more wildcard characters (*) in any position of an attachment name. Note: The search can only have a maximum of 3 values.attachment_hash_match_criteria— The type of matching performed on the hashes specified in the attachment_hashes argument. Possible values are: ALL: Emails must include all listed attachment hashes. ANY: Emails must contain at least one of the listed attachment hash.attachment_hashes— A comma-separated string of attachment hashes to create a search for an email's attachment hashes. Supported format: hashtype1:hashvalue1, hashtype2:hashvalue2 Possible values for hashtype are: MD5, SHA256 Example: md5:938c2cc0dcc05f2b68c4287040cfcf71 Note: The search can only have a maximum of 3 values.attachment_mime_types— A comma-separated string of MIME types to create a search for an email's attachment MIME type. Note: The search can only have a maximum of 3 values.attachment_exclude_mime_types— A comma-separated string of MIME types to create a search for excluding an email's attachment MIME type. Note: The search can only have a maximum of 3 values.domain_match_criteria— The type of matching to perform on the domains specified in the domains argument. Possible values are: ALL: Emails must include all listed domains. ANY: Emails must contain at least one of the listed domains.domains— A comma-separated string of domains to create a search for domains in an email's body or its attachment. You can change the type of matching that happens on the specified domains using the domain_match_criteria argument. Note: The search can only have a maximum of 3 values.whitelist_urls— A comma-separated string of URLs to be whitelisted. Note: The search can only have a maximum of 3 values.headers— A comma-separated string of key-value pairs, defining the additional criteria to search for in the email header. Supported format: key1:value1, key2:value1:value2:value3 Example: Content-Type:application/json List of available headers to create a search can be retrieved by using the command 'cofense-searchable-headers-list'. Note: The search can only have a maximum of 3 values.internet_message_id— The unique identifier of the email, enclosed in angle brackets. This argument is case-sensitive. Example: <513C8CD8-E593-4DC4-82BF6202E8AC95CB@example.com>partial_ingest— Whether to create a search with partially ingested emails (true) or not with partially ingested emails (false).received_after_date— Date and time to create a search for emails to specify the received on or after the specified UTC date and time. Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Zreceived_before_date— Date and time to create a search for emails to specify the received before or on the specified UTC date and time. Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Zrecipient— Create a search with the specified recipient. Supports one or more wildcard characters (*) in any position of a recipient's email address.url— Create a search with the specified url. Supports one or more wildcard characters (*) in any position of the URL.message_size— The number of results to retrieve per page. The value must be a positive integer up to 2000. Default value is '50'
Outputs
Cofense.Search.Message.id— The ID of the message.Cofense.Search.Message.subject— The subject of the message.Cofense.Search.Message.receivedOn— The date and time when the message was received by the recipient.Cofense.Search.Message.sentOn— The date and time when the message was sent by the sender.Cofense.Search.Message.md5— The MD5 hash of the message.Cofense.Search.Message.internetMessageId— Unique identifier of the email.Cofense.Search.Message.from.address— The email address of the sender.Cofense.Search.Message.headers.value— The value of the header key.Cofense.Search.Message.headers.name— The name of the header key.Cofense.Search.Message.recipients.address— The email address of the recipient.Cofense.Search.Message.attachments.filename— The name of the attachment file.Cofense.Search.Message.attachments.md5— The MD5 hash of the attachment.Cofense.Search.Message.attachments.id— The ID of the attachment.Cofense.Message.id— ID of the message in cofense vision.Cofense.Message.subject— Subject of the email.Cofense.Message.receivedOn— Date and time an email was received by the recipient.Cofense.Message.sentOn— Date and time an email was sent to the recipient.Cofense.Message.md5— MD5 hash of the message.Cofense.Message.internetMessageId— ID of an email assigned by the message transfer agent.Cofense.Message.matchingIOCs— MD5 hash of one or more matching IOCs.Cofense.Message.matchingSources— One or more matching IOC sources.Cofense.Message.from.address— An email address of the sender.Cofense.Message.headers.name— The name of the key in the header.Cofense.Message.headers.value— The value of the key in the header.Cofense.Message.recipients.address— Email address of the recipient.Cofense.Message.attachments.filename— The name of the attachment file.Cofense.Message.attachments.md5— The MD5 hash of the attachment.Cofense.Message.attachments.id— The ID of the attachment.Cofense.QuarantineJob.id— ID of the quarantine job in cofense vision.Cofense.QuarantineJob.emailCount— Number of emails quarantined.Cofense.QuarantineJob.matchingIOCs— MD5 hash of one or more matching IOCs.Cofense.QuarantineJob.matchingSources— One or more IOC sources.Cofense.QuarantineJob.quarantineEmails.id— ID in cofense vision.Cofense.QuarantineJob.quarantineEmails.internetMessageID— ID of the email assigned by the message transfer agent.Cofense.QuarantineJob.quarantineEmails.recipientAddress— Email address of the account containing the emails to be quarantined.Cofense.QuarantineJob.quarantineEmails.status— Status of the email.Cofense.QuarantineJob.quarantineJobRuns.id— ID of the quarantine job in Cofense Vision.Cofense.QuarantineJob.quarantineJobRuns.status— Status of the quarantine job.Cofense.QuarantineJob.quarantineJobRuns.total— Total number of emails in the quarantine job.Cofense.Search.Message.from.id— The ID of the sender.Cofense.Search.Message.headers.id— The ID of the header.Cofense.QuarantineJob.matchingIocInfo.id— MD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.Cofense.QuarantineJob.matchingIocInfo.attributes.threat_type— Threat type of the IOC match.Cofense.QuarantineJob.matchingIocInfo.attributes.threat_value— Actual value of the IOC match in the email.Cofense.QuarantineJob.matchingIocInfo.metadata.source— Data that the IOC source reads and writes.
Commands used
cofense-message-metadata-get
cofense-message-search-create
cofense-message-search-results-get
cofense-quarantine-job-create