Cofense Intelligence (Deprecated)

This Integration is part of the Cofense Intelligence (Deprecated) Pack.#

Deprecated

Use Cofense Intelligence v2 instead.

Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses.

Configure Cofense Intelligence in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g., https://www.threathq.com/apiv1) | | True |
| API username | | True |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | | False |
| URL Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the URL malicious | | False |
| File Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the file malicious | | False |
| IP Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the IP malicious | | False |
| Email Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the email malicious | | False |
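
How a minimum-severity threshold of this kind can be turned into a DBotScore, as an added example that is not the integration's own code. The function names, the rule for matches below the threshold, and the sample severities are assumptions; the severity names and the context shape come from this page.

```python
"""Added illustration of severity-threshold scoring; not the integration's code."""

# Severity levels named in the threshold parameters on this page, lowest first.
SEVERITY_ORDER = ["None", "Minor", "Moderate", "Major"]

# DBotScore values used by Cortex XSOAR.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3


def severity_rank(level):
    """Return the position of a severity name, ignoring case and whitespace."""
    name = str(level).strip().capitalize()
    if name not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity: {level!r}")
    return SEVERITY_ORDER.index(name)


def dbot_score(threat_severities, threshold):
    """Score an indicator from the severities of the threats that mention it."""
    if not threat_severities:
        return UNKNOWN  # no intelligence found, as in the Context Examples
    worst = max(severity_rank(s) for s in threat_severities)
    if worst >= severity_rank(threshold):
        return BAD  # meets the configured minimum severity
    # Assumption: a match below the threshold is suspicious unless it is "None".
    return SUSPICIOUS if worst > 0 else UNKNOWN


def build_context(indicator, indicator_type, threat_severities, threshold,
                  reliability="B - Usually reliable"):
    """Build a DBotScore entry shaped like the Context Examples on this page."""
    return {
        "DBotScore": {
            "Indicator": indicator,
            "Reliability": reliability,
            "Score": dbot_score(threat_severities, threshold),
            "Type": indicator_type,
            "Vendor": "Cofense",
        }
    }


if __name__ == "__main__":
    # Constructed sample: one indicator seen in two threats, threshold "Major".
    print(build_context("example.com", "url", ["Minor", "Moderate"], "Major"))
```

Setting a threshold to None in this model marks every matched indicator as malicious, so a stricter value such as Major keeps low-impact matches out of automated blocking playbooks.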

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

url#


Checks the reputation of a URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| URL.Data | unknown | Bad URLs. |
| URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Cofense.URL.Data | unknown | Bad URLs. |
| Cofense.URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
| Cofense.URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
| Cofense.URL.Cofense.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |

Command Example#

!url url=example.com using="Cofense Intelligence_instance_1"

Context Example#

{
    "DBotScore": {
        "Indicator": "example.com",
        "Reliability": "B - Usually reliable",
        "Score": 0,
        "Type": "url",
        "Vendor": "Cofense"
    }
}

Human Readable Output#

Cofense URL Reputation for: example.com#

No information found for this url

file#


Checks the reputation of a file hash.

Base Command#

file

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| file | A CSV list of file hashes to check (MD5, SHA1, or SHA256). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| File.MD5 | unknown | File MD5 |
| File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
| File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Cofense.File.MD5 | unknown | MD5 hash of the file. |
| Cofense.File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
| Cofense.File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
| Cofense.File.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |

Command Example#

Human Readable Output#

ip#


Checks the reputation of an IP address.

Base Command#

ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| IP.Data | unknown | Bad IP address found. |
| IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Cofense.IP.Data | unknown | Bad IP address found. |
| Cofense.IP.Malicious.Vendor | unknown | For malicious IPs, the vendor that made the decision. |
| Cofense.IP.Malicious.Description | unknown | For malicious IPs, the reason that the vendor made the decision. |
| Cofense.IP.Cofense.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |
| IP.ASN | unknown | Autonomous System name for the IP. |
| IP.GEO.Location | unknown | Location in format latitude, longitude. |
| IP.GEO.Country | unknown | Country of the IP. |
| IP.Address | string | IP address. |

Command Example#

!ip ip=1.2.3.4 using="Cofense Intelligence_instance_1"

Context Example#

{
    "DBotScore": {
        "Indicator": "1.2.3.4",
        "Reliability": "B - Usually reliable",
        "Score": 0,
        "Type": "ip",
        "Vendor": "Cofense"
    }
}

Human Readable Output#

Cofense IP Reputation for: x.x.x.x#

No information found for this ip

email#


Checks the reputation of an email address.

Base Command#

email

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Sender email address to check. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Email.Data | unknown | Sender address to check. |
| Account.Email.Address | unknown | Sender email address to check. |
| Account.Email.Malicious.Vendor | unknown | For malicious emails, the vendor that made the decision. |
| Account.Email.Malicious.Description | unknown | For malicious emails, the reason that the vendor made the decision. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Cofense.Email.Data | unknown | Sender address to check. |
| Cofense.Email.Malicious.Vendor | unknown | For malicious emails, the vendor that made the decision. |
| Cofense.Email.Malicious.Description | unknown | For malicious emails, the reason that the vendor made the decision. |
| Cofense.Email.Cofense.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |

Command Example#

!email email=example@example.com using="Cofense Intelligence_instance_1"

Context Example#

{
    "DBotScore": {
        "Indicator": "example@example.com",
        "Reliability": "B - Usually reliable",
        "Score": 0,
        "Type": "email",
        "Vendor": "Cofense"
    }
}

Human Readable Output#

Cofense email Reputation for: example@example.com#

No infomation found for this email

cofense-search#


Searches for extracted strings identified within malware campaigns.

Base Command#

cofense-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| str | String to search. | Required |
| limit | Maximum number of strings to search. Default is 10. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.NumOfThreats | unknown | Number of threats. |
| Cofense.String | unknown | String that was searched. |

Command Example#

Human Readable Output#