Cofense Intelligence (Deprecated)
#
This Integration is part of the Cofense Intelligence (Deprecated) Pack.
Deprecated
Use Cofense Intelligence v2 instead.
Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses.
#
Configure Cofense Intelligence in Cortex

Parameter | Description | Required |
---|---|---|
Server URL (e.g., https://www.threathq.com/apiv1) | | True |
API username | | True |
Source Reliability | Reliability of the source providing the intelligence data. | True |
Use system proxy settings | | False |
Trust any certificate (not secure) | | False |
URL Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the URL malicious | | False |
File Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the file malicious | | False |
IP Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the IP malicious | | False |
Email Threshold (None, Minor, Moderate, or Major). Minimum severity to consider the email malicious | | False |
#
Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
url
Checks the reputation of a URL.
#
Base Command
url
#
Input

Argument Name | Description | Required |
---|---|---|
url | URL to check. | Required |
#
Context Output

Path | Type | Description |
---|---|---|
URL.Data | unknown | Bad URLs. |
URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Cofense.URL.Data | unknown | Bad URLs. |
Cofense.URL.Malicious.Vendor | unknown | For malicious URLs, the vendor that made the decision. |
Cofense.URL.Malicious.Description | unknown | For malicious URLs, the reason that the vendor made the decision. |
Cofense.URL.Cofense.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |
#
Command Example
!url url=example.com using="Cofense Intelligence_instance_1"
#
Context Example
#
Human Readable Output
Cofense URL Reputation for: example.com
No information found for this url
#
file
Checks the reputation of a file hash.
#
Base Command
file
#
Input

Argument Name | Description | Required |
---|---|---|
file | A CSV list of file hashes to check (MD5, SHA1, or SHA256). | Required |
#
Context Output

Path | Type | Description |
---|---|---|
File.MD5 | unknown | File MD5 |
File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
Cofense.File.MD5 | unknown | MD5 hash of the file. |
Cofense.File.Malicious.Vendor | unknown | For malicious files, the vendor that made the decision. |
Cofense.File.Malicious.Description | unknown | For malicious files, the reason that the vendor made the decision. |
Cofense.File.ThreatIDs | unknown | The threat IDs retrieved by the vendor. |