
# Cofense Intelligence v2

This Integration is part of the Cofense Intelligence v2 Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the Cofense Intelligence integration to check the reputation of domains, URLs, IP addresses, file hashes, and email addresses. This integration was integrated and tested with version 2 of Cofense Intelligence.

Some changes have been made that might affect your existing content. For more information, see Breaking Changes.

Search for threats associated with an indicator. The verdict (Unknown, Benign, Suspicious, Malicious) of each threat is determined by the impact (None, Minor, Moderate, Major) of its associated web locations as detected by Cofense, together with a threshold value set by the user when configuring the instance:

For each threat, if the searched indicator is found in the report, its impact is used as the verdict; otherwise the maximal impact in the report is used.

Example: Threshold = Major (Default value)

| Threat ID | Impact | DBot score | Adjusted Verdict |
| --- | --- | --- | --- |
| 1 | Minor | Suspicious | Suspicious |
| 2 | Moderate | Suspicious | Suspicious |
| 3 | Major | Bad | Malicious |
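The verdict rule above, worked through in code. This is an added example, not the integration's own code: the sample threats are trimmed, constructed copies of the context examples on this page, mapping an impact of None to Unknown and aggregating several threats by taking the worst verdict are assumptions, and the score mapping string is the instance parameter shown in the configuration table.

```python
"""Per-threat verdict for Cofense Intelligence results (added example)."""
from typing import Dict, List

# DBot score values used by Cortex XSOAR.
UNKNOWN, BENIGN, SUSPICIOUS, MALICIOUS = 0, 1, 2, 3
VERDICT_NAMES = {UNKNOWN: "Unknown", BENIGN: "Benign",
                 SUSPICIOUS: "Suspicious", MALICIOUS: "Malicious"}

# Default value of the "Score Mapping" instance parameter.
DEFAULT_SCORE_MAPPING = "None:0, Minor:1, Moderate:2, Major:3"


def parse_score_mapping(mapping: str) -> Dict[str, int]:
    """Parse 'None:0, Minor:1, ...' into {rating: rank}; reject malformed entries."""
    ranking: Dict[str, int] = {}
    for item in mapping.split(","):
        rating, _, score = item.strip().partition(":")
        if not rating or not score.strip().isdigit():
            raise ValueError(f"bad score mapping entry: {item!r}")
        ranking[rating.strip()] = int(score)
    return ranking


def threat_impact(threat: dict, indicator: str, ranking: Dict[str, int]) -> str:
    """Impact of the blockSet entry whose data matches the searched indicator;
    if no entry matches, the maximal impact found in the threat's blockSet."""
    blocks = threat.get("blockSet") or []
    for block in blocks:
        if block.get("data") == indicator:
            return block.get("impact", "None")
    return max((b.get("impact", "None") for b in blocks),
               key=lambda impact: ranking.get(impact, 0), default="None")


def threat_verdict(threat: dict, indicator: str, threshold: str = "Major",
                   mapping: str = DEFAULT_SCORE_MAPPING) -> int:
    """Impact at or above the threshold -> Malicious; below it -> Suspicious
    (as in the example table); impact None / unrated -> Unknown (assumption)."""
    ranking = parse_score_mapping(mapping)
    if threshold not in ranking:
        raise ValueError(f"threshold {threshold!r} is not a known rating")
    rank = ranking.get(threat_impact(threat, indicator, ranking), 0)
    if rank >= ranking[threshold]:
        return MALICIOUS
    return UNKNOWN if rank == 0 else SUSPICIOUS


def dbot_score(threats: List[dict], indicator: str, threshold: str = "Major",
               mapping: str = DEFAULT_SCORE_MAPPING) -> int:
    """Worst verdict over all threats returned for the indicator (assumption)."""
    return max((threat_verdict(t, indicator, threshold, mapping) for t in threats),
               default=UNKNOWN)


# Constructed sample data, trimmed from the page's context examples plus one
# two-entry blockSet to show that a matching entry beats a higher maximum.
SAMPLE_THREATS = [
    {"id": 125002, "blockSet": [
        {"blockType": "IPv4 Address", "data": "8.8.8.8", "impact": "Minor"}]},
    {"id": 158959, "blockSet": [
        {"blockType": "Email", "data": "email@email.com", "impact": "Major", "role": "C2"}]},
    {"id": 1, "blockSet": [  # constructed
        {"blockType": "IPv4 Address", "data": "198.51.100.7", "impact": "Minor"},
        {"blockType": "Domain Name", "data": "c2.example", "impact": "Major"}]},
]

if __name__ == "__main__":
    for threat in SAMPLE_THREATS:
        for block in threat["blockSet"]:
            verdict = threat_verdict(threat, block["data"])
            print(threat["id"], block["data"], VERDICT_NAMES[verdict])
```

With the default threshold of Major the first sample reproduces the page's `ip` context example (Score 2, Suspicious) and the second its `file` example (the hash is not in the blockSet, so the maximal impact Major yields Score 3).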

## Configure CofenseIntelligenceV2 in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL | The API endpoint (https://www.threathq.com) | True |
| Token Name | Cofense API Token name | True |
| Password | Cofense API password | True |
| Source Reliability | Reliability of the source providing the intelligence data. | False |
| IP Threshold | Threshold for IP related threats' severity. | False |
| File Threshold | Threshold for file related threats' severity. | False |
| URL Threshold | Threshold for URL related threats' severity. | False |
| Email Threshold | Threshold for email related threats' severity. | False |
| Domain Threshold | Threshold for domain related threats' severity. | False |
| Time limit for collecting data | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | |
| Create relationships | Create relationships between indicators as part of Enrichment. | False |
| Score Mapping | Mapping of Cofense Intelligence indicator rating to XSOAR DBot Score standard rating. For example: None:0, Minor:1, Moderate:2, Major:3. Note: Cofense Indicator ratings are Major, Minor, Moderate, None. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |

## Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### ip

Checks the reputation of an IP address.

#### Base Command

`ip`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.ASN | unknown | The autonomous system name for the IP address. |
| IP.GEO.Location | unknown | The geolocation where the IP address is located, in the format of latitude: longitude. |
| IP.GEO.Country | unknown | The country in which the IP address is located. |
| IP.Address | unknown | IP address. |
| IP.MalwareFamily | unknown | The malware family associated with the IP address. |
| IP.Relationships.EntityA | String | The source of the relationship. |
| IP.Relationships.EntityB | String | The destination of the relationship. |
| IP.Relationships.Relationship | String | The name of the relationship. |
| IP.Relationships.EntityAType | String | The type of the source of the relationship. |
| IP.Relationships.EntityBType | String | The type of the destination of the relationship. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | The reliability of the source providing the intelligence data. |
| CofenseIntelligence.IP.Data | String | The IP address. |
| CofenseIntelligence.IP.Threats.id | Number | Threat ID. |
| CofenseIntelligence.IP.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.IP.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.IP.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.IP.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.IP.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.IP.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.IP.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.IP.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.IP.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.IP.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.IP.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.IP.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.IP.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.IP.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.IP.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.IP.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.IP.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.IP.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.IP.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.IP.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.IP.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.IP.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.IP.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.IP.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.IP.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderIpSet.ip | String | One of possibly many IP addresses used in the delivery of the email. |
| CofenseIntelligence.IP.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.IP.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.IP.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.IP.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.IP.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.IP.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.IP.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.IP.Threats.reportURL | String | Direct URL to the human readable report for this campaign. |
| CofenseIntelligence.IP.Threats.apiReportURL | String | URL to the human readable report for this campaign. |
| CofenseIntelligence.IP.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.IP.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.IP.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.IP.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

#### Command Example

`!ip ip=8.8.8.8 using=CofenseIntelligenceV2_instance`

#### Context Example

```json
{
  "CofenseIntelligence": {
    "IP": {
      "Data": "8.8.8.8",
      "Threats": [
        {
          "apiReportURL": "https://www.threathq.com/apiv1/t3/malware/125002/html",
          "blockSet": [
            {
              "blockType": "IPv4 Address",
              "confidence": 0,
              "data": "8.8.8.8",
              "data_1": "8.8.8.8",
              "impact": "Minor",
              "ipDetail": {
                "asn": 23456,
                "continentCode": "AS",
                "continentName": "Asia",
                "countryIsoCode": "IN",
                "countryName": "India",
                "ip": "8.8.8.8",
                "isp": "Seema Infotech",
                "latitude": 20,
                "longitude": 77,
                "lookupOn": 1616428612903,
                "organization": "Seema Infotech",
                "timeZone": "Asia/Kolkata"
              }
            }
          ],
          "campaignBrandSet": [
            {
              "brand": {
                "id": 2051,
                "text": "None"
              },
              "totalCount": 1
            }
          ],
          "campaignLanguageSet": [
            {
              "languageDefinition": {
                "family": "Indo-European",
                "isoCode": "en",
                "name": "English",
                "nativeName": "English"
              }
            }
          ],
          "deliveryMechanisms": [],
          "domainSet": [],
          "executableSet": [],
          "executiveSummary": "summary",
          "extractedStringSet": [],
          "feeds": [],
          "firstPublished": 1616428569154,
          "hasReport": true,
          "id": 125002,
          "label": "Finance - FormGrabber",
          "lastPublished": 1616428570962,
          "malwareFamilySet": [
            {
              "description": "FormGrabber is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.",
              "familyName": "FormGrabber"
            }
          ],
          "naicsCodes": [],
          "relatedSearchTags": [],
          "reportURL": "link",
          "senderEmailSet": [],
          "senderIpSet": [],
          "senderNameSet": [],
          "spamUrlSet": [],
          "subjectSet": [
            {
              "subject": "subject",
              "totalCount": 1
            }
          ],
          "threatDetailURL": "",
          "threatType": "MALWARE"
        }
      ]
    }
  },
  "DBotScore": {
    "Indicator": "8.8.8.8",
    "Reliability": "B - Usually reliable",
    "Score": 2,
    "Type": "ip",
    "Vendor": "CofenseIntelligenceV2"
  },
  "IP": {
    "ASN": 23456,
    "Address": "8.8.8.8",
    "Geo": {
      "Country": "IN",
      "Location": "20.0:77.0"
    },
    "MalwareFamily": "FormGrabber"
  }
}
```

#### Human Readable Output

##### Cofense IP Reputation for IP 8.8.8.8

| Threat ID | Threat Type | Verdict | Executive Summary | Campaign | Malware Family Description | Last Published | ASN | Country | Threat Report |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 125002 | type | Suspicious | summary | Campaign | Family Description | 2021-03-22 15:56:10 | ASN | country | link |

### cofense-search

Retrieves a specific threat or a list of threats based on the filter values provided in the command arguments.

#### Base Command

`cofense-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| str | String to search. | Optional |
| limit | Maximum number of strings to search. Default is 10. | Optional |
| days_back | Limit the number of days from which we should start returning data. A 90 days limit is recommended by Cofense. | Optional |
| malware_family | The malware family associated with a malware campaign. | Optional |
| malware_file | The filename associated with a phishing or malware campaign. | Optional |
| malware_subject | Search the message subject associated with malware campaigns. | Optional |
| url | A specific URL to search for. Note: this supports exact and partial matching of URLs. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CofenseIntelligence.Threats.id | Number | Threat ID. |
| CofenseIntelligence.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderIpSet.ip | String | One of possibly many IP addresses used in the delivery of the email. |
| CofenseIntelligence.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.Threats.reportURL | String | Direct URL to the human readable report for this campaign. |
| CofenseIntelligence.Threats.apiReportURL | String | URL to the human readable report for this campaign. |
| CofenseIntelligence.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

#### Command Example

`!cofense-search str=border using=CofenseIntelligenceV2_instance`

#### Context Example

```json
{
  "CofenseIntelligence": {
    "Threats": {
      "apiReportURL": "url",
      "blockSet": [],
      "campaignBrandSet": [],
      "campaignLanguageSet": [
        {
          "languageDefinition": {
            "family": "Indo-European",
            "isoCode": "en",
            "name": "English",
            "nativeName": "English"
          }
        }
      ],
      "deliveryMechanisms": [],
      "domainSet": [
        {
          "domain": "szmc.goldentec.com",
          "totalCount": 3
        }
      ],
      "executableSet": [],
      "executiveSummary": "summary",
      "extractedStringSet": [
        {
          "data": "border",
          "malwareFamily": {
            "description": "An instance of credential phishing",
            "familyName": "Credential Phishing"
          }
        }
      ],
      "feeds": [
        {
          "displayName": "Cofense",
          "id": 23,
          "permissions": {
            "OWNER": false,
            "READ": true,
            "WRITE": false
          }
        }
      ],
      "firstPublished": 1618498390036,
      "hasReport": true,
      "id": 178991,
      "label": "Refund - Credential Phishing",
      "lastPublished": 1618498391774,
      "malwareFamilySet": [
        {
          "description": "An instance of credential phishing",
          "familyName": "Credential Phishing"
        }
      ],
      "naicsCodes": [],
      "relatedSearchTags": [],
      "reportURL": "link",
      "senderEmailSet": [],
      "senderIpSet": [],
      "senderNameSet": [],
      "threatDetailURL": "link",
      "threatType": "MALWARE"
    }
  }
}
```

#### Human Readable Output

##### There are 1 threats regarding your string search

| Threat ID | Threat Type | Executive Summary | Campaign | Malware Family | Malware File | Malware Subject | Malware Family Description | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 178991 | type | summary | Refund - Credential Phishing | Family | File | Subject | Family Description | 2021-04-15 14:53:11 | Link |

### file

Checks the reputation of a file hash.

#### Base Command

`file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The hash of the file to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Extension | Unknown | The file extension. |
| File.MD5 | Unknown | The MD5 hash of the file. |
| File.sha1 | String | The SHA-1 hash of the file. |
| File.sha256 | String | The SHA-256 hash of the file. |
| File.sha512 | String | The SHA-512 hash of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.Type | String | The file type. |
| File.Hashes.type | String | The hash type. |
| File.Hashes.value | String | The hash value. |
| File.Malicious.Description | Unknown | A description explaining why the file was determined to be malicious. |
| File.Malicious.Vendor | Unknown | The vendor who reported the file as malicious. |
| File.MalwareFamily | Unknown | The malware family associated with the file. |
| File.Name | Unknown | The full file name. |
| File.Relationships.EntityA | String | The source of the relationship. |
| File.Relationships.EntityB | String | The destination of the relationship. |
| File.Relationships.Relationship | String | The name of the relationship. |
| File.Relationships.EntityAType | String | The type of the source of the relationship. |
| File.Relationships.EntityBType | String | The type of the destination of the relationship. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | The reliability of the source providing the intelligence data. |
| CofenseIntelligence.File.Data | String | The file hash. |
| CofenseIntelligence.File.Threats.id | Number | Threat ID. |
| CofenseIntelligence.File.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.File.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.File.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.File.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.File.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.File.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.File.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.File.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.File.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.File.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.File.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.File.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.File.Threats.campaignBrandSet.totalCount | Number | Number of individual messages associated with this brand. |
| CofenseIntelligence.File.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.File.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.File.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.File.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.File.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.File.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.File.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.File.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.File.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.File.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.File.Threats.executableSet.ssdeep | String | The ssdeep hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.File.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.File.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.File.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.File.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderIpSet.ip | String | One of possibly many IP addresses used in the delivery of the email. |
| CofenseIntelligence.File.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.File.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.File.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.File.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.File.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.File.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.File.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.File.Threats.reportURL | String | Direct URL to the human readable report for this campaign. |
| CofenseIntelligence.File.Threats.apiReportURL | String | URL to the human readable report for this campaign. |
| CofenseIntelligence.File.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.File.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.File.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.File.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

#### Command Example

`!file file=9798ba6199168e6d2cf205760ea683d1 using=CofenseIntelligenceV2_instance`

#### Context Example

```json
{
  "CofenseIntelligence": {
    "File": {
      "Data": "9798ba6199168e6d2cf205760ea683d1",
      "Threats": [
        {
          "apiReportURL": "https://www.threathq.com/apiv1/t3/malware/158959/html",
          "blockSet": [
            {
              "blockType": "Email",
              "confidence": 0,
              "data": "email@email.com",
              "data_1": "email@email.com",
              "impact": "Major",
              "malwareFamily": {
                "description": "Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.",
                "familyName": "Agent Tesla"
              },
              "role": "C2",
              "roleDescription": "Command and control location used by malware"
            }
          ],
          "campaignBrandSet": [
            {
              "brand": {
                "id": 2051,
                "text": "None"
              },
              "totalCount": 1
            }
          ],
          "campaignLanguageSet": [
            {
              "languageDefinition": {
                "family": "Indo-European",
                "isoCode": "en",
                "name": "English",
                "nativeName": "English"
              }
            }
          ],
          "deliveryMechanisms": [
            {
              "description": "Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution",
              "mechanismName": "CVE-2017-11882"
            }
          ],
          "domainSet": [],
          "executableSet": [
            {
              "dateEntered": 1598576136841,
              "deliveryMechanism": {
                "description": "Microsoft Office documents with macro scripting for malware delivery",
                "mechanismName": "OfficeMacro"
              },
              "fileName": "bobbyx.exe",
              "fileNameExtension": "exe",
              "md5Hex": "9798ba6199168e6d2cf205760ea683d1",
              "severityLevel": "Major",
              "sha1Hex": "dcfad03686e029646d6118a5edd18a3b56a2c358",
              "sha224Hex": "78c4f0f7f8c90d137fcb633b6c2c24e2a9f6b9c6054e5de1157d1bed",
              "sha256Hex": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a",
              "sha384Hex": "9bd5ab8d458cf2bd64e6942dd586b5456f4a37d73ae788e4acbef666332c7ed00672fa4bc714d1f5b1b826f8e32ca6fe",
              "sha512Hex": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03",
              "ssdeep": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp",
              "type": "Attachment",
              "vendorDetections": []
            }
          ],
          "executiveSummary": "summary",
          "extractedStringSet": [],
          "feeds": [
            {
              "displayName": "Cofense",
              "id": 23,
              "permissions": {
                "OWNER": false,
                "READ": true,
                "WRITE": false
              }
            }
          ],
          "firstPublished": 1616096866503,
          "hasReport": true,
          "id": 158959,
          "label": "Order - CVE-2017-11882, Agent Tesla Keylogger",
          "lastPublished": 1616096868262,
          "malwareFamilySet": [
            {
              "description": "Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.",
              "familyName": "Agent Tesla"
            }
          ],
          "naicsCodes": [],
          "relatedSearchTags": [],
          "reportURL": "link",
          "senderEmailSet": [],
          "senderIpSet": [],
          "senderNameSet": [],
          "spamUrlSet": [],
          "subjectSet": [
            {
              "subject": "RFQ ",
              "totalCount": 1
            }
          ],
          "threatDetailURL": "url",
          "threatType": "MALWARE"
        }
      ]
    }
  },
  "DBotScore": {
    "Indicator": "9798ba6199168e6d2cf205760ea683d1",
    "Reliability": "B - Usually reliable",
    "Score": 3,
    "Type": "file",
    "Vendor": "CofenseIntelligenceV2"
  },
  "File": {
    "Extension": "exe",
    "MD5": "9798ba6199168e6d2cf205760ea683d1",
    "sha1": "dcfad03686e029646d6118a5edd18a3b56a2c358",
    "sha256": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a",
    "sha512": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03",
    "SSDeep": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp",
    "Type": "Attachment",
    "Malicious": {
      "Description": null,
      "Vendor": "CofenseIntelligenceV2"
    },
    "Hashes": [
      {
        "type": "MD5",
        "value": "9798ba6199168e6d2cf205760ea683d1"
      },
      {
        "type": "sha1",
        "value": "dcfad03686e029646d6118a5edd18a3b56a2c358"
      },
      {
        "type": "sha256",
        "value": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a"
      },
      {
        "type": "sha512",
        "value": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03"
      },
      {
        "type": "SSDeep",
        "value": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp"
      }
    ],
    "MalwareFamily": "Agent Tesla",
    "Name": "bobbyx.exe"
  }
}
```

#### Human Readable Output

##### Cofense file Reputation for file 9798ba6199168e6d2cf205760ea683d1

| Threat ID | Threat Type | Verdict | Executive Summary | Campaign | Malware Family Description | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 158959 | type | Malicious | summary | campaign name | Family Description | 2021-03-18 19:47:48 | Link |

### email

Checks the reputation of an email address.

#### Base Command

`email`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Sender email address to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | The reliability of the source providing the intelligence data. |
| Email.Relationships.EntityA | String | The source of the relationship. |
| Email.Relationships.EntityB | String | The destination of the relationship. |
| Email.Relationships.Relationship | String | The name of the relationship. |
| Email.Relationships.EntityAType | String | The type of the source of the relationship. |
| Email.Relationships.EntityBType | String | The type of the destination of the relationship. |
| CofenseIntelligence.Email.Data | String | The email address. |
| CofenseIntelligence.Email.Threats.id | Number | Threat ID. |
| CofenseIntelligence.Email.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.Email.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.Email.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.Email.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.Email.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.Email.Threats.blockSet.confidence | Number | The level of confidence in the threat's block. |
| CofenseIntelligence.Email.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.Email.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.Email.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.Email.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.Email.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.Email.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Email.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.Email.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.Email.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.Email.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.Email.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.Email.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.Email.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.Email.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.Email.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.Email.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.Email.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.Email.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.Email.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.Email.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.Email.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.Email.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.Email.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.Email.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.Email.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.Email.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.Email.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.Email.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.Email.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.Email.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.Email.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.Email.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

Command Example#

!email email=email@email.com using=CofenseIntelligenceV2_instance_1_copy

Context Example#

{
"CofenseIntelligence": {
"Email": {
"Data": "email@email.com",
"Threats": [
{
"apiReportURL": "report",
"blockSet": [
{
"blockType": "Email",
"confidence": 0,
"data": "email@email.com",
"data_1": "email@email.com",
"impact": "Major",
"malwareFamily": {
"familyName": "Agent Tesla"
},
"role": "C2",
"roleDescription": "Command and control location used by malware"
}
],
"campaignBrandSet": [
{
"brand": {
"id": 2051,
"text": "None"
},
"totalCount": 1
}
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"domainSet": [],
"executableSet": [],
"executiveSummary": "summary",
"extractedStringSet": [],
"firstPublished": 1616096866503,
"hasReport": true,
"id": 158959,
"label": "Order - CVE-2017-11882, Agent Tesla Keylogger",
"lastPublished": 1616096868262,
"malwareFamilySet": [
{
"familyName": "Agent Tesla"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "report",
"senderEmailSet": [],
"senderIpSet": [],
"senderNameSet": [],
"spamUrlSet": [],
"subjectSet": [
{
"subject": "RFQ ",
"totalCount": 1
}
],
"threatDetailURL": "url",
"threatType": "MALWARE"
}
]
}
},
"DBotScore": {
"Indicator": "email@email.com",
"Reliability": "B - Usually reliable",
"Score": 3,
"Type": "email",
"Vendor": "CofenseIntelligenceV2"
},
"Email": {
"Address": "email@email.com",
"Domain": "sankapatrol.com"
}
}

Human Readable Output#

Cofense email Reputation for email email@email.com#

| Threat ID | Threat Type | Verdict | Executive Summary | Campaign | Malware Family Description | Last Published | Threat Report |
|---|---|---|---|---|---|---|---|
| 158959 | Type | Malicious | Summary | Campaign name | Family Description | 2021-03-18 19:47:48 | link |

url#


Checks the reputation of a URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
|---|---|---|
| url | URL to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | The reliability of the source providing the intelligence data. |
| URL.Data | string | The URL. |
| URL.Malicious.Description | string | A description of the malicious URL. |
| URL.Malicious.Vendor | string | The vendor who reported the URL as malicious. |
| URL.Relationships.EntityA | String | The source of the relationship. |
| URL.Relationships.EntityB | String | The destination of the relationship. |
| URL.Relationships.Relationship | String | The name of the relationship. |
| URL.Relationships.EntityAType | String | The type of the source of the relationship. |
| URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
| CofenseIntelligence.URL.Data | String | The URL. |
| CofenseIntelligence.URL.Threats.id | Number | Threat ID. |
| CofenseIntelligence.URL.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.URL.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.URL.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.URL.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.URL.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.URL.Threats.blockSet.confidence | Number | The level of confidence in the threat's block. |
| CofenseIntelligence.URL.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.URL.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.URL.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.URL.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.URL.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.URL.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.URL.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.URL.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.URL.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.URL.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.URL.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.URL.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.URL.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.URL.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.URL.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.URL.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.URL.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.URL.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.URL.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.URL.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.URL.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.URL.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.URL.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.URL.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.URL.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.URL.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.URL.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.URL.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.URL.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.URL.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.URL.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.URL.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

Command Example#

!url url=url using=CofenseIntelligenceV2_instance

Context Example#

{
"CofenseIntelligence": {
"URL": {
"Data": "url",
"Threats": [
{
"apiReportURL": "report",
"blockSet": [
{
"blockType": "Domain Name",
"confidence": 0,
"data": "url",
"data_1": "url",
"impact": "Moderate",
"malwareFamily": {
"description": "description",
"familyName": "FormGrabber"
},
"role": "C2",
"roleDescription": "Command and control location used by malware"
},
{
"blockType": "URL",
"confidence": 0,
"data": "http://www.itool.group/cp5/",
"impact": "Major",
"malwareFamily": {
"familyName": "FormGrabber"
},
"role": "C2",
"roleDescription": "Command and control location used by malware"
}
],
"campaignBrandSet": [
{
"brand": {
"id": 2051,
"text": "None"
},
"totalCount": 1
}
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"deliveryMechanisms": [],
"domainSet": [],
"executableSet": [
],
"executiveSummary": "Finance-themed campaign delivers FormGrabber.",
"extractedStringSet": [],
"hasReport": true,
"id": 125002,
"label": "Finance - FormGrabber",
"lastPublished": 1616428570962,
"malwareFamilySet": [
{
"description": "FormGrabber is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.",
"familyName": "FormGrabber"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "url",
"senderEmailSet": [],
"senderIpSet": [],
"senderNameSet": [],
"spamUrlSet": [],
"threatDetailURL": "url",
"threatType": "MALWARE"
}
]
}
},
"DBotScore": {
"Indicator": "url",
"Reliability": "B - Usually reliable",
"Score": 3,
"Type": "url",
"Vendor": "CofenseIntelligenceV2"
},
"URL": {
"Data": "url",
"Malicious": {
"Description": null,
"Vendor": "CofenseIntelligenceV2"
}
}
}

Human Readable Output#

Cofense URL Reputation for url url#

| Threat ID | Threat Type | Verdict | Executive Summary | Campaign | Malware Family Description | Last Published | Threat Report |
|---|---|---|---|---|---|---|---|
| 125002 | threat type | Malicious | summary | Campaign name | Family Description | 2021-03-22 15:56:10 | Link |

domain#


Checks the reputation of a domain.

Base Command#

domain

Input#

| Argument Name | Description | Required |
|---|---|---|
| domain | Domain to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | The reliability of the source providing the intelligence data. |
| Domain.Name | String | The domain name. |
| Domain.Malicious.Description | String | A description of the malicious domain. |
| Domain.Malicious.Vendor | String | The vendor who reported the domain as malicious. |
| Domain.Relationships.EntityA | String | The source of the relationship. |
| Domain.Relationships.EntityB | String | The destination of the relationship. |
| Domain.Relationships.Relationship | String | The name of the relationship. |
| Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
| Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
| CofenseIntelligence.Domain.Data | String | The domain name. |
| CofenseIntelligence.Domain.Threats.id | Number | Threat ID. |
| CofenseIntelligence.Domain.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.Domain.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.Domain.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.Domain.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.Domain.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.Domain.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.Domain.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.Domain.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.Domain.Threats.blockSet.confidence | Number | The level of confidence in the threat's block. |
| CofenseIntelligence.Domain.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.Domain.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.Domain.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.Domain.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.Domain.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.Domain.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.Domain.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.Domain.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Domain.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Domain.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Domain.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.Domain.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Domain.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.Domain.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.Domain.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family. |
| CofenseIntelligence.Domain.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.Domain.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.Domain.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.Domain.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.Domain.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.Domain.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.Domain.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.Domain.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.Domain.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.Domain.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Domain.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.Domain.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Domain.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.Domain.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Domain.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.Domain.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.Domain.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.Domain.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.Domain.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.Domain.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.Domain.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.Domain.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.Domain.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.Domain.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.Domain.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.Domain.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |

Command Example#

!domain domain=www.sutomoresmestaj.net days_back=20000 using=CofenseIntelligenceV2_instance

Context Example#

{
"CofenseIntelligence": {
"Domain": {
"Data": "www.sutomoresmestaj.net",
"Threats": [
{
"apiReportURL": "https://www.threathq.com/apiv1/t3/malware/55110/html",
"blockSet": [
{
"blockType": "URL",
"confidence": 100,
"data": "http://tamymakeup.com/myclassapp/Rt/",
"data_1": {
"domain": "tamymakeup.com",
"host": "tamymakeup.com",
"path": "/myclassapp/Rt/",
"protocol": "http",
"url": "http://tamymakeup.com/myclassapp/Rt/"
},
"deliveryMechanism": {
"description": "Microsoft Office documents with macro scripting for malware delivery",
"mechanismName": "OfficeMacro"
},
"impact": "Major",
"role": "Payload",
"roleDescription": "Location from which a payload is obtained"
},
{
"blockType": "Domain Name",
"confidence": 100,
"data": "www.sutomoresmestaj.net",
"data_1": "www.sutomoresmestaj.net",
"deliveryMechanism": {
"description": "Microsoft Office documents with macro scripting for malware delivery",
"mechanismName": "OfficeMacro"
},
"impact": "Moderate",
"role": "Payload",
"roleDescription": "Location from which a payload is obtained"
}
],
"campaignBrandSet": [
{
"brand": {
"id": 2051,
"text": "None"
},
"totalCount": 1
}
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"campaignScreenshotSet": [],
"deliveryMechanisms": [
{
"description": "Microsoft Office documents with macro scripting for malware delivery",
"mechanismName": "OfficeMacro"
}
],
"domainSet": [],
"executableSet": [
{
"dateEntered": 1598576136841,
"deliveryMechanism": {
"description": "Microsoft Office documents with macro scripting for malware delivery",
"mechanismName": "OfficeMacro"
},
"fileName": "000685.doc",
"fileNameExtension": "doc",
"md5Hex": "28c311de9ab487265c0846487e528423",
"severityLevel": "Major",
"sha1Hex": "dcfad03686e029646d6118a5edd18a3b56a2c358",
"sha224Hex": "78c4f0f7f8c90d137fcb633b6c2c24e2a9f6b9c6054e5de1157d1bed",
"sha256Hex": "5eb93964840290b1a5e35577b2e7ed1c0f212ef275113d5ecdb4a85c127ae57a",
"sha384Hex": "9bd5ab8d458cf2bd64e6942dd586b5456f4a37d73ae788e4acbef666332c7ed00672fa4bc714d1f5b1b826f8e32ca6fe",
"sha512Hex": "4be7710c5d25b94861ace0a7ad83459163c6e294a511c41876e0d29a69d715a805bc859ad3f06a100141e245975893719a089c98cdffb60b3432119b66586f03",
"ssdeep": "3072:2vYy0u8YGgjv+ZvchmkHcI/o1/Vb6//////////////////////////////////p:S0uXnWFchmmcI/o1/3Jwnp",
"type": "Attachment",
"vendorDetections": []
}
],
"executiveSummary": "This report is part of our Emotet/Geodo series. Emotet is a malware family that was initially formed as a banking trojan but today often downloads additional malware payloads. We process very large Emotet campaigns containing thousands of stage one documents and we often find there are a small number of unique URLs and stage two payloads in each campaign. As such, you may notice these lists contain mostly document-specific IOCs, compared with fewer unique URLs and unique stage two payloads.",
"extractedStringSet": [],
"feeds": [
{
"displayName": "Cofense",
"id": 23,
"permissions": {
"OWNER": false,
"READ": true,
"WRITE": false
}
}
],
"firstPublished": 1598622645803,
"hasReport": true,
"id": 55110,
"label": "Finance or Response Themed - OfficeMacro, Emotet/Geodo",
"lastPublished": 1598622745988,
"malwareFamilySet": [
{
"description": "Adaptable financial crimes botnet trojan with email worm and malware delivery capabilities, also known as Emotet",
"familyName": "Emotet/Geodo"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "https://www.threathq.com/api/l/activethreatreport/55110/html",
"senderEmailSet": [],
"senderIpSet": [],
"senderNameSet": [],
"spamUrlSet": [],
"subjectSet": [
{
"subject": "Invoice",
"totalCount": 1
},
{
"subject": "Notice",
"totalCount": 1
},
{
"subject": "Purchase Order",
"totalCount": 1
},
{
"subject": "Report",
"totalCount": 1
},
{
"subject": "Response",
"totalCount": 1
},
{
"subject": "Scanned Document",
"totalCount": 1
}
],
"threatDetailURL": "https://www.threathq.com/p42/search/default?m=55110",
"threatType": "MALWARE"
}
]
}
},
"DBotScore": {
"Indicator": "www.sutomoresmestaj.net",
"Reliability": "B - Usually reliable",
"Score": 2,
"Type": "domain",
"Vendor": "CofenseIntelligenceV2"
},
"Domain": {
"Name": "www.sutomoresmestaj.net",
"Relationships": [
{
"EntityA": "www.sutomoresmestaj.net",
"EntityAType": "Domain",
"EntityB": "http://tamymakeup.com/myclassapp/Rt/",
"EntityBType": "URL",
"Relationship": "related-to"
},
{
"EntityA": "www.sutomoresmestaj.net",
"EntityAType": "Domain",
"EntityB": "www.sutomoresmestaj.net",
"EntityBType": "Domain Name",
"Relationship": "related-to"
}
]
}
}

Human Readable Output#

Cofense Domain Reputation for domain www.sutomoresmestaj.net#

| Threat ID | Threat Type | Verdict | Executive Summary | Campaign | Malware Family Description | Last Published | Threat Report |
|---|---|---|---|---|---|---|---|
| 55110 | MALWARE | Suspicious | This report is part of our Emotet/Geodo series. Emotet is a malware family that was initially formed as a banking trojan but today often downloads additional malware payloads. We process very large Emotet campaigns containing thousands of stage one documents and we often find there are a small number of unique URLs and stage two payloads in each campaign. As such, you may notice these lists contain mostly document-specific IOCs, compared with fewer unique URLs and unique stage two payloads. | Finance or Response Themed - OfficeMacro, Emotet/Geodo | Adaptable financial crimes botnet trojan with email worm and malware delivery capabilities, also known as Emotet | 2020-08-28 13:52:25 | https://www.threathq.com/api/l/activethreatreport/55110/html |
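Worked example of how the verdicts on this page are derived, added here as illustration (this is not the integration's own code). In the domain context example above, the searched indicator www.sutomoresmestaj.net appears in threat 55110's blockSet with impact Moderate, so under the default Major threshold the rule from the overview gives the threat a Suspicious verdict and the indicator a DBot score of 2, exactly what the context output shows; the same rule drives the email and url verdicts above. The code also builds the related-to relationships listed under Domain.Relationships. Assumptions the page does not spell out, labelled in the comments: an impact of None maps to Benign, an indicator with no threats is Unknown, and an indicator with several threats takes the worst per-threat score. The sample input is constructed: threat 55110 is trimmed from the context example, and a second made-up threat (placeholder id 0) in which the indicator does not appear exercises the "maximal impact in the report" path.

```python
"""Derive a DBot verdict and indicator relationships from a Cofense
Intelligence threat search result, following the rule stated at the top of
this page: if the searched indicator appears in a threat's blockSet, that
entry's impact decides the verdict; otherwise the highest impact in the
report does. Added example; not the integration's own code."""
from typing import Dict, List, Tuple

# Impact values (stixVocabs:ImpactRatingVocab-1.0), ordered by severity.
IMPACT_RANK: Dict[str, int] = {"None": 0, "Minor": 1, "Moderate": 2, "Major": 3}

# Cortex XSOAR DBotScore values and the verdict names used on this page.
UNKNOWN, GOOD, SUSPICIOUS, BAD = 0, 1, 2, 3
VERDICT_NAME = {UNKNOWN: "Unknown", GOOD: "Benign", SUSPICIOUS: "Suspicious", BAD: "Malicious"}


def threat_impact(threat: dict, indicator: str) -> str:
    """Impact that decides this threat's verdict for the searched indicator."""
    blocks = threat.get("blockSet") or []
    for block in blocks:
        if block.get("data") == indicator:          # indicator found in the report
            return block.get("impact") or "None"
    # Not found: fall back to the maximal impact across the whole blockSet.
    return max((b.get("impact") or "None" for b in blocks),
               key=lambda i: IMPACT_RANK.get(i, 0), default="None")


def impact_to_score(impact: str, threshold: str = "Major") -> int:
    """Map an impact to a DBot score against the configured threshold:
    at or above the threshold is Malicious, anything lower but not 'None'
    is Suspicious. Assumption (not stated on the page): 'None' is Benign."""
    rank = IMPACT_RANK.get(impact, 0)
    if rank == 0:
        return GOOD
    return BAD if rank >= IMPACT_RANK.get(threshold, IMPACT_RANK["Major"]) else SUSPICIOUS


def per_threat_verdicts(threats: List[dict], indicator: str,
                        threshold: str = "Major") -> List[Tuple[int, str]]:
    """(threat id, verdict) per threat: the rows of the Human Readable Output table."""
    return [(t.get("id"), VERDICT_NAME[impact_to_score(threat_impact(t, indicator), threshold)])
            for t in threats]


def dbot_score(threats: List[dict], indicator: str, threshold: str = "Major") -> int:
    """Overall DBot score for the indicator. Assumptions: no threats means
    Unknown (0); with several threats the worst per-threat score wins."""
    if not threats:
        return UNKNOWN
    return max(impact_to_score(threat_impact(t, indicator), threshold) for t in threats)


def relationships(threats: List[dict], indicator: str,
                  indicator_type: str = "Domain") -> List[dict]:
    """One 'related-to' relationship from the indicator to every blockSet
    entry, in the shape shown under Domain.Relationships on this page."""
    return [{"EntityA": indicator, "EntityAType": indicator_type,
             "EntityB": block.get("data"), "EntityBType": block.get("blockType"),
             "Relationship": "related-to"}
            for t in threats for block in (t.get("blockSet") or [])]


# Constructed sample input: threat 55110 trimmed from the domain context
# example above, plus a second made-up threat (placeholder id 0) in which the
# searched indicator does not appear, to exercise the maximal-impact path.
SAMPLE_THREATS: List[dict] = [
    {"id": 55110,
     "label": "Finance or Response Themed - OfficeMacro, Emotet/Geodo",
     "blockSet": [
         {"blockType": "URL", "data": "http://tamymakeup.com/myclassapp/Rt/",
          "impact": "Major", "role": "Payload"},
         {"blockType": "Domain Name", "data": "www.sutomoresmestaj.net",
          "impact": "Moderate", "role": "Payload"},
     ]},
    {"id": 0,
     "label": "constructed example threat",
     "blockSet": [
         {"blockType": "Domain Name", "data": "example.invalid",
          "impact": "Minor", "role": "C2"},
         {"blockType": "URL", "data": "http://example.invalid/cp/",
          "impact": "Major", "role": "C2"},
     ]},
]

if __name__ == "__main__":
    ind = "www.sutomoresmestaj.net"
    for threat_id, verdict in per_threat_verdicts(SAMPLE_THREATS, ind):
        print(f"threat {threat_id}: {verdict}")
    print("DBot score:", dbot_score(SAMPLE_THREATS, ind))
    for rel in relationships(SAMPLE_THREATS[:1], ind):
        print(f"{rel['EntityA']} related-to {rel['EntityB']} ({rel['EntityBType']})")
```

Lowering the threshold changes the outcome: with the Domain Threshold set to Moderate, the same Moderate block in threat 55110 becomes Malicious, which is why the per-type threshold parameters in the instance configuration matter when tuning false positives.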

cofense-threat-report-get#


Downloads the threat report that Cofense Intelligence provides for the given unique report ID.

Base Command#

cofense-threat-report-get

Input#

| Argument Name | Description | Required |
|---|---|---|
| report_id | Unique ID of the threat report to download. | Required |
| report_format | Report format to download. Allowed types are html and pdf. Possible values are: html, pdf. Default is html. | Optional |

Context Output#

| Path | Type | Description |
|---|---|---|
| File.Size | Number | The size of the file. |
| File.SHA1 | String | The SHA1 hash of the file. |
| File.SHA256 | String | The SHA256 hash of the file. |
| File.SHA512 | String | The SHA512 hash of the file. |
| File.Name | String | The name of the file. |
| File.SSDeep | String | The SSDeep hash of the file. |
| File.EntryID | String | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | The MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command example#

!cofense-threat-report-get report_id=290367

Context Example#

{
"File": {
"EntryID": "17353@2f1342cd-06b5-4b3f-8c20-fe27a087f3a8",
"Extension": "html",
"Info": "text/html; charset=utf-8",
"MD5": "e61fc1a2b206650a3eb48f7856126291",
"Name": "290367.html",
"SHA1": "bb419100bd5319a43f4f5640075f22a7716ed5f8",
"SHA256": "d5da427907395fc8cf0e2942465990486e9bdb016ff820c89511599a0ec0b86a",
"SHA512": "aad5ffa7e291bb1f1528f2ed805307a8dfe9bdfae13b766e4fdbd7b9605008a2bc7eb9b177b3306de9fc113eda7c5c632f27446956394f601713cdeeaa075a43",
"SSDeep": "1536:TVsXVrOaM0uEcFrlsd21G33VRxQFsUKRFdLeo0sw/x7W:4OapOlOXLisUybLeoO/4",
"Size": 79669,
"Type": "HTML document, ASCII text, with very long lines, with CRLF line terminators"
}
}

Human Readable Output#

Uploaded file: 290367.html

| EntryID | Info | MD5 | Name | SHA1 | SHA256 | SHA512 | SSDeep | Size | Type |
|---|---|---|---|---|---|---|---|---|---|
| 17353@2f1342cd-06b5-4b3f-8c20-fe27a087f3a8 | text/html; charset=utf-8 | e61fc1a2b206650a3eb48f7856126291 | 290367.html | bb419100bd5319a43f4f5640075f22a7716ed5f8 | d5da427907395fc8cf0e2942465990486e9bdb016ff820c89511599a0ec0b86a | aad5ffa7e291bb1f1528f2ed805307a8dfe9bdfae13b766e4fdbd7b9605008a2bc7eb9b177b3306de9fc113eda7c5c632f27446956394f601713cdeeaa075a43 | 1536:TVsXVrOaM0uEcFrlsd21G33VRxQFsUKRFdLeo0sw/x7W:4OapOlOXLisUybLeoO/4 | 79669 | HTML document, ASCII text, with very long lines, with CRLF line terminators |

Breaking changes from previous versions of this integration#

The following sections list the changes in this version.

Outputs#

The following outputs were removed in this version:

In the url command:

  • Cofense.URL.Data - this output was replaced by CofenseIntelligence.URL.Data.
  • Cofense.URL.Malicious.Vendor - this output was replaced by CofenseIntelligence.URL.Malicious.Vendor.
  • Cofense.URL.Malicious.Description - this output was replaced by CofenseIntelligence.URL.Malicious.Description.
  • Cofense.URL.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.URL.Cofense.ThreatIDs.

In the file command:

  • Cofense.File.MD5 - this output was replaced by CofenseIntelligence.File.MD5.
  • Cofense.File.Malicious.Vendor - this output was replaced by CofenseIntelligence.File.Malicious.Vendor.
  • Cofense.File.Malicious.Description - this output was replaced by CofenseIntelligence.File.Malicious.Description.
  • Cofense.File.ThreatIDs - this output was replaced by CofenseIntelligence.File.ThreatIDs.

In the ip command:

  • Cofense.IP.Data - this output was replaced by CofenseIntelligence.IP.Data.
  • Cofense.IP.Malicious.Vendor - this output was replaced by CofenseIntelligence.IP.Malicious.Vendor.
  • Cofense.IP.Malicious.Description - this output was replaced by CofenseIntelligence.IP.Malicious.Description.
  • Cofense.IP.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.IP.Cofense.ThreatIDs.

In the email command:

  • Account.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
  • Account.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
  • Cofense.Email.Data - this output was replaced by CofenseIntelligence.Email.Data.
  • Cofense.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
  • Cofense.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
  • Cofense.Email.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.Email.Cofense.ThreatIDs.

In the cofense-search command:

  • Cofense.NumOfThreats - this output was replaced by CofenseIntelligence.NumOfThreats.
  • Cofense.String - this output was replaced by CofenseIntelligence.String.
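Existing playbooks, transformers and filters that reference the removed paths above will silently resolve to empty values after upgrading, so the practical task is to find every reference before the instance is switched over. The following script is an added example for this page, not part of the integration or the Cofense Intelligence v2 pack: it transcribes the removed/replacement pairs from the list above into a lookup table, scans exported playbook text for the old paths, and rewrites them. The playbook YAML fragment is constructed for the demonstration. One assumption is flagged in the code: `Account.Email.*` is a generic XSOAR context path that other integrations also write to, so hits on those two paths are reported but only rewritten when the caller explicitly asks for it.

```python
import re

# Removed -> replacement context paths, transcribed from the
# "Breaking changes" list for Cofense Intelligence v2.
LEGACY_PATHS = {
    "Cofense.URL.Data": "CofenseIntelligence.URL.Data",
    "Cofense.URL.Malicious.Vendor": "CofenseIntelligence.URL.Malicious.Vendor",
    "Cofense.URL.Malicious.Description": "CofenseIntelligence.URL.Malicious.Description",
    "Cofense.URL.Cofense.ThreatIDs": "CofenseIntelligence.URL.Cofense.ThreatIDs",
    "Cofense.File.MD5": "CofenseIntelligence.File.MD5",
    "Cofense.File.Malicious.Vendor": "CofenseIntelligence.File.Malicious.Vendor",
    "Cofense.File.Malicious.Description": "CofenseIntelligence.File.Malicious.Description",
    "Cofense.File.ThreatIDs": "CofenseIntelligence.File.ThreatIDs",
    "Cofense.IP.Data": "CofenseIntelligence.IP.Data",
    "Cofense.IP.Malicious.Vendor": "CofenseIntelligence.IP.Malicious.Vendor",
    "Cofense.IP.Malicious.Description": "CofenseIntelligence.IP.Malicious.Description",
    "Cofense.IP.Cofense.ThreatIDs": "CofenseIntelligence.IP.Cofense.ThreatIDs",
    "Account.Email.Malicious.Vendor": "CofenseIntelligence.Email.Malicious.Vendor",
    "Account.Email.Malicious.Description": "CofenseIntelligence.Email.Malicious.Description",
    "Cofense.Email.Data": "CofenseIntelligence.Email.Data",
    "Cofense.Email.Malicious.Vendor": "CofenseIntelligence.Email.Malicious.Vendor",
    "Cofense.Email.Malicious.Description": "CofenseIntelligence.Email.Malicious.Description",
    "Cofense.Email.Cofense.ThreatIDs": "CofenseIntelligence.Email.Cofense.ThreatIDs",
    "Cofense.NumOfThreats": "CofenseIntelligence.NumOfThreats",
    "Cofense.String": "CofenseIntelligence.String",
}

# Assumption: Account.Email.* is shared with other integrations, so a hit there
# may not come from Cofense at all. Report it, but only rewrite on request.
SHARED_PREFIX = "Account."

# Longest alternatives first; the look-around keeps a match from starting or
# ending inside a longer dotted identifier (e.g. CofenseIntelligence.*).
_PATTERN = re.compile(
    r"(?<![\w.])("
    + "|".join(re.escape(p) for p in sorted(LEGACY_PATHS, key=len, reverse=True))
    + r")(?!\w)"
)

# Constructed playbook fragment: two legacy paths, one shared path, one path
# that is already on the v2 scheme and must be left alone.
SAMPLE_PLAYBOOK = """\
tasks:
  "3":
    scriptarguments:
      value:
        simple: ${Cofense.URL.Data}
    conditions:
      - condition:
          - - operator: isExists
              left:
                value:
                  simple: Cofense.URL.Malicious.Vendor
  "4":
    scriptarguments:
      email:
        simple: ${Account.Email.Malicious.Vendor}
      already_new:
        simple: ${CofenseIntelligence.IP.Data}
"""


def find_legacy_paths(text):
    """Return (line_no, old_path, new_path, auto_rewrite) for each legacy hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in _PATTERN.finditer(line):
            old = m.group(1)
            hits.append((n, old, LEGACY_PATHS[old], not old.startswith(SHARED_PREFIX)))
    return hits


def migrate_paths(text, include_shared=False):
    """Rewrite legacy paths in place; Account.* paths stay unless include_shared."""
    def repl(m):
        old = m.group(1)
        if old.startswith(SHARED_PREFIX) and not include_shared:
            return old
        return LEGACY_PATHS[old]
    return _PATTERN.sub(repl, text)


if __name__ == "__main__":
    for n, old, new, auto in find_legacy_paths(SAMPLE_PLAYBOOK):
        note = "" if auto else "  (shared path, confirm the source before rewriting)"
        print(f"line {n}: {old} -> {new}{note}")
    print(migrate_paths(SAMPLE_PLAYBOOK))
```

Run it over the YAML of each playbook exported from the content repository (or from the UI) before enabling the v2 instance; the migration is idempotent, so a second pass over already-converted text reports nothing.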

Additional Considerations for this Version#

  • Added an option to limit the number of days from which data is returned (the "Time limit for collecting data" parameter). Cofense recommends a 90-day limit.