
# Cofense Intelligence v2

## Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the Cofense Intelligence integration to check the reputation of URLs, IP addresses, file hashes, and email addresses. This integration was integrated and tested with version 2 of Cofense Intelligence.

Some changes have been made that might affect your existing content. For more information, see Breaking Changes.

Search for threats associated with an indicator. The verdict (Unknown, Benign, Suspicious, Malicious) of each threat is determined by the impact (None, Minor, Moderate, Major) of its associated web locations as detected by Cofense, together with a threshold value set by the user when configuring the instance:

For each threat, if the searched indicator is found in the report, its impact is used as the verdict; otherwise, the maximal impact in the report is used.

Example: Threshold = Major (default value)

| Threat ID | Impact | DBot score | Adjusted Verdict |
| --- | --- | --- | --- |
| 1 | Minor | Suspicious | Suspicious |
| 2 | Moderate | Suspicious | Suspicious |
| 3 | Major | Bad | Malicious |
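The verdict rule described above, written out as an added example (this is illustrative code, not the integration's own implementation). The threat records are constructed to mirror the three rows of the example table, with `blockSet` entries shaped like the Cofense output shown later on this page. The page only states the outcome for Threshold = Major; the rest of the impact-to-score mapping used here (an impact at or above the threshold is Malicious/3, any lower non-`None` impact is Suspicious/2, `None` is Benign/1, and no threats at all is Unknown/0) is an assumption of this example.

```python
"""Added example (not the integration's code): verdict per threat from impact + threshold."""
from typing import Dict, List

# Impact ratings in ascending order of severity, as listed on the page.
IMPACT_ORDER = ["None", "Minor", "Moderate", "Major"]

# Cortex XSOAR DBotScore values: 0 Unknown, 1 Good/Benign, 2 Suspicious, 3 Bad/Malicious.
VERDICT_NAME = {0: "Unknown", 1: "Benign", 2: "Suspicious", 3: "Malicious"}


def impact_rank(impact: str) -> int:
    """Position of an impact string in IMPACT_ORDER; unrecognised strings count as 'None'."""
    return IMPACT_ORDER.index(impact) if impact in IMPACT_ORDER else 0


def threat_impact(threat: Dict, indicator: str) -> str:
    """Impact of one threat for the searched indicator.

    If the indicator itself appears in the threat's blockSet (data or data_1),
    that block's impact is used; otherwise the maximal impact in the blockSet.
    """
    blocks = threat.get("blockSet") or []
    for block in blocks:
        if indicator in (block.get("data"), block.get("data_1")):
            return block.get("impact", "None")
    if not blocks:
        return "None"
    return max((b.get("impact", "None") for b in blocks), key=impact_rank)


def dbot_score(impact: str, threshold: str) -> int:
    """Assumed mapping: at/above threshold -> 3, below threshold -> 2, 'None' -> 1."""
    if impact == "None":
        return 1
    return 3 if impact_rank(impact) >= impact_rank(threshold) else 2


def verdict_for_indicator(threats: List[Dict], indicator: str, threshold: str = "Major") -> Dict:
    """Overall verdict is the worst score across all threats; no threats -> Unknown (0)."""
    if not threats:
        return {"score": 0, "verdict": "Unknown", "per_threat": {}}
    per_threat = {t["id"]: dbot_score(threat_impact(t, indicator), threshold) for t in threats}
    score = max(per_threat.values())
    return {"score": score, "verdict": VERDICT_NAME[score], "per_threat": per_threat}


# Constructed sample data (not real Cofense records), mirroring the page's example table.
# Threat 3 does not list the searched IP, so its maximal block impact (Major) applies.
SAMPLE_THREATS = [
    {"id": 1, "blockSet": [{"data": "203.0.113.5", "data_1": "203.0.113.5", "impact": "Minor"}]},
    {"id": 2, "blockSet": [{"data": "203.0.113.5", "data_1": "203.0.113.5", "impact": "Moderate"}]},
    {"id": 3, "blockSet": [{"data": "example.invalid", "impact": "Minor"},
                           {"data": "198.51.100.9", "impact": "Major"}]},
]

if __name__ == "__main__":
    # With the default threshold this reproduces the table: {1: 2, 2: 2, 3: 3}, overall Malicious.
    print(verdict_for_indicator(SAMPLE_THREATS, "203.0.113.5", "Major"))
```

Lowering the threshold to Minor turns all three sample threats Malicious, which is the practical effect of the per-type threshold parameters in the instance configuration: they decide how much Cofense-rated impact it takes before an indicator is marked Bad rather than Suspicious.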

## Configure CofenseIntelligenceV2 on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for CofenseIntelligenceV2.
3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | The API endpoint (https://www.threathq.com) | True |
    | Token Name | Cofense API token name | True |
    | Password | Cofense API password | True |
    | Source Reliability | Reliability of the source providing the intelligence data. | False |
    | IP Threshold | Threshold for IP related threats' severity. | False |
    | File Threshold | Threshold for file related threats' severity. | False |
    | URL Threshold | Threshold for URL related threats' severity. | False |
    | Email Threshold | Threshold for email related threats' severity. | False |
    | Time limit for collecting data | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

4. Click Test to validate the URLs, token, and connection.

## Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

### ip

Checks the reputation of an IP address.

#### Base Command

`ip`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP address to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| IP.ASN | unknown | The autonomous system name for the IP address. |
| IP.GEO.Location | unknown | The geolocation where the IP address is located, in the format of latitude: longitude. |
| IP.GEO.Country | unknown | The country in which the IP address is located. |
| IP.Address | unknown | IP address. |
| IP.MalwareFamily | unknown | The malware family associated with the IP address. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| CofenseIntelligence.IP.Data | String | The IP address. |
| CofenseIntelligence.IP.Threats.id | Number | Threat ID. |
| CofenseIntelligence.IP.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.IP.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.IP.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.IP.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.IP.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.IP.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.IP.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.IP.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.IP.Threats.blockSet.roleDescription | String | Description of infrastructure type. |
| CofenseIntelligence.IP.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.IP.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.IP.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.IP.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.IP.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.IP.Threats.domainSet.totalCount | Number | Total number of the instances of each item named. |
| CofenseIntelligence.IP.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.IP.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.IP.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.IP.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
| CofenseIntelligence.IP.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.IP.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.IP.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.IP.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.IP.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.IP.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.IP.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.IP.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.IP.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.IP.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderIpSet.ip | String | One of possibly many IP addresses used in the delivery of the email. |
| CofenseIntelligence.IP.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.IP.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.IP.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.IP.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.IP.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.IP.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.IP.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.IP.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.IP.Threats.reportURL | String | Direct URL to the human readable report for this campaign. |
| CofenseIntelligence.IP.Threats.apiReportURL | String | URL to the human readable report for this campaign. |
| CofenseIntelligence.IP.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.IP.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.IP.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.IP.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |

#### Command Example

`!ip ip=8.8.8.8 using=CofenseIntelligenceV2_instance`

#### Context Example

{
"CofenseIntelligence": {
"IP": {
"Data": "8.8.8.8",
"Threats": [
{
"apiReportURL": "https://www.threathq.com/apiv1/t3/malware/125002/html",
"blockSet": [
{
"blockType": "IPv4 Address",
"confidence": 0,
"data": "8.8.8.8",
"data_1": "8.8.8.8",
"impact": "Minor",
"ipDetail": {
"asn": 23456,
"continentCode": "AS",
"continentName": "Asia",
"countryIsoCode": "IN",
"countryName": "India",
"ip": "8.8.8.8",
"isp": "Seema Infotech",
"latitude": 20,
"longitude": 77,
"lookupOn": 1616428612903,
"organization": "Seema Infotech",
"timeZone": "Asia/Kolkata"
}
],
"campaignBrandSet": [
{
"brand": {
"id": 2051,
"text": "None"
},
"totalCount": 1
}
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"deliveryMechanisms": [],
"domainSet": [],
"executableSet": [
],
"executiveSummary": "summary",
"extractedStringSet": [],
"feeds": [
],
"firstPublished": 1616428569154,
"hasReport": true,
"id": 125002,
"label": "Finance - FormGrabber",
"lastPublished": 1616428570962,
"malwareFamilySet": [
{
"description": "FormGrabber is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.",
"familyName": "FormGrabber"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "link",
"senderEmailSet": [],
"senderIpSet": [],
"senderNameSet": [],
"spamUrlSet": [],
"subjectSet": [
{
"subject": "subject",
"totalCount": 1
}
],
"threatDetailURL": "",
"threatType": "MALWARE"
}
]
}
},
"DBotScore": {
"Indicator": "8.8.8.8",
"Reliability": "B - Usually reliable",
"Score": 2,
"Type": "ip",
"Vendor": "CofenseIntelligenceV2"
},
"IP": {
"ASN": 23456,
"Address": "8.8.8.8",
"Geo": {
"Country": "IN",
"Location": "20.0:77.0"
},
"MalwareFamily": "FormGrabber"
}
}
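How the standard `IP` context shown above can be derived from a threat's `blockSet`, as an added example (illustrative code, not the integration's own implementation). The sample threat is constructed to mirror the context example on this page: the `ipDetail` fields under the matching `IPv4 Address` block supply `ASN`, `Geo.Country` and `Geo.Location`, and the first `malwareFamilySet` entry supplies `MalwareFamily`. Rendering `Location` as `latitude:longitude` with float formatting (`20.0:77.0`) follows the context example; the choice to omit `ASN` and `Geo` entirely when no block matches the queried IP is an assumption of this example.

```python
"""Added example (not the integration's code): map a Cofense threat to XSOAR IP context."""
from typing import Dict, List, Optional

# Constructed sample shaped like the page's ip context example; values are illustrative only.
SAMPLE_THREATS: List[Dict] = [
    {
        "id": 125002,
        "blockSet": [
            {
                "blockType": "IPv4 Address",
                "data": "8.8.8.8",
                "impact": "Minor",
                "ipDetail": {"asn": 23456, "countryIsoCode": "IN", "latitude": 20, "longitude": 77},
            },
            # A domain block without ipDetail, included to show it is skipped.
            {"blockType": "Domain Name", "data": "example.invalid", "impact": "Moderate"},
        ],
        "malwareFamilySet": [{"familyName": "FormGrabber", "description": "constructed"}],
    }
]


def find_ip_block(threats: List[Dict], ip: str) -> Optional[Dict]:
    """Return the first IPv4 block whose data equals the queried IP, or None."""
    for threat in threats:
        for block in threat.get("blockSet") or []:
            if block.get("blockType") == "IPv4 Address" and block.get("data") == ip:
                return block
    return None


def build_ip_context(threats: List[Dict], ip: str) -> Dict:
    """Assemble IP.Address, IP.ASN, IP.Geo.Country, IP.Geo.Location and IP.MalwareFamily."""
    context: Dict = {"Address": ip}
    block = find_ip_block(threats, ip)
    detail = (block or {}).get("ipDetail") or {}
    if "asn" in detail:
        context["ASN"] = detail["asn"]
    geo: Dict = {}
    if "countryIsoCode" in detail:
        geo["Country"] = detail["countryIsoCode"]
    if "latitude" in detail and "longitude" in detail:
        # Same "latitude:longitude" layout as the context example ("20.0:77.0").
        geo["Location"] = f"{float(detail['latitude'])}:{float(detail['longitude'])}"
    if geo:
        context["Geo"] = geo
    # Malware family: first family named by any threat that lists one.
    for threat in threats:
        families = threat.get("malwareFamilySet") or []
        if families and families[0].get("familyName"):
            context["MalwareFamily"] = families[0]["familyName"]
            break
    return context


if __name__ == "__main__":
    print(build_ip_context(SAMPLE_THREATS, "8.8.8.8"))
```

Note that `ipDetail` is only present on IP blocks; a threat that names the queried IP solely in `senderIpSet` carries no geolocation for it, which is why the function tolerates a missing block rather than assuming every hit has `asn` and coordinates.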

#### Human Readable Output

##### Cofense IP Reputation for IP 8.8.8.8

| Threat ID | Threat Types | Verdict | Executive Summary | Campaign | Last Published | ASN | Country | Threat Report |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 125002 | type | Suspicious | summary | Campaign | 2021-03-22 15:56:10 | ASN | country | link |

### cofense-search

Searches for extracted strings identified within malware campaigns.

#### Base Command

`cofense-search`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| str | String to search. | Required |
| limit | Maximum number of strings to search. Default is 10. | Optional |
| days_back | Limit the number of days from which we should start returning data. 90 days limit is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| CofenseIntelligence.Threats.id | Number | Threat ID. |
| CofenseIntelligence.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.Threats.blockSet.roleDescription | String | Description of infrastructure type. |
| CofenseIntelligence.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.Threats.executableSet.malwareFamily.familyName | String | Family name of malware. |
| CofenseIntelligence.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
| CofenseIntelligence.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.Threats.malwareFamilySet.familyName | String | Family name of malware. |
| CofenseIntelligence.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |

#### Command Example

`!cofense-search str=border using=CofenseIntelligenceV2_instance`

#### Context Example

{
"CofenseIntelligence": {
"Threats": {
"apiReportURL": "url",
"blockSet": [
],
"campaignBrandSet": [
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"deliveryMechanisms": [],
"domainSet": [
{
"domain": "szmc.goldentec.com",
"totalCount": 3
}
],
"executableSet": [],
"executiveSummary": "summary",
"extractedStringSet": [
{
"data": "border",
"malwareFamily": {
"description": "An instance of credential phishing",
"familyName": "Credential Phishing"
}
}
],
"feeds": [
{
"displayName": "Cofense",
"id": 23,
"permissions": {
"OWNER": false,
"READ": true,
"WRITE": false
}
}
],
"firstPublished": 1618498390036,
"hasReport": true,
"id": 178991,
"label": "Refund - Credential Phishing",
"lastPublished": 1618498391774,
"malwareFamilySet": [
{
"description": "An instance of credential phishing",
"familyName": "Credential Phishing"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "link",
"senderEmailSet": [
],
"senderIpSet": [],
"senderNameSet": [
],
"threatDetailURL": "link",
"threatType": "MALWARE"
}
}
}

#### Human Readable Output

##### There are 1 threats regarding your string search

| Threat ID | Threat Types | Executive Summary | Campaign | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- |
| 178991 | | summary | Refund - Credential Phishing | 2021-04-15 14:53:11 | Link |

### file

Checks the reputation of a file hash.

#### Base Command

`file`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| file | The MD5 hash of the file to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Extension | unknown | The file extension. |
| File.MD5 | unknown | The MD5 hash of the file. |
| File.Malicious.Description | unknown | A description explaining why the file was determined to be malicious. |
| File.Malicious.Vendor | unknown | The vendor who reported the file as malicious. |
| File.MalwareFamily | unknown | The malware family associated with the file. |
| File.Name | unknown | The full file name. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| CofenseIntelligence.File.Data | String | The file hash. |
| CofenseIntelligence.File.Threats.id | Number | Threat ID. |
| CofenseIntelligence.File.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.File.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.File.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.File.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.File.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.File.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.File.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.File.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.File.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.File.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.File.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.File.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.File.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.File.Threats.campaignBrandSet.totalCount | Number | Number of individual messages associated with this brand. |
| CofenseIntelligence.File.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.File.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.File.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.File.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.File.Threats.executableSet.malwareFamily.familyName | String | Family name of malware. |
| CofenseIntelligence.File.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
| CofenseIntelligence.File.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.File.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.File.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.File.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.File.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.File.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.File.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.File.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.File.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.File.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.File.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.File.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.File.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.File.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.File.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.File.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.File.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.File.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.File.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.File.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.File.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.File.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.File.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.File.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |

#### Command Example

`!file file=9798ba6199168e6d2cf205760ea683d1 using=CofenseIntelligenceV2_instance`

#### Context Example

{
"CofenseIntelligence": {
"File": {
"Data": "9798ba6199168e6d2cf205760ea683d1",
"Threats": [
{
"apiReportURL": "https://www.threathq.com/apiv1/t3/malware/158959/html",
"blockSet": [
{
"blockType": "Email",
"confidence": 0,
"data": "email@email.com",
"data_1": "email@email.com",
"impact": "Major",
"malwareFamily": {
"description": "Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.",
"familyName": "Agent Tesla"
},
"role": "C2",
"roleDescription": "Command and control location used by malware"
}
],
"campaignBrandSet": [
{
"brand": {
"id": 2051,
"text": "None"
},
"totalCount": 1
}
],
"campaignLanguageSet": [
{
"languageDefinition": {
"family": "Indo-European",
"isoCode": "en",
"name": "English",
"nativeName": "English"
}
}
],
"deliveryMechanisms": [
{
"description": "Microsoft Office exploit taking advantage of flaw in Microsoft Equation Editor allowing for arbitrary code execution",
"mechanismName": "CVE-2017-11882"
}
],
"domainSet": [],
"executableSet":[
],
"executiveSummary": "summary",
"extractedStringSet": [],
"feeds": [
{
"displayName": "Cofense",
"id": 23,
"permissions": {
"OWNER": false,
"READ": true,
"WRITE": false
}
}
],
"firstPublished": 1616096866503,
"hasReport": true,
"id": 158959,
"label": "Order - CVE-2017-11882, Agent Tesla Keylogger",
"lastPublished": 1616096868262,
"malwareFamilySet": [
{
"description": "Agent Tesla collects sensitive information, such as saved credentials for web, ftp, email, and instant messaging clients. Additionally, Tesla gathers data about the victim's PC and captures keystrokes.",
"familyName": "Agent Tesla"
}
],
"naicsCodes": [],
"relatedSearchTags": [],
"reportURL": "link",
"senderEmailSet": [],
"senderIpSet": [],
"senderNameSet": [],
"spamUrlSet": [],
"subjectSet": [
{
"subject": "RFQ ",
"totalCount": 1
}
],
"threatDetailURL": "url",
"threatType": "MALWARE"
}
]
}
},
"DBotScore": {
"Indicator": "9798ba6199168e6d2cf205760ea683d1",
"Reliability": "B - Usually reliable",
"Score": 3,
"Type": "file",
"Vendor": "CofenseIntelligenceV2"
},
"File": {
"Extension": "exe",
"MD5": "9798ba6199168e6d2cf205760ea683d1",
"Malicious": {
"Description": null,
"Vendor": "CofenseIntelligenceV2"
},
"MalwareFamily": "Agent Tesla",
"Name": "bobbyx.exe"
}
}

#### Human Readable Output

##### Cofense file Reputation for file 9798ba6199168e6d2cf205760ea683d1

| Threat ID | Threat Types | Verdict | Executive Summary | Campaign | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- | --- |
| 158959 | type | Malicious | summary | campaign name | 2021-03-18 19:47:48 | Link |

### email

Checks the reputation of an email address.

#### Base Command

`email`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Sender email address to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | Reliability of the source providing the intelligence data. |
| CofenseIntelligence.Email.Data | String | The email address. |
| CofenseIntelligence.Email.Threats.id | Number | Threat ID. |
| CofenseIntelligence.Email.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.Email.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.Email.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.Email.Threats.blockSet.malwareFamily.familyName | String | Names and describes the malware families. |
| CofenseIntelligence.Email.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.Email.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.Email.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.Email.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.Email.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.Email.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.Email.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.Email.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.Email.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Email.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.Email.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.Email.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.Email.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.Email.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
| CofenseIntelligence.Email.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.Email.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.Email.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.Email.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.Email.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.Email.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.Email.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.Email.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.Email.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.Email.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.Email.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.Email.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.Email.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.Email.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.Email.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.Email.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.Email.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.Email.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.Email.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.Email.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.Email.Threats.threatDetailURLStringT3 report URL.
CofenseIntelligence.Email.Threats.malwareFamilySet.familyNameStringFamily name of the malware.
CofenseIntelligence.Email.Threats.malwareFamilySet.descriptionStringDescription of the malware family set.
CofenseIntelligence.Email.Threats.threatTypeStringIf malware, will have value ‘malware’, otherwise it is empty.

Command Example#

!email email=email@email.com using=CofenseIntelligenceV2_instance_1_copy

Context Example#

```json
{
  "CofenseIntelligence": {
    "Email": {
      "Data": "email@email.com",
      "Threats": [
        {
          "apiReportURL": "report",
          "blockSet": [
            {
              "blockType": "Email",
              "confidence": 0,
              "data": "email@email.com",
              "data_1": "email@email.com",
              "impact": "Major",
              "malwareFamily": {
                "familyName": "Agent Tesla"
              },
              "role": "C2",
              "roleDescription": "Command and control location used by malware"
            }
          ],
          "campaignBrandSet": [
            {
              "brand": {
                "id": 2051,
                "text": "None"
              },
              "totalCount": 1
            }
          ],
          "campaignLanguageSet": [
            {
              "languageDefinition": {
                "family": "Indo-European",
                "isoCode": "en",
                "name": "English",
                "nativeName": "English"
              }
            }
          ],
          "domainSet": [],
          "executableSet": [],
          "executiveSummary": "summary",
          "extractedStringSet": [],
          "firstPublished": 1616096866503,
          "hasReport": true,
          "id": 158959,
          "label": "Order - CVE-2017-11882, Agent Tesla Keylogger",
          "lastPublished": 1616096868262,
          "malwareFamilySet": [
            {
              "familyName": "Agent Tesla"
            }
          ],
          "naicsCodes": [],
          "relatedSearchTags": [],
          "reportURL": "report",
          "senderEmailSet": [],
          "senderIpSet": [],
          "senderNameSet": [],
          "spamUrlSet": [],
          "subjectSet": [
            {
              "subject": "RFQ ",
              "totalCount": 1
            }
          ],
          "threatDetailURL": "url",
          "threatType": "MALWARE"
        }
      ]
    }
  },
  "DBotScore": {
    "Indicator": "email@email.com",
    "Reliability": "B - Usually reliable",
    "Score": 3,
    "Type": "email",
    "Vendor": "CofenseIntelligenceV2"
  },
  "Email": {
    "Address": "email@email.com",
    "Domain": "sankapatrol.com"
  }
}
```

Human Readable Output#

Cofense email Reputation for email email@email.com#

| Threat ID | Threat Types | Verdict | Executive Summary | Campaign | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- | --- |
| 158959 | Type | Malicious | Summary | Campaign name | 2021-03-18 19:47:48 | link |

url#


Checks the reputation of a URL.

Base Command#

url

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| url | URL to check. | Required |
| days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Score | number | The actual score. |
| DBotScore.Reliability | string | The reliability of the source providing the intelligence data. |
| URL.Data | string | The URL. |
| URL.Malicious.Description | string | A description of the malicious URL. |
| URL.Malicious.Vendor | string | The vendor who reported the URL as malicious. |
| CofenseIntelligence.URL.Data | String | The URL. |
| CofenseIntelligence.URL.Threats.id | Number | Threat ID. |
| CofenseIntelligence.URL.Threats.feeds.id | Number | Integer identifier for this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
| CofenseIntelligence.URL.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
| CofenseIntelligence.URL.Threats.feeds.displayName | String | Human readable name for this feed. |
| CofenseIntelligence.URL.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
| CofenseIntelligence.URL.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.URL.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
| CofenseIntelligence.URL.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
| CofenseIntelligence.URL.Threats.blockSet.blockType | String | Data type of the watchlist item. |
| CofenseIntelligence.URL.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
| CofenseIntelligence.URL.Threats.blockSet.role | String | Infrastructure type. |
| CofenseIntelligence.URL.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
| CofenseIntelligence.URL.Threats.blockSet.data | String | Domain name or an IP address. |
| CofenseIntelligence.URL.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
| CofenseIntelligence.URL.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
| CofenseIntelligence.URL.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.domainSet.domain | String | Sender domain name. |
| CofenseIntelligence.URL.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
| CofenseIntelligence.URL.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
| CofenseIntelligence.URL.Threats.executableSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
| CofenseIntelligence.URL.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
| CofenseIntelligence.URL.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
| CofenseIntelligence.URL.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
| CofenseIntelligence.URL.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
| CofenseIntelligence.URL.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
| CofenseIntelligence.URL.Threats.executableSet.severityLevel | String | The malware infection severity level. |
| CofenseIntelligence.URL.Threats.executableSet.fileNameExtension | String | The file extension. |
| CofenseIntelligence.URL.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
| CofenseIntelligence.URL.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
| CofenseIntelligence.URL.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
| CofenseIntelligence.URL.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
| CofenseIntelligence.URL.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
| CofenseIntelligence.URL.Threats.subjectSet.subject | String | Email subject line. |
| CofenseIntelligence.URL.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
| CofenseIntelligence.URL.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
| CofenseIntelligence.URL.Threats.label | String | Human readable name for this campaign. |
| CofenseIntelligence.URL.Threats.executiveSummary | String | Analyst written summary of the campaign. |
| CofenseIntelligence.URL.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
| CofenseIntelligence.URL.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
| CofenseIntelligence.URL.Threats.apiReportURL | String | URL to human readable report for this campaign. |
| CofenseIntelligence.URL.Threats.threatDetailURL | String | T3 report URL. |
| CofenseIntelligence.URL.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
| CofenseIntelligence.URL.Threats.malwareFamilySet.description | String | Description of the malware family set. |
| CofenseIntelligence.URL.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |

Command Example#

!url url=url using=CofenseIntelligenceV2_instance

Context Example#

```json
{
  "CofenseIntelligence": {
    "URL": {
      "Data": "url",
      "Threats": [
        {
          "apiReportURL": "report",
          "blockSet": [
            {
              "blockType": "Domain Name",
              "confidence": 0,
              "data": "url",
              "data_1": "url",
              "impact": "Moderate",
              "malwareFamily": {
                "description": "description",
                "familyName": "FormGrabber"
              },
              "role": "C2",
              "roleDescription": "Command and control location used by malware"
            },
            {
              "blockType": "URL",
              "confidence": 0,
              "data": "http://www.itool.group/cp5/",
              "impact": "Major",
              "malwareFamily": {
                "familyName": "FormGrabber"
              },
              "role": "C2",
              "roleDescription": "Command and control location used by malware"
            }
          ],
          "campaignBrandSet": [
            {
              "brand": {
                "id": 2051,
                "text": "None"
              },
              "totalCount": 1
            }
          ],
          "campaignLanguageSet": [
            {
              "languageDefinition": {
                "family": "Indo-European",
                "isoCode": "en",
                "name": "English",
                "nativeName": "English"
              }
            }
          ],
          "deliveryMechanisms": [],
          "domainSet": [],
          "executableSet": [],
          "executiveSummary": "Finance-themed campaign delivers FormGrabber.",
          "extractedStringSet": [],
          "hasReport": true,
          "id": 125002,
          "label": "Finance - FormGrabber",
          "lastPublished": 1616428570962,
          "malwareFamilySet": [
            {
              "description": "FormGrabber is a browser focused keylogger coded in ASM/C. It can record keystrokes, form input, clipboard contents, take screenshots, and recover stored credentials from many different applications.",
              "familyName": "FormGrabber"
            }
          ],
          "naicsCodes": [],
          "relatedSearchTags": [],
          "reportURL": "url",
          "senderEmailSet": [],
          "senderIpSet": [],
          "senderNameSet": [],
          "spamUrlSet": [],
          "threatDetailURL": "url",
          "threatType": "MALWARE"
        }
      ]
    }
  },
  "DBotScore": {
    "Indicator": "url",
    "Reliability": "B - Usually reliable",
    "Score": 3,
    "Type": "url",
    "Vendor": "CofenseIntelligenceV2"
  },
  "URL": {
    "Data": "url",
    "Malicious": {
      "Description": null,
      "Vendor": "CofenseIntelligenceV2"
    }
  }
}
```

Human Readable Output#

Cofense URL Reputation for url url#

| Threat ID | Threat Types | Verdict | Executive Summary | Campaign | Last Published | Threat Report |
| --- | --- | --- | --- | --- | --- | --- |
| 125002 | threat type | Malicious | summary | | 2021-03-22 15:56:10 | Link |
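The context examples above show how a threat report's `blockSet` impacts end up as a `DBotScore.Score`: the email example has the searched address itself listed as a C2 block with impact Major, which at the default threshold (Major) yields score 3, Malicious. The following is an added example, not the integration's own code, that applies the verdict rule from the integration description (use the impact of the block matching the searched indicator, otherwise the maximal impact in the report, then compare against the instance threshold) to a constructed sample. The mapping of impact "None" to Benign, the aggregation of several threats by taking the worst score, and the sample threat id 900001 with `example.invalid` hosts are assumptions made here and are not stated on the page.

```python
"""Verdict computation for Cofense Intelligence threat reports (added example).

Implements the rule stated in the integration description: for each threat,
use the impact of the blockSet entry that matches the searched indicator,
otherwise the maximal impact in the report, then compare that impact with the
configured threshold. Assumptions not stated on the page: impact "None" maps
to Benign, the indicator's overall score is the worst score over its threats,
and an unknown impact string is treated as "None".
"""
from typing import Dict, List

# Impact ratings as used in blockSet.impact, ordered from least to most severe.
IMPACT_RANK: Dict[str, int] = {"None": 0, "Minor": 1, "Moderate": 2, "Major": 3}

# DBotScore values used by Cortex XSOAR and the verdict names from the page.
SCORE_UNKNOWN, SCORE_GOOD, SCORE_SUSPICIOUS, SCORE_BAD = 0, 1, 2, 3
VERDICT_NAME = {SCORE_UNKNOWN: "Unknown", SCORE_GOOD: "Benign",
                SCORE_SUSPICIOUS: "Suspicious", SCORE_BAD: "Malicious"}


def threat_impact(threat: dict, indicator: str) -> str:
    """Impact of one threat report with respect to the searched indicator."""
    block_set = threat.get("blockSet") or []
    # Rule 1: the indicator appears in the report -> use that block's own impact.
    for block in block_set:
        if indicator in (block.get("data"), block.get("data_1")):
            return block.get("impact") or "None"
    # Rule 2: otherwise use the most severe impact found anywhere in the report.
    impacts = [block.get("impact") or "None" for block in block_set]
    return max(impacts, key=lambda i: IMPACT_RANK.get(i, 0), default="None")


def impact_to_score(impact: str, threshold: str = "Major") -> int:
    """Map an impact rating to a DBotScore using the instance threshold."""
    rank = IMPACT_RANK.get(impact, 0)
    if rank == 0:
        return SCORE_GOOD            # assumption: no impact -> Benign
    if rank >= IMPACT_RANK[threshold]:
        return SCORE_BAD             # at or above the threshold -> Malicious
    return SCORE_SUSPICIOUS          # below the threshold but not None -> Suspicious


def score_indicator(indicator: str, threats: List[dict], threshold: str = "Major") -> dict:
    """Return per-threat verdicts and the indicator's overall DBotScore."""
    if not threats:
        return {"Score": SCORE_UNKNOWN, "Verdict": "Unknown", "Threats": []}
    rows = []
    for threat in threats:
        impact = threat_impact(threat, indicator)
        score = impact_to_score(impact, threshold)
        rows.append({"id": threat.get("id"), "impact": impact,
                     "score": score, "verdict": VERDICT_NAME[score]})
    overall = max(row["score"] for row in rows)   # assumption: worst threat wins
    return {"Score": overall, "Verdict": VERDICT_NAME[overall], "Threats": rows}


# Constructed sample modelled on the email context example (not real data).
SAMPLE_INDICATOR = "email@email.com"
SAMPLE_THREATS = [
    {   # the searched address is itself a C2 block entry with Major impact
        "id": 158959,
        "blockSet": [{"blockType": "Email", "data": "email@email.com",
                      "data_1": "email@email.com", "impact": "Major", "role": "C2"}],
    },
    {   # hypothetical report: indicator absent, so the maximal impact (Moderate) applies
        "id": 900001,
        "blockSet": [{"blockType": "Domain Name", "data": "example.invalid", "impact": "Minor"},
                     {"blockType": "URL", "data": "http://example.invalid/x", "impact": "Moderate"}],
    },
]

if __name__ == "__main__":
    result = score_indicator(SAMPLE_INDICATOR, SAMPLE_THREATS)
    for row in result["Threats"]:
        print(f"threat {row['id']}: impact={row['impact']} -> {row['verdict']}")
    print("overall DBotScore:", result["Score"], result["Verdict"])
```

Lowering the instance threshold to Moderate turns the second report's Moderate impact into Malicious as well, which is the lever the IP, File, URL and Email Threshold parameters give an analyst when tuning how aggressively the integration flags indicators.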

Breaking changes from previous versions of this integration#

The following sections list the changes in this version.

Outputs#

The following outputs were removed in this version:

In the url command:

  • Cofense.URL.Data - this output was replaced by CofenseIntelligence.URL.Data.
  • Cofense.URL.Malicious.Vendor - this output was replaced by CofenseIntelligence.URL.Malicious.Vendor.
  • Cofense.URL.Malicious.Description - this output was replaced by CofenseIntelligence.URL.Malicious.Description.
  • Cofense.URL.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.URL.Cofense.ThreatIDs.

In the file command:

  • Cofense.File.MD5 - this output was replaced by CofenseIntelligence.File.MD5.
  • Cofense.File.Malicious.Vendor - this output was replaced by CofenseIntelligence.File.Malicious.Vendor.
  • Cofense.File.Malicious.Description - this output was replaced by CofenseIntelligence.File.Malicious.Description.
  • Cofense.File.ThreatIDs - this output was replaced by CofenseIntelligence.File.ThreatIDs.

In the ip command:

  • Cofense.IP.Data - this output was replaced by CofenseIntelligence.IP.Data.
  • Cofense.IP.Malicious.Vendor - this output was replaced by CofenseIntelligence.IP.Malicious.Vendor.
  • Cofense.IP.Malicious.Description - this output was replaced by CofenseIntelligence.IP.Malicious.Description.
  • Cofense.IP.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.IP.Cofense.ThreatIDs.

In the email command:

  • Account.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
  • Account.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
  • Cofense.Email.Data - this output was replaced by CofenseIntelligence.Email.Data.
  • Cofense.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
  • Cofense.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
  • Cofense.Email.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.Email.Cofense.ThreatIDs.

In the cofense-search command:

  • Cofense.NumOfThreats - this output was replaced by CofenseIntelligence.NumOfThreats.
  • Cofense.String - this output was replaced by CofenseIntelligence.String.

Additional Considerations for this Version#

  • Added an option to limit the number of days from which to start returning data. A 90-day limit is recommended by Cofense.