Cofense Intelligence v2
Cofense Intelligence v2 Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
Use the Cofense Intelligence integration to check the reputation of domains, URLs, IP addresses, file hashes, and email addresses. This integration was integrated and tested with version 2 of Cofense Intelligence
Some changes have been made that might affect your existing content. For more information, see Breaking Changes.
Search for threats associated with an indicator. The verdict (Unknown, Benign, Suspicious, Malicious) of each threat is determined by the impact (None, Minor, Moderate, Major) of its associated web locations as detected in cofense, along with a threshold value that is being set by the user (when configuring the instance):
for each Threat, if the searched indicator is found in the report - we will use its impact as the verdict, else will use the maximal impact in the report.
Example: Threshold = Major (Default value)
Threat ID | Impact | Dbot score | Adjusted Verdict |
---|---|---|---|
1 | Minor | Suspicious | Suspicious |
2 | Moderate | Suspicious | Suspicious |
3 | Major | Bad | Malicious |
#
Configure CofenseIntelligenceV2 in CortexParameter | Description | Required |
---|---|---|
Server URL | The Api endpoint (https://www.threathq.com) | True |
Token Name | Cofense API Token name | True |
Password | Cofense API password | True |
Source Reliability | Reliability of the source providing the intelligence data. | False |
IP Threshold | Threshold for IP related threats' severity. | False |
File Threshold | Threshold for file related threats' severity. | False |
URL Threshold | Threshold for URL related threats' severity. | False |
Email Threshold | Threshold for email related threats' severity. | False |
Domain Threshold | Threshold for domain related threats' severity. | False |
Time limit for collecting data | The maximum number of days from which to start returning data. 90 days is recomended by Cofense. | |
Create relationships | Create relationships between indicators as part of Enrichment. | False |
Score Mapping | Mapping of Cofense Intelligence indicator rating to XSOAR DBOT Score standard rating. For Example-: None:0, Minor:1, Moderate:2, Major:3 Note: Cofense Indicator ratings are Major, Minor, Moderate, None. | False |
Trust any certificate (not secure) | False | |
Use system proxy settings | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ipChecks the reputation of an IP address.
#
Base Commandip
#
InputArgument Name | Description | Required |
---|---|---|
ip | IP address to check. | Required |
days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
IP.ASN | unknown | The autonomous system name for the IP address. |
IP.GEO.Location | unknown | The geolocation where the IP address is located, in the format of latitude: longitude. |
IP.GEO.Country | unknown | The country in which the IP address is located. |
IP.Address | unknown | IP address. |
IP.MalwareFamily | unknown | The malware family associated with the IP address. |
IP.Relationships.EntityA | String | The source of the relationship. |
IP.Relationships.EntityB | String | The destination of the relationship. |
IP.Relationships.Relationship | String | The name of the relationship. |
IP.Relationships.EntityAType | String | The type of the source of the relationship. |
IP.Relationships.EntityBType | String | The type of the destination of the relationship. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
DBotScore.Reliability | string | The actual score. |
CofenseIntelligence.IP.Data | String | The IP address. |
CofenseIntelligence.IP.Threats.id | Number | Threat ID. |
CofenseIntelligence.IP.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.IP.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.IP.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.IP.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.IP.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.IP.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
CofenseIntelligence.IP.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.IP.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.IP.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.IP.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.IP.Threats.blockSet.roleDescription | String | Description of infrastructure type. |
CofenseIntelligence.IP.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.IP.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.IP.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.IP.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.IP.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
CofenseIntelligence.IP.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.IP.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.IP.Threats.domainSet.totalCount | Number | Total number of the instances of each item named. |
CofenseIntelligence.IP.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.IP.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.IP.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.IP.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
CofenseIntelligence.IP.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.IP.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.IP.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.IP.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.IP.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.IP.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.IP.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.IP.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.IP.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.IP.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.IP.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.IP.Threats.senderIpSet.ip | String | One of possibly many IP addresses used in the delivery of the email. |
CofenseIntelligence.IP.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.IP.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.IP.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.IP.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.IP.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.IP.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
CofenseIntelligence.IP.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.IP.Threats.executiveSummary | String | Analyst written summary of the campaign. |
CofenseIntelligence.IP.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.IP.Threats.reportURL | String | Direct URL to the human readable report for this campaign. |
CofenseIntelligence.IP.Threats.apiReportURL | String | URL to the human readable report for this campaign. |
CofenseIntelligence.IP.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.IP.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
CofenseIntelligence.IP.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.IP.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |
#
Command Example!ip ip=8.8.8.8 using=CofenseIntelligenceV2_instance
#
Context Example#
Human Readable Output#
Cofense IP Reputation for IP 8.8.8.8
Threat ID Threat Type Verdict Executive Summary Campaign Malware Family Description Last Published ASN Country Threat Report 125002 type Suspicious summary Campaign Family Description 2021-03-22 15:56:10 ASN country link
#
cofense-searchRetrieves a specific threat or a list of threats based on the filter values provided in the command arguments.
#
Base Commandcofense-search
#
InputArgument Name | Description | Required |
---|---|---|
str | String to search. | Optional |
limit | Maximum number of strings to search. Default is 10. | Optional |
days_back | Limit the number of days from which we should start returning data. 90 days limit is recommended by Cofense. | Optional |
malware_family | The malware family associated with a malware campaign. | Optional |
malware_file | The filename associated with a phishing or malware campaign. | Optional |
malware_subject | Search the message subject associated with malware campaigns. | Optional |
url | A specific url to search for. Note: This supports exact and partial matching of urls. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
CofenseIntelligence.Threats.id | Number | Threat ID. |
CofenseIntelligence.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
CofenseIntelligence.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.Threats.blockSet.roleDescription | String | Description of infrastructure type. |
CofenseIntelligence.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
CofenseIntelligence.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.Threats.executableSet.malwareFamily.familyName | String | Family name of malware. |
CofenseIntelligence.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
CofenseIntelligence.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
CofenseIntelligence.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.Threats.executiveSummary | String | .Analyst written summary of the campaign. |
CofenseIntelligence.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
CofenseIntelligence.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.Threats.malwareFamilySet.familyName | String | Family name of malware. |
CofenseIntelligence.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |
#
Command Example!cofense-search str=border using=CofenseIntelligenceV2_instance
#
Context Example#
Human Readable Output#
There are 1 threats regarding your string search
Threat ID Threat Type Executive Summary Campaign Malware Family Malware File Malware Subject Malware Family Description Last Published Threat Report 178991 type summary Refund - Credential Phishing Family File Subject Family Description 2021-04-15 14:53:11 Link
#
fileChecks the reputation of a file hash.
#
Base Commandfile
#
InputArgument Name | Description | Required |
---|---|---|
file | The hash of the file to check. | Required |
days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.Extension | Unknown | The file extension. |
File.MD5 | Unknown | The MD5 hash of the file. |
File.sha1 | String | The SHA-1 hash of the file. |
File.sha256 | String | The SHA-256 hash of the file. |
File.sha512 | String | The SHA-512 hash of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.Type | String | The file type. |
File.Hashes.type | String | The hash type. |
File.Hashes.value | String | The hash value. |
File.Malicious.Description | Unknown | A description explaining why the file was determined to be malicious. |
File.Malicious.Vendor | Unknown | The vendor who reported the file as malicious. |
File.MalwareFamily | Unknown | The malware family associated with the file. |
File.Name | Unknown | The full file name. |
File.Relationships.EntityA | String | The source of the relationship. |
File.Relationships.EntityB | String | The destination of the relationship. |
File.Relationships.Relationship | String | The name of the relationship. |
File.Relationships.EntityAType | String | The type of the source of the relationship. |
File.Relationships.EntityBType | String | The type of the destination of the relationship. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
DBotScore.Reliability | string | The actual score. |
CofenseIntelligence.File.Data | String | The file hash. |
CofenseIntelligence.File.Threats.id | Number | Threat ID. |
CofenseIntelligence.File.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.File.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.File.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.File.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.File.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.File.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
CofenseIntelligence.File.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.File.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.File.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.File.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.File.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
CofenseIntelligence.File.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.File.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.File.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.File.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.File.Threats.campaignBrandSet.totalCount | Number | Number of individual messages associated with this brand. |
CofenseIntelligence.File.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.File.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.File.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.File.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.File.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.File.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.File.Threats.executableSet.malwareFamily.familyName | String | Family name of malware. |
CofenseIntelligence.File.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.File.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.File.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.File.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.File.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.File.Threats.executableSet.ssdeep | String | The ssdeep hash of the file. |
CofenseIntelligence.File.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.File.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.File.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.File.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.File.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.File.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.File.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
CofenseIntelligence.File.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.File.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.File.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.File.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.File.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.File.Threats.firstPublished | Date | Timestamp of when this campaign was initially published |
CofenseIntelligence.File.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.File.Threats.executiveSummary | String | Analyst written summary of the campaign. |
CofenseIntelligence.File.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.File.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
CofenseIntelligence.File.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.File.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.File.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
CofenseIntelligence.File.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.File.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |
#
Command Example!file file=9798ba6199168e6d2cf205760ea683d1 using=CofenseIntelligenceV2_instance
#
Context Example#
Human Readable Output#
Cofense file Reputation for file 9798ba6199168e6d2cf205760ea683d1
Threat ID Threat Type Verdict Executive Summary Campaign Malware Family Description Last Published Threat Report 158959 type Malicious summary campaign name Family Description 2021-03-18 19:47:48 Link
#
emailChecks the reputation of an email address.
#
Base Commandemail
#
InputArgument Name | Description | Required |
---|---|---|
Sender email address to check. | Required | |
days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
DBotScore.Reliability | string | The actual score. |
Email.Relationships.EntityA | String | The source of the relationship. |
Email.Relationships.EntityB | String | The destination of the relationship. |
Email.Relationships.Relationship | String | The name of the relationship. |
Email.Relationships.EntityAType | String | The type of the source of the relationship. |
Email.Relationships.EntityBType | String | The type of the destination of the relationship. |
CofenseIntelligence.Email.Data | String | The email address. |
CofenseIntelligence.Email.Threats.id | Number | Threat ID. |
CofenseIntelligence.Email.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.Email.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.Email.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.Email.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.Email.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.Email.Threats.blockSet.malwareFamily.familyName | String | Names and describes the malware families. |
CofenseIntelligence.Email.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.Email.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.Email.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.Email.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.Email.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
CofenseIntelligence.Email.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.Email.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.Email.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.Email.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.Email.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
CofenseIntelligence.Email.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.Email.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.Email.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Email.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.Email.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Email.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.Email.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
CofenseIntelligence.Email.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.Email.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.Email.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.Email.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.Email.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.Email.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.Email.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.Email.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.Email.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.Email.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.Email.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Email.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
CofenseIntelligence.Email.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Email.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.Email.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Email.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.Email.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.Email.Threats.firstPublished | Date | Timestamp of when this campaign was initially published |
CofenseIntelligence.Email.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.Email.Threats.executiveSummary | String | Analyst written summary of the campaign. |
CofenseIntelligence.Email.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.Email.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
CofenseIntelligence.Email.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.Email.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.Email.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
CofenseIntelligence.Email.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.Email.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |
#
Command Example!email email=email@email.com using=CofenseIntelligenceV2_instance_1_copy
#
Context Example#
Human Readable Outputemail@email.com#
Cofense email Reputation for email
Threat ID Threat Type Verdict Executive Summary Campaign Malware Family Description Last Published Threat Report 158959 Type Malicious Summary Campaign name Family Description 2021-03-18 19:47:48 link
#
urlChecks the reputation of a URL.
#
Base Commandurl
#
InputArgument Name | Description | Required |
---|---|---|
url | URL to check. | Required |
days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
DBotScore.Score | number | The actual score. |
DBotScore.Reliability | string | The actual score. |
URL.Data | string | The URL |
URL.Malicious.Description | string | A description of the malicious URL. |
URL.Malicious.Vendor | string | The vendor who reported the URL as malicious. |
URL.Relationships.EntityA | String | The source of the relationship. |
URL.Relationships.EntityB | String | The destination of the relationship. |
URL.Relationships.Relationship | String | The name of the relationship. |
URL.Relationships.EntityAType | String | The type of the source of the relationship. |
URL.Relationships.EntityBType | String | The type of the destination of the relationship. |
CofenseIntelligence.URL.Data | String | The URL. |
CofenseIntelligence.URL.Threats.id | Number | Threat ID. |
CofenseIntelligence.URL.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.URL.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.URL.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.URL.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.URL.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.URL.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
CofenseIntelligence.URL.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.URL.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.URL.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.URL.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.URL.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
CofenseIntelligence.URL.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.URL.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.URL.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.URL.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.URL.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
CofenseIntelligence.URL.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.URL.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.URL.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.URL.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.URL.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.URL.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.URL.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
CofenseIntelligence.URL.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.URL.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.URL.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.URL.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.URL.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.URL.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.URL.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.URL.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.URL.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.URL.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.URL.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.URL.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
CofenseIntelligence.URL.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.URL.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.URL.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.URL.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.URL.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.URL.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
CofenseIntelligence.URL.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.URL.Threats.executiveSummary | String | Analyst written summary of the campaign. |
CofenseIntelligence.URL.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.URL.Threats.reportURL | String | Direct URL to human readable report for this campaign. |
CofenseIntelligence.URL.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.URL.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.URL.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
CofenseIntelligence.URL.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.URL.Threats.threatType | String | If malware, will have value ‘malware’, otherwise it is empty. |
#
Command Example!url url=url using=CofenseIntelligenceV2_instance
#
Context Example#
Human Readable Output#
Cofense URL Reputation for url url
Threat ID Threat Type Verdict Executive Summary Campaign Malware Family Description Last Published Threat Report 125002 threat type Malicious summary Campaign name Family Description 2021-03-22 15:56:10 Link
#
domainChecks the reputation of the domain.
#
Base Commanddomain
#
InputArgument Name | Description | Required |
---|---|---|
domain | Domain to check. | Required |
days_back | The maximum number of days from which to start returning data. 90 days is recommended by Cofense. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | The actual score. |
Domain.Name | String | The Domain. |
Domain.Malicious.Description | String | A description of the malicious URL. |
Domain.Malicious.Vendor | String | The vendor who reported the Domain as malicious. |
Domain.Relationships.EntityA | String | The source of the relationship. |
Domain.Relationships.EntityB | String | The destination of the relationship. |
Domain.Relationships.Relationship | String | The name of the relationship. |
Domain.Relationships.EntityAType | String | The type of the source of the relationship. |
Domain.Relationships.EntityBType | String | The type of the destination of the relationship. |
CofenseIntelligence.Domain.Data | String | The Domain. |
CofenseIntelligence.Domain.Threats.id | Number | Threat ID. |
CofenseIntelligence.Domain.Threats.feeds.id | Number | Integer identifier for this feed. |
CofenseIntelligence.Domain.Threats.feeds.permissions.WRITE | Boolean | True if you are allowed to submit data to this feed. |
CofenseIntelligence.Domain.Threats.feeds.permissions.OWNER | Boolean | True if you are the original provider of the source data for this feed. |
CofenseIntelligence.Domain.Threats.feeds.permissions.READ | Boolean | True if you are allowed to view data for this feed. |
CofenseIntelligence.Domain.Threats.feeds.displayName | String | Human readable name for this feed. |
CofenseIntelligence.Domain.Threats.blockSet.malwareFamily.familyName | String | The name of the malware family. |
CofenseIntelligence.Domain.Threats.blockSet.malwareFamily.description | String | Brief description of the malware family, what it does, or how it works. |
CofenseIntelligence.Domain.Threats.blockSet.impact | String | Values borrowed from stixVocabs:ImpactRatingVocab-1.0. |
CofenseIntelligence.Domain.Threats.blockSet.confidence | Number | The level of confidence in the threats block. |
CofenseIntelligence.Domain.Threats.blockSet.blockType | String | Data type of the watchlist item. |
CofenseIntelligence.Domain.Threats.blockSet.roleDescription | String | Description of the infrastructure type. |
CofenseIntelligence.Domain.Threats.blockSet.role | String | Infrastructure type. |
CofenseIntelligence.Domain.Threats.blockSet.infrastructureTypeSubclass.description | String | Brief description of the infrastructure type being used. |
CofenseIntelligence.Domain.Threats.blockSet.data | String | Domain name or an IP address. |
CofenseIntelligence.Domain.Threats.blockSet.data_1 | String | Either a domain name or an IP address. |
CofenseIntelligence.Domain.Threats.campaignBrandSet.totalCount | Number | Total number of individual messages associated with this brand. |
CofenseIntelligence.Domain.Threats.campaignBrandSet.brand.id | Number | Numeric identifier used by Malcovery to track this brand. |
CofenseIntelligence.Domain.Threats.campaignBrandSet.brand.text | String | String identifier used by Malcovery to track this brand. |
CofenseIntelligence.Domain.Threats.domainSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Domain.Threats.domainSet.domain | String | Sender domain name. |
CofenseIntelligence.Domain.Threats.senderEmailSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Domain.Threats.senderEmailSet.senderEmail | String | The possibly spoofed email address used in the delivery of the email. |
CofenseIntelligence.Domain.Threats.executableSet.malwareFamily.familyName | String | Family name of the malware. |
CofenseIntelligence.Domain.Threats.executableSet.malwareFamily.description | String | The name of the malware family. |
CofenseIntelligence.Domain.Threats.executableSet.vendorDetections.detected | Boolean | Whether an executable was detected. |
CofenseIntelligence.Domain.Threats.executableSet.vendorDetections.threatVendorName | String | Name of the antivirus vendor. |
CofenseIntelligence.Domain.Threats.executableSet.fileName | String | The file name of any file discovered during a malware infection. |
CofenseIntelligence.Domain.Threats.executableSet.type | String | Description of the purpose this file serves within the malware infection. |
CofenseIntelligence.Domain.Threats.executableSet.dateEntered | Date | Date when this file was analyzed by Malcovery. |
CofenseIntelligence.Domain.Threats.executableSet.severityLevel | String | The malware infection severity level. |
CofenseIntelligence.Domain.Threats.executableSet.fileNameExtension | String | The file extension. |
CofenseIntelligence.Domain.Threats.executableSet.md5Hex | String | The MD5 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.sha384Hex | String | The SHA-384 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.sha512Hex | String | The SHA-512 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.sha1Hex | String | The SHA-1 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.sha224Hex | String | The SHA-224 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.sha256Hex | String | The SHA-256 hash of the file. |
CofenseIntelligence.Domain.Threats.executableSet.executableSubtype.description | String | The description of the executable file. |
CofenseIntelligence.Domain.Threats.senderIpSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Domain.Threats.senderIpSet.ip | String | One of possibly many IPs used in the delivery of the email. |
CofenseIntelligence.Domain.Threats.senderNameSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Domain.Threats.senderNameSet.name | String | The friendly name of the sender of the email. |
CofenseIntelligence.Domain.Threats.subjectSet.totalCount | Number | Total number of instances of each item named. |
CofenseIntelligence.Domain.Threats.subjectSet.subject | String | Email subject line. |
CofenseIntelligence.Domain.Threats.lastPublished | Date | Timestamp of when this campaign was most recently updated. |
CofenseIntelligence.Domain.Threats.firstPublished | Date | Timestamp of when this campaign was initially published. |
CofenseIntelligence.Domain.Threats.label | String | Human readable name for this campaign. |
CofenseIntelligence.Domain.Threats.executiveSummary | String | Analyst written summary of the campaign. |
CofenseIntelligence.Domain.Threats.hasReport | Boolean | Whether this campaign has a written report associated with it. |
CofenseIntelligence.Domain.Threats.reportDomain | String | Direct URL to human readable report for this campaign. |
CofenseIntelligence.Domain.Threats.apiReportURL | String | URL to human readable report for this campaign. |
CofenseIntelligence.Domain.Threats.threatDetailURL | String | T3 report URL. |
CofenseIntelligence.Domain.Threats.malwareFamilySet.familyName | String | Family name of the malware. |
CofenseIntelligence.Domain.Threats.malwareFamilySet.description | String | Description of the malware family set. |
CofenseIntelligence.Domain.Threats.threatType | String | If malware, will have value 'malware', otherwise it is empty. |
#
Command Example!domain domain=www.sutomoresmestaj.net days_back=20000 using=CofenseIntelligenceV2_instance
#
Context Example#
Human Readable Outputwww.sutomoresmestaj.net#
Cofense Domain Reputation for domain
Threat ID Threat Type Verdict Executive Summary Campaign Malware Family Description Last Published Threat Report 55110 MALWARE Suspicious This report is part of our Emotet/Geodo series. Emotet is a malware family that was initially formed as a banking trojan but today often downloads additional malware payloads. We process very large Emotet campaigns containing thousands of stage one documents and we often find there are a small number of unique URLs and stage two payloads in each campaign. As such, you may notice these lists contain mostly document-specific IOCs, compared with fewer unique URLs and unique stage two payloads. Finance or Response Themed - OfficeMacro, Emotet/Geodo Adaptable financial crimes botnet trojan with email worm and malware delivery capabilities, also known as Emotet 2020-08-28 13:52:25 https://www.threathq.com/api/l/activethreatreport/55110/html
#
cofense-threat-report-getDownloads threat report provided by cofense intelligence of an indicator for the given unique report id.
#
Base Commandcofense-threat-report-get
#
InputArgument Name | Description | Required |
---|---|---|
report_id | Unique id to download the specified threat report. | Required |
report_format | Report format to download. Allowed types are html and pdf. Possible values are: html, pdf. Default is html. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
File.Size | Number | The size of the file. |
File.SHA1 | String | The SHA1 hash of the file. |
File.SHA256 | String | The SHA256 hash of the file. |
File.SHA512 | String | The SHA512 hash of the file. |
File.Name | String | The name of the file. |
File.SSDeep | String | The SSDeep hash of the file. |
File.EntryID | String | The entry ID of the file. |
File.Info | String | File information. |
File.Type | String | The file type. |
File.MD5 | String | The MD5 hash of the file. |
File.Extension | String | The file extension. |
#
Command example!cofense-threat-report-get report_id=290367
#
Context Example#
Human Readable OutputUploaded file: 290367.html Download
EntryID Info MD5 Name SHA1 SHA256 SHA512 SSDeep Size Type 17353@2f1342cd-06b5-4b3f-8c20-fe27a087f3a8 text/html; charset=utf-8 e61fc1a2b206650a3eb48f7856126291 290367.html bb419100bd5319a43f4f5640075f22a7716ed5f8 d5da427907395fc8cf0e2942465990486e9bdb016ff820c89511599a0ec0b86a aad5ffa7e291bb1f1528f2ed805307a8dfe9bdfae13b766e4fdbd7b9605008a2bc7eb9b177b3306de9fc113eda7c5c632f27446956394f601713cdeeaa075a43 1536:TVsXVrOaM0uEcFrlsd21G33VRxQFsUKRFdLeo0sw/x7W:4OapOlOXLisUybLeoO/4 79669 HTML document, ASCII text, with very long lines, with CRLF line terminators
#
Breaking changes from previous versions of this integrationThe following sections list the changes in this version.
#
OutputsThe following outputs were removed in this version:
In the url command:
- Cofense.URL.Data - this output was replaced by CofenseIntelligence.URL.Data.
- Cofense.URL.Malicious.Vendor - this output was replaced by CofenseIntelligence.URL.Malicious.Vendor.
- Cofense.URL.Malicious.Description - this output was replaced by CofenseIntelligence.URL.Malicious.Description.
- Cofense.URL.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.URL.Cofense.ThreatIDs.
In the file command:
- Cofense.File.MD5 - this output was replaced by CofenseIntelligence.File.MD5.
- Cofense.File.Malicious.Vendor - this output was replaced by CofenseIntelligence.File.Malicious.Vendor.
- Cofense.File.Malicious.Description - this output was replaced by CofenseIntelligence.File.Malicious.Description.
- Cofense.File.ThreatIDs - this output was replaced by CofenseIntelligence.File.ThreatIDs.
In the ip command:
- Cofense.IP.Data - this output was replaced by CofenseIntelligence.IP.Data.
- Cofense.IP.Malicious.Vendor - this output was replaced by CofenseIntelligence.IP.Malicious.Vendor.
- Cofense.IP.Malicious.Description - this output was replaced by CofenseIntelligence.IP.Malicious.Description.
- Cofense.IP.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.IP.Cofense.ThreatIDs.
In the email command:
- Account.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
- Account.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
- Cofense.Email.Data - this output was replaced by CofenseIntelligence.Email.Data.
- Cofense.Email.Malicious.Vendor - this output was replaced by CofenseIntelligence.Email.Malicious.Vendor.
- Cofense.Email.Malicious.Description - this output was replaced by CofenseIntelligence.Email.Malicious.Description.
- Cofense.Email.Cofense.ThreatIDs - this output was replaced by CofenseIntelligence.Email.Cofense.ThreatIDs.
In the cofense-search command:
- Cofense.NumOfThreats - this output was replaced by CofenseIntelligence.NumOfThreats.
- Cofense.String - this output was replaced by CofenseIntelligence.String.
#
Additional Considerations for this Version- Added an option to Limit the number of days from which we should start returning data. 90 days limit is recommended by Cofense.