Cofense Triage v3

This Integration is part of the Cofense Triage Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

The Cofense Triage v3 integration uses the Cofense Triage v2 API (previous integrations were limited to Triage v1 API) that allows users to ingest phishing reports as incident alerts and execute commands.

Security teams can ingest data from Triage such as email reporters, email reports and clusters, threat indicators, and rule matches. They can also ingest and create threat indicators, categorize reports, and obtain second-stage threat indicators from malicious emails. This integration was integrated and tested with version 1.22.0 of Cofense Triage.

This is the default integration for this content pack when configured by the Data Onboarder in Cortex XSIAM.

Some changes have been made that might affect your existing content. If you are upgrading from a previous version of this integration, see Breaking Changes.

Configure Cofense Triage v3 in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL | Server URL to connect to Cofense Triage. | True |
| Client ID | Client ID and Client Secret associated with the Server URL to connect to Cofense Triage. | True |
| Maximum number of incidents per fetch | The maximum limit is 200. | False |
| First fetch time interval | Date or relative timestamp to start fetching incidents from. (Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc.) | False |
| Report Location | Fetches the report based on the location within Cofense Triage. If not specified, it fetches all the reports. | False |
| Match Priority | Fetches reports based on the priority of the rules that match the reports. If not specified, it fetches all the reports. | False |
| Category ID | Fetches reports based on the unique identifier of the category. If not specified, it fetches all the reports. Note: Only the reports that have been processed will be retrieved. | False |
| Tags | Fetches reports based on the tags associated with the reports. If not specified, it fetches all the reports. Supports comma separated values. Note: Tags are associated with reports which are in Reconnaissance. | False |
| Categorization Tags | Fetches reports based on the tags assigned when the reported email was processed. If not specified, it fetches all the reports. Supports comma separated values. Note: Categorization tags are associated with the reports which are processed. | False |
| Incident Mirroring Direction | Choose the direction to mirror the incident: Incoming (from Cofense Triage to XSOAR). | False |
| Advanced Filters | Fetches incidents based on the advanced filters and type of the incident to be fetched. Specify the filters to filter the incidents by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Format accepted: {"attribute1_operator": "value1, value2", "attribute2_operator": "value3, value4"} For example: {"updated_at_gt":"2020-10-26T10:48:16.834Z","categorization_tags_any":"test, snow"} | False |
| Use system proxy settings | | False |
| Trust any certificate (not secure) | | False |
| Incident type | | False |
| Fetch incidents | | False |

Integration Settings Preferences

If Inbox or Reconnaissance is provided as a filter for Report Location:

  • Category ID filter cannot be used.
  • Categorization Tags filter cannot be used.

If only Processed is provided as a filter for Report Location:

  • Tags filter cannot be used.

If Category ID is used as a filter for fetch incidents:

  • The Report Location cannot be Inbox or Reconnaissance.
  • Tags filter cannot be used.

If Categorization tags are provided in fetch incident parameters:

  • The Report Location must be Processed.

If Tags are provided in fetch incident parameters:

  • The Report Location must be Reconnaissance.
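The five rules above can be checked before saving the instance. The following pre-flight validator is an added example, not part of the integration's own code; it assumes Report Location arrives as the comma-separated multi-select value of that parameter (empty meaning all locations) and that Tags and Categorization Tags arrive as comma-separated strings.

```python
# Added example (not the integration's own code): encodes the Report Location /
# Category ID / Tags / Categorization Tags constraints for fetch-incidents as a
# pre-flight check and returns every rule the combination violates.
from typing import List, Optional

INBOX, RECON, PROCESSED = "Inbox", "Reconnaissance", "Processed"
VALID_LOCATIONS = {INBOX, RECON, PROCESSED}


def _split_csv(value: Optional[str]) -> List[str]:
    """Split a comma-separated parameter value, dropping blank entries."""
    if not value:
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def validate_fetch_params(report_location: Optional[str] = None,
                          category_id: Optional[str] = None,
                          tags: Optional[str] = None,
                          categorization_tags: Optional[str] = None) -> List[str]:
    """Return the configuration errors for a fetch-incidents parameter set.

    An empty list means the combination is allowed. report_location is the
    comma-separated multi-select value (assumed format); empty means all.
    """
    errors: List[str] = []
    locations = set(_split_csv(report_location))
    unknown = locations - VALID_LOCATIONS
    if unknown:
        errors.append(f"Unknown report location(s): {', '.join(sorted(unknown))}")
        locations -= unknown
    has_tags = bool(_split_csv(tags))
    has_cat_tags = bool(_split_csv(categorization_tags))
    has_category = bool(category_id and category_id.strip())

    # Inbox or Reconnaissance selected: Category ID and Categorization Tags cannot be used.
    if locations & {INBOX, RECON}:
        if has_category:
            errors.append("Category ID cannot be used when Report Location includes Inbox or Reconnaissance")
        if has_cat_tags:
            errors.append("Categorization Tags cannot be used when Report Location includes Inbox or Reconnaissance")
    # Only Processed selected: Tags cannot be used.
    if locations == {PROCESSED} and has_tags:
        errors.append("Tags cannot be used when Report Location is only Processed")
    # Category ID excludes the Tags filter.
    if has_category and has_tags:
        errors.append("Tags filter cannot be used together with Category ID")
    # Categorization Tags require Report Location to be Processed.
    if has_cat_tags and locations != {PROCESSED}:
        errors.append("Report Location must be Processed when Categorization Tags are provided")
    # Tags require Report Location to be Reconnaissance.
    if has_tags and locations != {RECON}:
        errors.append("Report Location must be Reconnaissance when Tags are provided")
    return errors


if __name__ == "__main__":
    for params in ({"report_location": "Processed", "category_id": "1"},
                   {"report_location": "Inbox,Reconnaissance", "category_id": "1"},
                   {"report_location": "Processed", "tags": "vip"}):
        print(params, "->", validate_fetch_params(**params) or "OK")
```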

Filtering

All list commands provide a filter_by argument to filter the list by attribute values. The general filtering syntax is as follows:

{\"attribute_operator\": \"value1, value2\"}

  • attribute is the name of the attribute that the filter will be applied against.
  • operator is the comparison operator to use when comparing the attribute to the specified value. The default is EQ. You can omit this parameter if you want to use the default. See Comparison Operators for the expected syntax for other comparison operators.
  • value is the value being checked for. You can specify multiple values as a comma-separated list. Doing so returns records that match ANY of the supplied values.
  • To specify multiple filters, use a comma ( , ) to separate them (for example, {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}). Doing so returns only those records that match ALL the filters.
  • A filter can be applied against the same attribute (and operator) multiple times.

Comparison Operators

Standard Comparison Operators

  • eq: This is the default comparison operator if no operator is specified. Returns results when an attribute is equal to the supplied value.
  • not_eq: Returns results when an attribute is not equal to the supplied value.
  • lt: Returns results when an attribute is less than the supplied value.
  • lteq: Returns results when an attribute is less than or equal to the supplied value.
  • gt: Returns results when an attribute is greater than the supplied value.
  • gteq: Returns results when an attribute is greater than or equal to the supplied value.

String Comparison Operators

In addition to the standard comparison operators, string attributes can also use the following comparison operators:

  • start: Returns results when an attribute starts with the supplied value.
  • not_start: Returns results when an attribute does not start with the supplied value.
  • end: Returns results when an attribute ends with the supplied value.
  • not_end: Returns results when an attribute does not end with the supplied value.
  • cont: Returns results when an attribute contains the supplied value.
  • not_cont: Returns results when an attribute does not contain the supplied value.

Array Comparison Operators

Some resources have an array attribute that contains a list of values. Array attributes follow a common usage pattern, but the filters supported will vary.

  • any_OP: Returns resources where any value in the array matches the standard or string comparison operator (OP).

Tag List Comparison Operators

Some resources have a tag_list attribute that contains a list of Triage tags that were applied to that resource. Tag List attributes do not support the standard or string comparison operators. Attributes of this type support the following comparison operators:

  • any: Returns results when a resource is tagged with any of the specified tags.
  • all: Returns results when a resource is tagged with all of the specified tags.
  • none: Returns results when a resource is not tagged with any of the specified tags.
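To make the filter semantics concrete (default eq, comma-separated values matching ANY, multiple keys matching ALL, the string, any_OP and tag-list operators), here is an added example that parses a filter_by value and evaluates it locally against constructed records. It is not the integration's or Triage's own code; the sample records and their tag_list attribute are constructed, and the server-side evaluation may differ in details such as case sensitivity.

```python
# Added example (not the integration's own code): parse a filter_by value and
# apply the documented operator semantics to in-memory records.
import json
from typing import Any, Dict, List, Tuple

STANDARD_OPS = ("eq", "not_eq", "lt", "lteq", "gt", "gteq")
STRING_OPS = ("start", "not_start", "end", "not_end", "cont", "not_cont")
TAG_OPS = ("any", "all", "none")
# Longest operator names first so "not_eq" is not mistaken for "eq".
ALL_OPS = sorted(STANDARD_OPS + STRING_OPS + TAG_OPS, key=len, reverse=True)


def split_filter_key(key: str) -> Tuple[str, str]:
    """Split 'attribute_operator' into (attribute, operator); default is eq.
    'attribute_any_OP' on an array attribute yields operator 'any_OP'."""
    key = key.strip()
    for op in ALL_OPS:
        if key.endswith("_any_" + op):
            return key[: -(len(op) + 5)], "any_" + op
        if key.endswith("_" + op):
            return key[: -(len(op) + 1)], op
    return key, "eq"


def _compare(op: str, actual: Any, wanted: str) -> bool:
    """Apply one standard or string operator to a scalar attribute value."""
    if actual is None:
        return op.startswith("not_")
    if isinstance(actual, (int, float)) and not isinstance(actual, bool):
        try:
            left, right = float(actual), float(wanted)
        except ValueError:
            return False
    else:  # ISO 8601 timestamps compare correctly as strings
        left, right = str(actual), wanted
    if op in STANDARD_OPS:
        return {"eq": left == right, "not_eq": left != right,
                "lt": left < right, "lteq": left <= right,
                "gt": left > right, "gteq": left >= right}[op]
    s, w = str(actual), wanted
    if op in STRING_OPS:
        return {"start": s.startswith(w), "not_start": not s.startswith(w),
                "end": s.endswith(w), "not_end": not s.endswith(w),
                "cont": w in s, "not_cont": w not in s}[op]
    raise ValueError(f"unsupported operator: {op}")


def _match_tags(op: str, actual: Any, wanted: List[str]) -> bool:
    """Tag-list operators: any / all / none of the supplied tags."""
    tags, want = set(actual or []), set(wanted)
    if op == "any":
        return bool(tags & want)
    if op == "all":
        return want <= tags
    return not (tags & want)  # none


def _matches(record: Dict[str, Any], attribute: str, op: str, values: List[str]) -> bool:
    actual = record.get(attribute)
    if op in TAG_OPS:
        return _match_tags(op, actual, values)
    if op.startswith("any_"):  # array attribute: any element against any value
        return any(_compare(op[4:], item, v) for item in (actual or []) for v in values)
    # Several values for one attribute match when ANY of them matches.
    return any(_compare(op, actual, v) for v in values)


def parse_filter_by(filter_by: str) -> List[Tuple[str, str, List[str]]]:
    """Parse the filter_by JSON object into (attribute, operator, values) triples.
    Plain JSON is expected: the backslashes the XSOAR CLI needs before quotes
    are consumed before the argument reaches the integration."""
    raw = json.loads(filter_by)
    if not isinstance(raw, dict):
        raise ValueError("filter_by must be a JSON object")
    parsed = []
    for key, value in raw.items():
        attribute, op = split_filter_key(key)
        values = [v.strip() for v in str(value).split(",") if v.strip()]
        if not attribute or not values:
            raise ValueError(f"invalid filter entry: {key!r}")
        parsed.append((attribute, op, values))
    return parsed


def apply_filters(records: List[Dict[str, Any]], filter_by: str) -> List[Dict[str, Any]]:
    """Return the records that satisfy ALL filters in filter_by."""
    filters = parse_filter_by(filter_by)
    return [r for r in records if all(_matches(r, a, op, v) for a, op, v in filters)]


# Constructed sample records modelled on threat indicator attributes, plus a
# tag_list so the tag operators can be exercised (not real Triage data).
SAMPLE_INDICATORS = [
    {"id": "1", "threat_level": "Malicious", "threat_type": "SHA256", "threat_value": "dummy_hash",
     "updated_at": "2021-06-22T05:52:10.016Z", "tag_list": ["credential-phish", "vip"]},
    {"id": "2", "threat_level": "Malicious", "threat_type": "URL", "threat_value": "dummy_url",
     "updated_at": "2020-10-26T13:46:47.559Z", "tag_list": ["credential-phish"]},
    {"id": "3", "threat_level": "Benign", "threat_type": "Sender", "threat_value": "news@example.com",
     "updated_at": "2020-09-01T00:00:00.000Z", "tag_list": []},
]


def matching_ids(filter_by: str) -> List[str]:
    """IDs of the sample indicators selected by a filter_by value."""
    return [r["id"] for r in apply_filters(SAMPLE_INDICATORS, filter_by)]
```

Running `matching_ids('{"threat_level_eq": "Malicious,Benign", "updated_at_gt": "2020-10-26T10:48:16.834Z"}')` selects indicators 1 and 2: every record passes the ANY-of-values level filter, but only those two were updated after the given timestamp.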

Mirroring

The data in a Cofense Triage report can be mirrored to Cortex XSOAR so that modifications are visible when the report is updated.

For example, when a report is processed, fields such as Report Category ID and Report Location change, and the user sees the updated values of those fields in XSOAR.

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cofense-threat-indicator-list

Retrieves the list of threat indicators based on the provided parameters. Threat indicators identify the threat level of an email's subject, sender, domains, URLs, and MD5 and SHA256 attachment hash signatures.

Base Command

cofense-threat-indicator-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the threat indicator to retrieve a specific threat indicator. Note: If the 'id' argument is provided, all arguments apart from 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of threat indicators to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify a page number to retrieve the threat indicators. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the threat indicators. Note: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order. For example: threat_level, -created_at. | Optional |
| filter_by | Specify the filters to filter the list of threat indicators by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"} For example: {\"threat_level_eq\":\"Malicious,Benign\", \"updated_at_gt\":\"2020-10-26T10:48:16.834Z\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve the mentioned attributes only. For example: threat_level, threat_type, threat_value. | Optional |
| threat_level | Specify the level of the threat to retrieve the threat indicators. Some possible values are: Malicious, Suspicious, Benign. | Optional |
| threat_type | Specify the type of the threat to retrieve the threat indicators. Some possible values are: Sender, Subject, Domain, URL, MD5, SHA256, Hostname, or Header. | Optional |
| threat_value | Specify the value corresponding to the type of threat indicated in threat_type to retrieve the threat indicators. | Optional |
| threat_source | Specify the value corresponding to the source of the threat indicator. | Optional |
| created_at | Specify the date and time of creation, from when to retrieve the threat indicators. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the date and time of the last update, from when to retrieve the threat indicators. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.ThreatIndicator.id | String | Unique identifier of the threat indicator. |
| Cofense.ThreatIndicator.type | String | Type of the resource of Cofense Triage. |
| Cofense.ThreatIndicator.links.self | String | Link of the resource. |
| Cofense.ThreatIndicator.attributes.threat_level | String | The level of the threat. |
| Cofense.ThreatIndicator.attributes.threat_type | String | The type of the threat. |
| Cofense.ThreatIndicator.attributes.threat_value | String | Value corresponding to the type of threat indicated in the type of the threat. |
| Cofense.ThreatIndicator.attributes.threat_source | String | Value corresponding to the source of the threat. |
| Cofense.ThreatIndicator.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.ThreatIndicator.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.ThreatIndicator.relationships.owner.links.self | String | Link to retrieve the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.links.related | String | Link to retrieve the detailed information of the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.type | String | Type of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.id | String | Unique identifier of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.self | String | Link to retrieve the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.self | String | Link to retrieve the comments containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.related | String | Link to retrieve the detailed information of the comments containing the threat indicator. |

Command Example

!cofense-threat-indicator-list page_size=2

Context Example

{
    "Cofense": {
        "ThreatIndicator": [
            {
                "attributes": {
                    "created_at": "2020-10-26T10:47:09.675Z",
                    "threat_level": "Malicious",
                    "threat_source": "URL",
                    "threat_type": "SHA256",
                    "threat_value": "dummy_hash",
                    "updated_at": "2021-06-22T05:52:10.016Z"
                },
                "id": "1",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/threat_indicators/1"
                },
                "relationships": {
                    "comments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/1/comments",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/comments"
                        }
                    },
                    "owner": {
                        "data": {
                            "id": "3",
                            "type": "api_applications"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/1/owner",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/owner"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/1/reports",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/reports"
                        }
                    }
                },
                "type": "threat_indicators"
            },
            {
                "attributes": {
                    "created_at": "2020-10-26T13:46:47.553Z",
                    "threat_level": "Malicious",
                    "threat_source": "Triage-UI",
                    "threat_type": "URL",
                    "threat_value": "dummy_url",
                    "updated_at": "2020-10-26T13:46:47.559Z"
                },
                "id": "2",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/threat_indicators/2"
                },
                "relationships": {
                    "comments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/2/comments",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/2/relationships/comments"
                        }
                    },
                    "owner": {
                        "data": {
                            "id": "2",
                            "type": "operators"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/2/owner",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/2/relationships/owner"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/threat_indicators/2/reports",
                            "self": "https://triage.example.com/api/public/v2/threat_indicators/2/relationships/reports"
                        }
                    }
                },
                "type": "threat_indicators"
            }
        ]
    }
}

Human Readable Output

Threat Indicator(s)

| Threat Indicator ID | Threat Level | Threat Type | Threat Value | Threat Source | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Malicious | SHA256 | dummy_hash | URL | 2020-10-26T10:47:09.675Z | 2021-06-22T05:52:10.016Z |
| 2 | Malicious | URL | dummy_url | Triage-UI | 2020-10-26T13:46:47.553Z | 2020-10-26T13:46:47.559Z |

cofense-report-list

Retrieves a report or a list of reports based on the filter values provided in the command arguments.

Base Command

cofense-report-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report to retrieve a specific report. Note: If the 'id' argument is provided, all arguments apart from 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of reports to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify a page number to retrieve the reports. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the reports. Note: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order. For example: -received_at, match_priority. | Optional |
| filter_by | Specify the filters to filter the list of reports by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"} For example: {\"updated_at_gt\":\"2020-10-26T10:48:16.834Z\",\"categorization_tags_any\":\"test, snow\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve the mentioned attributes only. For example: location, from_address. | Optional |
| match_priority | Specify the priority to retrieve the reports based on the priority of the rules that match the reports. Possible values are: 0, 1, 2, 3, 4, 5. | Optional |
| tags | Specify the tags to retrieve the reports based on the tags associated with the reports. | Optional |
| categorization_tags | Specify the categorization tags to retrieve the reports based on the tags assigned when the reported email was processed. | Optional |
| report_location | Specify the location to retrieve the reports based on the location of the reported email within Cofense Triage. Some possible values are: inbox, reconnaissance, processed. | Optional |
| category_id | Specify the ID of the category to retrieve the reports based on the category of the reports. Note: When both category_id and cluster_id are provided, higher priority will be given to category_id. Note: To retrieve category_id, execute the cofense-category-list command. | Optional |
| created_at | Specify the date and time of creation, from when to retrieve the reports. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the date and time of the last update, from when to retrieve the reports. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| cluster_id | Specify the ID of the cluster to retrieve the reports present in the specific cluster. Note: When both category_id and cluster_id are provided, higher priority will be given to category_id. Note: To retrieve cluster_id, execute the cofense-cluster-list command. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Report.id | String | Unique identifier of the report. |
| Cofense.Report.type | String | Type of the resource of Cofense Triage. |
| Cofense.Report.links.self | String | Link of the resource. |
| Cofense.Report.attributes.location | String | Location of the reported email within Triage (Inbox, Reconnaissance, or Processed). |
| Cofense.Report.attributes.risk_score | Number | Risk score of the report. |
| Cofense.Report.attributes.from_address | String | Sender email address of the reported email. |
| Cofense.Report.attributes.subject | String | Subject of the reported email. |
| Cofense.Report.attributes.received_at | Date | Date and time, in ISO 8601 format, when the reporter received the email. |
| Cofense.Report.attributes.reported_at | Date | Date and time, in ISO 8601 format, when the reporter reported the email. |
| Cofense.Report.attributes.raw_headers | String | Headers of the reported email. |
| Cofense.Report.attributes.text_body | String | Text body of the reported email. |
| Cofense.Report.attributes.html_body | String | HTML body of the reported email. |
| Cofense.Report.attributes.md5 | String | MD5 hash signature of the reported email. |
| Cofense.Report.attributes.sha256 | String | SHA256 hash signature of the reported email. |
| Cofense.Report.attributes.match_priority | Number | Highest priority of a rule matching the reported email. |
| Cofense.Report.attributes.tags | Unknown | Tags associated with the report. |
| Cofense.Report.attributes.categorization_tags | Unknown | Tags assigned when the reported email was processed. |
| Cofense.Report.attributes.processed_at | Date | Date and time, in ISO 8601 format, when the reported email was processed. If the reported email is still in Inbox or Recon, the response contains a null value. |
| Cofense.Report.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Report.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Report.relationships.assignee.links.self | String | Link to retrieve the operator assigned to the report. |
| Cofense.Report.relationships.assignee.links.related | String | Link to retrieve the detailed information of the operator assigned to the report. |
| Cofense.Report.relationships.assignee.data.type | String | Type of the assignee associated with the report. |
| Cofense.Report.relationships.assignee.data.id | String | Unique identifier of the assignee associated with the report. |
| Cofense.Report.relationships.category.links.self | String | Link to retrieve the category assigned to the report. |
| Cofense.Report.relationships.category.links.related | String | Link to retrieve the detailed information of the category assigned to the report. |
| Cofense.Report.relationships.category.data.type | String | Type of the category associated with the report. |
| Cofense.Report.relationships.category.data.id | String | Unique identifier of the category associated with the report. |
| Cofense.Report.relationships.cluster.links.self | String | Link to retrieve the cluster of the report. |
| Cofense.Report.relationships.cluster.links.related | String | Link to retrieve the detailed information of the cluster of the report. |
| Cofense.Report.relationships.cluster.data.type | String | Type of the cluster context associated with the report. |
| Cofense.Report.relationships.cluster.data.id | String | Unique identifier of the cluster context associated with the report. |
| Cofense.Report.relationships.reporter.links.self | String | Link to retrieve the reporter of the report. |
| Cofense.Report.relationships.reporter.links.related | String | Link to retrieve the detailed information of the reporter of the report. |
| Cofense.Report.relationships.reporter.data.type | String | Type of the reporter associated with the report. |
| Cofense.Report.relationships.reporter.data.id | String | Unique identifier of the reporter associated with the report. |
| Cofense.Report.relationships.attachment_payloads.links.self | String | Link to retrieve the payloads of attachments associated with the report. |
| Cofense.Report.relationships.attachment_payloads.links.related | String | Link to retrieve the detailed information of the payloads of attachments associated with the report. |
| Cofense.Report.relationships.attachments.links.self | String | Link to retrieve the attachments to the reported email. |
| Cofense.Report.relationships.attachments.links.related | String | Link to retrieve the detailed information of the attachments to the reported email. |
| Cofense.Report.relationships.domains.links.self | String | Link to retrieve the domain of the report. |
| Cofense.Report.relationships.domains.links.related | String | Link to retrieve the detailed information of the domain of the report. |
| Cofense.Report.relationships.headers.links.self | String | Link to retrieve the headers of the report. |
| Cofense.Report.relationships.headers.links.related | String | Link to retrieve the detailed information of the headers of the report. |
| Cofense.Report.relationships.hostnames.links.self | String | Link to retrieve the hostnames of URLs associated with the report. |
| Cofense.Report.relationships.hostnames.links.related | String | Link to retrieve the detailed information of the hostnames of URLs associated with the report. |
| Cofense.Report.relationships.urls.links.self | String | Link to retrieve the URLs associated with the report. |
| Cofense.Report.relationships.urls.links.related | String | Link to retrieve the detailed information of the URLs associated with the report. |
| Cofense.Report.relationships.rules.links.self | String | Link to retrieve the rules matching the report. |
| Cofense.Report.relationships.rules.links.related | String | Link to retrieve the detailed information of the rules matching the report. |
| Cofense.Report.relationships.threat_indicators.links.self | String | Link to retrieve the threat indicators identified in the report. |
| Cofense.Report.relationships.threat_indicators.links.related | String | Link to retrieve the detailed information of the threat indicators identified in the report. |
| Cofense.Report.relationships.comments.links.self | String | Link to retrieve the comments of the report. |
| Cofense.Report.relationships.comments.links.related | String | Link to retrieve the detailed information of the comments of the report. |
| Cofense.Report.meta.risk_score_summary.integrations | Number | Number of integrations associated with the report. |
| Cofense.Report.meta.risk_score_summary.vip | Number | Number of VIP reporters of the report. |
| Cofense.Report.meta.risk_score_summary.reporter | Number | Number of reporters of the report. |
| Cofense.Report.meta.risk_score_summary.rules | Number | Number of the rules associated with the report. |

Command Example

!cofense-report-list page_size=2

Context Example

{
    "Cofense": {
        "Report": [
            {
                "attributes": {
                    "created_at": "2020-10-21T20:54:23.444Z",
                    "html_body": "dummy html body",
                    "location": "Processed",
                    "match_priority": 0,
                    "md5": "12345727a75f1231be55c9d47513f510",
                    "processed_at": "2021-06-22T05:56:04.472Z",
                    "raw_headers": "dummy raw headers",
                    "received_at": "2019-11-08T17:28:19.000Z",
                    "reported_at": "2019-11-08T17:17:05.000Z",
                    "risk_score": 15,
                    "sha256": "123c12345c3131479335d5d118da42118e802a48f4bc91992b8e93f87ec95f5c",
                    "subject": "IBM X-Force Exchange Notifications",
                    "text_body": "dummy text body",
                    "updated_at": "2021-06-22T05:44:47.075Z"
                },
                "id": "4",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/reports/4"
                },
                "meta": {
                    "risk_score_summary": {
                        "integrations": 0,
                        "reporter": 15,
                        "rules": 0,
                        "vip": 0
                    }
                },
                "relationships": {
                    "assignee": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/assignee",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/assignee"
                        }
                    },
                    "attachment_payloads": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/attachment_payloads",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/attachment_payloads"
                        }
                    },
                    "attachments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/attachments",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/attachments"
                        }
                    },
                    "category": {
                        "data": {
                            "id": "1",
                            "type": "categories"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/category",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/category"
                        }
                    },
                    "cluster": {
                        "data": {
                            "id": "1",
                            "type": "clusters"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/cluster",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/cluster"
                        }
                    },
                    "comments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/comments",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/comments"
                        }
                    },
                    "domains": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/domains",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/domains"
                        }
                    },
                    "headers": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/headers",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/headers"
                        }
                    },
                    "hostnames": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/hostnames",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/hostnames"
                        }
                    },
                    "reporter": {
                        "data": {
                            "id": "4",
                            "type": "reporters"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/reporter",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/reporter"
                        }
                    },
                    "rules": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/rules",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/rules"
                        }
                    },
                    "threat_indicators": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/threat_indicators",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/threat_indicators"
                        }
                    },
                    "urls": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/4/urls",
                            "self": "https://triage.example.com/api/public/v2/reports/4/relationships/urls"
                        }
                    }
                },
                "type": "reports"
            },
            {
                "attributes": {
                    "categorization_tags": [
                        "testingPhantom"
                    ],
                    "created_at": "2020-10-21T20:54:25.974Z",
                    "html_body": "dummy html body",
                    "location": "Processed",
                    "match_priority": 0,
                    "md5": "123456f87ce51c42ef80b74e96a3b161",
                    "processed_at": "2021-06-15T10:03:02.941Z",
                    "raw_headers": "dummy raw header",
                    "received_at": "2019-11-08T20:00:25.000Z",
                    "reported_at": "2019-11-08T19:50:17.000Z",
                    "risk_score": 8,
                    "sha256": "f1d4ff19af66c7e04c5ac123456c961b2e2b0e837ddd33461fa3730e4f5ceab1",
                    "subject": "(Hey), Developer!",
                    "text_body": "dummy text body",
                    "updated_at": "2021-06-15T10:03:03.739Z"
                },
                "id": "6",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/reports/6"
                },
                "meta": {
                    "risk_score_summary": {
                        "integrations": 0,
                        "reporter": 8,
                        "rules": 0,
                        "vip": 0
                    }
                },
                "relationships": {
                    "assignee": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/assignee",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/assignee"
                        }
                    },
                    "attachment_payloads": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/attachment_payloads",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/attachment_payloads"
                        }
                    },
                    "attachments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/attachments",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/attachments"
                        }
                    },
                    "category": {
                        "data": {
                            "id": "1",
                            "type": "categories"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/category",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/category"
                        }
                    },
                    "cluster": {
                        "data": {
                            "id": "2",
                            "type": "clusters"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/cluster",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/cluster"
                        }
                    },
                    "comments": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/comments",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/comments"
                        }
                    },
                    "domains": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/domains",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/domains"
                        }
                    },
                    "headers": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/headers",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/headers"
                        }
                    },
                    "hostnames": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/hostnames",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/hostnames"
                        }
                    },
                    "reporter": {
                        "data": {
                            "id": "6",
                            "type": "reporters"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/reporter",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/reporter"
                        }
                    },
                    "rules": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/rules",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/rules"
                        }
                    },
                    "threat_indicators": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/threat_indicators",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/threat_indicators"
                        }
                    },
                    "urls": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/reports/6/urls",
                            "self": "https://triage.example.com/api/public/v2/reports/6/relationships/urls"
                        }
                    }
                },
                "type": "reports"
            }
        ]
    }
}

Human Readable Output

Report(s)

| Report ID | Subject | Match Priority | Location | MD5 | SHA256 | Created At |
| --- | --- | --- | --- | --- | --- | --- |
| 4 | IBM X-Force Exchange Notifications | 0 | Processed | 12345727a75f1231be55c9d47513f510 | 123c12345c3131479335d5d118da42118e802a48f4bc91992b8e93f87ec95f5c | 2020-10-21T20:54:23.444Z |
| 6 | (Hey), Developer! | 0 | Processed | 123456f87ce51c42ef80b74e96a3b161 | f1d4ff19af66c7e04c5ac123456c961b2e2b0e837ddd33461fa3730e4f5ceab1 | 2020-10-21T20:54:25.974Z |

cofense-report-download

Downloads the raw email for the report that matches the specified report ID.

Base Command

cofense-report-download

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report to download the email file. Note: To retrieve id, execute the cofense-report-list command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | String | File size in bytes. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SHA512 | String | SHA512 hash of the file. |
| File.Name | String | File name. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.EntryID | Unknown | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | MD5 hash of the file. |
| File.Extension | String | The file extension. |

Command Example

!cofense-report-download id=4

Context Example

{
    "File": {
        "EntryID": "12345@24e2b8bb-acd8-4ad6-8f7c-5140d65ea600",
        "Extension": "eml",
        "Info": "eml",
        "MD5": "12345727a75f1231be55c9d47513f510",
        "Name": "Report ID - 4.eml",
        "SHA1": "3db21fa900493764134a0fb93867cd712086ad1c",
        "SHA256": "123c12345c3131479335d5d118da42118e802a48f4bc91992b8e93f87ec95f5c",
        "SHA512": "d2e415d721796901ed9867570b62604ac5ee48e0c4a4541a0e5e12345678eaa89a2873ffff61b024ec867f9f0c4a45ddf6534be718393e087e6da017a071a723",
        "SSDeep": "12:sentTp60+VqTKBV+VUllVDVSm+s1C1609QfzYxVNtMt7JvVNtMtZTRVNtMtO6hFC:smVp6DJV+6ku8QfzYr",
        "Size": 10069,
        "Type": "HTML document, ASCII text, with CRLF line terminators"
    }
}

#### Human Readable Output

Uploaded file: Report ID - 4.eml

| Property | Value |
| --- | --- |
| Type | eml |
| Size | 10,069 bytes |
| Info | HTML document, ASCII text, with CRLF line terminators |
| MD5 | 12345727a75f1231be55c9d47513f510 |
| SHA1 | 3db21fa900493764134a0fb93867cd712086ad1c |
| SHA256 | 123c12345c3131479335d5d118da42118e802a48f4bc91992b8e93f87ec95f5c |
| SHA512 | d2e415d721796901ed9867570b62604ac5ee48e0c4a4541a0e5e12345678eaa89a2873ffff61b024ec867f9f0c4a45ddf6534be718393e087e6da017a071a723 |
| SSDeep | 12:sentTp60+VqTKBV+VUllVDVSm+s1C1609QfzYxVNtMt7JvVNtMtZTRVNtMtO6hFC:smVp6DJV+6ku8QfzYr |

### cofense-report-categorize

Categorizes a report into the category specified by the user.

#### Base Command

`cofense-report-categorize`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report to be categorized. Note: To retrieve the id, execute the cofense-report-list command. | Required |
| category_id | Specify the ID of the category into which the report is to be categorized. Note: To retrieve the category_id, execute the cofense-category-list command. | Required |
| categorization_tags | Specify the tags to assign to the report. | Optional |

#### Context Output

There is no context output for this command.

#### Command Example

```
!cofense-report-categorize category_id=1 id=4
```

#### Human Readable Output

Report with ID = 4 is categorized successfully.

### cofense-report-attachment-payload-list

Retrieves the attachment payloads of the report whose ID is provided in the command arguments. An attachment payload records the MIME type and the MD5 and SHA256 hashes of a reported email attachment.

#### Base Command

`cofense-report-attachment-payload-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report whose attachment payloads are to be retrieved. | Required |
| page_size | Specify the number of attachment payloads to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of attachment payloads to retrieve. Default is 1. | Optional |
| created_at | Specify the creation date and time from which to retrieve attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.AttachmentPayload.id | String | Unique identifier of the attachment payload. |
| Cofense.AttachmentPayload.type | String | Type of the Cofense Triage resource. |
| Cofense.AttachmentPayload.links.self | String | Link of the resource. |
| Cofense.AttachmentPayload.attributes.mime_type | String | MIME type of the payload. |
| Cofense.AttachmentPayload.attributes.md5 | String | MD5 hash of the payload. |
| Cofense.AttachmentPayload.attributes.sha256 | String | SHA256 hash of the payload. |
| Cofense.AttachmentPayload.attributes.risk_score | Number | Risk score of the payload. |
| Cofense.AttachmentPayload.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.AttachmentPayload.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.AttachmentPayload.relationships.attachments.links.self | String | Link to retrieve the attachment containing the payload. |
| Cofense.AttachmentPayload.relationships.attachments.links.related | String | Link to retrieve the detailed information of the attachment containing the payload. |
| Cofense.AttachmentPayload.relationships.clusters.links.self | String | Link to retrieve the cluster of reports containing the payload. |
| Cofense.AttachmentPayload.relationships.clusters.links.related | String | Link to retrieve the detailed information of the cluster of reports containing the payload. |
| Cofense.AttachmentPayload.relationships.integration_submissions.links.self | String | Link to retrieve the integration submissions related to the attachment. |
| Cofense.AttachmentPayload.relationships.integration_submissions.links.related | String | Link to retrieve the detailed information of the integration submissions related to the attachment. |
| Cofense.AttachmentPayload.relationships.reports.links.self | String | Link to retrieve the report whose attachments contain the payload. |
| Cofense.AttachmentPayload.relationships.reports.links.related | String | Link to retrieve the detailed information of the report whose attachments contain the payload. |

#### Command Example

```
!cofense-report-attachment-payload-list id=47024 page_size=2
```

#### Context Example

```json
{
    "Cofense": {
        "AttachmentPayload": [
            {
                "attributes": {
                    "created_at": "2020-10-21T20:57:56.750Z",
                    "md5": "99a9eb2612d7e84c5402fde1114c53ee",
                    "mime_type": "application/xml; charset=us-ascii",
                    "risk_score": 0,
                    "sha256": "22b3e2a4f41a0a0b6c93cd0da7b28b84a2375b815f787624e81acaaf32a5d191",
                    "updated_at": "2022-03-08T20:20:32.561Z"
                },
                "id": "74",
                "links": {
                    "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74"
                },
                "relationships": {
                    "attachments": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/attachments",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/relationships/attachments"
                        }
                    },
                    "clusters": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/clusters",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/relationships/clusters"
                        }
                    },
                    "integration_submissions": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/integration_submissions",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/relationships/integration_submissions"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/reports",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/74/relationships/reports"
                        }
                    }
                },
                "type": "attachment_payloads"
            },
            {
                "attributes": {
                    "created_at": "2020-10-21T20:57:56.940Z",
                    "md5": "61da9c47fff9b04e59b951aa700c7980",
                    "mime_type": "image/png; charset=binary",
                    "sha256": "7757f5392a8971b280464ae0d760b04980b82a9a2a3105c2bd6c9293ff7f9b9a",
                    "updated_at": "2020-10-21T20:57:56.940Z"
                },
                "id": "78",
                "links": {
                    "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78"
                },
                "relationships": {
                    "attachments": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/attachments",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/relationships/attachments"
                        }
                    },
                    "clusters": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/clusters",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/relationships/clusters"
                        }
                    },
                    "integration_submissions": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/integration_submissions",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/relationships/integration_submissions"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/reports",
                            "self": "https://reltest6.phishmecloud.com/api/public/v2/attachment_payloads/78/relationships/reports"
                        }
                    }
                },
                "type": "attachment_payloads"
            }
        ]
    }
}
```

#### Human Readable Output

##### Attachment Payload(s)

| Attachment Payload ID | Mime Type | MD5 | SHA256 | Risk Score | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 74 | application/xml; charset=us-ascii | 99a9eb2612d7e84c5402fde1114c53ee | 22b3e2a4f41a0a0b6c93cd0da7b28b84a2375b815f787624e81acaaf32a5d191 | 0 | 2020-10-21T20:57:56.750Z | 2022-03-08T20:20:32.561Z |
| 78 | image/png; charset=binary | 61da9c47fff9b04e59b951aa700c7980 | 7757f5392a8971b280464ae0d760b04980b82a9a2a3105c2bd6c9293ff7f9b9a |  | 2020-10-21T20:57:56.940Z | 2020-10-21T20:57:56.940Z |

### cofense-report-attachment-list

Retrieves the attachments of the report whose ID is provided in the command arguments. For reported emails that contain attachments, Cofense Triage captures each attachment's filename and size.

#### Base Command

`cofense-report-attachment-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report whose attachments are to be retrieved. | Required |
| page_size | Specify the number of attachments to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of attachments to retrieve. Default is 1. | Optional |
| created_at | Specify the creation date and time from which to retrieve attachments. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve attachments. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Attachment.id | String | Unique identifier of the attachment. |
| Cofense.Attachment.type | String | Type of the Cofense Triage resource. |
| Cofense.Attachment.links.self | String | Link of the resource. |
| Cofense.Attachment.attributes.filename | String | Name of the attachment file. |
| Cofense.Attachment.attributes.size | Number | Attachment size in bytes. |
| Cofense.Attachment.attributes.is_child | Boolean | Whether the attachment is a child of another attachment (true) or not (false). |
| Cofense.Attachment.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Attachment.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Attachment.relationships.attachment_payload.links.self | String | Link to retrieve the attachment payload associated with the attachment. |
| Cofense.Attachment.relationships.attachment_payload.links.related | String | Link to retrieve the detailed information of the attachment payload associated with the attachment. |
| Cofense.Attachment.relationships.attachment_payload.data.type | String | Type indicating an attachment payload. |
| Cofense.Attachment.relationships.attachment_payload.data.id | String | Unique identifier of the attachment payload associated with the attachment. |
| Cofense.Attachment.relationships.parent.links.self | String | Link to retrieve the parent of the attachment. |
| Cofense.Attachment.relationships.parent.links.related | String | Link to retrieve the detailed information of the parent of the attachment. |
| Cofense.Attachment.relationships.parent.data.type | String | Type indicating the parent of the attachment. |
| Cofense.Attachment.relationships.parent.data.id | String | Unique identifier of the parent of the attachment. |
| Cofense.Attachment.relationships.reports.links.self | String | Link to retrieve the report associated with the attachment. |
| Cofense.Attachment.relationships.reports.links.related | String | Link to retrieve the detailed information of the report associated with the attachment. |
| Cofense.Attachment.relationships.reports.data.type | String | Type indicating a report. |
| Cofense.Attachment.relationships.reports.data.id | String | Unique identifier of the report associated with the attachment. |

#### Command Example

```
!cofense-report-attachment-list id=30339 page_size=2
```

#### Context Example

```json
{
    "Cofense": {
        "Attachment": [
            {
                "id": "30339",
                "type": "attachments",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/attachments/30339"
                },
                "attributes": {
                    "filename": "Invoice.xlsm",
                    "size": 100000,
                    "is_child": false,
                    "created_at": "2023-04-09T13:25:28.540Z",
                    "updated_at": "2023-04-09T13:25:28.540Z"
                },
                "relationships": {
                    "attachment_payload": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30339/relationships/attachment_payload",
                            "related": "https://triage.example.com/api/public/v2/attachments/30339/attachment_payload"
                        },
                        "data": {
                            "type": "attachment_payloads",
                            "id": "1452"
                        }
                    },
                    "parent": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30339/relationships/parent",
                            "related": "https://triage.example.com/api/public/v2/attachments/30339/parent"
                        }
                    },
                    "report": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30339/relationships/report",
                            "related": "https://triage.example.com/api/public/v2/attachments/30339/report"
                        },
                        "data": {
                            "type": "reports",
                            "id": "47024"
                        }
                    }
                }
            },
            {
                "id": "30340",
                "type": "attachments",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/attachments/30340"
                },
                "attributes": {
                    "filename": "docProps/app.xml",
                    "size": 700,
                    "is_child": true,
                    "created_at": "2023-04-09T13:25:29.249Z",
                    "updated_at": "2023-04-09T13:25:29.249Z"
                },
                "relationships": {
                    "attachment_payload": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30340/relationships/attachment_payload",
                            "related": "https://triage.example.com/api/public/v2/attachments/30340/attachment_payload"
                        },
                        "data": {
                            "type": "attachment_payloads",
                            "id": "74"
                        }
                    },
                    "parent": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30340/relationships/parent",
                            "related": "https://triage.example.com/api/public/v2/attachments/30340/parent"
                        },
                        "data": {
                            "type": "attachments",
                            "id": "30339"
                        }
                    },
                    "report": {
                        "links": {
                            "self": "https://triage.example.com/api/public/v2/attachments/30340/relationships/report",
                            "related": "https://triage.example.com/api/public/v2/attachments/30340/report"
                        },
                        "data": {
                            "type": "reports",
                            "id": "47024"
                        }
                    }
                }
            }
        ]
    }
}
```

#### Human Readable Output

##### Attachment(s)

| Attachment ID | File Name | File Size in Bytes | Is Child | Created At | Updated At |
| --- | --- | --- | --- | --- | --- |
| 30339 | Invoice.xlsm | 100000 | false | 2023-04-09T13:25:28.540Z | 2023-04-09T13:25:28.540Z |
| 30340 | docProps/app.xml | 700 | true | 2023-04-09T13:25:29.249Z | 2023-04-09T13:25:29.249Z |
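To show how the outputs of cofense-report-attachment-list and cofense-report-attachment-payload-list fit together, here is an added Python example (not part of the integration) that nests child attachments under their parent using the `parent` relationship and `is_child` flag, and resolves each attachment's `attachment_payload` id against the payload list to get its MIME type and hashes. The inputs are trimmed copies of the two context examples above; a payload that was not in the fetched payload page (such as id 1452 here) is reported as unknown rather than dropped.

```python
"""Correlate attachment and attachment-payload context output from Cofense Triage v3.

Added example, not the integration's own code. The sample dicts below are
constructed from the context examples on this page (trimmed to the fields used).
"""
from __future__ import annotations

from typing import Any

# Constructed sample: trimmed Cofense.Attachment context of
# !cofense-report-attachment-list id=30339 page_size=2
ATTACHMENTS: list[dict[str, Any]] = [
    {
        "id": "30339",
        "attributes": {"filename": "Invoice.xlsm", "size": 100000, "is_child": False},
        "relationships": {
            "attachment_payload": {"data": {"type": "attachment_payloads", "id": "1452"}},
            "parent": {},  # top-level attachment: no parent data
            "report": {"data": {"type": "reports", "id": "47024"}},
        },
    },
    {
        "id": "30340",
        "attributes": {"filename": "docProps/app.xml", "size": 700, "is_child": True},
        "relationships": {
            "attachment_payload": {"data": {"type": "attachment_payloads", "id": "74"}},
            "parent": {"data": {"type": "attachments", "id": "30339"}},
            "report": {"data": {"type": "reports", "id": "47024"}},
        },
    },
]

# Constructed sample: trimmed Cofense.AttachmentPayload context of
# !cofense-report-attachment-payload-list id=47024 page_size=2
PAYLOADS: list[dict[str, Any]] = [
    {
        "id": "74",
        "attributes": {
            "mime_type": "application/xml; charset=us-ascii",
            "md5": "99a9eb2612d7e84c5402fde1114c53ee",
            "sha256": "22b3e2a4f41a0a0b6c93cd0da7b28b84a2375b815f787624e81acaaf32a5d191",
            "risk_score": 0,
        },
    },
    {
        "id": "78",
        "attributes": {
            "mime_type": "image/png; charset=binary",
            "md5": "61da9c47fff9b04e59b951aa700c7980",
            "sha256": "7757f5392a8971b280464ae0d760b04980b82a9a2a3105c2bd6c9293ff7f9b9a",
        },
    },
]


def _rel_id(item: dict[str, Any], name: str) -> str | None:
    """Return the related resource id for relationship `name`, or None if it has no data."""
    data = item.get("relationships", {}).get(name, {}).get("data")
    return data.get("id") if data else None


def index_payloads(payloads: list[dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Map attachment payload id -> its attributes (MIME type, hashes, risk score)."""
    return {p["id"]: p.get("attributes", {}) for p in payloads}


def build_attachment_tree(attachments: list[dict[str, Any]],
                          payloads: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Nest child attachments under their parent and attach payload data to each node.

    A child whose parent is not in `attachments` (for example, on another page
    of results) is kept as a top-level node instead of being lost.
    """
    by_payload = index_payloads(payloads)
    nodes: dict[str, dict[str, Any]] = {}
    for att in attachments:
        attrs = att.get("attributes", {})
        payload_id = _rel_id(att, "attachment_payload")
        nodes[att["id"]] = {
            "id": att["id"],
            "filename": attrs.get("filename"),
            "size": attrs.get("size"),
            "is_child": bool(attrs.get("is_child")),
            "payload_id": payload_id,
            # None when the payload id was not in the fetched payload list
            "payload": by_payload.get(payload_id) if payload_id else None,
            "children": [],
        }
    roots: list[dict[str, Any]] = []
    for att in attachments:
        node = nodes[att["id"]]
        parent_id = _rel_id(att, "parent")
        if parent_id and parent_id in nodes:
            nodes[parent_id]["children"].append(node)
        else:
            roots.append(node)
    return roots


def collect_hashes(roots: list[dict[str, Any]]) -> list[tuple[str, str]]:
    """Flatten the tree into (filename, sha256) pairs for attachments with a known payload."""
    out: list[tuple[str, str]] = []
    stack = list(roots)
    while stack:
        node = stack.pop()
        if node["payload"] and node["payload"].get("sha256"):
            out.append((node["filename"], node["payload"]["sha256"]))
        stack.extend(node["children"])
    return out
```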

### cofense-report-attachment-download

Downloads the attachment for the specified attachment ID.

#### Base Command

`cofense-report-attachment-download`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the attachment whose file is to be downloaded. Note: To retrieve the id, execute the cofense-report-attachment-list command. | Required |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | String | File size in bytes. |
| File.SHA1 | String | SHA1 hash of the file. |
| File.SHA256 | String | SHA256 hash of the file. |
| File.SHA512 | String | SHA512 hash of the file. |
| File.Name | String | File name. |
| File.SSDeep | String | SSDeep hash of the file. |
| File.EntryID | Unknown | The entry ID of the file. |
| File.Info | String | File information. |
| File.Type | String | The file type. |
| File.MD5 | String | MD5 hash of the file. |
| File.Extension | String | The file extension. |

#### Command Example

```
!cofense-report-attachment-download id=30
```

#### Context Example

```json
{
    "File": {
        "EntryID": "3000@80068006-8006-8006-8006-800680068006",
        "Extension": "xml",
        "Type": "text/xml; charset=utf-8",
        "MD5": "11111111111111111111111111111111",
        "Name": "xl/sharedStrings.xml",
        "SHA1": "1111111111111111111111111111111111111111",
        "SHA256": "1111111111111111111111111111111111111111111111111111111111111111",
        "SHA512": "11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111",
        "SSDeep": "3:111111111111111111111111111111111111111111111111111111111111:111111111111111111111111",
        "Size": 206,
        "Info": "XML 1.0 document, ASCII text, with CRLF line terminators"
    }
}
```

#### Human Readable Output

Uploaded file: xl/sharedStrings.xml

| Property | Value |
| --- | --- |
| Type | text/xml; charset=utf-8 |
| Size | 206 bytes |
| Info | XML 1.0 document, ASCII text, with CRLF line terminators |
| MD5 | 11111111111111111111111111111111 |
| SHA1 | 1111111111111111111111111111111111111111 |
| SHA256 | 1111111111111111111111111111111111111111111111111111111111111111 |
| SHA512 | 11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 |
| SSDeep | 3:111111111111111111111111111111111111111111111111111111111111:111111111111111111111111 |

### cofense-category-list

Retrieves categories based on the provided parameters. Categories are applied while processing an email to indicate the type of threat (or non-threat) that reports and clusters pose to the organization.

#### Base Command

`cofense-category-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the category to retrieve a specific category. Note: If the 'id' argument is provided, all other arguments except 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of categories to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of categories to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the categories by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: score, -name. | Optional |
| filter_by | Specify the filters to apply to the list of categories by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (`\`) before quotes. Format accepted: `{\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}`. For example: `{\"score_gteq\":\"2,10\", \"updated_at_gt\":\"2020-10-26T10:48:16.834Z\"}`. | Optional |
| fields_to_retrieve | Specify the attributes to retrieve; only the listed fields are returned. For example: name, score. | Optional |
| name | Specify the name of the category to retrieve. | Optional |
| is_malicious | Specify whether to retrieve malicious (true) or non-malicious (false) categories. Possible values are: true, false. | Optional |
| score | Specify the score of the categories to retrieve. | Optional |
| created_at | Specify the creation date and time from which to retrieve categories. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve categories. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Category.id | String | Unique identifier of the category. |
| Cofense.Category.type | String | Type of the Cofense Triage resource. |
| Cofense.Category.links.self | String | Link of the resource. |
| Cofense.Category.attributes.name | String | Display name of the category. |
| Cofense.Category.attributes.score | Number | Value added to a reporter's reputation score when a report is processed with the category. |
| Cofense.Category.attributes.malicious | Boolean | Whether the category is used to classify malicious reports (true) or not (false). The default is true. |
| Cofense.Category.attributes.color | String | Color, represented as a hexadecimal value, assigned to the category. |
| Cofense.Category.attributes.archived | Boolean | Whether the category is archived (true) or not (false). The default is false. |
| Cofense.Category.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Category.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Category.relationships.one_clicks.links.self | String | Link to retrieve the one-click categorizations that process reports with the category. |
| Cofense.Category.relationships.one_clicks.links.related | String | Link to retrieve the detailed information of the one-click categorizations that process reports with the category. |
| Cofense.Category.relationships.reports.links.self | String | Link to retrieve the reports processed with the category. |
| Cofense.Category.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports processed with the category. |

#### Command Example

```
!cofense-category-list page_size=2
```

#### Context Example

```json
{
    "Cofense": {
        "Category": [
            {
                "attributes": {
                    "archived": false,
                    "color": "#739d75",
                    "created_at": "2020-10-21T15:30:56.280Z",
                    "malicious": false,
                    "name": "Non-Malicious",
                    "score": -5,
                    "updated_at": "2020-10-21T15:30:56.280Z"
                },
                "id": "1",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/categories/1"
                },
                "relationships": {
                    "one_clicks": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/categories/1/one_clicks",
                            "self": "https://triage.example.com/api/public/v2/categories/1/relationships/one_clicks"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/categories/1/reports",
                            "self": "https://triage.example.com/api/public/v2/categories/1/relationships/reports"
                        }
                    }
                },
                "type": "categories"
            },
            {
                "attributes": {
                    "archived": false,
                    "color": "#58899a",
                    "created_at": "2020-10-21T15:30:56.280Z",
                    "malicious": false,
                    "name": "Spam",
                    "score": 0,
                    "updated_at": "2020-10-21T15:30:56.280Z"
                },
                "id": "2",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/categories/2"
                },
                "relationships": {
                    "one_clicks": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/categories/2/one_clicks",
                            "self": "https://triage.example.com/api/public/v2/categories/2/relationships/one_clicks"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/categories/2/reports",
                            "self": "https://triage.example.com/api/public/v2/categories/2/relationships/reports"
                        }
                    }
                },
                "type": "categories"
            }
        ]
    }
}
```

#### Human Readable Output

##### Categories

| Category ID | Name | Malicious | Archived | Created At | Updated At |
| --- | --- | --- | --- | --- | --- |
| 1 | Non-Malicious | false | false | 2020-10-21T15:30:56.280Z | 2020-10-21T15:30:56.280Z |
| 2 | Spam | false | false | 2020-10-21T15:30:56.280Z | 2020-10-21T15:30:56.280Z |

### cofense-rule-list

Retrieves rules based on the filter values provided in the command arguments. Rules identify specific characteristics used to categorize reported emails.

#### Base Command

`cofense-rule-list`

#### Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the rule to retrieve a specific rule. Note: If the 'id' argument is provided, all other arguments except 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of rules to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of rules to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the rules by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: -name, priority. | Optional |
| filter_by | Specify the filters to apply to the list of rules by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (`\`) before quotes. Format accepted: `{\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}`. For example: `{\"priority_eq\":\"2,3\", \"name_cont\":\"Test\"}`. | Optional |
| fields_to_retrieve | Specify the attributes to retrieve; only the listed fields are returned. For example: name, description. | Optional |
| name | Specify the name of the rule to retrieve. | Optional |
| priority | Specify the priority of the rules to retrieve. Some possible values are: 1, 2, 3, 4, 5. | Optional |
| tags | Specify the tags associated with the rules to retrieve. | Optional |
| scope | Specify the scope of the rules to retrieve. Some possible values are: email, attachment, header, reporter email. | Optional |
| active | Specify whether to retrieve active rules or not. Possible values are: true, false. | Optional |
| author_name | Specify the author name of the rules to retrieve. | Optional |
| rule_context | Specify the rule context of the rules to retrieve. Some possible values are: internal safe, unwanted, threat hunting, phishing tactic, cleanup, unknown. | Optional |
| created_at | Specify the creation date and time from which to retrieve rules. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve rules. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

#### Context Output

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Rule.id | String | Unique identifier of the rule. |
| Cofense.Rule.type | String | Type of the Cofense Triage resource. |
| Cofense.Rule.links.self | String | Link of the resource. |
| Cofense.Rule.attributes.name | String | Short display name of the rule. |
| Cofense.Rule.attributes.description | String | Expanded name or description of the rule. |
| Cofense.Rule.attributes.priority | Number | Priority of the rule. Priorities in Cofense Triage go from 1 to 5. Priority 5 is the highest, or most critical. |
| Cofense.Rule.attributes.tags | Unknown | Tags assigned to the rule. |
| Cofense.Rule.attributes.scope | String | Scope that determines which part of a report the rule applies to (Email, Attachment, Header, or Reporter Email). |
| Cofense.Rule.attributes.author_name | String | Name of the author of the rule. |
| Cofense.Rule.attributes.rule_context | String | Description that best represents what the user wants the rule to do (Internal Safe, Unwanted, Threat Hunting, Phishing Tactic, or Cleanup). |
| Cofense.Rule.attributes.active | Boolean | Whether the rule is active (true) or not active (false). |
| Cofense.Rule.attributes.content | String | YARA-compliant meta, strings, and conditions that define the contents of the rule. |
| Cofense.Rule.attributes.time_to_live | String | Time period that best represents the useful lifespan of the rule (Forever, 1 Week, 1 Month, 1 Year). |
| Cofense.Rule.attributes.share_with_cofense | Boolean | Whether the rule content is shared with the Cofense Triage Community Exchange (true) or not (false). |
| Cofense.Rule.attributes.reports_count | Number | Number of reports the rule matched. |
| Cofense.Rule.attributes.imported_at | Date | Date and time, in ISO 8601 format, when the rule was imported. If the rule was not imported, the response contains a null value. |
| Cofense.Rule.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Rule.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Rule.relationships.cluster_context.links.self | String | Link to retrieve the cluster from which the rule was created. |
| Cofense.Rule.relationships.cluster_context.links.related | String | Link to retrieve the detailed information of the cluster from which the rule was created. |
| Cofense.Rule.relationships.cluster_context.data.type | String | Type of the cluster context associated with the rule. |
| Cofense.Rule.relationships.cluster_context.data.id | String | Unique identifier of the cluster context associated with the rule. |
| Cofense.Rule.relationships.report_context.links.self | String | Link to retrieve the report from which the rule was created. |
| Cofense.Rule.relationships.report_context.links.related | String | Link to retrieve the detailed information of the report from which the rule was created. |
| Cofense.Rule.relationships.report_context.data.type | String | Type of the report context associated with the rule. |
| Cofense.Rule.relationships.report_context.data.id | String | Unique identifier of the report context associated with the rule. |
| Cofense.Rule.relationships.owner.links.self | String | Link to retrieve the owner who created the rule. |
| Cofense.Rule.relationships.owner.links.related | String | Link to retrieve the detailed information of the owner who created the rule. |
| Cofense.Rule.relationships.owner.data.type | String | Type of the owner associated with the rule. |
| Cofense.Rule.relationships.owner.data.id | String | Unique identifier of the owner associated with the rule. |
| Cofense.Rule.relationships.clusters.links.self | String | Link to retrieve the clusters that match the rule. |
| Cofense.Rule.relationships.clusters.links.related | String | Link to retrieve the detailed information of the clusters that match the rule. |
| Cofense.Rule.relationships.reports.links.self | String | Link to retrieve the reports that match the rule. |
| Cofense.Rule.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports that match the rule. |

#### Command Example

```
!cofense-rule-list page_size=2
```

#### Context Example

```json
{
    "Cofense": {
        "Rule": [
            {
                "attributes": {
                    "active": true,
                    "author_name": "Thor",
                    "content": "meta:\n time_to_live=\"Forever\"\n rule_context=\"Phishing Tactic\"\nstrings: \n $Body1=\"Due within the next 30 days\" nocase\n $Subject1=\"Aging\" nocase\ncondition:\n all of them\n",
                    "created_at": "2020-11-24T15:19:12.616Z",
                    "description": "Testing customer-created rule",
                    "name": "MX_Testing",
                    "priority": 5,
                    "reports_count": 0,
                    "rule_context": "Phishing Tactic",
                    "scope": "Email",
                    "share_with_cofense": false,
                    "time_to_live": "Forever",
                    "updated_at": "2020-11-24T15:19:12.616Z"
                },
                "id": "1690",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/rules/1690"
                },
                "relationships": {
                    "cluster_context": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/1690/cluster_context",
                            "self": "https://triage.example.com/api/public/v2/rules/1690/relationships/cluster_context"
                        }
                    },
                    "clusters": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/1690/clusters",
                            "self": "https://triage.example.com/api/public/v2/rules/1690/relationships/clusters"
                        }
                    },
                    "owner": {
                        "data": {
                            "id": "2",
                            "type": "operators"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/1690/owner",
                            "self": "https://triage.example.com/api/public/v2/rules/1690/relationships/owner"
                        }
                    },
                    "report_context": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/1690/report_context",
                            "self": "https://triage.example.com/api/public/v2/rules/1690/relationships/report_context"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/1690/reports",
                            "self": "https://triage.example.com/api/public/v2/rules/1690/relationships/reports"
                        }
                    }
                },
                "type": "rules"
            },
            {
                "attributes": {
                    "active": true,
                    "author_name": "Thanos",
                    "content": "meta:\n time_to_live=\"Forever\"\n rule_context=\"Unknown\"\nstrings: \n $link=\"www.cnn.com\" nocase\n $url1=\"www.cnn.com\" nocase\n $url2=\"www.cnn.com\" nocase\n $sub=\"REPLACE_WITH_SUBJECT\" nocase\ncondition:\n any of ($url*) or ($link and $sub)\n",
                    "created_at": "2021-04-19T10:31:44.773Z",
                    "description": "Its is a test rule",
                    "name": "test_rule1",
                    "priority": 1,
                    "reports_count": 5,
                    "rule_context": "Unknown",
                    "scope": "Email",
                    "share_with_cofense": false,
                    "tags": [
                        "test_tag",
                        "TEST"
                    ],
                    "time_to_live": "Forever",
                    "updated_at": "2021-04-29T07:21:30.634Z"
                },
                "id": "2534",
                "links": {
                    "self": "https://triage.example.com/api/public/v2/rules/2534"
                },
                "relationships": {
                    "cluster_context": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/2534/cluster_context",
                            "self": "https://triage.example.com/api/public/v2/rules/2534/relationships/cluster_context"
                        }
                    },
                    "clusters": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/2534/clusters",
                            "self": "https://triage.example.com/api/public/v2/rules/2534/relationships/clusters"
                        }
                    },
                    "owner": {
                        "data": {
                            "id": "9",
                            "type": "operators"
                        },
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/2534/owner",
                            "self": "https://triage.example.com/api/public/v2/rules/2534/relationships/owner"
                        }
                    },
                    "report_context": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/2534/report_context",
                            "self": "https://triage.example.com/api/public/v2/rules/2534/relationships/report_context"
                        }
                    },
                    "reports": {
                        "links": {
                            "related": "https://triage.example.com/api/public/v2/rules/2534/reports",
                            "self": "https://triage.example.com/api/public/v2/rules/2534/relationships/reports"
                        }
                    }
                },
                "type": "rules"
            }
        ]
    }
}
```

#### Human Readable Output

##### Rule(s)

| Rule ID | Rule Name | Description | Active | Priority | Scope | Author Name | Rule Context | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1690 | MX_Testing | Testing customer-created rule | true | 5 | Email | Thor | Phishing Tactic | 2020-11-24T15:19:12.616Z | 2020-11-24T15:19:12.616Z |
| 2534 | test_rule1 | Its is a test rule | true | 1 | Email | Thanos | Unknown | 2021-04-19T10:31:44.773Z | 2021-04-29T07:21:30.634Z |

cofense-url-list#


Retrieves URLs based on the filter values provided in the command arguments. URLs are the threats (or non-threat) that are detected in the reported emails.

Base Command#

cofense-url-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the URL to retrieve a specific URL. Note: If the 'id' argument is provided, all arguments other than 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of URLs to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of URLs to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the URLs by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: -created_at, -updated_at. | Optional |
| filter_by | Specify the filters to apply to the list of URLs by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}. For example: {\"risk_score_eq\":\"1,2\", \"updated_at_gt\":\"2020-10-26T10:48:16.834Z\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve, so that only the mentioned attributes are returned. For example: url, risk_score. | Optional |
| risk_score | Specify the risk scores of the URLs to retrieve. | Optional |
| created_at | Specify the creation date and time from which to retrieve URLs. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve URLs. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
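The filter_by, sort_by, page_size, page_number and fields_to_retrieve arguments share one syntax across every list command on this page, as does the rule that 'id' overrides every argument except 'fields_to_retrieve'. The following added example, which is not the integration's own code, validates those arguments client-side before a request is built, so malformed values are rejected locally instead of surfacing as the 500 internal errors noted under cofense-integration-submission-get; it assumes the Triage v2 API accepts JSON:API-style filter[<key>], sort, page[size], page[number] and fields[<resource>] query parameters, which this page does not state.

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Bounds and defaults as documented for the list commands on this page.
PAGE_SIZE_MIN, PAGE_SIZE_MAX, PAGE_SIZE_DEFAULT = 1, 200, 20
# Path prefix as seen in the 'links.self' values of the context examples.
API_PREFIX = "/api/public/v2"
# Attribute (or attribute_operator) name, optionally '-'-prefixed for sort_by.
ATTR_RE = re.compile(r"^-?[a-z][a-z0-9_]*$")
# Conservative charset for path segments, so an 'id' can never alter the path.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


class ArgumentError(ValueError):
    """Raised for a malformed command argument before any request is sent."""


def parse_filter_by(raw: Optional[str]) -> Dict[str, str]:
    # Accepts the CLI form with backslash-escaped quotes, e.g.
    # {\"risk_score_eq\":\"1,2\", \"updated_at_gt\":\"2020-10-26T10:48:16.834Z\"},
    # as well as plain JSON. Comma-separated values are trimmed and re-joined.
    if not raw or not raw.strip():
        return {}
    try:
        parsed = json.loads(raw.replace('\\"', '"'))
    except json.JSONDecodeError as exc:
        raise ArgumentError(f"filter_by is not valid JSON: {exc.msg}") from exc
    if not isinstance(parsed, dict):
        raise ArgumentError("filter_by must be a JSON object of key-value pairs")
    filters: Dict[str, str] = {}
    for key, value in parsed.items():
        key = key.strip()  # the documented format shows a stray space inside a key
        if key.startswith("-") or not ATTR_RE.match(key):
            raise ArgumentError(f"filter_by key {key!r} is not an attribute_operator name")
        values = [v.strip() for v in str(value).split(",") if v.strip()]
        if not values:
            raise ArgumentError(f"filter_by key {key!r} has no value")
        filters[key] = ",".join(values)
    return filters


def parse_sort_by(raw: Optional[str]) -> List[str]:
    # e.g. '-created_at, -updated_at'; a leading hyphen means descending order.
    fields = [f.strip() for f in (raw or "").split(",") if f.strip()]
    for field in fields:
        if not ATTR_RE.match(field):
            raise ArgumentError(f"sort_by field {field!r} is not an attribute name")
    return fields


def parse_int_arg(raw: Optional[str], name: str, default: int,
                  lo: int, hi: Optional[int] = None) -> int:
    # Integer argument with its documented range enforced (page_size: 1..200).
    if raw is None or str(raw).strip() == "":
        return default
    try:
        value = int(str(raw).strip())
    except ValueError as exc:
        raise ArgumentError(f"{name} must be an integer, got {raw!r}") from exc
    if value < lo or (hi is not None and value > hi):
        bound = f"between {lo} and {hi}" if hi is not None else f"at least {lo}"
        raise ArgumentError(f"{name} must be {bound}, got {value}")
    return value


def build_request(args: Dict[str, str], resource: str) -> Tuple[str, Dict[str, str]]:
    """Map list-command arguments onto an API path and query parameters.

    Assumed (not stated on this page): JSON:API conventions, i.e. filters in
    filter[<key>], ordering in sort, paging in page[size]/page[number] and
    sparse fieldsets in fields[<resource>].
    """
    if not SEGMENT_RE.match(resource):
        raise ArgumentError(f"unexpected resource name {resource!r}")
    params: Dict[str, str] = {}
    fields = [f.strip() for f in (args.get("fields_to_retrieve") or "").split(",") if f.strip()]
    if fields:
        params[f"fields[{resource}]"] = ",".join(fields)
    resource_id = (args.get("id") or "").strip()
    if resource_id:
        # Documented: with 'id', every argument except fields_to_retrieve is ignored.
        if not SEGMENT_RE.match(resource_id):
            raise ArgumentError(f"id {resource_id!r} contains characters not allowed in a path")
        return f"{API_PREFIX}/{resource}/{resource_id}", params
    for key, value in parse_filter_by(args.get("filter_by")).items():
        params[f"filter[{key}]"] = value
    sort = parse_sort_by(args.get("sort_by"))
    if sort:
        params["sort"] = ",".join(sort)
    page_size = parse_int_arg(args.get("page_size"), "page_size",
                              PAGE_SIZE_DEFAULT, PAGE_SIZE_MIN, PAGE_SIZE_MAX)
    page_number = parse_int_arg(args.get("page_number"), "page_number", 1, 1)
    params["page[size]"] = str(page_size)
    params["page[number]"] = str(page_number)
    return f"{API_PREFIX}/{resource}", params
```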

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Url.id | String | Unique identifier of the URL. |
| Cofense.Url.type | String | Type of the resource of Cofense Triage. |
| Cofense.Url.links.self | String | Link of the resource. |
| Cofense.Url.attributes.url | String | Value of the URL. |
| Cofense.Url.attributes.risk_score | Unknown | Risk score of the URL. |
| Cofense.Url.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Url.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource details were last updated. |
| Cofense.Url.relationships.domain.links.self | String | Link to retrieve the domain of the URL. |
| Cofense.Url.relationships.domain.links.related | String | Link to retrieve the detailed information of the domain of the URL. |
| Cofense.Url.relationships.hostname.links.self | String | Link to retrieve the hostname of the URL. |
| Cofense.Url.relationships.hostname.links.related | String | Link to retrieve the detailed information of the hostname of the URL. |
| Cofense.Url.relationships.hostname.data.type | String | Type of the hostname associated with the URL. |
| Cofense.Url.relationships.hostname.data.id | String | Unique identifier of the hostname associated with the URL. |
| Cofense.Url.relationships.clusters.links.self | String | Link to retrieve the clusters containing the reports with the URL. |
| Cofense.Url.relationships.clusters.links.related | String | Link to retrieve the detailed information of the clusters containing the reports with the URL. |
| Cofense.Url.relationships.integration_submissions.links.self | String | Link to retrieve the integration submissions containing the URL. |
| Cofense.Url.relationships.integration_submissions.links.related | String | Link to retrieve the detailed information of the integration submissions containing the URL. |
| Cofense.Url.relationships.reports.links.self | String | Link to retrieve the reports containing the URL. |
| Cofense.Url.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports containing the URL. |

Command Example#

!cofense-url-list page_size=2

Context Example#

```json
{
  "Cofense": {
    "Url": [
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:24.185Z",
          "updated_at": "2020-10-21T20:54:24.185Z",
          "url": "http://dummy.com/servlet/MailView?ms=MTE4NDM1ODgS1&r=LTMyMjA1MjQ1ODcS1&j=MTc2MDQ3MTQ4MwS2&mt=1&rt=0"
        },
        "id": "15",
        "links": {
          "self": "https://triage.example.com/api/public/v2/urls/15"
        },
        "relationships": {
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/15/clusters",
              "self": "https://triage.example.com/api/public/v2/urls/15/relationships/clusters"
            }
          },
          "domain": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/15/domain",
              "self": "https://triage.example.com/api/public/v2/urls/15/relationships/domain"
            }
          },
          "hostname": {
            "data": {
              "id": "6",
              "type": "hostnames"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/15/hostname",
              "self": "https://triage.example.com/api/public/v2/urls/15/relationships/hostname"
            }
          },
          "integration_submissions": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/15/integration_submissions",
              "self": "https://triage.example.com/api/public/v2/urls/15/relationships/integration_submissions"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/15/reports",
              "self": "https://triage.example.com/api/public/v2/urls/15/relationships/reports"
            }
          }
        },
        "type": "urls"
      },
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:24.204Z",
          "updated_at": "2020-10-21T20:54:24.204Z",
          "url": "http://dummy.com/ctt?kn=3&ms=MTE4NDM1ODgS1&r=LTMyMjA1MjQ1ODcS1&b=0&j=MTc2MDQ3MTQ4MwS2&mt=1&rt=0"
        },
        "id": "16",
        "links": {
          "self": "https://triage.example.com/api/public/v2/urls/16"
        },
        "relationships": {
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/16/clusters",
              "self": "https://triage.example.com/api/public/v2/urls/16/relationships/clusters"
            }
          },
          "domain": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/16/domain",
              "self": "https://triage.example.com/api/public/v2/urls/16/relationships/domain"
            }
          },
          "hostname": {
            "data": {
              "id": "6",
              "type": "hostnames"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/16/hostname",
              "self": "https://triage.example.com/api/public/v2/urls/16/relationships/hostname"
            }
          },
          "integration_submissions": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/16/integration_submissions",
              "self": "https://triage.example.com/api/public/v2/urls/16/relationships/integration_submissions"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/urls/16/reports",
              "self": "https://triage.example.com/api/public/v2/urls/16/relationships/reports"
            }
          }
        },
        "type": "urls"
      }
    ]
  }
}
```

Human Readable Output#

URL(s)#

| URL ID | URL | Created At | Updated At |
| --- | --- | --- | --- |
| 15 | http://dummy.com/servlet/MailView?ms=MTE4NDM1ODgS1&r=LTMyMjA1MjQ1ODcS1&j=MTc2MDQ3MTQ4MwS2&mt=1&rt=0 | 2020-10-21T20:54:24.185Z | 2020-10-21T20:54:24.185Z |
| 16 | http://dummy.com/ctt?kn=3&ms=MTE4NDM1ODgS1&r=LTMyMjA1MjQ1ODcS1&b=0&j=MTc2MDQ3MTQ4MwS2&mt=1&rt=0 | 2020-10-21T20:54:24.204Z | 2020-10-21T20:54:24.204Z |

cofense-threat-indicator-create#


Creates a threat indicator based on the values provided in the command arguments.

Base Command#

cofense-threat-indicator-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| threat_level | Specify the level of the threat indicator to be created. Some possible values are: Malicious, Suspicious, Benign. | Required |
| threat_type | Specify the type of the threat indicator to be created. Some possible values are: Sender, Subject, Domain, URL, MD5, SHA256, Hostname, or Header. | Required |
| threat_value | Specify the value corresponding to the type of threat indicated in threat_type. Note: It must have at least 3 characters and must be unique and valid. | Required |
| threat_source | Specify the source of the threat indicator to be created. Note: This attribute supports only one threat_type/threat_value pair per source. Default is XSOAR-UI. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.ThreatIndicator.id | String | Unique identifier of the threat indicator. |
| Cofense.ThreatIndicator.type | String | Type of the resource of Cofense Triage. |
| Cofense.ThreatIndicator.links.self | String | Link of the resource. |
| Cofense.ThreatIndicator.attributes.threat_level | String | The level of the threat. |
| Cofense.ThreatIndicator.attributes.threat_type | String | The type of the threat. |
| Cofense.ThreatIndicator.attributes.threat_value | String | Value corresponding to the type of threat indicated in the type of the threat. |
| Cofense.ThreatIndicator.attributes.threat_source | String | Value corresponding to the source of the threat. |
| Cofense.ThreatIndicator.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.ThreatIndicator.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.ThreatIndicator.relationships.owner.links.self | String | Link to retrieve the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.links.related | String | Link to retrieve the detailed information of the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.type | String | Type of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.id | String | Unique identifier of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.self | String | Link to retrieve the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.self | String | Link to retrieve the comments containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.related | String | Link to retrieve the detailed information of the comments containing the threat indicator. |

Command Example#

!cofense-threat-indicator-create threat_level=Benign threat_type=Hostname threat_value="abc.com"

Context Example#

```json
{
  "Cofense": {
    "ThreatIndicator": {
      "attributes": {
        "created_at": "2021-06-22T06:11:57.462Z",
        "threat_level": "Benign",
        "threat_source": "XSOAR-UI",
        "threat_type": "Hostname",
        "threat_value": "abc.com",
        "updated_at": "2021-06-22T06:11:57.462Z"
      },
      "id": "393",
      "links": {
        "self": "https://triage.example.com/api/public/v2/threat_indicators/393"
      },
      "relationships": {
        "comments": {
          "links": {
            "related": "https://triage.example.com/api/public/v2/threat_indicators/393/comments",
            "self": "https://triage.example.com/api/public/v2/threat_indicators/393/relationships/comments"
          }
        },
        "owner": {
          "data": {
            "id": "3",
            "type": "api_applications"
          },
          "links": {
            "related": "https://triage.example.com/api/public/v2/threat_indicators/393/owner",
            "self": "https://triage.example.com/api/public/v2/threat_indicators/393/relationships/owner"
          }
        },
        "reports": {
          "links": {
            "related": "https://triage.example.com/api/public/v2/threat_indicators/393/reports",
            "self": "https://triage.example.com/api/public/v2/threat_indicators/393/relationships/reports"
          }
        }
      },
      "type": "threat_indicators"
    }
  }
}
```

Human Readable Output#

Threat Indicator(s)#

| Threat Indicator ID | Threat Level | Threat Type | Threat Value | Threat Source | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 393 | Benign | Hostname | abc.com | XSOAR-UI | 2021-06-22T06:11:57.462Z | 2021-06-22T06:11:57.462Z |

cofense-reporter-list#


Retrieves the reporters that match the provided parameters. Reporters are employees of an organization who send, or report, suspicious emails to Cofense Triage.

Base Command#

cofense-reporter-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the reporter to retrieve a specific reporter. Note: If the 'id' argument is provided, all arguments other than 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of reporters to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of reporters to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the reporters by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: reports_count, -email. | Optional |
| filter_by | Specify the filters to apply to the list of reporters by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}. For example: {\"reputation_score_eq\":\"1,2\", \"reports_count_gt\":\"3\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve, so that only the mentioned attributes are returned. For example: email, reports_count. | Optional |
| reputation_score | Specify the reputation scores of the reporters to retrieve. | Optional |
| vip | Specify whether to retrieve VIP or non-VIP reporters. Possible values are: true, false. | Optional |
| email | Specify the email addresses of the reporters to retrieve. | Optional |
| created_at | Specify the creation date and time from which to retrieve reporters. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve reporters. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Reporter.id | String | Unique identifier of the reporter. |
| Cofense.Reporter.type | String | Type of the resource of Cofense Triage. |
| Cofense.Reporter.links.self | String | Link of the resource. |
| Cofense.Reporter.attributes.email | String | Email address of the reporter. |
| Cofense.Reporter.attributes.reports_count | Number | Number of emails reported by the reporter. |
| Cofense.Reporter.attributes.last_reported_at | Date | Date and time, in ISO 8601 format, when the reporter last reported an email. |
| Cofense.Reporter.attributes.reputation_score | Number | Reputation score of the reporter. |
| Cofense.Reporter.attributes.vip | Boolean | Whether the reporter is a VIP (true) or not (false). The default is true. |
| Cofense.Reporter.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Reporter.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Reporter.relationships.clusters.links.self | String | Link to retrieve the clusters containing reports the individual reported. |
| Cofense.Reporter.relationships.clusters.links.related | String | Link to retrieve the detailed information of the clusters containing reports the individual reported. |
| Cofense.Reporter.relationships.reports.links.self | String | Link to retrieve the reports the individual reported. |
| Cofense.Reporter.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports the individual reported. |

Command Example#

!cofense-reporter-list page_size=2

Context Example#

```json
{
  "Cofense": {
    "Reporter": [
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:23.383Z",
          "email": "no-reply@xyz.com",
          "last_reported_at": "2020-12-11T05:46:39.000Z",
          "reports_count": 10,
          "reputation_score": 8,
          "updated_at": "2021-05-30T11:51:00.170Z",
          "vip": false
        },
        "id": "4",
        "links": {
          "self": "https://triage.example.com/api/public/v2/reporters/4"
        },
        "relationships": {
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/reporters/4/clusters",
              "self": "https://triage.example.com/api/public/v2/reporters/4/relationships/clusters"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/reporters/4/reports",
              "self": "https://triage.example.com/api/public/v2/reporters/4/relationships/reports"
            }
          }
        },
        "type": "reporters"
      },
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:25.915Z",
          "email": "devcomm@xyz.com",
          "last_reported_at": "2020-05-05T18:44:01.000Z",
          "reports_count": 2,
          "reputation_score": -5,
          "updated_at": "2020-12-03T10:51:25.482Z",
          "vip": true
        },
        "id": "6",
        "links": {
          "self": "https://triage.example.com/api/public/v2/reporters/6"
        },
        "relationships": {
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/reporters/6/clusters",
              "self": "https://triage.example.com/api/public/v2/reporters/6/relationships/clusters"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/reporters/6/reports",
              "self": "https://triage.example.com/api/public/v2/reporters/6/relationships/reports"
            }
          }
        },
        "type": "reporters"
      }
    ]
  }
}
```

Human Readable Output#

Reporter(s)#

| Reporter ID | Reporter Email | Reports Count | Reputation Score | VIP | Last Reported At | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 4 | no-reply@xyz.com | 10 | 8 | false | 2020-12-11T05:46:39.000Z | 2020-10-21T20:54:23.383Z | 2021-05-30T11:51:00.170Z |
| 6 | devcomm@xyz.com | 2 | -5 | true | 2020-05-05T18:44:01.000Z | 2020-10-21T20:54:25.915Z | 2020-12-03T10:51:25.482Z |

cofense-integration-submission-get#


Retrieves integration submissions based on the filter values provided in the command arguments.

Note:

  • If incorrect values are provided in the arguments, the command returns a 500 internal server error.
  • Providing any value for the kind argument also returns a 500 internal server error.

Base Command#

cofense-integration-submission-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the URL ID or attachment payload ID whose integration submissions to retrieve. Note: To retrieve a URL ID, run the cofense-url-list command; to retrieve an attachment payload ID, run the cofense-attachment-payload-list command. | Required |
| type | Specify the type of integration submission to retrieve. Possible values are: urls, attachment_payloads. Default is urls. | Optional |
| page_size | Specify the number of integration submissions to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of integration submissions to retrieve. | Optional |
| sort_by | Specify the attributes to sort the integration submissions by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: status, -id. | Optional |
| filter_by | Specify the filters to apply to the list of integration submissions by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}. For example: {\"status_eq\":\"complete\", \"risk_score_eq\":\"0,1\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve, so that only the mentioned attributes are returned. For example: status, kind. | Optional |
| status | Specify the status of the integration submissions to retrieve. Some possible values are: ending, complete, target_not_found, error, running, or hash_not_found. | Optional |
| kind | Specify the kind of integration submissions to retrieve. Some possible values are: File, Hash, URL. | Optional |
| risk_score | Specify the risk scores of the attachment payloads to retrieve. | Optional |
| created_at | Specify the creation date and time from which to retrieve integration submissions. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve integration submissions. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.IntegrationSubmission.id | String | Unique identifier of the integration submission. |
| Cofense.IntegrationSubmission.type | String | Type of the resource of Cofense Triage. |
| Cofense.IntegrationSubmission.links.self | String | Link of the resource. |
| Cofense.IntegrationSubmission.attributes.status | String | Status of the integration submission. |
| Cofense.IntegrationSubmission.attributes.result | String | Result of the integration submission. |
| Cofense.IntegrationSubmission.attributes.kind | String | Kind of the integration submission. |
| Cofense.IntegrationSubmission.attributes.risk_score | Number | Risk score of the integration submission. |
| Cofense.IntegrationSubmission.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.IntegrationSubmission.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.IntegrationSubmission.relationships.integration.links.self | String | Link to retrieve the integration associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.integration.links.related | String | Link to retrieve the detailed information of the integration associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.integration.data.type | String | Type of the integration associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.integration.data.id | String | Unique identifier of the integration associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.target.links.self | String | Link to retrieve the target associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.target.links.related | String | Link to retrieve the detailed information of the target associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.target.data.type | String | Type of the target associated with the integration submission. |
| Cofense.IntegrationSubmission.relationships.target.data.id | String | Unique identifier of the target associated with the integration submission. |

Command Example#

!cofense-integration-submission-get id=4879 type=urls

Context Example#

```json
{
  "Cofense": {
    "IntegrationSubmission": [
      {
        "attributes": {
          "created_at": "2021-04-02T16:32:43.525Z",
          "kind": "URL",
          "result": "{\"success\":0,\"error_code\":117,\"error\":\"Invalid URL\"}",
          "status": "error",
          "updated_at": "2021-04-02T16:34:11.016Z"
        },
        "id": "155",
        "links": {
          "self": "https://triage.example.com/api/public/v2/integration_submissions/155"
        },
        "relationships": {
          "integration": {
            "data": {
              "id": "5",
              "type": "integrations"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/155/integration",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/155/relationships/integration"
            }
          },
          "target": {
            "data": {
              "id": "4879",
              "type": "urls"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/155/target",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/155/relationships/target"
            }
          }
        },
        "type": "integration_submissions"
      },
      {
        "attributes": {
          "created_at": "2021-04-02T16:31:51.713Z",
          "kind": "URL",
          "result": "{\"success\":0,\"error_code\":117,\"error\":\"Invalid URL\"}",
          "status": "error",
          "updated_at": "2021-04-02T16:32:11.093Z"
        },
        "id": "154",
        "links": {
          "self": "https://triage.example.com/api/public/v2/integration_submissions/154"
        },
        "relationships": {
          "integration": {
            "data": {
              "id": "5",
              "type": "integrations"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/154/integration",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/154/relationships/integration"
            }
          },
          "target": {
            "data": {
              "id": "4879",
              "type": "urls"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/154/target",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/154/relationships/target"
            }
          }
        },
        "type": "integration_submissions"
      },
      {
        "attributes": {
          "created_at": "2021-04-02T16:27:42.094Z",
          "kind": "URL",
          "result": "{\"success\":0,\"error_code\":117,\"error\":\"Invalid URL\"}",
          "status": "error",
          "updated_at": "2021-04-02T16:28:11.300Z"
        },
        "id": "153",
        "links": {
          "self": "https://triage.example.com/api/public/v2/integration_submissions/153"
        },
        "relationships": {
          "integration": {
            "data": {
              "id": "5",
              "type": "integrations"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/153/integration",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/153/relationships/integration"
            }
          },
          "target": {
            "data": {
              "id": "4879",
              "type": "urls"
            },
            "links": {
              "related": "https://triage.example.com/api/public/v2/integration_submissions/153/target",
              "self": "https://triage.example.com/api/public/v2/integration_submissions/153/relationships/target"
            }
          }
        },
        "type": "integration_submissions"
      }
    ]
  }
}
```

Human Readable Output#

Integration Submission(s)#

| Integration Submission ID | Status | Kind | Created At | Updated At |
| --- | --- | --- | --- | --- |
| 155 | error | URL | 2021-04-02T16:32:43.525Z | 2021-04-02T16:34:11.016Z |
| 154 | error | URL | 2021-04-02T16:31:51.713Z | 2021-04-02T16:32:11.093Z |
| 153 | error | URL | 2021-04-02T16:27:42.094Z | 2021-04-02T16:28:11.300Z |
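Each entry in the response above is a JSON:API resource whose result attribute is itself a JSON document serialised as a string, and whose target relationship identifies the URL or attachment payload the submission concerned. The following added example, which is not part of the integration, flattens such a payload into the human-readable columns, decodes the nested result to surface the error code and message, and groups failed submissions by target; its sample response is constructed from the context example above plus one made-up completed submission (Triage's success payload is not shown on this page).

```python
import json
from typing import Any, Dict, List, Optional

API = "https://triage.example.com/api/public/v2"  # host used throughout this page


def _submission(sid: str, status: str, result: str, created: str, updated: str,
                risk_score: Optional[int] = None) -> Dict[str, Any]:
    """Build one JSON:API entry shaped like the context example above (sample data)."""
    attrs: Dict[str, Any] = {"created_at": created, "kind": "URL", "result": result,
                             "status": status, "updated_at": updated}
    if risk_score is not None:
        attrs["risk_score"] = risk_score
    return {
        "attributes": attrs,
        "id": sid,
        "links": {"self": f"{API}/integration_submissions/{sid}"},
        "relationships": {
            "integration": {"data": {"id": "5", "type": "integrations"}},
            "target": {"data": {"id": "4879", "type": "urls"}},
        },
        "type": "integration_submissions",
    }


ERROR_RESULT = "{\"success\":0,\"error_code\":117,\"error\":\"Invalid URL\"}"
# Constructed sample: the three failed submissions from the context example plus
# one completed submission whose result body is made up for illustration.
SAMPLE_RESPONSE = {"data": [
    _submission("155", "error", ERROR_RESULT, "2021-04-02T16:32:43.525Z", "2021-04-02T16:34:11.016Z"),
    _submission("154", "error", ERROR_RESULT, "2021-04-02T16:31:51.713Z", "2021-04-02T16:32:11.093Z"),
    _submission("153", "error", ERROR_RESULT, "2021-04-02T16:27:42.094Z", "2021-04-02T16:28:11.300Z"),
    _submission("156", "complete", "{\"success\":1}", "2021-04-03T09:00:00.000Z",
                "2021-04-03T09:00:30.000Z", risk_score=0),
]}


def decode_result(raw: Any) -> Dict[str, Any]:
    """Decode the 'result' attribute, a JSON document serialised inside a JSON string.

    Anything that is not a JSON object is wrapped under 'raw' rather than raised,
    because the surrounding submission record is still worth showing to the analyst.
    """
    if raw is None or raw == "":
        return {}
    if isinstance(raw, dict):
        return raw
    try:
        decoded = json.loads(raw)
    except (TypeError, json.JSONDecodeError):
        return {"raw": str(raw)}
    return decoded if isinstance(decoded, dict) else {"raw": decoded}


def related_ref(entry: Dict[str, Any], name: str) -> Optional[str]:
    """Return '<type>/<id>' for a relationship carrying resource data, e.g. 'urls/4879'."""
    data = entry.get("relationships", {}).get(name, {}).get("data")
    if not isinstance(data, dict) or "id" not in data:
        return None
    return f"{data.get('type', 'unknown')}/{data['id']}"


def summarize_submissions(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten entries into the human-readable columns plus target and decoded error."""
    rows: List[Dict[str, Any]] = []
    for entry in response.get("data", []):
        if entry.get("type") != "integration_submissions":
            continue  # ignore any other resource type sharing the payload
        attrs = entry.get("attributes", {})
        result = decode_result(attrs.get("result"))
        failed = attrs.get("status") == "error"
        rows.append({
            "Integration Submission ID": entry.get("id"),
            "Status": attrs.get("status"),
            "Kind": attrs.get("kind"),
            "Risk Score": attrs.get("risk_score"),
            "Target": related_ref(entry, "target"),
            "Integration": related_ref(entry, "integration"),
            "Error Code": result.get("error_code") if failed else None,
            "Error": result.get("error") if failed else None,
            "Created At": attrs.get("created_at"),
            "Updated At": attrs.get("updated_at"),
        })
    return rows


def failed_targets(response: Dict[str, Any]) -> Dict[str, List[str]]:
    """Group failed submission IDs by target, so repeated failures on one URL stand out."""
    grouped: Dict[str, List[str]] = {}
    for row in summarize_submissions(response):
        if row["Status"] == "error":
            grouped.setdefault(row["Target"] or "unknown", []).append(row["Integration Submission ID"])
    return grouped
```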

cofense-attachment-payload-list#


Retrieves attachment payloads based on the filter values provided in the command arguments. Attachment payloads identify the MIME type and the MD5 and SHA256 hash signatures of a reported email.

Base Command#

cofense-attachment-payload-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the attachment payload to retrieve a specific attachment payload. Note: If the 'id' argument is provided, all arguments other than 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of attachment payloads to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of attachment payloads to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the attachment payloads by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: risk_score, -id. | Optional |
| filter_by | Specify the filters to apply to the list of attachment payloads by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"}. For example: {\"risk_score\":\"0,1\", \"created_at_gteq\":\"2020-04-13T10:48:16.834Z\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve, so that only the mentioned attributes are returned. For example: md5, risk_score. | Optional |
| risk_score | Specify the risk scores of the attachment payloads to retrieve. | Optional |
| created_at | Specify the creation date and time from which to retrieve attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the last-update date and time from which to retrieve attachment payloads. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.AttachmentPayload.id | String | Unique identifier of the attachment payload. |
| Cofense.AttachmentPayload.type | String | Type of the resource of Cofense Triage. |
| Cofense.AttachmentPayload.links.self | String | Link of the resource. |
| Cofense.AttachmentPayload.attributes.mime_type | String | MIME type of the payload. |
| Cofense.AttachmentPayload.attributes.md5 | String | MD5 hash of the payload. |
| Cofense.AttachmentPayload.attributes.sha256 | String | SHA256 hash of the payload. |
| Cofense.AttachmentPayload.attributes.risk_score | Number | Risk score of the payload. |
| Cofense.AttachmentPayload.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.AttachmentPayload.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.AttachmentPayload.relationships.attachments.links.self | String | Link to retrieve the attachment containing the payload. |
| Cofense.AttachmentPayload.relationships.attachments.links.related | String | Link to retrieve the detailed information of the attachment containing the payload. |
| Cofense.AttachmentPayload.relationships.clusters.links.self | String | Link to retrieve the cluster of reports containing the payload. |
| Cofense.AttachmentPayload.relationships.clusters.links.related | String | Link to retrieve the detailed information of the cluster of reports containing the payload. |
| Cofense.AttachmentPayload.relationships.integration_submissions.links.self | String | Link to retrieve the integration submissions related to the attachment. |
| Cofense.AttachmentPayload.relationships.integration_submissions.links.related | String | Link to retrieve the detailed information of the integration submissions related to the attachment. |
| Cofense.AttachmentPayload.relationships.reports.links.self | String | Link to retrieve the report with attachments containing the payload. |
| Cofense.AttachmentPayload.relationships.reports.links.related | String | Link to retrieve the detailed information of the report with attachments containing the payload. |

Command Example#

!cofense-attachment-payload-list page_size=2

Context Example#

```json
{
  "Cofense": {
    "AttachmentPayload": [
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:36.450Z",
          "md5": "123456789ec6d4a936ef02d4042a93c2",
          "mime_type": "image/png; charset=binary",
          "sha256": "123456789f8c56c47f9a481c919eb869af09f9fff0c1551781aa77e8674377b9",
          "updated_at": "2020-10-21T20:54:36.450Z"
        },
        "id": "8",
        "links": {
          "self": "https://triage.example.com/api/public/v2/attachment_payloads/8"
        },
        "relationships": {
          "attachments": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/8/attachments",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/8/relationships/attachments"
            }
          },
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/8/clusters",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/8/relationships/clusters"
            }
          },
          "integration_submissions": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/8/integration_submissions",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/8/relationships/integration_submissions"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/8/reports",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/8/relationships/reports"
            }
          }
        },
        "type": "attachment_payloads"
      },
      {
        "attributes": {
          "created_at": "2020-10-21T20:54:36.531Z",
          "md5": "9f16385db56b9429fc210b19df012345",
          "mime_type": "image/png; charset=binary",
          "sha256": "7609ec052a3834f0ac822001837d7b25dea34bd38143a13ea6a187c192212345",
          "updated_at": "2020-10-21T20:54:36.531Z"
        },
        "id": "9",
        "links": {
          "self": "https://triage.example.com/api/public/v2/attachment_payloads/9"
        },
        "relationships": {
          "attachments": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/9/attachments",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/9/relationships/attachments"
            }
          },
          "clusters": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/9/clusters",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/9/relationships/clusters"
            }
          },
          "integration_submissions": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/9/integration_submissions",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/9/relationships/integration_submissions"
            }
          },
          "reports": {
            "links": {
              "related": "https://triage.example.com/api/public/v2/attachment_payloads/9/reports",
              "self": "https://triage.example.com/api/public/v2/attachment_payloads/9/relationships/reports"
            }
          }
        },
        "type": "attachment_payloads"
      }
    ]
  }
}
```

Human Readable Output#

Attachment Payload(s)#

| Attachment Payload ID | Mime Type | MD5 | SHA256 | Created At | Updated At |
| --- | --- | --- | --- | --- | --- |
| 8 | image/png; charset=binary | 123456789ec6d4a936ef02d4042a93c2 | 123456789f8c56c47f9a481c919eb869af09f9fff0c1551781aa77e8674377b9 | 2020-10-21T20:54:36.450Z | 2020-10-21T20:54:36.450Z |
| 9 | image/png; charset=binary | 9f16385db56b9429fc210b19df012345 | 7609ec052a3834f0ac822001837d7b25dea34bd38143a13ea6a187c192212345 | 2020-10-21T20:54:36.531Z | 2020-10-21T20:54:36.531Z |

cofense-comment-list#


Retrieves comments based on the filter values provided in the command arguments.

Base Command#

cofense-comment-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the comment to retrieve a specific comment. Note: If the 'id' argument is provided, all other arguments except 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of comments to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of comments to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the comments by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: -created_at, body. | Optional |
| filter_by | Specify the filters to apply to the list of comments by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"} For example: {\"body_format_eq\":\"json\", \"created_at_gteq\":\"2021-04-13T10:48:16.834Z\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve; only the listed attributes are returned. For example: body, body_format. | Optional |
| body_format | Specify the format of the comment body to retrieve the comments. Possible values are: text, json. | Optional |
| tags | Specify the tags to retrieve the comments based on the tags associated with the comments. | Optional |
| report_id | Specify the ID of the report to retrieve the comments specific to that report. Note: When both report_id and threat_indicator_id are provided, report_id takes precedence. Note: To retrieve a report_id, execute the cofense-report-list command. | Optional |
| threat_indicator_id | Specify the ID of the threat indicator to retrieve the comments specific to that threat indicator. Note: When both report_id and threat_indicator_id are provided, report_id takes precedence. Note: To retrieve a threat_indicator_id, execute the cofense-threat-indicator-list command. | Optional |
| created_at | Specify the date and time of creation from which to retrieve the comments. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the date and time of last update from which to retrieve the comments. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Comment.id | String | Unique identifier of the comment. |
| Cofense.Comment.type | String | Type of the Cofense Triage resource. |
| Cofense.Comment.links.self | String | Link of the resource. |
| Cofense.Comment.attributes.body_format | String | Format of the comment body (text or json). |
| Cofense.Comment.attributes.body | String | Body of the comment. |
| Cofense.Comment.attributes.tags | Unknown | Tags assigned to the comment. |
| Cofense.Comment.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Comment.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Comment.attributes.body.type | String | Type of the comment. |
| Cofense.Comment.attributes.body.properties.reported_time.type | Date | Reported time of the comment. |
| Cofense.Comment.attributes.body.properties.srctag.type | Unknown | Source tags associated with the comment. |
| Cofense.Comment.attributes.body.properties.received_time.type | Date | Received time of the comment. |
| Cofense.Comment.attributes.body.properties.from.type | String | Email address of the user who added the comment. |
| Cofense.Comment.attributes.body.properties.reported_by.type | String | Email address of the reporter associated with the comment. |
| Cofense.Comment.attributes.body.properties.notes.type | String | Notes of the comment. |
| Cofense.Comment.attributes.body.properties.summary.type | String | Summary of the comment. |
| Cofense.Comment.attributes.body.properties.malware_families.type | String | Malware families for the comment. |
| Cofense.Comment.attributes.body.properties.phenotypes.type | String | Phenotypes of the comment. |
| Cofense.Comment.attributes.body.properties.message_id.type | String | Message ID for the comment. |
| Cofense.Comment.attributes.body.properties.reply_to.type | String | Reply-to email address for the comment. |
| Cofense.Comment.attributes.body.properties.report_url.type | String | Report URL for the comment. |
| Cofense.Comment.attributes.body.properties.escalation_type.type | String | Escalation type of the comment. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.type | String | Type of the stage 1 IOCs. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.properties.files.type | String | File IOCs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.properties.infection_ips.type | String | Type of the infection IPs. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.properties.infection_ips.items.type | String | Infection IPs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.properties.infection_urls.items.type | String | Infection URLs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_1_iocs.properties.infection_urls.type | String | Type of the infection URLs. |
| Cofense.Comment.attributes.body.properties.brands.type | String | Type of the brands. |
| Cofense.Comment.attributes.body.properties.brands.items.type | String | Brands of the comment. |
| Cofense.Comment.attributes.body.properties.vision_results.type | String | Type of the vision result. |
| Cofense.Comment.attributes.body.properties.vision_results.properties.results_id | String | Result ID of the vision result. |
| Cofense.Comment.attributes.body.properties.vision_results.properties.query_created.type | Date | Query created date of the vision result. |
| Cofense.Comment.attributes.body.properties.vision_results.properties.messages_removed | String | Number of messages removed, as recorded in the vision result. |
| Cofense.Comment.attributes.body.properties.vision_results.properties.messages_found | String | Number of messages found, as recorded in the vision result. |
| Cofense.Comment.attributes.body.properties.subject.type | String | Subject of the comment. |
| Cofense.Comment.attributes.body.properties.sent_to.type | String | Recipient email address. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.type | String | Type of the stage 2 IOCs. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.files.type | String | File IOCs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.md5.type | String | MD5 IOCs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.size.type | String | Size of the stage 2 IOCs. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.payload_ips.type | String | Type of the payload IPs. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.payload_ips.items.type | String | Payload IPs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.payload_urls.type | String | Type of the payload URLs. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.payload_urls.items.type | String | Payload URLs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.c2_ips.type | String | C2 IPs available in the comment. |
| Cofense.Comment.attributes.body.properties.stage_2_iocs.properties.c2_urls.type | Unknown | C2 URLs available in the comment. |
| Cofense.Comment.attributes.body.properties.report_id.type | String | ID of the report associated with the comment. |
| Cofense.Comment.relationships.commentable.links.self | String | Link to retrieve the resource the comment is attached to (a report or a threat indicator). |
| Cofense.Comment.relationships.commentable.links.related | String | Link to retrieve the detailed information of the resource the comment is attached to. |
| Cofense.Comment.relationships.commentable.data.type | String | Type of the resource the comment is attached to, for example threat_indicators. |
| Cofense.Comment.relationships.commentable.data.id | String | Unique identifier of the resource the comment is attached to. |
| Cofense.Comment.relationships.owner.links.self | String | Link to retrieve the owner of the comment. |
| Cofense.Comment.relationships.owner.links.related | String | Link to retrieve the detailed information of the owner of the comment. |
| Cofense.Comment.relationships.owner.data.type | String | Type of the owner associated with the comment. |
| Cofense.Comment.relationships.owner.data.id | String | Unique identifier of the owner associated with the comment. |
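
The body.properties.* paths above describe the JSON document a comment carries when its body_format is json; a text comment carries a plain string, as in this command's context example. The following Python is an added example, not code from the integration or from Cofense: it takes a comment in the Cofense.Comment shape, decodes a JSON body and flattens the stage 1 and stage 2 IOCs into a list a playbook can enrich or block, skipping text comments and malformed bodies instead of failing. The key layout inside the body (stage_1_iocs.infection_ips and so on) is assumed from the context paths, and the sample comment is constructed for the example.

```python
"""Flatten the IOCs of a JSON-format Cofense Triage comment (added example).

The body key layout is assumed from the documented context paths; the sample
comment below is constructed and is not real Triage data.
"""
import json

# Constructed sample in the Cofense.Comment shape, with a JSON body.
SAMPLE_COMMENT = {
    "id": "3",
    "type": "comments",
    "attributes": {
        "body_format": "json",
        "body": json.dumps({
            "report_id": 34,
            "summary": "Credential phish impersonating internal SSO",
            "brands": ["ExampleCorp"],
            "stage_1_iocs": {
                "files": ["invoice.html"],
                "infection_ips": ["192.0.2.10"],
                "infection_urls": ["http://login.example.net/sso"],
            },
            "stage_2_iocs": {
                "files": ["payload.exe"],
                "md5": "d41d8cd98f00b204e9800998ecf8427e",
                "size": "1024",
                "payload_ips": ["198.51.100.7", "203.0.113.5"],
                "payload_urls": ["http://cdn.example.org/payload.exe"],
                "c2_ips": ["203.0.113.5"],          # duplicate of a payload IP on purpose
                "c2_urls": ["http://c2.example.org/beacon"],
            },
        }),
        "created_at": "2021-04-13T10:48:16.834Z",
        "updated_at": "2021-04-13T10:48:16.834Z",
    },
    "relationships": {"commentable": {"data": {"id": "34", "type": "reports"}}},
}

# (stage, key inside the stage object, indicator type) for every IOC list documented above
IOC_FIELDS = [
    ("stage_1_iocs", "files", "file"),
    ("stage_1_iocs", "infection_ips", "ip"),
    ("stage_1_iocs", "infection_urls", "url"),
    ("stage_2_iocs", "files", "file"),
    ("stage_2_iocs", "md5", "md5"),
    ("stage_2_iocs", "payload_ips", "ip"),
    ("stage_2_iocs", "payload_urls", "url"),
    ("stage_2_iocs", "c2_ips", "ip"),
    ("stage_2_iocs", "c2_urls", "url"),
]


def _as_list(value):
    """Scalar fields such as md5 may be a single string; normalise to a list of strings."""
    if value is None or value == "":
        return []
    if isinstance(value, (list, tuple)):
        return [str(v) for v in value if v not in (None, "")]
    return [str(value)]


def parse_comment_body(comment):
    """Return the decoded JSON body, or None for text comments and invalid JSON."""
    attrs = comment.get("attributes", {})
    if attrs.get("body_format") != "json":
        return None
    try:
        body = json.loads(attrs.get("body") or "")
    except json.JSONDecodeError:
        return None
    return body if isinstance(body, dict) else None


def extract_iocs(comment):
    """Flatten stage 1 / stage 2 IOCs into dicts of stage, type, value and provenance.

    Duplicate (type, value) pairs are dropped, keeping first-seen order, so an IP that
    appears both as payload and C2 infrastructure is emitted once.
    """
    body = parse_comment_body(comment)
    if body is None:
        return []
    commentable = comment.get("relationships", {}).get("commentable", {}).get("data", {})
    provenance = f"{commentable.get('type')}/{commentable.get('id')}"
    seen, iocs = set(), []
    for stage, key, ioc_type in IOC_FIELDS:
        stage_obj = body.get(stage) or {}
        if not isinstance(stage_obj, dict):
            continue
        for value in _as_list(stage_obj.get(key)):
            if (ioc_type, value) in seen:
                continue
            seen.add((ioc_type, value))
            iocs.append({"stage": stage, "type": ioc_type, "value": value,
                         "comment_id": comment.get("id"), "commentable": provenance})
    return iocs


def ioc_values(comment, ioc_type):
    """Only the values of one indicator type, e.g. to hand to an enrichment or block list."""
    return [i["value"] for i in extract_iocs(comment) if i["type"] == ioc_type]


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_COMMENT):
        print(ioc["stage"], ioc["type"], ioc["value"], ioc["commentable"])
```

Feeding extract_iocs the comments returned for a report (report_id) or a threat indicator (threat_indicator_id) gives one flat indicator list per comment; the commentable field keeps the link back to the Triage object that the IOC came from.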

Command Example#

!cofense-comment-list page_size=2

Context Example#

{
"Cofense": {
"Comment": [
{
"attributes": {
"body": "www.xyz.com",
"body_format": "text",
"created_at": "2021-04-01T20:52:59.342Z",
"updated_at": "2021-04-01T20:52:59.342Z"
},
"id": "1",
"links": {
"self": "https://triage.example.com/api/public/v2/comments/1"
},
"relationships": {
"commentable": {
"data": {
"id": "216",
"type": "threat_indicators"
},
"links": {
"related": "https://triage.example.com/api/public/v2/comments/1/commentable",
"self": "https://triage.example.com/api/public/v2/comments/1/relationships/commentable"
}
},
"owner": {
"data": {
"id": "2",
"type": "operators"
},
"links": {
"related": "https://triage.example.com/api/public/v2/comments/1/owner",
"self": "https://triage.example.com/api/public/v2/comments/1/relationships/owner"
}
}
},
"type": "comments"
},
{
"attributes": {
"body": "www.abc.com",
"body_format": "text",
"created_at": "2021-04-02T12:58:25.496Z",
"updated_at": "2021-04-02T12:58:25.496Z"
},
"id": "2",
"links": {
"self": "https://triage.example.com/api/public/v2/comments/2"
},
"relationships": {
"commentable": {
"data": {
"id": "207",
"type": "threat_indicators"
},
"links": {
"related": "https://triage.example.com/api/public/v2/comments/2/commentable",
"self": "https://triage.example.com/api/public/v2/comments/2/relationships/commentable"
}
},
"owner": {
"data": {
"id": "2",
"type": "operators"
},
"links": {
"related": "https://triage.example.com/api/public/v2/comments/2/owner",
"self": "https://triage.example.com/api/public/v2/comments/2/relationships/owner"
}
}
},
"type": "comments"
}
]
}
}

Human Readable Output#

Comment(s)#

| Comment ID | Body Format | Body | Created At | Updated At | Associated To | Associated To ID |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | text | www.xyz.com | 2021-04-01T20:52:59.342Z | 2021-04-01T20:52:59.342Z | threat_indicators | 216 |
| 2 | text | www.abc.com | 2021-04-02T12:58:25.496Z | 2021-04-02T12:58:25.496Z | threat_indicators | 207 |

cofense-cluster-list#


Retrieves clusters based on the filter values provided in the command arguments.

Base Command#

cofense-cluster-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the cluster to retrieve a specific cluster. Note: If the 'id' argument is provided, all other arguments except 'fields_to_retrieve' are ignored. | Optional |
| page_size | Specify the number of clusters to retrieve per page. Note: Possible values are between 1 and 200. Default is 20. | Optional |
| page_number | Specify the page number of clusters to retrieve. Default is 1. | Optional |
| sort_by | Specify the attributes to sort the clusters by. Note: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. For example: created_at, -updated_at. | Optional |
| filter_by | Specify the filters to apply to the list of clusters by attribute values. Note: Enter values in key-value JSON format. To separate multiple values of a single attribute, use commas. Add a backslash (\) before quotes. Format accepted: {\"attribute1_operator\": \"value1, value2\", \"attribute2_operator\": \"value3, value4\"} For example: {\"risk_score_eq\":\"1,2\", \"updated_at_gt\":\"2020-10-26T10:48:16.834Z\"}. | Optional |
| fields_to_retrieve | Specify the fields to retrieve; only the listed attributes are returned. For example: unprocessed_reports_count, processed_reports_count. | Optional |
| tags | Specify the tags to retrieve the clusters based on the tags associated with the clusters. | Optional |
| match_priority | Specify the priority to retrieve clusters based on the highest priority of the rules that match the reports in the cluster. Possible values are: 0, 1, 2, 3, 4, 5. | Optional |
| total_reports_count | Specify the number of reports a cluster must contain to be retrieved. | Optional |
| created_at | Specify the date and time of creation from which to retrieve the clusters. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
| updated_at | Specify the date and time of last update from which to retrieve the clusters. Formats accepted: 2 minutes, 2 hours, 2 days, 2 weeks, 2 months, 2 years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ, etc. | Optional |
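
The page_size, page_number, sort_by, filter_by and fields_to_retrieve arguments above are the same for the other list commands, including cofense-comment-list with its two precedence rules (an 'id' makes everything but 'fields_to_retrieve' irrelevant, and report_id wins over threat_indicator_id). The following Python is an added example, not the integration's own code: it validates those arguments the way the tables describe and turns them into a Cofense Triage v2 request. It assumes the API follows JSON:API conventions (page[size], page[number], sort, fields[<type>] and filter[<attribute>_<operator>] query parameters) and that comments of a report or threat indicator are served under /reports/{id}/comments and /threat_indicators/{id}/comments; the latter path appears in this page's context examples, the former is assumed by analogy. The host is taken from the page's examples.

```python
"""Build Cofense Triage v2 list requests from the command arguments (added example).

Assumed: JSON:API-style query parameters and the nested comment endpoints named
in the lead-in. API_BASE is the host used in the page's examples.
"""
import json
from urllib.parse import urlencode

API_BASE = "https://triage.example.com/api/public/v2"
MAX_PAGE_SIZE = 200  # the documented upper bound for page_size


def parse_filter_by(filter_by):
    """Convert the filter_by JSON string into filter[<attribute>_<operator>] parameters.

    Keys keep their operator suffix (eq, gt, gteq, ...; the page documents only these,
    so the suffix is not checked against a fixed list). Comma-separated values are
    trimmed and re-joined so the API receives a clean value list.
    """
    if not filter_by:
        return {}
    try:
        parsed = json.loads(filter_by)
    except json.JSONDecodeError as exc:
        raise ValueError(f"filter_by must be a JSON object: {exc}") from exc
    if not isinstance(parsed, dict):
        raise ValueError("filter_by must be a JSON object of attribute_operator: value")
    params = {}
    for key, value in parsed.items():
        key = key.strip()  # tolerates a stray space such as 'attribute1_operator '
        if "_" not in key:
            raise ValueError(f"filter key {key!r} has no operator suffix such as _eq")
        raw = value if isinstance(value, list) else str(value).split(",")
        values = [str(v).strip() for v in raw if str(v).strip()]
        if not values:
            raise ValueError(f"filter key {key!r} has no value")
        params[f"filter[{key}]"] = ",".join(values)
    return params


def parse_sort_by(sort_by):
    """Normalise 'created_at, -updated_at' into the API's comma-separated sort string.

    A leading hyphen means descending. Anything that is not an attribute name is
    rejected so a caller cannot smuggle extra query syntax through this argument.
    """
    if not sort_by:
        return None
    fields = [f.strip() for f in sort_by.split(",") if f.strip()]
    for field in fields:
        name = field[1:] if field.startswith("-") else field
        if not name or not name.replace("_", "").isalnum():
            raise ValueError(f"invalid sort attribute {field!r}")
    return ",".join(fields)


def build_list_params(resource_type, page_size=20, page_number=1, sort_by=None,
                      filter_by=None, fields_to_retrieve=None):
    """Query parameters shared by the *-list commands (comments, clusters, ...)."""
    page_size, page_number = int(page_size), int(page_number)
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be between 1 and {MAX_PAGE_SIZE}")
    if page_number < 1:
        raise ValueError("page_number must be at least 1")
    params = {"page[size]": page_size, "page[number]": page_number}
    sort = parse_sort_by(sort_by)
    if sort:
        params["sort"] = sort
    if fields_to_retrieve:  # sparse fieldset: only the listed attributes come back
        fields = [f.strip() for f in fields_to_retrieve.split(",") if f.strip()]
        params[f"fields[{resource_type}]"] = ",".join(fields)
    params.update(parse_filter_by(filter_by))
    return params


def comment_list_url(comment_id=None, report_id=None, threat_indicator_id=None,
                     fields_to_retrieve=None, **list_args):
    """Full GET URL for cofense-comment-list arguments, applying both precedence rules."""
    if comment_id:  # a specific comment: every other argument but fields_to_retrieve is ignored
        params = {}
        if fields_to_retrieve:
            fields = [f.strip() for f in fields_to_retrieve.split(",") if f.strip()]
            params["fields[comments]"] = ",".join(fields)
        url = f"{API_BASE}/comments/{comment_id}"
        return f"{url}?{urlencode(params)}" if params else url
    if report_id:  # report_id takes precedence over threat_indicator_id
        base = f"{API_BASE}/reports/{report_id}/comments"
    elif threat_indicator_id:
        base = f"{API_BASE}/threat_indicators/{threat_indicator_id}/comments"
    else:
        base = f"{API_BASE}/comments"
    params = build_list_params("comments", fields_to_retrieve=fields_to_retrieve, **list_args)
    return f"{base}?{urlencode(params)}"


if __name__ == "__main__":
    print(comment_list_url(report_id="34", threat_indicator_id="216", page_size="2",
                           sort_by="-created_at, body",
                           filter_by='{"body_format_eq":"json", "created_at_gteq":"2021-04-13T10:48:16.834Z"}'))
```

Validating page_size against the documented 1..200 range and restricting sort_by to attribute names before the request is built means a bad playbook input fails in the integration with a clear error rather than as an opaque 4xx from Triage.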

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.Cluster.id | String | Unique identifier of the cluster. |
| Cofense.Cluster.type | String | Type of the Cofense Triage resource. |
| Cofense.Cluster.links.self | String | Link of the resource. |
| Cofense.Cluster.attributes.risk_score | Number | Risk score of the cluster. |
| Cofense.Cluster.attributes.first_reported_at | Date | Date and time, in ISO 8601 format, when the first report in the cluster was reported. |
| Cofense.Cluster.attributes.oldest_unprocessed_reported_at | Date | Date and time, in ISO 8601 format, when the oldest unprocessed report in the cluster was reported. |
| Cofense.Cluster.attributes.last_received_at | Date | Date and time, in ISO 8601 format, when the suspect email associated with the last report in the cluster was received. |
| Cofense.Cluster.attributes.last_reported_at | Date | Date and time, in ISO 8601 format, when the last report in the cluster was reported to Triage. |
| Cofense.Cluster.attributes.last_from_address | String | Sender email address of the suspect email associated with the last report added to the cluster. |
| Cofense.Cluster.attributes.last_subject | String | Subject of the last received report. |
| Cofense.Cluster.attributes.average_reporter_reputation | String | Average reporter reputation score across all reports in the cluster. |
| Cofense.Cluster.attributes.match_priority | Number | Highest priority of the rules that match the reports in the cluster. |
| Cofense.Cluster.attributes.host_source | String | Semicolon-separated list of URL domains in the cluster. |
| Cofense.Cluster.attributes.tags | Unknown | Tags assigned to the cluster. |
| Cofense.Cluster.attributes.attachments_count | Number | Count of attachments in the cluster. |
| Cofense.Cluster.attributes.unprocessed_reports_count | Number | Count of unprocessed reports in the cluster. |
| Cofense.Cluster.attributes.processed_reports_count | Number | Count of processed reports in the cluster. |
| Cofense.Cluster.attributes.total_reports_count | Number | Count of all reports in the cluster. |
| Cofense.Cluster.attributes.rules_count | Number | Count of unique rules that match one or more reports in the cluster. |
| Cofense.Cluster.attributes.urls_count | Number | Count of URLs in the cluster. |
| Cofense.Cluster.attributes.vip_reporters_count | Number | Count of VIP reporters. |
| Cofense.Cluster.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.Cluster.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.Cluster.relationships.attachment_payloads.links.self | String | Link to retrieve the payloads of attachments associated with the reports in the cluster. |
| Cofense.Cluster.relationships.attachment_payloads.links.related | String | Link to retrieve the detailed information of the payloads of attachments associated with the reports in the cluster. |
| Cofense.Cluster.relationships.domains.links.self | String | Link to retrieve the domains of the reports in the cluster. |
| Cofense.Cluster.relationships.domains.links.related | String | Link to retrieve the detailed information of the domains of the reports in the cluster. |
| Cofense.Cluster.relationships.hostnames.links.self | String | Link to retrieve the hostnames of URLs associated with the reports in the cluster. |
| Cofense.Cluster.relationships.hostnames.links.related | String | Link to retrieve the detailed information of the hostnames of URLs associated with the reports in the cluster. |
| Cofense.Cluster.relationships.reports.links.self | String | Link to retrieve the reports in the cluster. |
| Cofense.Cluster.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports in the cluster. |
| Cofense.Cluster.relationships.reporters.links.self | String | Link to retrieve the reporters of the reports in the cluster. |
| Cofense.Cluster.relationships.reporters.links.related | String | Link to retrieve the detailed information of the reporters of the reports in the cluster. |
| Cofense.Cluster.relationships.rules.links.self | String | Link to retrieve the rules matching the cluster. |
| Cofense.Cluster.relationships.rules.links.related | String | Link to retrieve the detailed information of the rules matching the cluster. |
| Cofense.Cluster.relationships.urls.links.self | String | Link to retrieve the URLs associated with the reports in the cluster. |
| Cofense.Cluster.relationships.urls.links.related | String | Link to retrieve the detailed information of the URLs associated with the reports in the cluster. |

Command Example#

!cofense-cluster-list page_size=2

Context Example#

{
"Cofense": {
"Cluster": [
{
"attributes": {
"attachments_count": 0,
"average_reporter_reputation": "0.0",
"created_at": "2020-10-21T20:54:25.644Z",
"first_reported_at": "2019-11-08T17:17:05.000Z",
"host_source": "dummy.xyz.com;dummy.com",
"match_priority": 0,
"processed_reports_count": 11,
"risk_score": 34,
"rules_count": 0,
"total_reports_count": 11,
"unprocessed_reports_count": 0,
"updated_at": "2021-06-02T11:05:02.806Z",
"urls_count": 3,
"vip_reporters_count": 0
},
"id": "1",
"links": {
"self": "https://triage.example.com/api/public/v2/clusters/1"
},
"relationships": {
"attachment_payloads": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/attachment_payloads",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/attachment_payloads"
}
},
"domains": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/domains",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/domains"
}
},
"hostnames": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/hostnames",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/hostnames"
}
},
"reporters": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/reporters",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/reporters"
}
},
"reports": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/reports",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/reports"
}
},
"rules": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/rules",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/rules"
}
},
"urls": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/1/urls",
"self": "https://triage.example.com/api/public/v2/clusters/1/relationships/urls"
}
}
},
"type": "clusters"
},
{
"attributes": {
"attachments_count": 0,
"average_reporter_reputation": "0.0",
"created_at": "2020-10-21T20:54:28.227Z",
"first_reported_at": "2019-11-08T19:50:17.000Z",
"host_source": "content.xyz.com;dummy.pages03.net",
"match_priority": 0,
"processed_reports_count": 1,
"risk_score": 8,
"rules_count": 0,
"total_reports_count": 1,
"unprocessed_reports_count": 0,
"updated_at": "2020-11-23T13:17:43.492Z",
"urls_count": 3,
"vip_reporters_count": 0
},
"id": "2",
"links": {
"self": "https://triage.example.com/api/public/v2/clusters/2"
},
"relationships": {
"attachment_payloads": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/attachment_payloads",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/attachment_payloads"
}
},
"domains": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/domains",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/domains"
}
},
"hostnames": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/hostnames",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/hostnames"
}
},
"reporters": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/reporters",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/reporters"
}
},
"reports": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/reports",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/reports"
}
},
"rules": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/rules",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/rules"
}
},
"urls": {
"links": {
"related": "https://triage.example.com/api/public/v2/clusters/2/urls",
"self": "https://triage.example.com/api/public/v2/clusters/2/relationships/urls"
}
}
},
"type": "clusters"
}
]
}
}

Human Readable Output#

Cluster(s)#

| Cluster ID | Unprocessed Report Count | Total Report Count | Match Priority | Host Source | Average Reporter Reputation Score | VIP Reporter Count | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 1 | 0 | 11 | 0 | dummy.xyz.com;dummy.com | 0.0 | 0 | 2020-10-21T20:54:25.644Z | 2021-06-02T11:05:02.806Z |
| 2 | 0 | 1 | 0 | content.xyz.com;dummy.pages03.net | 0.0 | 0 | 2020-10-21T20:54:28.227Z | 2020-11-23T13:17:43.492Z |

cofense-threat-indicator-update#


Updates a threat indicator based on the values provided in the command arguments.

Base Command#

cofense-threat-indicator-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the threat indicator to update. Note: To retrieve the id, execute the cofense-threat-indicator-list command. | Required |
| threat_level | Specify the threat level to set on the threat indicator. Some possible values are: Malicious, Suspicious, Benign. | Required |
| threat_source | Specify the value corresponding to the source of the threat indicator. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Cofense.ThreatIndicator.id | String | Unique identifier of the threat indicator. |
| Cofense.ThreatIndicator.type | String | Type of the Cofense Triage resource. |
| Cofense.ThreatIndicator.links.self | String | Link of the resource. |
| Cofense.ThreatIndicator.attributes.threat_level | String | The level of the threat. |
| Cofense.ThreatIndicator.attributes.threat_type | String | The type of the threat. |
| Cofense.ThreatIndicator.attributes.threat_value | String | Value corresponding to the threat type. |
| Cofense.ThreatIndicator.attributes.threat_source | String | Value corresponding to the source of the threat. |
| Cofense.ThreatIndicator.attributes.created_at | Date | Date and time, in ISO 8601 format, when the resource was created. |
| Cofense.ThreatIndicator.attributes.updated_at | Date | Date and time, in ISO 8601 format, when the resource was last updated. |
| Cofense.ThreatIndicator.relationships.owner.links.self | String | Link to retrieve the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.links.related | String | Link to retrieve the detailed information of the owner of the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.type | String | Type of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.owner.data.id | String | Unique identifier of the owner associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.self | String | Link to retrieve the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.reports.links.related | String | Link to retrieve the detailed information of the reports containing the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.self | String | Link to retrieve the comments associated with the threat indicator. |
| Cofense.ThreatIndicator.relationships.comments.links.related | String | Link to retrieve the detailed information of the comments associated with the threat indicator. |

Command Example#

!cofense-threat-indicator-update id=1 threat_level=Suspicious

Context Example#

{
"Cofense": {
"ThreatIndicator": {
"attributes": {
"created_at": "2020-10-26T10:47:09.675Z",
"threat_level": "Suspicious",
"threat_source": "URL",
"threat_type": "SHA256",
"threat_value": "dummy_hash",
"updated_at": "2021-06-22T06:09:22.661Z"
},
"id": "1",
"links": {
"self": "https://triage.example.com/api/public/v2/threat_indicators/1"
},
"relationships": {
"comments": {
"links": {
"related": "https://triage.example.com/api/public/v2/threat_indicators/1/comments",
"self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/comments"
}
},
"owner": {
"data": {
"id": "3",
"type": "api_applications"
},
"links": {
"related": "https://triage.example.com/api/public/v2/threat_indicators/1/owner",
"self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/owner"
}
},
"reports": {
"links": {
"related": "https://triage.example.com/api/public/v2/threat_indicators/1/reports",
"self": "https://triage.example.com/api/public/v2/threat_indicators/1/relationships/reports"
}
}
},
"type": "threat_indicators"
}
}
}

Human Readable Output#

Threat Indicator(s)#

| Threat Indicator ID | Threat Level | Threat Type | Threat Value | Threat Source | Created At | Updated At |
| --- | --- | --- | --- | --- | --- | --- |
| 1 | Suspicious | SHA256 | dummy_hash | URL | 2020-10-26T10:47:09.675Z | 2021-06-22T06:09:22.661Z |

get-remote-data#


Gets remote data from a remote incident. Note that this command does not update the current incident; it is provided for debugging purposes.

Base Command#

get-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The report ID. | Required |
| lastUpdate | Date string representing the local time. The incident is only returned if it was modified after the last update time. | Required |

Context Output#

There is no context output for this command.

Command Example#

!get-remote-data id=34 lastUpdate="3 days"

get-modified-remote-data#


Gets the list of incidents that were modified since the last update time. Note that this command is provided for debugging purposes. The get-modified-remote-data command is used as part of the mirroring feature, which is available from Cortex XSOAR version 6.1.

Base Command#

get-modified-remote-data

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| lastUpdate | Date string, in local time, representing the last time the incident was updated. Only incidents modified after this time are returned. | Required |

Context Output#

There is no context output for this command.

Command Example#

!get-modified-remote-data lastUpdate="3 days"

cofense-report-image-download#


Downloads the image of the report that matches the specified report ID.

Base Command#

cofense-report-image-download

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Specify the ID of the report whose image file to download. Note: To retrieve the id, execute the cofense-report-list command. | Required |
| type | The image type of the report to download. Some possible values are: jpg, png. Default is png. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| InfoFile.Name | String | File name. |
| InfoFile.EntryID | String | The entry ID of the file. |
| InfoFile.Size | Number | File size in bytes. |
| InfoFile.Type | String | The file type. |
| InfoFile.Info | String | File information. |
| InfoFile.Extension | String | File extension. |

Command Example#

!cofense-report-image-download id="4"

Context Example#

{
"InfoFile": {
"EntryID": "12345@24e2b8bb-acd8-4ad6-8f7c-5140d65ea600",
"Extension": "png",
"Info": "image/png",
"Name": "Report ID - 4.png",
"Size": 63172,
"Type": "PNG image data, 400 x 769, 8-bit/color RGBA, non-interlaced"
}
}

Human Readable Output#

Uploaded an image: Report ID - 4.png

Breaking changes from the previous version of this integration - Cofense Triage v2#

The following sections list the changes in this version.

Commands#

The following commands were removed in this version:#

  • cofense-search-reports - this command was replaced by cofense-report-list.
  • cofense-search-inbox-reports - this command was replaced by cofense-report-list with argument 'report_location'.
  • cofense-get-attachment
  • cofense-get-reporter - this command was replaced by cofense-reporter-list.
  • cofense-get-report-by-id - this command was replaced by cofense-report-list with argument 'id'.
  • cofense-get-report-png-by-id - this command was replaced by cofense-report-image-download.
  • cofense-get-threat-indicators - this command was replaced by cofense-threat-indicator-list.

Additional Considerations for this version#

The ability to mirror incident data has been added.

The following commands were added in this version:#

  • cofense-attachment-payload-list
  • cofense-category-list
  • cofense-cluster-list
  • cofense-comment-list
  • cofense-integration-submission-get
  • cofense-report-categorize
  • cofense-report-download
  • cofense-rule-list
  • cofense-threat-indicator-create
  • cofense-threat-indicator-update
  • cofense-url-list
  • cofense-report-attachment-payload-list
  • cofense-report-attachment-list
  • cofense-report-attachment-download