Skip to main content

Cofense Vision

This Integration is part of the Cofense Vision Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.2.0 and later.

The Cofense Vision integration provides commands to initiate advanced search jobs to hunt suspicious emails matching IOCs. It also contains commands to quarantine emails, download messages and their attachments, and aids to manage IOCs in the local repository to keep up with upcoming emerging threats. This integration was integrated and tested with version 4 of Cofense Vision and version 1 of Cofense IOC Repository.

Configure Cofense Vision in Cortex#

ParameterDescriptionRequired
Server URLServer URL to connect to Cofense Vision.True
Client IDTrue
Client SecretTrue
Threat levels to be marked as GoodMapping of Cofense Vision threat level to XSOAR DbotScore.
For 'Good', DbotScore will be 1 and default threat level value is 'low'.
Comma separated values are supported.
False
Threat levels to be marked as SuspiciousMapping of Cofense Vision threat level to XSOAR DbotScore.
For 'Suspicious', DbotScore will be 2 and default threat level values are 'suspicious', 'moderate', 'substantial'.
Comma separated values are supported.
False
Threat levels to be marked as BadMapping of Cofense Vision threat level to XSOAR DbotScore.
For 'Bad', DbotScore will be 3 and default threat level values are 'malicious', 'severe', 'critical', 'high'.
Comma separated values are supported.
False
Trust any certificate (not secure)Indicates whether to allow connections without verifying SSL certificate's validity.False
Use system proxy settingsIndicates whether to use XSOAR's system proxy settings to connect to the API.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cofense-message-token-get#


Retrieves a one-time token that can be used to get an email's content.

Base Command#

cofense-message-token-get

Input#

Argument NameDescriptionRequired
internet_message_idUnique identifier of the email, enclosed in angle brackets.

Example: <AC6CAE11-779E-4044-BB25-110171AB0301@example.com>

Note: Users can get the ID by executing the "cofense-message-search-results-get" command.
Required
recipient_addressEmail address of the recipient of the email.

Note: The email address can be a carbon copy (Cc) or blind
carbon copy (Bcc) recipient but cannot be a shared mailbox or a
distribution list.

Note: Users can get the recipient address by executing the "cofense-message-search-results-get" command.
Required
passwordPassword to protect the zip file containing the email.Optional

Context Output#

PathTypeDescription
Cofense.Message.tokenStringOne-time token to access an email content.
Cofense.Message.internetMessageIdStringID of an email assigned by the message transfer agent.
Cofense.Message.recipients.addressStringEmail address of the recipient.

Command example#

!cofense-message-token-get internet_message_id="<1216208547.160.1658930322668@6d14a4fa9032>" recipient_address="abc@example.com"

Context Example#

{
"Cofense": {
"Message": {
"internetMessageId": "<1216208547.160.1658930322668@6d14a4fa9032>",
"recipient": {
"address": "abc@example.com"
},
"token": "de7475a4-3802-46c1-8e4c-2665912445c0"
}
}
}

Human Readable Output#

One-time token:#

Internet Message IDRecipient's AddressToken
1216208547.160.1658930322668@6d14a4fa9032\abc@example.comde7475a4-3802-46c1-8e4c-2665912445c0

cofense-message-metadata-get#


Retrieves the full content of a message that matches the specified Internet message ID and recipient email address of an email.

Base Command#

cofense-message-metadata-get

Input#

Argument NameDescriptionRequired
internet_message_idUnique identifier of the email, enclosed in angle brackets.

Example: <AC6CAE11-779E-4044-BB25-110171AB0301@example.com>

Note: Users can get the internet message ID by executing the "cofense-message-search-results-get" command.
Required
recipient_addressEmail address of the recipient of an email. The email address can be a
carbon copy (Cc) or blind carbon copy (Bcc) recipient but cannot be a
shared mailbox or a distribution list.

Note: Users can get the recipient address by executing the "cofense-message-search-results-get" command.
Required

Context Output#

PathTypeDescription
Cofense.Message.idNumberID of the message in cofense vision.
Cofense.Message.storageUriStringStorage URI of an email.
Cofense.Message.subjectStringSubject of the email.
Cofense.Message.receivedOnDateDate and time an email was received by the recipient.
Cofense.Message.sentOnDateDate and time an email was sent to the recipient.
Cofense.Message.deliveredOnDateDate and time an email was delivered to the recipient.
Cofense.Message.processedOnDateDate and time cofense vision ingested the email.
Cofense.Message.textBodyStringBody of an email in text format.
Cofense.Message.htmlBodyStringBody of an email in HTML format.
Cofense.Message.md5StringMD5 hash of the message.
Cofense.Message.sha1StringSHA1 hash of the message.
Cofense.Message.sha256StringSHA256 hash of the message.
Cofense.Message.internetMessageIdStringID of an email assigned by the message transfer agent.
Cofense.Message.from.idNumberID of the sender.
Cofense.Message.from.personalStringPersonal email of the sender.
Cofense.Message.from.addressStringAn email address of the sender.
Cofense.Message.headers.nameStringThe name of the key in the header.
Cofense.Message.headers.valueStringThe value of the key in the header.
Cofense.Message.recipients.idNumberID of the recipient.
Cofense.Message.recipients.personalStringPersonal email of the recipient.
Cofense.Message.recipients.addressStringEmail address of the recipient.
Cofense.Message.recipients.recipientTypeStringType of the recipient.
Cofense.Message.attachments.sizeNumberThe size of the attachment file.
Cofense.Message.attachments.filenameStringThe name of the attachment file.
Cofense.Message.attachments.contentTypeStringThe content type present in the header.
Cofense.Message.attachments.detectedContentTypeStringThe detected content type of the attachment.
Cofense.Message.attachments.md5StringThe MD5 hash of the attachment.
Cofense.Message.attachments.sha256StringThe SHA256 hash of the attachment.
Cofense.Message.attachments.idNumberThe ID of the attachment.
Cofense.Message.matchingIOCsUnknownMD5 hash of one or more matching IOCs.
Cofense.Message.matchingSourcesUnknownOne or more matching IOC sources.

Command example#

!cofense-message-metadata-get internet_message_id="<1216208547.160.1658930322668@6d14a4fa9032>" recipient_address="abc@example.com"

Context Example#

{
"Cofense": {
"Message": {
"attachments": [
{
"contentType": "text/plain",
"detectedContentType": "text/plain",
"filename": "fileNum-Thread[mailer-011,5,main]-text-file-163.txt",
"id": 1673289,
"md5": "3d0e1d68f12afee22ae3e79e01027c7a",
"sha256": "ca68f5eecd5822783911ed392fbff3c171d3a1854c0f992364d038ee447f8ac3",
"size": 59173
},
{
"contentType": "application/zip",
"detectedContentType": "application/zip",
"filename": "fileNum-Thread[mailer-011,5,main]-text-file-146.txt.zip",
"id": 1673290,
"md5": "5c602ca45faac3bb128a5ecbf977f9f1",
"sha256": "6018b7cc402e6368d4542c0f6c129a99e35c80ae9001ec338e7621df2f8ac51f",
"size": 14563
},
{
"detectedContentType": "text/plain",
"filename": "text-file-146.txt",
"id": 1673291,
"md5": "c5aa88f949574a0a5e75a795dc507da7",
"sha256": "d3a070977ae0ae561bae2215526c187d5c46c54dd8899eefb8fe21ed0e6c1303",
"size": 27842
}
],
"from": [
{
"address": "abc@example.com",
"id": 760623,
"personal": "abc"
}
],
"headers": [
{
"name": "From",
"value": "abc@example.com"
},
{
"name": "To",
"value": "pqr@example.com"
},
{
"name": "CC",
"value": "abc@example.com"
},
{
"name": "Subject",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Topic",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Index",
"value": "AQHYocD7Ut113z4F00uSjzqlEM2clw=="
},
{
"name": "Date",
"value": "Wed, 27 Jul 2022 13:58:43 +0000"
},
{
"name": "Message-ID",
"value": "<1216208547.160.1658930322668@6d14a4fa9032>"
}
],
"id": 760623,
"internetMessageId": "<1216208547.160.1658930322668@6d14a4fa9032>",
"md5": "a486b023cd82f45f7b099a41dc3776a6",
"processedOn": "2022-07-27T13:58:46.271+00:00",
"receivedOn": "2022-07-27T13:58:44.000+00:00",
"recipients": [
{
"address": "abc@example.com",
"id": 7606409,
"personal": "abc",
"recipientType": "cc"
},
{
"address": "pqr@example.com",
"id": 7606410,
"personal": "pqr",
"recipientType": "to"
}
],
"sentOn": "2022-07-27T13:58:43.000+00:00",
"sha1": "0b744bed73106d5d613d83c71b9d9884f48690f4",
"sha256": "2d7bad3fe37c9e4089e6231784f51354ef2fd9689fe7fae6d46cb70d279da8e0",
"subject": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
}
}
}

Human Readable Output#

Message Metadata:#

IDSubjectReceived OnSent OnProcessed OnSenderRecipientsMD5SHA1SHA256Internet Message ID
760623craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 165893032264627/07/2022, 01:58 PM UTC27/07/2022, 01:58 PM UTC27/07/2022, 01:58 PM UTCabc@example.comabc@example.com
pqr@example.com
a486b023cd82f45f7b099a41dc3776a60b744bed73106d5d613d83c71b9d9884f48690f42d7bad3fe37c9e4089e6231784f51354ef2fd9689fe7fae6d46cb70d279da8e01216208547.160.1658930322668@6d14a4fa9032\

cofense-message-get#


Fetches full content of an email and returns it as a zip file using a token.

Base Command#

cofense-message-get

Input#

Argument NameDescriptionRequired
tokenA one-time token to access the content of an email in a zip file.

Note: Users can get the token by executing the "cofense-message-token-get" command.
Required

Context Output#

PathTypeDescription
File.SizeNumberThe size of the file.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe SSDeep hash of the file.
File.EntryIDStringThe entry ID of the file.
File.InfoStringFile information.
File.TypeStringThe file type.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe file extension.

Command example#

!cofense-message-get token="fbbeff70-2c17-4d67-a741-3d8a7e394005"

Context Example#

{
"File": {
"EntryID": "603@cc18bdc4-7c64-494c-879c-23c3aee60818",
"Info": "text/plain",
"MD5": "97ee1d575640245abadbba15c0672eec",
"Name": "13311",
"SHA1": "13395876300d0a575812878446e15b9bbddda0b2",
"SHA256": "19d9c63bf4067a897950cfb72c14e8d05d8dcab0655979c6b60b925fb91e329f",
"SHA512": "31df48f235cc82247c6edc05850f910d6a057717d5d5f6ce84a4bc6c6fc3cc1f6ebae706ac592ace106b0559753928a838a1aee7018bec5b4316b90d95f55bcf",
"SSDeep": "24:nDBTBpJG4hbUWBFcXekJPkJ1WkJM8PWkJKckJvV/WskJvV28BesR1zvX0:nDNrHb1BWXekJPkJ1WkJfPWkJDkJvV/n",
"Size": 988,
"Type": "ASCII text, with CRLF line terminators"
}
}

Human Readable Output#

EntryIDInfoMD5NameSHA1SHA256SHA512SSDeepSizeType
603@cc18bdc4-7c64-494c-879c-23c3aee60818text/plain97ee1d575640245abadbba15c0672eec1331113395876300d0a575812878446e15b9bbddda0b219d9c63bf4067a897950cfb72c14e8d05d8dcab0655979c6b60b925fb91e329f31df48f235cc82247c6edc05850f910d6a057717d5d5f6ce84a4bc6c6fc3cc1f6ebae706ac592ace106b0559753928a838a1aee7018bec5b4316b90d95f55bcf24:nDBTBpJG4hbUWBFcXekJPkJ1WkJM8PWkJKckJvV/WskJvV28BesR1zvX0:nDNrHb1BWXekJPkJ1WkJfPWkJDkJvV/n988ASCII text, with CRLF line terminators

cofense-message-attachment-get#


Fetches the full content of an email and returns a zip file.

Base Command#

cofense-message-attachment-get

Input#

Argument NameDescriptionRequired
md5The hex-encoded string that represents an attachment's MD5 hash.

Note: The md5 hash can be retrieved by using the command "cofense-message-search-results-get".
Required
sha256The hex-encoded string that represents an attachment's SHA256 hash.

Note: The sha256 hash can be retrieved by using the command "cofense-message-search-results-get".
Optional
file_nameProvide a name to the file with the extension that needs to be downloaded.

Note: The file name can be retrieved by using the command "cofense-message-search-results-get".
Required

Context Output#

PathTypeDescription
File.SizeNumberThe size of the file in bytes.
File.SHA1StringThe SHA1 hash of the file.
File.SHA256StringThe SHA256 hash of the file.
File.NameStringThe name of the file.
File.SSDeepStringThe SSDeep hash of the file.
File.EntryIDStringThe entry ID of the file.
File.InfoStringFile information.
File.TypeStringThe file type.
File.MD5StringThe MD5 hash of the file.
File.ExtensionStringThe file extension.

Command example#

!cofense-message-attachment-get md5="3d0e1d68f12afee22ae3e79e01027c7a" file_name="attachment.txt"

Context Example#

{
"File": {
"EntryID": "603@cc18bdc4-7c64-494c-879c-23c3aee60818",
"Info": "text/plain",
"MD5": "97ee1d575640245abadbba15c0672eec",
"Name": "13311",
"SHA1": "13395876300d0a575812878446e15b9bbddda0b2",
"SHA256": "19d9c63bf4067a897950cfb72c14e8d05d8dcab0655979c6b60b925fb91e329f",
"SHA512": "31df48f235cc82247c6edc05850f910d6a057717d5d5f6ce84a4bc6c6fc3cc1f6ebae706ac592ace106b0559753928a838a1aee7018bec5b4316b90d95f55bcf",
"SSDeep": "24:nDBTBpJG4hbUWBFcXekJPkJ1WkJM8PWkJKckJvV/WskJvV28BesR1zvX0:nDNrHb1BWXekJPkJ1WkJfPWkJDkJvV/n",
"Size": 988,
"Type": "ASCII text, with CRLF line terminators"
}
}

Human Readable Output#

EntryIDInfoMD5NameSHA1SHA256SHA512SSDeepSizeType
603@cc18bdc4-7c64-494c-879c-23c3aee60818text/plain97ee1d575640245abadbba15c0672eec1331113395876300d0a575812878446e15b9bbddda0b219d9c63bf4067a897950cfb72c14e8d05d8dcab0655979c6b60b925fb91e329f31df48f235cc82247c6edc05850f910d6a057717d5d5f6ce84a4bc6c6fc3cc1f6ebae706ac592ace106b0559753928a838a1aee7018bec5b4316b90d95f55bcf24:nDBTBpJG4hbUWBFcXekJPkJ1WkJM8PWkJKckJvV/WskJvV28BesR1zvX0:nDNrHb1BWXekJPkJ1WkJfPWkJDkJvV/n988ASCII text, with CRLF line terminators

cofense-quarantine-jobs-list#


Filters and returns a paginated list of matching quarantine jobs.

Base Command#

cofense-quarantine-jobs-list

Input#

Argument NameDescriptionRequired
exclude_quarantine_emailsWhether to remove (true) or not remove (false) quarantined emails from the response. Possible values are: True, False. Default is False.Optional
pageStart page of the results. The value must be a positive integer or 0. Default is 0.Optional
sizeThe number of results to retrieve per page. The value must be a positive integer up to 2000. Default is 50.Optional
sortThe name-value pair defining the order of the response. Comma separated values are supported.

Supported format: propertyName1:sortOrder1,propertyName2:sortOrder2

Supported values for propertyName are: id, createdBy, createdDate, modifiedBy, modifiedDate, stopRequested.

Supported values for sortOrder are: asc, desc. Default is id:asc.
Optional
auto_quarantineWhether to include auto quarantine jobs (true) or not include auto quarantine jobs (false). Possible values are: True, False.Optional
include_statusFilters quarantine jobs by including emails with the specified status. Supports comma-separated values.

Supported values are: NEW, PENDING_APPROVAL, QUEUED, RUNNING, COMPLETED, FAILED.

Where,
NEW: Job was created but is not yet queued.
PENDING_APPROVAL: Job was created from an auto quarantine action and is waiting for approval to run.
QUEUED: Job is queued but has not yet run.
RUNNING: Job is currently running.
COMPLETED: Job run finished and emails were quarantined or restored.
FAILED: Job run finished but some emails to be quarantined or restored are in an error state. Cofense Vision retries failed jobs until the retry limit is reached.
Optional
exclude_statusFilters quarantine jobs by excluding emails with the specified status. Supports comma-separated values.

Supported values are: NEW, PENDING_APPROVAL, QUEUED, RUNNING, COMPLETED, FAILED.

Where,
NEW: Job was created but is not yet queued.
PENDING_APPROVAL: Job was created from an auto quarantine action and is waiting for approval to run.
QUEUED: Job is queued but has not yet run.
RUNNING: Job is currently running.
COMPLETED: Job run finished and emails were quarantined or restored.
FAILED: Job run finished but some emails to be quarantined or restored are in an error state. Cofense Vision retries failed jobs until the retry limit is reached.
Optional
iocsUnique MD5 hash identifier of one or more IOCs. Comma separated values are supported.

Example:
07fa1e91f99050521a87edc784e83fd5,07123459050525189160784e83fd5.
Optional
modified_date_afterEmails modified after this date and time. The date and time must be in UTC.
Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

For example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Optional
sourcesOne or more configured IOC sources. Comma separated values are supported.

Example: Intelligence, Triage-1.
Optional

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.createdByStringClient that created the quarantine job.
Cofense.QuarantineJob.createdDateDateDate and time the quarantine job was created. The timestamp is in UTC.
Cofense.QuarantineJob.modifiedByStringClient that last updated the quarantine job.
Cofense.QuarantineJob.modifiedDateDateDate and time the quarantine job was last modified. The timestamp is in UTC.
Cofense.QuarantineJob.stopRequestedBooleanWhether a request was issued (true) or was not issued (false) to stop the quarantine job.
Cofense.QuarantineJob.emailCountNumberNumber of emails quarantined.
Cofense.QuarantineJob.quarantineEmails.createdDateDateDate the quarantine job was created.
Cofense.QuarantineJob.quarantineEmails.errorMessageStringError message.
Cofense.QuarantineJob.quarantineEmails.ewsMessageIdStringID of the email in EWS.
Cofense.QuarantineJob.quarantineEmails.idNumberID in cofense vision.
Cofense.QuarantineJob.quarantineEmails.internetMessageIDStringID of the email assigned by the message transfer agent.
Cofense.QuarantineJob.quarantineEmails.originalFolderIdStringID of the EWS folder where the email was located before it was quarantined.
Cofense.QuarantineJob.quarantineEmails.quarantinedDateDateThe date when an email was quarantined.
Cofense.QuarantineJob.quarantineEmails.recipientAddressStringEmail address of the account containing the emails to be quarantined.
Cofense.QuarantineJob.quarantineEmails.statusStringStatus of the email.
Cofense.QuarantineJob.quarantineJobRuns.completedDateDateDate the quarantine job completed.
Cofense.QuarantineJob.quarantineJobRuns.errorNumberTotal number of errors in the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.idNumberID of the quarantine job in Cofense Vision.
Cofense.QuarantineJob.quarantineJobRuns.jobRunTypeStringType of Job depending on the operation being performed against the emails.
Cofense.QuarantineJob.quarantineJobRuns.startedDateDateDate the quarantine job started.
Cofense.QuarantineJob.quarantineJobRuns.statusStringStatus of the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.totalNumberTotal number of emails in the quarantine job.
Cofense.QuarantineJob.autoQuarantineBooleanWhether the quarantine job was part of an auto quarantine action (true) or was not part of an auto quarantine action (false).
Cofense.QuarantineJob.matchingIOCsUnknownMD5 hash of one or more matching IOCs.
Cofense.QuarantineJob.matchingSourcesUnknownOne or more IOC sources.
Cofense.QuarantineJob.matchingIocInfo.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.QuarantineJob.matchingIocInfo.typeStringType of the cofense resource which is always "ioc".
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_typeStringThreat type of the IOC match.
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.QuarantineJob.matchingIocInfo.metadata.sourceUnknownData that the IOC source reads and writes.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expires_atDateDate and time in UTC, after which this IOC expires.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.first_quarantined_atDateDate and time Cofense Vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.last_quarantined_atDateDate and time Cofense Vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.QuarantineJob.searchIdNumberID that Cofense Vision assigned to the search, if any.

Command example#

!cofense-quarantine-jobs-list size=2

Context Example#

{
"Cofense": {
"QuarantineJob": [
{
"autoQuarantine": false,
"createdBy": "testuser",
"createdDate": "2022-07-07T07:36:09.097744",
"emailCount": 1,
"id": 8,
"modifiedBy": "system",
"modifiedDate": "2022-07-20T05:37:41.585128",
"quarantineEmails": [
{
"createdDate": "2022-07-07T07:29:23.535483",
"errorMessage": "No primary addresses were found for 3/xxxxx@muczynskicofense.onmicrosoft.com",
"id": 3,
"internetMessageId": "<1341250439.1013918.1657064008682@af226d4cfbab>",
"recipientAddress": "abc@example.com",
"status": "NOT_FOUND"
}
],
"quarantineJobRuns": [
{
"completedDate": "2022-07-07T07:36:20.616526",
"error": 1,
"id": 14,
"jobRunType": "QUARANTINE",
"startedDate": "2022-07-07T07:36:20.035786",
"status": "COMPLETED",
"total": 1
},
{
"completedDate": "2022-07-20T05:37:42.31125",
"error": 0,
"id": 440,
"jobRunType": "RESTORE",
"startedDate": "2022-07-20T05:37:41.585443",
"status": "COMPLETED",
"total": 1
}
],
"stopRequested": true
},
{
"autoQuarantine": false,
"createdBy": "testuser",
"createdDate": "2022-07-07T09:19:07.29997",
"emailCount": 1,
"id": 12,
"modifiedBy": "system",
"modifiedDate": "2022-08-09T11:23:22.074202",
"quarantineEmails": [
{
"createdDate": "2022-07-07T06:46:34.76681",
"errorMessage": "No primary addresses were found for 1/xxxxx@muczynskicofense.onmicrosoft.com",
"ewsMessageId": "AAMkADgyNjJmMzg0LTI1NjgtNDkzMi04OWM4LTQ0YmMxZGMyNjViOABGAAAAAAA2/UgfwINITKjcFdr2xiIPBwDd+41JQMRFTYDq3CRJ00qJAABhEUxVAADd+41JQMRFTYDq3CRJ00qJAABoQNd2AAA=",
"id": 1,
"internetMessageId": "<999389937.952188.1657035399834@af226d4cfbab>",
"originalFolderId": "AQMkADgyNjJmMzg0LTI1NjgtNDkzMi04OWM4LTQ0AGJjMWRjMjY1YjgALgAAAzb9SB/Ag0hMqNwV2vbGIg8BAN37jUlAxEVNgOrcJEnTSokAAAIBJAAAAA==",
"quarantinedDate": "2022-07-15T09:24:59.469491",
"recipientAddress": "pqr@example.com",
"status": "NOT_FOUND"
}
],
"quarantineJobRuns": [
{
"completedDate": "2022-07-07T09:19:22.014868",
"error": 1,
"id": 45,
"jobRunType": "QUARANTINE",
"startedDate": "2022-07-07T09:19:21.583128",
"status": "COMPLETED",
"total": 1
},
{
"completedDate": "2022-08-09T11:23:22.578602",
"error": 0,
"id": 839,
"jobRunType": "RESTORE",
"startedDate": "2022-08-09T11:23:22.076621",
"status": "COMPLETED",
"total": 1
}
],
"stopRequested": false
}
]
}
}

Human Readable Output#

Quarantine Job:#

IDCreated ByCreated DateLast Modified ByLast Modified DateLast ActionStatusCompleted DateMessages
8testuser07/07/2022, 07:36 AMsystem20/07/2022, 05:37 AMRESTORECOMPLETED20/07/2022, 05:37 AM1
12testuser07/07/2022, 09:19 AMsystem09/08/2022, 11:23 AMRESTORECOMPLETED09/08/2022, 11:23 AM1

cofense-quarantine-job-create#


Creates a new quarantine job.

Base Command#

cofense-quarantine-job-create

Input#

Argument NameDescriptionRequired
quarantine_emailsA comma-separated string of quarantine emails, specifying the internet
message ID and the recipient address of the email.

Supported format:
internetMessageID1:recipientAddress1, internetMessageID2:recipientAddress2

Where,
internetMessageID: IDs of any emails in the particular account to be
quarantined, with each internet message ID enclosed in angle brackets.

recipientAddress: Email address of the account containing the emails to be quarantined.

Example: <513C8CD8-E593-4DC4-82BF6202E8AC95CB>:mail054@example.com,
<41348CD8-E593-4DC4-82BF6202E8AC95CB>:ma32il054@example.com

Note: Users can get the internet message ID and recipient address by
executing the "cofense-message-search-results-get" command.
Required

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.createdByStringClient that created the quarantine job.
Cofense.QuarantineJob.createdDateDateDate and time the quarantine job was created. The timestamp is in UTC.
Cofense.QuarantineJob.modifiedByStringClient that last updated the quarantine job.
Cofense.QuarantineJob.modifiedDateDateDate and time the quarantine job was last modified. The timestamp is in UTC.
Cofense.QuarantineJob.stopRequestedBooleanWhether a request was issued (true) or was not issued (false) to stop the quarantine job.
Cofense.QuarantineJob.emailCountNumberNumber of emails quarantined.
Cofense.QuarantineJob.quarantineEmails.createdDateDateDate the quarantine job was created.
Cofense.QuarantineJob.quarantineEmails.errorMessageStringError message.
Cofense.QuarantineJob.quarantineEmails.ewsMessageIdStringID of the email in EWS.
Cofense.QuarantineJob.quarantineEmails.idNumberID in cofense vision.
Cofense.QuarantineJob.quarantineEmails.internetMessageIDStringID of the email assigned by the message transfer agent.
Cofense.QuarantineJob.quarantineEmails.originalFolderIdStringID of the EWS folder where the email was located before it was quarantined.
Cofense.QuarantineJob.quarantineEmails.quarantinedDateDateDate the email was quarantined.
Cofense.QuarantineJob.quarantineEmails.recipientAddressStringEmail address of the account containing the emails to be quarantined.
Cofense.QuarantineJob.quarantineEmails.statusStringStatus of the email.
Cofense.QuarantineJob.quarantineJobRuns.completedDateDateDate the quarantine job completed.
Cofense.QuarantineJob.quarantineJobRuns.errorNumberTotal number of errors in the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.idNumberID of the quarantine job in Cofense Vision.
Cofense.QuarantineJob.quarantineJobRuns.jobRunTypeStringType of Job depending on the operation being performed against the emails.
Cofense.QuarantineJob.quarantineJobRuns.startedDateDateDate the quarantine job started.
Cofense.QuarantineJob.quarantineJobRuns.statusStringStatus of the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.totalNumberTotal number of emails in the quarantine job.
Cofense.QuarantineJob.autoQuarantineBooleanWhether the quarantine job was part of an auto quarantine action (true) or was not part of an auto quarantine action (false).
Cofense.QuarantineJob.matchingIOCsUnknownMD5 hash of one or more matching IOCs.
Cofense.QuarantineJob.matchingSourcesUnknownOne or more IOC sources.
Cofense.QuarantineJob.matchingIocInfo.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.QuarantineJob.matchingIocInfo.typeStringType of the cofense resource which is always "ioc".
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_typeStringThreat type of the IOC match.
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.QuarantineJob.matchingIocInfo.metadata.sourceUnknownData that the IOC source reads and writes.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.first_quarantined_atDateDate and time Cofense Vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.last_quarantined_atDateDate and time Cofense Vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.QuarantineJob.searchIdNumberID that Cofense Vision assigned to the search, if any.

Command example#

!cofense-quarantine-job-create quarantine_emails="<test-id>:test@example.com"

Context Example#

{
"Cofense": {
"QuarantineJob": {
"autoQuarantine": false,
"createdBy": "testuser",
"createdDate": "2022-08-10T04:23:57.442172557",
"emailCount": 1,
"id": 431,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-10T04:23:57.442172557",
"quarantineEmails": [
{
"createdDate": "2022-08-08T09:15:46.921796",
"errorMessage": "No primary addresses were found for 5578/xxxxx@example.com",
"id": 5578,
"internetMessageId": "<test-id>",
"recipientAddress": "test@example.com",
"status": "UNKNOWN_MAILBOX"
}
],
"quarantineJobRuns": [
{
"error": 0,
"id": 860,
"jobRunType": "QUARANTINE",
"status": "NEW",
"total": 1
}
],
"stopRequested": false
}
}
}

Human Readable Output#

Quarantine job create:#

Quarantine job has been created successfully.#

IDCreated ByCreated DateLast Modified ByLast Modified DateMessages
431testuser10/08/2022, 04:23 AMtestuser10/08/2022, 04:23 AM1

cofense-quarantine-job-delete#


Deletes the quarantine job identified by its unique ID.

Base Command#

cofense-quarantine-job-delete

Input#

Argument NameDescriptionRequired
idID of the quarantine job in cofense vision to be deleted.

Note: Users can get the list of IDs by executing the "cofense-quarantine-jobs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.isDeletedBooleanWhether the quarantine job is successfully deleted(true) or not(false).

Command example#

!cofense-quarantine-job-delete id=266

Context Example#

{
"Cofense": {
"QuarantineJob": {
"id": "266",
"isDeleted": true
}
}
}

Human Readable Output#

Quarantine Job with ID 266 is successfully deleted.#

cofense-quarantine-job-get#


Retrieves quarantine job identified by its unique ID.

Base Command#

cofense-quarantine-job-get

Input#

Argument NameDescriptionRequired
idID of the quarantine job in cofense vision to be retrieved.

Note: Users can get the list of IDs by executing the "cofense-quarantine-jobs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.createdByStringClient that created the quarantine job.
Cofense.QuarantineJob.createdDateDateDate and time the quarantine job was created. The timestamp is in UTC.
Cofense.QuarantineJob.modifiedByStringClient that last updated the quarantine job.
Cofense.QuarantineJob.modifiedDateDateDate and time the quarantine job was last modified. The timestamp is in UTC.
Cofense.QuarantineJob.stopRequestedBooleanWhether a request was issued (true) or was not issued (false) to stop the quarantine job.
Cofense.QuarantineJob.emailCountNumberNumber of emails quarantined.
Cofense.QuarantineJob.quarantineEmails.createdDateDateDate the quarantine job was created.
Cofense.QuarantineJob.quarantineEmails.errorMessageStringError message.
Cofense.QuarantineJob.quarantineEmails.ewsMessageIdStringID of the email in EWS.
Cofense.QuarantineJob.quarantineEmails.idNumberID in cofense vision.
Cofense.QuarantineJob.quarantineEmails.internetMessageIDStringID of the email assigned by the message transfer agent.
Cofense.QuarantineJob.quarantineEmails.originalFolderIdStringID of the EWS folder where the email was located before it was quarantined.
Cofense.QuarantineJob.quarantineEmails.quarantinedDateDateDate the email was quarantined.
Cofense.QuarantineJob.quarantineEmails.recipientAddressStringEmail address of the account containing the emails to be quarantined.
Cofense.QuarantineJob.quarantineEmails.statusStringStatus of the email.
Cofense.QuarantineJob.quarantineJobRuns.completedDateDateDate the quarantine job completed.
Cofense.QuarantineJob.quarantineJobRuns.errorNumberTotal number of errors in the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.idNumberID of the quarantine job in Cofense Vision.
Cofense.QuarantineJob.quarantineJobRuns.jobRunTypeStringType of Job depending on the operation being performed against the emails.
Cofense.QuarantineJob.quarantineJobRuns.startedDateDateDate the quarantine job started.
Cofense.QuarantineJob.quarantineJobRuns.statusStringStatus of the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.totalNumberTotal number of emails in the quarantine job.
Cofense.QuarantineJob.autoQuarantineBooleanWhether the quarantine job was part of an auto quarantine action (true) or was not part of an auto quarantine action (false).
Cofense.QuarantineJob.matchingIOCsUnknownMD5 hash of one or more matching IOCs.
Cofense.QuarantineJob.matchingSourcesUnknownOne or more IOC sources.
Cofense.QuarantineJob.matchingIocInfo.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.QuarantineJob.matchingIocInfo.typeStringType of the cofense resource which is always "ioc".
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_typeStringThreat type of the IOC match.
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.QuarantineJob.matchingIocInfo.metadata.sourceUnknownData that the IOC source reads and writes.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expires_atDateDate and time in UTC, after which this IOC expires.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.first_quarantined_atDateDate and time Cofense Vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.last_quarantined_atDateDate and time Cofense Vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.QuarantineJob.searchIdNumberID that Cofense Vision assigned to the search, if any.

Command example#

!cofense-quarantine-job-get id=100

Context Example#

{
"Cofense": {
"QuarantineJob": {
"autoQuarantine": false,
"createdBy": "testuser",
"createdDate": "2022-07-08T15:49:19.302416",
"emailCount": 10,
"id": 100,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-09T11:36:35.996422",
"quarantineEmails": [
{
"createdDate": "2022-07-08T15:49:16.87704",
"ewsMessageId": "AAMkAGJhMGUzOTc2LTYxNjEtNDRlYi1hNWRmLWQyMGE5ZWZkY2JlOQBGAAAAAACYdf11Yr3QRIC86wUeQZguBwAMKVxfPrXHRbB4YDM6zXqKAABm5hr/AAAMKVxfPrXHRbB4YDM6zXqKAABm5h7VAAA=",
"id": 67,
"internetMessageId": "<1178768708.1512835.1657295339501@af226d4cfbab>",
"originalFolderId": "AQMkAGJhMGUzOTc2LTYxNjEtNDQAZWItYTVkZi1kMjBhOWVmZGNiZTkALgAAA5h1/XVivdBEgLzrBR5BmC4BAAwpXF8+tcdFsHhgMzrNeooAAAIBDAAAAA==",
"quarantinedDate": "2022-07-08T15:49:38.563419",
"recipientAddress": "abc@example.com",
"status": "NOT_FOUND"
},
{
"createdDate": "2022-07-08T15:49:16.89515",
"ewsMessageId": "AAMkADBkODY5OTkzLTFhMDMtNDUxZC05MTY4LTU1MWMzYmU2ZGM0YgBGAAAAAADHqxFyD0K3TI6sCxIePsQSBwALsQhDVRPPQpNK3uNfrckFAABmyPjPAAALsQhDVRPPQpNK3uNfrckFAABmyPylAAA=",
"id": 76,
"internetMessageId": "<1178768708.1512835.1657295339501@af226d4cfbab>",
"originalFolderId": "AQMkADBkODY5OQEzLTFhMDMtNDUxZC05MTY4LTU1ADFjM2JlNmRjNGIALgAAA8erEXIPQrdMjqwLEh4+xBIBAAuxCENVE89Ck0re41+tyQUAAAIBDAAAAA==",
"quarantinedDate": "2022-07-08T15:49:34.372725",
"recipientAddress": "pqr@example.com",
"status": "NOT_FOUND"
}
],
"quarantineJobRuns": [
{
"completedDate": "2022-07-08T15:49:41.865254",
"error": 0,
"id": 232,
"jobRunType": "QUARANTINE",
"startedDate": "2022-07-08T15:49:25.956206",
"status": "COMPLETED",
"total": 10
},
{
"completedDate": "2022-08-09T11:36:29.566425",
"error": 0,
"id": 841,
"jobRunType": "RESTORE",
"startedDate": "2022-08-09T11:36:22.344285",
"status": "COMPLETED",
"total": 10
}
],
"searchId": 402,
"stopRequested": true
}
}
}

Human Readable Output#

Quarantine Job:#

IDSearch IDCreated ByCreated DateLast Modified ByLast Modified DateLast ActionStatusCompleted DateMessages
100402testuser08/07/2022, 03:49 PMtestuser09/08/2022, 11:36 AMRESTORECOMPLETED09/08/2022, 11:36 AM10

cofense-quarantine-job-restore#


Restores emails quarantined by the job identified by its unique ID.

Base Command#

cofense-quarantine-job-restore

Input#

Argument NameDescriptionRequired
idID of the quarantine job in cofense vision to be restored.

Note: Users can get the list of ID by executing the "cofense-quarantine-jobs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.isRestoredBooleanWhether the quarantine job is successfully restored(true) or not(false).

Command example#

!cofense-quarantine-job-restore id=100

Context Example#

{
"Cofense": {
"QuarantineJob": {
"id": "100",
"isRestored": true
}
}
}

Human Readable Output#

Emails quarantined by the quarantine job ID 100 have been successfully restored.#

cofense-quarantine-job-approve#


Approves the quarantine job identified by its unique ID. When the "Auto Quarantine" feature is configured which requires manual approvals, this command can approve all the pending quarantine jobs.

Base Command#

cofense-quarantine-job-approve

Input#

Argument NameDescriptionRequired
idID of the quarantine job in cofense vision to be approved.

Note: Users can get the list of IDs by executing the "cofense-quarantine-jobs-list" command.
Required
message_countNumber of emails containing IOC matches to be quarantined. When message_count is present, cofense vision quarantines a subset of the total number of emails containing IOC matches. The value must be a non-zero and positive integer. If message_count is not present, all messages will be approved.Optional

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.isApprovedBooleanWhether the quarantine job is successfully approved(true) or not(false).

Command example#

!cofense-quarantine-job-approve id=430 message_count=1

Context Example#

{
"Cofense": {
"QuarantineJob": {
"id": "430",
"isApproved": true
}
}
}

Human Readable Output#

Quarantine Job with ID 430 has been approved successfully.#

cofense-quarantine-job-stop#


Issues a request to stop the quarantine job identified by its unique ID.

Base Command#

cofense-quarantine-job-stop

Input#

Argument NameDescriptionRequired
idID of the quarantine job in cofense vision to be stopped.

Note: Users can get the list of IDs by executing the "cofense-quarantine-jobs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.QuarantineJob.idNumberID of the quarantine job in cofense vision.
Cofense.QuarantineJob.createdByStringClient that created the quarantine job.
Cofense.QuarantineJob.createdDateDateDate and time the quarantine job was created. The timestamp is in UTC.
Cofense.QuarantineJob.modifiedByStringClient that last updated the quarantine job.
Cofense.QuarantineJob.modifiedDateDateDate and time the quarantine job was last modified. The timestamp is in UTC.
Cofense.QuarantineJob.stopRequestedBooleanWhether a request was issued (true) or was not issued (false) to stop the quarantine job.
Cofense.QuarantineJob.emailCountNumberNumber of emails quarantined.
Cofense.QuarantineJob.quarantineEmails.createdDateDateDate the quarantine job was created.
Cofense.QuarantineJob.quarantineEmails.errorMessageStringError message.
Cofense.QuarantineJob.quarantineEmails.ewsMessageIdStringID of the email in EWS.
Cofense.QuarantineJob.quarantineEmails.idNumberID in cofense vision.
Cofense.QuarantineJob.quarantineEmails.internetMessageIDStringID of the email assigned by the message transfer agent.
Cofense.QuarantineJob.quarantineEmails.originalFolderIdStringID of the EWS folder where the email was located before it was quarantined.
Cofense.QuarantineJob.quarantineEmails.quarantinedDateDateDate the email was quarantined.
Cofense.QuarantineJob.quarantineEmails.recipientAddressStringEmail address of the account containing the emails to be quarantined.
Cofense.QuarantineJob.quarantineEmails.statusStringStatus of the email.
Cofense.QuarantineJob.quarantineJobRuns.completedDateDateDate the quarantine job completed.
Cofense.QuarantineJob.quarantineJobRuns.errorNumberTotal number of errors in the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.idNumberID of the quarantine job in Cofense Vision.
Cofense.QuarantineJob.quarantineJobRuns.jobRunTypeStringType of Job depending on the operation being performed against the emails.
Cofense.QuarantineJob.quarantineJobRuns.startedDateDateDate the quarantine job started.
Cofense.QuarantineJob.quarantineJobRuns.statusStringStatus of the quarantine job.
Cofense.QuarantineJob.quarantineJobRuns.totalNumberTotal number of emails in the quarantine job.
Cofense.QuarantineJob.autoQuarantineBooleanWhether the quarantine job was part of an auto quarantine action (true) or was not part of an auto quarantine action (false).
Cofense.QuarantineJob.matchingIOCsUnknownMD5 hash of one or more matching IOCs.
Cofense.QuarantineJob.matchingSourcesUnknownOne or more IOC sources.
Cofense.QuarantineJob.matchingIocInfo.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.QuarantineJob.matchingIocInfo.typeStringType of the cofense resource which is always "ioc".
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_typeStringThreat type of the IOC match.
Cofense.QuarantineJob.matchingIocInfo.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.QuarantineJob.matchingIocInfo.metadata.sourceUnknownData that the IOC source reads and writes.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expires_atDateDate and time in UTC, after which this IOC expires.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.first_quarantined_atDateDate and time Cofense Vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.last_quarantined_atDateDate and time Cofense Vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.QuarantineJob.matchingIocInfo.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.QuarantineJob.searchIdNumberID that Cofense Vision assigned to the search, if any.

Command example#

!cofense-quarantine-job-stop id=100

Context Example#

{
"Cofense": {
"QuarantineJob": {
"autoQuarantine": false,
"createdBy": "testuser",
"createdDate": "2022-07-08T15:49:19.302416",
"emailCount": 10,
"id": 100,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-10T04:24:37.004847",
"quarantineEmails": [
{
"createdDate": "2022-07-08T15:49:16.87704",
"ewsMessageId": "AAMkAGJhMGUzOTc2LTYxNjEtNDRlYi1hNWRmLWQyMGE5ZWZkY2JlOQBGAAAAAACYdf11Yr3QRIC86wUeQZguBwAMKVxfPrXHRbB4YDM6zXqKAABm5hr/AAAMKVxfPrXHRbB4YDM6zXqKAABm5h7VAAA=",
"id": 67,
"internetMessageId": "<1178768708.1512835.1657295339501@af226d4cfbab>",
"originalFolderId": "AQMkAGJhMGUzOTc2LTYxNjEtNDQAZWItYTVkZi1kMjBhOWVmZGNiZTkALgAAA5h1/XVivdBEgLzrBR5BmC4BAAwpXF8+tcdFsHhgMzrNeooAAAIBDAAAAA==",
"quarantinedDate": "2022-07-08T15:49:38.563419",
"recipientAddress": "abc@example.com",
"status": "NOT_FOUND"
},
{
"createdDate": "2022-07-08T15:49:16.89515",
"ewsMessageId": "AAMkADBkODY5OTkzLTFhMDMtNDUxZC05MTY4LTU1MWMzYmU2ZGM0YgBGAAAAAADHqxFyD0K3TI6sCxIePsQSBwALsQhDVRPPQpNK3uNfrckFAABmyPjPAAALsQhDVRPPQpNK3uNfrckFAABmyPylAAA=",
"id": 76,
"internetMessageId": "<1178768708.1512835.1657295339501@af226d4cfbab>",
"originalFolderId": "AQMkADBkODY5OQEzLTFhMDMtNDUxZC05MTY4LTU1ADFjM2JlNmRjNGIALgAAA8erEXIPQrdMjqwLEh4+xBIBAAuxCENVE89Ck0re41+tyQUAAAIBDAAAAA==",
"quarantinedDate": "2022-07-08T15:49:34.372725",
"recipientAddress": "pqr@example.com",
"status": "NOT_FOUND"
}
],
"quarantineJobRuns": [
{
"completedDate": "2022-07-08T15:49:41.865254",
"error": 0,
"id": 232,
"jobRunType": "QUARANTINE",
"startedDate": "2022-07-08T15:49:25.956206",
"status": "COMPLETED",
"total": 10
},
{
"completedDate": "2022-07-08T15:49:58.163195",
"error": 0,
"id": 233,
"jobRunType": "RESTORE",
"startedDate": "2022-07-08T15:49:56.006024",
"status": "COMPLETED",
"total": 10
},
{
"error": 0,
"id": 861,
"jobRunType": "RESTORE",
"startedDate": "2022-08-10T04:24:24.432429",
"status": "RUNNING",
"total": 10
}
],
"searchId": 402,
"stopRequested": true
}
}
}

Human Readable Output#

Quarantine job with ID 100 has been successfully stopped.#

IDCreated ByCreated DateLast Modified ByLast Modified DateLast ActionStatusMessagesStopped Quarantine
100testuser08/07/2022, 03:49 PMtestuser10/08/2022, 04:24 AMRESTORERUNNING10true

cofense-message-searches-list#


Retrieves the list of searches.

Base Command#

cofense-message-searches-list

Input#

Argument NameDescriptionRequired
pageThe start page of the results. The value must be a positive integer or 0. Default is 0.Optional
sizeThe number of results to retrieve per page. The value must be a positive integer up to 2000. Default is 50.Optional
sortThe name-value pair defining the order of the response. Comma separated values are supported.

Supported format: propertyName1:sortOrder1,propertyName2:sortOrder2

Supported values for propertyName are: id, createdBy, createdDate, modifiedBy,
modifiedDate, receivedAfterDate, receivedBeforeDate.

Supported values for sortOrder are: asc, desc. Default is id:asc.
Optional

Context Output#

PathTypeDescription
Cofense.Search.idStringID that Cofense Vision assigned to the search.
Cofense.Search.createdByStringUsername of the client that created the search.
Cofense.Search.createdDateDateDate and time the search was created. The timestamp is in UTC.
Cofense.Search.modifiedByStringUsername of the last client that updated the search.
Cofense.Search.modifiedDateDateDate and time the search was last modified. The timestamp is in UTC.
Cofense.Search.subjectsUnknownList of email subjects.
Cofense.Search.sendersUnknownList of sender's email addresses.
Cofense.Search.recipientStringEmail address of the recipient.
Cofense.Search.attachmentNamesUnknownList of attachment file names.
Cofense.Search.attachmentHashCriteria.typeStringThe type of matching for attachment hash.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashTypeStringThe type of hash. Either MD5 or SHA256.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashStringStringThe hash of the attachment file.
Cofense.Search.domainCriteria.typeStringThe type of matching for domains.
Cofense.Search.domainCriteria.domainsUnknownList of domains.
Cofense.Search.domainCriteria.domains.whiteListUrlsUnknownList of URLs to white list.
Cofense.Search.attachmentMimeTypesUnknownList of MIME types.
Cofense.Search.attachmentExcludeMimeTypesUnknownList of MIME types to exclude.
Cofense.Search.receivedAfterDateDateFilters for emails received on or after this date and time.
Cofense.Search.receivedBeforeDateDateFilters for emails received before or on this date and time.
Cofense.Search.urlStringThe URL to search for.
Cofense.Search.internetMessageIdStringUnique identifier of the email.
Cofense.Search.headers.keyStringThe name of the key in the header.
Cofense.Search.headers.valuesStringThe value of the key in the header.
Cofense.Search.partialIngestBooleanIndicates whether to search partially ingested emails or not.

Command example#

!cofense-message-searches-list size=2

Context Example#

{
"Cofense": {
"Search": [
{
"attachmentHashCriteria": {
"type": "ANY"
},
"createdBy": "testuser",
"createdDate": "2022-07-11T07:41:25.184255",
"domainCriteria": {
"type": "ANY"
},
"id": 430,
"modifiedBy": "testuser",
"modifiedDate": "2022-07-11T07:41:25.184255",
"recipient": "abc@example.com"
},
{
"attachmentHashCriteria": {
"type": "ANY"
},
"createdBy": "testuser",
"createdDate": "2022-07-11T07:42:58.176356",
"domainCriteria": {
"type": "ANY"
},
"id": 431,
"modifiedBy": "testuser",
"modifiedDate": "2022-07-11T07:42:58.176356",
"recipient": "pqr@example.com",
"subjects": [
"chalk1 time 1657035399833"
]
}
]
}
}

Human Readable Output#

Message Searches:#

IDCreated ByCreated DateModified ByModified DateRecipientSubjects
430testuser11/07/2022, 07:41 AMtestuser11/07/2022, 07:41 AMabc@example.com
431testuser11/07/2022, 07:42 AMtestuser11/07/2022, 07:42 AMpqr@example.comchalk1 time 1657035399833

cofense-message-search-get#


Retrieves the result of the search identified by an ID.

Base Command#

cofense-message-search-get

Input#

Argument NameDescriptionRequired
idThe unique ID that cofense vision has assigned to a search.

Note: The ID can be retrieved by using the command "cofense-message-searches-list".
Required

Context Output#

PathTypeDescription
Cofense.Search.idStringID that Cofense Vision assigned to the search.
Cofense.Search.createdByStringUsername of the client that created the search.
Cofense.Search.createdDateDateDate and time the search was created. The timestamp is in UTC.
Cofense.Search.modifiedByStringUsername of the last client that updated the search.
Cofense.Search.modifiedDateDateDate and time the search was last modified. The timestamp is in UTC.
Cofense.Search.subjectsUnknownList of email subjects.
Cofense.Search.sendersUnknownList of sender's email addresses.
Cofense.Search.recipientStringEmail address of the recipient.
Cofense.Search.attachmentNamesUnknownList of attachment file names.
Cofense.Search.attachmentHashCriteria.typeStringThe type of matching for attachment hash.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashTypeStringThe type of hash. Either MD5 or SHA256.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashStringStringThe hash of the attachment file.
Cofense.Search.domainCriteria.typeStringThe type of matching for domains.
Cofense.Search.domainCriteria.domainsUnknownList of domains.
Cofense.Search.domainCriteria.domains.whiteListUrlsUnknownList of URLs to white list.
Cofense.Search.attachmentMimeTypesUnknownList of MIME types.
Cofense.Search.attachmentExcludeMimeTypesUnknownList of MIME types to exclude.
Cofense.Search.receivedAfterDateDateFilters the emails received on or after this date and time.
Cofense.Search.receivedBeforeDateDateFilters the emails received before or on this date and time.
Cofense.Search.urlStringThe URL to be searched for.
Cofense.Search.internetMessageIdStringUnique identifier of the email.
Cofense.Search.headers.keyStringThe name of the key in the header.
Cofense.Search.headers.valuesStringThe value of the key in the header.
Cofense.Search.partialIngestBooleanIndicates whether to search partially ingested emails or not.

Command example#

!cofense-message-search-get id=700

Context Example#

{
"Cofense": {
"Search": {
"attachmentHashCriteria": {
"type": "ANY"
},
"createdBy": "testuser",
"createdDate": "2022-08-02T19:05:08.035549",
"domainCriteria": {
"type": "ANY"
},
"id": 700,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-02T19:05:08.035549"
}
}
}

Human Readable Output#

Message Search:#

IDCreated ByCreated DateModified ByModified Date
700testuser02/08/2022, 07:05 PMtestuser02/08/2022, 07:05 PM

cofense-message-search-create#


Creates a new search.

Base Command#

cofense-message-search-create

Input#

Argument NameDescriptionRequired
subjectsA comma-separated string of subjects to create a search for an email's
subject. It supports the use of one or more wildcard characters (*)
in any position of a subject.

Note: The search can only have a maximum of 3 values.
Optional
sendersA comma-separated string of senders to create a search for an email's
sender. It supports the use of one or more wildcard characters (*)
in any position of a sender's email address.

Note: The search can only have a maximum of 3 values.
Optional
attachment_namesA comma-separated string of attachment names to create a search for an
email's attachments. It supports the use of one or more wildcard
characters (*) in any position of an attachment name.

Note: The search can only have a maximum of 3 values.
Optional
attachment_hash_match_criteriaThe type of matching performed on the hashes specified in the attachment_hashes argument.

Possible values are:
ALL: Emails must include all listed attachment hashes.
ANY: Emails must contain at least one of the listed attachment hash. Possible values are: ANY, ALL. Default is ANY.
Optional
attachment_hashesA comma-separated string of attachment hashes to create a search for an email's attachment hashes.

Supported format: hashtype1:hashvalue1, hashtype2:hashvalue2

Possible values for hashtype are: MD5, SHA256

Example: md5:938c2cc0dcc05f2b68c4287040cfcf71

Note: The search can only have a maximum of 3 values.
Optional
attachment_mime_typesA comma-separated string of MIME types to create a search for an email's attachment MIME type.

Note: The search can only have a maximum of 3 values.
Optional
attachment_exclude_mime_typesA comma-separated string of MIME types to create a search for excluding an email's attachment MIME type.

Note: The search can only have a maximum of 3 values.
Optional
domain_match_criteriaThe type of matching to perform on the domains specified in the domains argument.

Possible values are:
ALL: Emails must include all listed domains.
ANY: Emails must contain at least one of the listed domains. Possible values are: ANY, ALL. Default is ANY.
Optional
domainsA comma-separated string of domains to create a search for domains in
an email's body or its attachment. You can change the type of matching
that happens on the specified domains using the domain_match_criteria argument.

Note: The search can only have a maximum of 3 values.
Optional
whitelist_urlsA comma-separated string of URLs to be whitelisted.

Note: The search can only have a maximum of 3 values.
Optional
headersA comma-separated string of key-value pairs, defining the additional
criteria to search for in the email header.

Supported format: key1:value1, key2:value1:value2:value3

Example: Content-Type:application/json

List of available headers to create a search can be retrieved by
using the command "cofense-searchable-headers-list".

Note: The search can only have a maximum of 3 values.
Optional
internet_message_idThe unique identifier of the email, enclosed in angle brackets. This argument is case-sensitive.

Example: <513C8CD8-E593-4DC4-82BF6202E8AC95CB@example.com>.
Optional
partial_ingestWhether to create a search with partially ingested emails (true) or not with partially ingested emails (false). Possible values are: True, False. Default is False.Optional
received_after_dateDate and time to create a search for emails to specify the received
on or after the specified UTC date and time.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Optional
received_before_dateDate and time to create a search for emails to specify the received
before or on the specified UTC date and time.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Optional
recipientCreate a search with the specified recipient. Supports one or more
wildcard characters (*) in any position of a recipient's email address.
Optional
urlCreate a search with the specified url. Supports one or more
wildcard characters (*) in any position of the URL.
Optional

Context Output#

PathTypeDescription
Cofense.Search.idStringID that cofense vision assigned to the search.
Cofense.Search.createdByStringUsername of the client that created the search.
Cofense.Search.createdDateDateDate and time the search was created. The timestamp is in UTC.
Cofense.Search.modifiedByStringUsername of the last client that updated the search.
Cofense.Search.modifiedDateDateDate and time the search was last modified. The timestamp is in UTC.
Cofense.Search.subjectsUnknownList of email subjects.
Cofense.Search.sendersUnknownList of sender's email addresses.
Cofense.Search.recipientStringEmail address of the recipient.
Cofense.Search.attachmentNamesUnknownList of attachment file names.
Cofense.Search.attachmentHashCriteria.typeStringThe type of matching for attachment hash.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashTypeStringThe type of hash. Either MD5 or SHA256.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashStringStringThe hash of the attachment file.
Cofense.Search.domainCriteria.typeStringThe type of matching for domains.
Cofense.Search.domainCriteria.domainsUnknownList of domains.
Cofense.Search.domainCriteria.domains.whiteListUrlsUnknownList of URLs to white list.
Cofense.Search.attachmentMimeTypesUnknownList of MIME types.
Cofense.Search.attachmentExcludeMimeTypesUnknownList of MIME types to exclude.
Cofense.Search.receivedAfterDateDateFilters for emails received on or after this date and time.
Cofense.Search.receivedBeforeDateDateFilters for emails received before or on this date and time.
Cofense.Search.urlStringThe URL to search for.
Cofense.Search.internetMessageIdStringUnique identifier of the email.
Cofense.Search.headers.keyStringThe name of the key in the header.
Cofense.Search.headers.valuesStringThe value of the key in the header.
Cofense.Search.partialIngestBooleanIndicates whether to search partially ingested emails or not.

Command example#

!cofense-message-search-create subjects="test" senders="abc@example.com, pqr@example.com"

Context Example#

{
"Cofense": {
"Search": {
"attachmentHashCriteria": {
"type": "ANY"
},
"createdBy": "testuser",
"createdDate": "2022-08-10T04:25:00.626652162",
"domainCriteria": {
"type": "ANY"
},
"id": 1091,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-10T04:25:00.626652162",
"partialIngest": false,
"senders": [
"abc@example.com",
"pqr@example.com"
],
"subjects": [
"test"
]
}
}
}

Human Readable Output#

Message search with ID 1091 has been created successfully.#

IDCreated ByCreated DateModified ByModified DateSendersSubjectsPartial Ingest
1091testuser10/08/2022, 04:25 AMtestuser10/08/2022, 04:25 AMabc@example.com,
pqr@example.com
testfalse

cofense-message-search-results-get#


Retrieves the results for the search identified by the search ID.

Base Command#

cofense-message-search-results-get

Input#

Argument NameDescriptionRequired
idThe unique ID that cofense vision has assigned to a search.

Note: The ID can be retrieved by using the command "cofense-message-searches-list".
Required
pageThe start page of the results. The value must be a positive integer or 0. Default is 0.Optional
sizeThe number of results to retrieve per page. The value must be a positive integer up to 2000. Default is 50.Optional
sortThe name-value pair defining the order of the response. Comma-separated values are supported.

Supported format: propertyName1:sortOrder1,propertyName2:sortOrder2

Supported values for propertyName are: id, subject, createdOn, sentOn,
htmlBody, md5, sha1, sha256.

Supported values for sortOrder are: asc, desc. Default is id:asc.
Optional

Context Output#

PathTypeDescription
Cofense.Search.Message.idNumberThe ID of the message.
Cofense.Search.Message.storageUriStringStorage URI of the search.
Cofense.Search.Message.subjectStringThe subject of the message.
Cofense.Search.Message.receivedOnDateThe date and time when the message was received by the recipient.
Cofense.Search.Message.sentOnDateThe date and time when the message was sent by the sender.
Cofense.Search.Message.deliveredOnDateThe date and time when the message was delivered.
Cofense.Search.Message.processedOnDateThe date and time Cofense Vision ingested the email.
Cofense.Search.Message.textBodyStringBody of the email in text format.
Cofense.Search.Message.htmlBodyStringBody of the email in HTML format.
Cofense.Search.Message.md5StringThe MD5 hash of the message.
Cofense.Search.Message.sha1StringThe SHA1 hash of the message.
Cofense.Search.Message.sha256StringThe SHA256 hash of the message.
Cofense.Search.Message.internetMessageIdStringUnique identifier of the email.
Cofense.Search.Message.from.idNumberThe ID of the sender.
Cofense.Search.Message.from.personalStringThe name of the sender.
Cofense.Search.Message.from.addressStringThe email address of the sender.
Cofense.Search.Message.headers.idNumberThe ID of the header.
Cofense.Search.Message.headers.nameStringThe name of the header key.
Cofense.Search.Message.headers.valueStringThe value of the header key.
Cofense.Search.Message.headers.seqNumberSequence of header field.
Cofense.Search.Message.headers.partialIngestString"Null" if no partially ingested messages found; otherwise, one or more of the following to describe the source of the ingestion failure: PARSE, ATTACHMENT, URL, UNKNOWN.
Cofense.Search.Message.recipients.idNumberThe ID of the recipient.
Cofense.Search.Message.recipients.personalStringThe name of the recipient.
Cofense.Search.Message.recipients.addressStringThe email address of the recipient.
Cofense.Search.Message.recipients.recipientTypeStringThe type of the recipient. Whether the recipient is in 'to', 'cc' or in 'bcc'.
Cofense.Search.Message.attachments.sizeNumberThe size of the attachment file.
Cofense.Search.Message.attachments.filenameStringThe name of the attachment file.
Cofense.Search.Message.attachments.contentTypeStringThe content type present in the header.
Cofense.Search.Message.attachments.detectedContentTypeStringThe detected content type of the attachment.
Cofense.Search.Message.attachments.md5StringThe MD5 hash of the attachment.
Cofense.Search.Message.attachments.sha256StringThe SHA256 hash of the attachment.
Cofense.Search.Message.attachments.idNumberThe ID of the attachment.
Cofense.Search.idStringID that cofense vision assigned to the search.
Cofense.Search.createdByStringUsername of the client that created the search.
Cofense.Search.createdDateDateDate and time the search was created. The timestamp is in UTC.
Cofense.Search.modifiedByStringUsername of the last client that updated the search.
Cofense.Search.modifiedDateDateDate and time the search was last modified. The timestamp is in UTC.
Cofense.Search.subjectsUnknownList of email subjects.
Cofense.Search.sendersUnknownList of sender's email addresses.
Cofense.Search.recipientStringEmail address of the recipient.
Cofense.Search.attachmentNamesUnknownList of attachment file names.
Cofense.Search.attachmentHashCriteria.typeStringThe type of matching for attachment hash.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashTypeStringThe type of hash. Either MD5 or SHA256.
Cofense.Search.attachmentHashCriteria.attachmentHashes.hashStringStringThe hash of the attachment file.
Cofense.Search.domainCriteria.typeStringThe type of matching for domains.
Cofense.Search.domainCriteria.domainsUnknownList of domains.
Cofense.Search.domainCriteria.domains.whiteListUrlsUnknownList of URLs to white list.
Cofense.Search.attachmentMimeTypesUnknownList of MIME types.
Cofense.Search.attachmentExcludeMimeTypesUnknownList of MIME types to exclude.
Cofense.Search.receivedAfterDateDateFilters for emails received on or after this date and time.
Cofense.Search.receivedBeforeDateDateFilters for emails received before or on this date and time.
Cofense.Search.urlStringThe url to search for.
Cofense.Search.internetMessageIdStringUnique identifier of the email.
Cofense.Search.headers.keyStringThe name of the key in the header.
Cofense.Search.headers.valuesStringThe value of the key in the header.
Cofense.Search.partialIngestBooleanIndicates whether to search partially ingested emails or not.

Command example#

!cofense-message-search-results-get id=700 size=2

Context Example#

{
"Cofense": {
"Search": {
"Message": [
{
"attachments": [
{
"contentType": "text/plain",
"detectedContentType": "text/plain",
"filename": "fileNum-Thread[mailer-011,5,main]-text-file-163.txt",
"id": 1673289,
"md5": "3d0e1d68f12afee22ae3e79e01027c7a",
"sha256": "ca68f5eecd5822783911ed392fbff3c171d3a1854c0f992364d038ee447f8ac3",
"size": 59173
},
{
"contentType": "application/zip",
"detectedContentType": "application/zip",
"filename": "fileNum-Thread[mailer-011,5,main]-text-file-146.txt.zip",
"id": 1673290,
"md5": "5c602ca45faac3bb128a5ecbf977f9f1",
"sha256": "6018b7cc402e6368d4542c0f6c129a99e35c80ae9001ec338e7621df2f8ac51f",
"size": 14563
},
{
"detectedContentType": "text/plain",
"filename": "text-file-146.txt",
"id": 1673291,
"md5": "c5aa88f949574a0a5e75a795dc507da7",
"sha256": "d3a070977ae0ae561bae2215526c187d5c46c54dd8899eefb8fe21ed0e6c1303",
"size": 27842
}
],
"from": [
{
"address": "abc@example.com",
"id": 760623,
"personal": "mailbox-08517"
}
],
"headers": [
{
"name": "From",
"value": "abc@example.com"
},
{
"name": "To",
"value": "pqr@example.com"
},
{
"name": "CC",
"value": "abc@example.com"
},
{
"name": "Subject",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Topic",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Index",
"value": "AQHYocD7Ut113z4F00uSjzqlEM2clw=="
},
{
"name": "Date",
"value": "Wed, 27 Jul 2022 13:58:43 +0000"
},
{
"name": "Message-ID",
"value": "<1216208547.160.1658930322668@6d14a4fa9032>"
}
],
"id": 760623,
"internetMessageId": "<1216208547.160.1658930322668@6d14a4fa9032>",
"md5": "a486b023cd82f45f7b099a41dc3776a6",
"processedOn": "2022-07-27T13:58:46.271+00:00",
"receivedOn": "2022-07-27T13:58:44.000+00:00",
"recipients": [
{
"address": "abc@example.com",
"id": 7606409,
"personal": "mailbox-00110",
"recipientType": "to"
},
{
"address": "pqr@example.com",
"id": 7606418,
"personal": "mailbox-00119",
"recipientType": "cc"
}
],
"sentOn": "2022-07-27T13:58:43.000+00:00",
"sha1": "0b744bed73106d5d613d83c71b9d9884f48690f4",
"sha256": "2d7bad3fe37c9e4089e6231784f51354ef2fd9689fe7fae6d46cb70d279da8e0",
"subject": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"attachments": [
{
"detectedContentType": "text/plain",
"filename": "text-file-146.txt",
"id": 1673291,
"md5": "c5aa88f949574a0a5e75a795dc507da7",
"sha256": "d3a070977ae0ae561bae2215526c187d5c46c54dd8899eefb8fe21ed0e6c1303",
"size": 27842
}
],
"from": [
{
"address": "abc@example.com",
"id": 760623,
"personal": "mailbox-08517"
}
],
"headers": [
{
"name": "From",
"value": "abc@example.com"
},
{
"name": "To",
"value": "pqr@example.com"
},
{
"name": "CC",
"value": "abc@example.com"
},
{
"name": "Subject",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Topic",
"value": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
},
{
"name": "Thread-Index",
"value": "AQHYocD7Ut113z4F00uSjzqlEM2clw=="
},
{
"name": "Date",
"value": "Wed, 27 Jul 2022 13:58:43 +0000"
},
{
"name": "Message-ID",
"value": "<1216208547.160.1658930322668@6d14a4fa9033>"
}
],
"id": 760624,
"internetMessageId": "<1216208547.160.1658930322668@6d14a4fa9033>",
"md5": "a486b023cd82f45f7b099a41dc3776a6",
"processedOn": "2022-07-27T13:58:46.271+00:00",
"receivedOn": "2022-07-27T13:58:44.000+00:00",
"recipients": [
{
"address": "abc@example.com",
"id": 7606409,
"personal": "mailbox-00110",
"recipientType": "to"
},
{
"address": "pqr@example.com",
"id": 7606418,
"personal": "mailbox-00119",
"recipientType": "cc"
}
],
"sentOn": "2022-07-27T13:58:43.000+00:00",
"sha1": "0b744bed73106d5d613d83c71b9d9884f48690f4",
"sha256": "2d7bad3fe37c9e4089e6231784f51354ef2fd9689fe7fae6d46cb70d279da8e0",
"subject": "craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 1658930322646"
}
],
"attachmentHashCriteria": {
"type": "ANY"
},
"createdBy": "testuser",
"createdDate": "2022-08-02T19:05:08.035549",
"domainCriteria": {
"type": "ANY"
},
"id": 700,
"modifiedBy": "testuser",
"modifiedDate": "2022-08-02T19:05:08.035549"
}
}
}

Human Readable Output#

Message Search:#

IDCreated ByCreated DateModified ByModified Date
700testuser02/08/2022, 07:05 PMtestuser02/08/2022, 07:05 PM

Message Search Results:#

Message IDInternet Message IDSubjectSent OnReceived OnSenderRecipientAttachment File Names
7606231216208547.160.1658930322668@6d14a4fa9032\craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 165893032264627/07/2022, 01:58 PM UTC27/07/2022, 01:58 PM UTCabc@example.comabc@example.com,
abc@example.com
File Name: fileNum-Thread[mailer-011,5,main]-text-file-163.txt
MD5: 3d0e1d68f12afee22ae3e79e01027c7a
SHA256: ca68f5eecd5822783911ed392fbff3c171d3a1854c0f992364d038ee447f8ac3


File Name: fileNum-Thread[mailer-011,5,main]-text-file-146.txt.zip
MD5: 5c602ca45faac3bb128a5ecbf977f9f1
SHA256: 6018b7cc402e6368d4542c0f6c129a99e35c80ae9001ec338e7621df2f8ac51f


File Name: text-file-146.txt
MD5: c5aa88f949574a0a5e75a795dc507da7
SHA256: d3a070977ae0ae561bae2215526c187d5c46c54dd8899eefb8fe21ed0e6c1303
7606241216208547.160.1658930322668@6d14a4fa9033\craftless plantable desulphurate iodized imbeds invoicing infrangibly prosers damn halberdiers refinedly unmoaned scatteredly11 time 165893032264627/07/2022, 01:58 PM UTC27/07/2022, 01:58 PM UTCabc@example.comabc@example.com,
abc@example.com
File Name: text-file-146.txt
MD5: c5aa88f949574a0a5e75a795dc507da7
SHA256: d3a070977ae0ae561bae2215526c187d5c46c54dd8899eefb8fe21ed0e6c1303

cofense-iocs-list#


Lists the IOCs stored in the local IOC Repository.

Base Command#

cofense-iocs-list

Input#

Argument NameDescriptionRequired
sourceA single IOC source value, to fetch the IOCs added or modified by that particular source. The value for source can contain uppercase letters, lowercase letters, numbers, and certain special characters ('.', '_' and '~').

Examples: Triage-1,IOC_Source-2.
Required
pageThe start page of the results. The value must be a positive integer or 0. Default is 0.Optional
sizeThe number of results to retrieve.

Maximum value is '2000'. Default is 50.
Optional
sortThe name-value pair defining the order of the response.

Supported format: propertyName:sortOrder

Supported value for propertyName is: updatedAt.

Supported values for sortOrder are: asc, desc.
Optional
include_expiredWhether to include expired IOCs or not. Possible values are: True, False. Default is False.Optional
sinceInclude only IOCs that were added to the repository after the given UTC date and time.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Optional

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringString that describes the severity of the threat.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source included the IOC for the first time. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time cofense vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time cofense vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-iocs-list source="Vision-UI" size=2

Context Example#

{
"Cofense": {
"IOC": [
{
"attributes": {
"threat_type": "DOMAIN",
"threat_value": "qwe"
},
"id": "088dc5454129d776b4a1484b71bb71b0",
"metadata": {
"quarantine": {
"created_at": "2022-07-29T07:09:39.849+00:00",
"expired": false,
"expires_at": "2022-08-12T07:09:39.849+00:00",
"match_count": 0,
"quarantine_count": 0,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": {
"created_at": "2022-07-29T00:00:00.000+00:00",
"id": "e3026f0c154395767993f34cc71b13e3",
"requested_expiration": "2022-08-12T07:09:39.849+00:00",
"threat_level": "very_high",
"updated_at": "2022-07-29T00:00:00.000+00:00"
}
},
"type": "ioc"
},
{
"attributes": {
"threat_type": "DOMAIN",
"threat_value": "fgh"
},
"id": "1627363590bae65d9497e0e02bc412b4",
"metadata": {
"quarantine": {
"created_at": "2022-08-03T09:20:26.808+00:00",
"expired": false,
"expires_at": "2022-08-17T09:20:26.808+00:00",
"match_count": 0,
"quarantine_count": 0,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": {
"created_at": "2022-02-02T00:00:00.000+00:00",
"id": "709d185bd891a61dedbcea8040a24a95",
"requested_expiration": "2022-08-17T09:20:26.808+00:00",
"threat_level": "High",
"updated_at": "2022-08-03T00:00:00.000+00:00"
}
},
"type": "ioc"
}
]
}
}

Human Readable Output#

IOC:#

IDThreat TypeThreat ValueThreat LevelUpdated AtCreated AtMatch CountQuarantine Count
088dc5454129d776b4a1484b71bb71b0DOMAINqwevery_high29/07/2022, 07:09 AM UTC29/07/2022, 07:09 AM UTC00

IOC:#

IDThreat TypeThreat ValueThreat LevelUpdated AtCreated AtMatch CountQuarantine Count
1627363590bae65d9497e0e02bc412b4DOMAINfghHigh02/08/2022, 09:20 AM UTC03/08/2022, 09:20 AM UTC00

cofense-ioc-update#


Updates the IOC identified by its unique MD5 ID.

Base Command#

cofense-ioc-update

Input#

Argument NameDescriptionRequired
idThe ID of the IOC to be updated.

Note: Users can get the list of IDs by executing the "cofense-iocs-list" command.
Required
expires_atExpiration date and time of the IOC. The timestamp is in UTC.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Required

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringString that describes the severity of the threat.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source included the IOC for the first time. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time cofense vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time cofense vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.IOC.metadata.quarantine.wildcardBooleanWhether the wildcard matching is set (true) or not (false).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-ioc-update id="bb78c7a2f8c9eea5b9c5a30eb8c9069b" expires_at="1 day"

Context Example#

{
"Cofense": {
"IOC": {
"attributes": {
"threat_type": "DOMAIN",
"threat_value": "test.com"
},
"id": "bb78c7a2f8c9eea5b9c5a30eb8c9069b",
"metadata": {
"quarantine": {
"created_at": "2022-08-08T09:17:11.188+00:00",
"expired": false,
"expires_at": "2022-08-24T04:25:24.909+00:00",
"match_count": 0,
"quarantine_count": 0,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": null
},
"type": "ioc"
}
}
}

Human Readable Output#

IOC with value bb78c7a2f8c9eea5b9c5a30eb8c9069b has been updated successfully.#

IDThreat TypeThreat ValueCreated AtExpires At
bb78c7a2f8c9eea5b9c5a30eb8c9069bDOMAINtest.com08/08/2022, 09:17 AM UTC24/08/2022, 04:25 AM UTC

cofense-iocs-update#


Updates one or more IOCs stored in the local IOC repository. To update multiple IOCs use iocs_json argument.

Note: iocs_json parameter will take precedence over other parameters. threat_type, threat_value, threat_level, created_at and source_id are required parameters to update a single IOC.

Base Command#

cofense-iocs-update

Input#

Argument NameDescriptionRequired
sourceA single IOC source value, to fetch the IOCs added or modified
by that particular source. The value for source can contain
uppercase letters, lowercase letters, numbers, and certain
special characters ("." , "-" , "_" , "~").

Example: "Traige-1" or "IOC_Source-2".
Required
iocs_jsonList of JSON data containing ioc details to be updated in the IOC local repository.

Supported format:
[{
"threat_type": "Domain",
"threat_value":"test1.com",
"threat_level": "Malicious",
"created_at":"20/08/2022",
"source_id":"test_source_1",
"updated_at": "20/08/2022",
"requested_expiration": "30/08/2022"
},
{
"threat_type": "Domain",
"threat_value":"test2.com",
"threat_level": "Malicious",
"created_at":"20/08/2022",
"source_id":"test_source_2",
"updated_at": "20/08/2022",
"requested_expiration": "30/08/2022"
}]

Note: threat_type, threat_value, threat_level, created_at and source_id are required parameters.
Optional
threat_typeType of the IOC.

Supported values: Domain, MD5, Sender, SHA256, Subject, or URL. Possible values are: Domain, MD5, Sender, SHA256, Subject, URL.
Optional
threat_valueThe actual value of the IOC match in the email.Optional
threat_levelThe severity of the IOC.

Example: "Malicious".
Optional
source_idThe unique identifier assigned by the IOC source.

Example: source1_id_00001.
Optional
created_atThe UTC date and time, the IOC source included the IOC for the first time.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z.
Optional
updated_atThe UTC date and time, the IOC source last updated the IOC.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z

Default value will be the current UTC time.
.
Optional
requested_expirationThe expected UTC expiration date and time. The IOC repository
calculates an expiration date and time for the new IOC by default 14 days
after the IOC is delivered to the IOC repository.

Supported formats: N minutes, N hours, N days, N weeks, N months, N years, yyyy-mm-dd, yyyy-mm-ddTHH:MM:SSZ

Example: 01 Mar 2021, 01 Feb 2021 04:45:33, 2022-04-17T14:05:44Z".
Optional

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringString that describes the severity of the threat.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source included the IOC for the first time. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time cofense vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time cofense vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.IOC.metadata.quarantine.wildcardBooleanWhether the wildcard matching is set (true) or not (false).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-iocs-update source="Vision-UI" iocs_json="[{\"threat_type\":\"Domain\",\"threat_value\":\"test.com\",\"threat_level\":\"Malicious\",\"source_id\":\"test\",\"created_at\":\"1 day\",\"updated_at\":\"1 day\"}]"

Context Example#

{
"Cofense": {
"IOC": {
"attributes": {
"threat_type": "DOMAIN",
"threat_value": "test.com"
},
"id": "bb78c7a2f8c9eea5b9c5a30eb8c9069b",
"metadata": {
"quarantine": {
"created_at": "2022-08-08T09:17:11.188+00:00",
"expired": false,
"expires_at": "2022-08-24T04:25:24.909+00:00",
"match_count": 0,
"quarantine_count": 0,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": {
"created_at": "2022-08-09T04:25:23.000+00:00",
"id": "test",
"requested_expiration": "2022-08-24T04:25:24.909+00:00",
"threat_level": "Malicious",
"updated_at": "2022-08-09T04:25:23.000+00:00"
}
},
"type": "ioc"
}
}
}

Human Readable Output#

IOC bb78c7a2f8c9eea5b9c5a30eb8c9069b updated successfully.#

IDThreat TypeThreat ValueThreat LevelCreated AtUpdated AtRequested Expiration
bb78c7a2f8c9eea5b9c5a30eb8c9069bDOMAINtest.comMalicious09/08/2022, 04:25 AM UTC09/08/2022, 04:25 AM UTC24/08/2022, 04:25 AM UTC

cofense-last-ioc-get#


Synchronizes the update of data between the IOC source and the IOC repository. Retrieves the last updated IOC from the local IOC Repository. It may return an active or an expired IOC.

Base Command#

cofense-last-ioc-get

Input#

Argument NameDescriptionRequired
sourceA single IOC source value, to fetch the IOCs added or modified
by that particular source. The value for source can contain
uppercase letters, lowercase letters, numbers, and certain
special characters ("." , "-" , "_" , "~").

Example: "Traige-1" or "IOC_Source-2".
Required

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringString that describes the severity of the threat.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source included the IOC for the first time. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time cofense vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time cofense vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.IOC.metadata.quarantine.wildcardBooleanWhether the wildcard matching is set (true) or not (false).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-last-ioc-get source="Vision-UI"

Context Example#

{
"Cofense": {
"IOC": {
"attributes": {
"threat_type": "SUBJECT",
"threat_value": "test-subject"
},
"id": "bb931fec9d9672a9e307456133223b2e",
"metadata": {
"quarantine": {
"created_at": "2022-08-10T04:12:49.003+00:00",
"expired": false,
"expires_at": "2022-08-24T18:29:59.999+00:00",
"first_quarantined_at": "2022-08-10T04:12:49.424+00:00",
"last_quarantined_at": "2022-08-10T04:12:49.424+00:00",
"match_count": 1,
"quarantine_count": 10,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": {
"created_at": "2022-08-10T04:12:45.064+00:00",
"id": " ",
"requested_expiration": "2022-08-24T18:29:59.999+00:00",
"threat_level": "Low",
"updated_at": "2022-08-10T04:12:45.064+00:00"
}
},
"type": "ioc"
}
}
}

Human Readable Output#

Last IOC:#

IDThreat TypeThreat ValueCreated AtExpires AtMatch CountQuarantine CountFirst Quarantined AtLast Quarantined At
bb931fec9d9672a9e307456133223b2eSUBJECTtest-subject10/08/2022, 04:12 AM UTC24/08/2022, 06:29 PM UTC11010/08/2022, 04:12 AM UTC10/08/2022, 04:12 AM UTC

cofense-ioc-delete#


Deletes a single active or expired IOC from the local IOC Repository.

Base Command#

cofense-ioc-delete

Input#

Argument NameDescriptionRequired
sourceA single IOC source value, to fetch the IOCs added or modified
by that particular source. The value for source can contain
uppercase letters, lowercase letters, numbers, and certain
special characters ("." , "-" , "_" , "~").

Example: "Traige-1" or "IOC_Source-2".
Required
idThe ID of the IOC to be deleted.

Note: Users can get the list of IDs by executing the "cofense-iocs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat type" and "threat value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringThe threat level of the IOC.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source was first seen. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time the cofense vision quarantined the email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time the cofense vision last quarantined the email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of times the email was quarantined.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.IOC.deletedBooleanIndicates whether the IOC is deleted or not.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-ioc-delete source="Vision-UI" id=bb931fec9d9672a9e307456133223b2e

Context Example#

{
"Cofense": {
"IOC": {
"attributes": {
"threat_type": "SUBJECT",
"threat_value": "test-subject"
},
"deleted": true,
"id": "bb931fec9d9672a9e307456133223b2e",
"metadata": {
"quarantine": {
"created_at": "2022-08-10T04:12:49.003+00:00",
"expired": false,
"expires_at": "2022-08-24T18:29:59.999+00:00",
"first_quarantined_at": "2022-08-10T04:12:49.424+00:00",
"last_quarantined_at": "2022-08-10T04:12:49.424+00:00",
"match_count": 1,
"quarantine_count": 10,
"source_names": [
"Vision-UI"
],
"wildcard": false
},
"source": {
"created_at": "2022-08-10T04:12:45.064+00:00",
"id": " ",
"requested_expiration": "2022-08-24T18:29:59.999+00:00",
"threat_level": "Low",
"updated_at": "2022-08-10T04:12:45.064+00:00"
}
},
"type": "ioc"
}
}
}

Human Readable Output#

IOC with value "bb931fec9d9672a9e307456133223b2e" has been deleted successfully.#

IDThreat TypeThreat ValueAction Status
bb931fec9d9672a9e307456133223b2eSUBJECTtest-subjectSuccess

cofense-ioc-get#


Retrieves the IOC identified by its unique MD5 ID.

Base Command#

cofense-ioc-get

Input#

Argument NameDescriptionRequired
sourceA single IOC source value, to fetch the IOCs added or modified
by that particular source. The value for source can contain
uppercase letters, lowercase letters, numbers, and certain
special characters ("." , "-" , "_" , "~").

Example: "Traige-1" or "IOC_Source-2".
Optional
idThe ID of the IOC.

Note: Users can get the list of IDs by executing the "cofense-iocs-list" command.
Required

Context Output#

PathTypeDescription
Cofense.IOC.idStringMD5 hash composed of the UTF-8 concatenation of "threat_type" and "threat_value" attributes.
Cofense.IOC.typeStringType of the cofense resource which is always "ioc".
Cofense.IOC.attributes.threat_typeStringThreat type of the IOC match.
Cofense.IOC.attributes.threat_valueStringActual value of the IOC match in the email.
Cofense.IOC.metadata.source.threat_levelStringString that describes the severity of the threat.
Cofense.IOC.metadata.source.idStringUnique identifier assigned by the IOC source.
Cofense.IOC.metadata.source.created_atDateDate and time the IOC source included the IOC for the first time. The timestamp is in UTC.
Cofense.IOC.metadata.source.updated_atDateDate and time the IOC source last updated the IOC. The timestamp is in UTC.
Cofense.IOC.metadata.source.requested_expirationDateExpiration date and time for this IOC in UTC.
Cofense.IOC.metadata.quarantine.source_namesUnknownArray containing the IOC sources.
Cofense.IOC.metadata.quarantine.expires_atDateDate and time, in UTC, after which this IOC expires.
Cofense.IOC.metadata.quarantine.created_atDateDate and time the quarantine data was created in the IOC repository. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.first_quarantined_atDateDate and time cofense vision quarantined the first email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.last_quarantined_atDateDate and time cofense vision quarantined the last email due to this IOC. The timestamp is in UTC.
Cofense.IOC.metadata.quarantine.match_countNumberNumber of unique emails that matched the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.quarantine_countNumberNumber of recipients who received emails matching the IOC while the IOC was active.
Cofense.IOC.metadata.quarantine.expiredBooleanWhether the IOC is expired (true) or not expired (false).
Cofense.IOC.metadata.quarantine.wildcardBooleanWhether the wildcard matching is set (true) or not (false).
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
Domain.NameStringThe domain name.
Domain.Malicious.DescriptionStringA description of the malicious domain.
Domain.Malicious.VendorStringThe vendor who reported the domain as malicious.
URL.DataStringThe URL.
URL.Malicious.DescriptionStringA description of the malicious URL.
URL.Malicious.VendorStringThe vendor who reported the URL as malicious.
Email.AddressStringThe sender of the email.
Email.Malicious.DescriptionStringA description of the malicious email.
Email.Malicious.VendorStringThe vendor who reported the email as malicious.
File.SHA256StringThe SHA256 hash of the file.
File.MD5StringThe MD5 hash of the file.
File.Malicious.DescriptionStringA description explaining why the file was determined to be malicious.
File.Malicious.VendorStringThe vendor who reported the file as malicious.

Command example#

!cofense-ioc-get source="Vision-UI" id=bb931fec9d9672a9e307456133223b2e

Context Example#

{
"Cofense": {
"IOC": {
"id": "0c7aff000d37b4a600eb676a473fa5b1",
"type": "ioc",
"attributes": {
"threat_type": "DOMAIN",
"threat_value": "test"
},
"metadata": {
"source": {
"threat_level": "minor",
"id": "test",
"created_at": "2022-12-09T00:00:00.000+00:00",
"updated_at": "2022-09-12T06:55:56.000+00:00",
"requested_expiration": "2022-09-26T06:55:57.305+00:00"
},
"quarantine": {
"source_names": [
"Vision-UI"
],
"expires_at": "2022-09-26T06:55:57.305+00:00",
"created_at": "2022-09-12T06:55:57.305+00:00",
"first_quarantined_at": null,
"last_quarantined_at": null,
"match_count": 0,
"quarantine_count": 0,
"expired": false,
"wildcard": false
}
}
}
}
}

Human Readable Output#

IOC:#

IDThreat TypeThreat ValueCreated AtExpires At
0c7aff000d37b4a600eb676a473fa5b1DOMAINtest12/09/2022, 06:55 AM UTC26/09/2022, 06:55 AM UTC

cofense-searchable-headers-get#


Retrieves a list of configured header keys that can be used to create a message search.

Base Command#

cofense-searchable-headers-get

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
Cofense.Config.nameStringName of the configuration which is 'searchableHeaders'.
Cofense.Config.valueUnknownList of headers that are available to create a message search.

Command example#

!cofense-searchable-headers-get

Context Example#

{
"Cofense": {
"Config": {
"name": "searchableHeaders",
"value": [
"X-MS-Exchange-Organization-AuthSource"
]
}
}
}

Human Readable Output#

Available headers to create a search:#

Headers
X-MS-Exchange-Organization-AuthSource