Cofense Triage

Use the Cofense Triage integration to enable superusers to programmatically extract data from Cofense Triage in JSON format.
This integration was tested with Cofense Triage version 1.14.0.

Configure Cofense Triage on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for Cofense Triage.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1)
    • User
    • API Token
    • Fetch incidents
    • Incident type
    • First fetch time (e.g., 12 hours, 7 days, 3 months, 1 year)
    • Category ID to fetch - corresponds to the ranking that determines the Cofense Triage prioritization (1-5)
    • Match Priority - the highest match priority based on rule hits for the report
    • Tags - CSV list of tags of processed reports by which to filter
    • Maximum number of incidents to fetch each time
    • Trust any certificate (not secure)
    • Use system proxy
  4. Click Test to validate the URLs, token, and connection.
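The fetch parameters above (first fetch time, category ID, match priority, tags, maximum number of incidents) describe a filter that the integration applies to reports. The following is an added example, not code from the Cofense Triage integration, showing that filter applied client-side to constructed report records. It assumes the relative time string is "<number> <unit>" with months and years approximated as 30 and 365 days, that the match priority setting selects reports whose priority equals the configured value (the page does not say whether it is a minimum), and that a report passes the tag filter when it carries at least one of the listed tags.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample report records (not real Triage data); only the fields the
# fetch filter looks at are included. Reported-at values are ISO 8601 UTC strings.
SAMPLE_REPORTS = [
    {"id": 13232, "category_id": 3, "match_priority": 5, "tags": ["invoice"],
     "reported_at": "2019-05-17T11:37:52.000Z"},
    {"id": 13233, "category_id": 4, "match_priority": 2, "tags": [],
     "reported_at": "2019-05-16T09:00:00.000Z"},
    {"id": 13234, "category_id": 3, "match_priority": 3, "tags": ["credential-phish"],
     "reported_at": "2019-03-01T09:00:00.000Z"},
]

# Fixed "now" so the example is reproducible (constructed).
SAMPLE_NOW = datetime(2019, 5, 18, tzinfo=timezone.utc)

_TIMEDELTA_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}


def parse_first_fetch(text, now):
    """Turn '12 hours' / '7 days' / '3 months' / '1 year' into an absolute UTC cutoff.

    Months and years are approximated as 30 and 365 days (assumption of this example).
    Anything that does not look like '<number> <unit>' is rejected rather than guessed.
    """
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day|week|month|year)s?\s*", text)
    if not m:
        raise ValueError(f"unrecognised first fetch time: {text!r}")
    n, unit = int(m.group(1)), m.group(2)
    if unit == "month":
        delta = timedelta(days=30 * n)
    elif unit == "year":
        delta = timedelta(days=365 * n)
    else:
        delta = timedelta(**{_TIMEDELTA_UNITS[unit]: n})
    return now - delta


def parse_iso8601(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SS.mmmZ' form seen in the report examples."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def select_reports(reports, first_fetch, now, category_id=None, match_priority=None,
                   tags=None, max_fetch=50):
    """Return the IDs of reports that pass the configured fetch filter, oldest first.

    tags is the CSV string from the instance configuration; an empty value disables
    the tag filter. max_fetch caps how many incidents one fetch returns.
    """
    cutoff = parse_first_fetch(first_fetch, now)
    wanted_tags = {t.strip() for t in (tags or "").split(",") if t.strip()}
    selected = []
    for report in sorted(reports, key=lambda r: r["reported_at"]):
        if parse_iso8601(report["reported_at"]) < cutoff:
            continue
        if category_id is not None and report["category_id"] != category_id:
            continue
        if match_priority is not None and report["match_priority"] != match_priority:
            continue
        if wanted_tags and not wanted_tags & set(report["tags"]):
            continue
        selected.append(report["id"])
        if len(selected) >= max_fetch:
            break
    return selected


if __name__ == "__main__":
    print(select_reports(SAMPLE_REPORTS, "7 days", SAMPLE_NOW, category_id=3))
```

Processing reports oldest first matters for the "maximum number of incidents to fetch" cap: when the cap is hit, the next fetch can resume from the newest report already ingested instead of silently skipping the older ones.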

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Search reports: cofense-search-reports
  2. Get an attachment: cofense-get-attachment
  3. Get the reporter email address: cofense-get-reporter
  4. Get a report: cofense-get-report-by-id

1. Search reports


Runs a query for reports.

Base Command

cofense-search-reports

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| file_hash | File hash, MD5 or SHA256. | Optional |
| url | The reported URLs. | Optional |
| subject | Report subject. | Optional |
| reported_at | Retrieve reports that were reported after this time, for example: "2 hours, 4 minutes, 6 months, 1 day". | Optional |
| created_at | Retrieve reports that were created after this time, for example: "2 hours, 4 minutes, 6 months, 1 day". | Optional |
| reporter | Name or ID of the reporter. | Optional |
| max_matches | Maximum number of matches to fetch. Default is 30. | Optional |
| verbose | Returns all fields of a report. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Report.ID | unknown | ID number of the report. |
| Report.EmailAttachments | unknown | Email attachments. |
| Report.EmailAttachments.id | unknown | Email attachment ID. |
| Report.Tags | string | Report tags. |
| Report.ClusterId | number | Cluster ID number. |
| Report.CategoryId | number | Report category. |
| Report.CreatedAt | date | Report creation date. |
| Report.ReportedAt | string | Reporting time. |
| Report.MatchPriority | number | The highest match priority based on rule hits for the report. |
| Report.ReporterId | number | Reporter ID. |
| Report.Location | string | Location of the report. |
| Report.Reporter | string | Reporter email address. |
| Report.SuspectFromAddress | string | Suspect from address. |
| Report.ReportSubject | string | Report subject. |
| Report.ReportBody | string | Report body. |
| Report.Md5 | number | MD5 hash of the file. |
| Report.Sha256 | unknown | SHA256 hash of the file. |
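The search arguments combine as a filter over reports, and the file_hash argument has to match either the report's own digest or the digest of one of its attachment payloads. The following added example (not code from the integration) reproduces those argument semantics client-side over constructed Cofense.Report entries shaped like the Context Example below. The hashes and IDs of the first entry are taken from that example; the second entry, the URL in its body, and the set of fields returned when verbose is false are assumptions of this example.

```python
import re

# Constructed Cofense.Report context entries. The first mirrors the Context Example on
# this page; the second is invented here for illustration.
SAMPLE_REPORTS = [
    {
        "ID": 13232, "CategoryId": 3, "MatchPriority": 5, "ClusterId": None, "Tags": [],
        "Location": "Processed", "ReporterId": 5328, "ReportSubject": "NEW ORDER",
        "ReportBody": "Good day\n\nPlease arrange to provide the best offer for below attached Purchase Order\n",
        "ReportedAt": "2019-05-17T11:37:52.000Z", "CreatedAt": "2019-05-17T16:57:16.343Z",
        "Md5": "f5a1766371c063414d8b6a616b19bad0",
        "Sha256": "ca2579c53bd4ff0fa70fe38ae09a893c9332b8dfeab6ca7a13b89a709d54c0bb",
        "EmailAttachments": [
            {"id": 17831, "report_id": 13232, "decoded_filename": "ORDER#t571BA80.rar",
             "email_attachment_payload": {
                 "id": 7037,
                 "md5": "e74c45a697651f3942f86fc5fce009df",
                 "sha256": "1e2c4ac7be08888c72c953adaeb79254e7e9b821988bfdad5d75d75b2467def1"}},
        ],
    },
    {
        "ID": 5760, "CategoryId": 4, "MatchPriority": 0, "ClusterId": None, "Tags": [],
        "Location": "Processed", "ReporterId": 3280,
        "ReportSubject": "example.gmail.com Reset password instruction",
        "ReportBody": "Your password expires today. Visit http://login.example.com/reset to keep access.\n",
        "ReportedAt": "2019-04-17T16:54:57.000Z", "CreatedAt": "2019-04-17T20:53:02.090Z",
        "Md5": "f13bbc172fe7d394828ccabb25c3c99e",
        "Sha256": "4f6bc0d9c1217a2a6f327423e16b7a6e9294c68cfb33864541bd805fe4ab2d72",
        "EmailAttachments": [],
    },
]

# Fields returned when verbose is false (assumption of this example; the page only
# says that verbose returns all fields).
SUMMARY_FIELDS = ("ID", "CategoryId", "MatchPriority", "Location", "ReportSubject",
                  "ReportedAt", "ReporterId", "Md5", "Sha256")

_HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")
_HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def normalize_hash(file_hash):
    """Lower-case the digest and reject anything that is not an MD5 or SHA256 hex string."""
    h = file_hash.strip().lower()
    if not (_HEX_MD5.match(h) or _HEX_SHA256.match(h)):
        raise ValueError("file_hash must be an MD5 (32 hex) or SHA256 (64 hex) digest")
    return h


def report_hashes(report):
    """Every digest tied to a report: its own Md5/Sha256 plus each attachment payload's."""
    hashes = {report.get("Md5"), report.get("Sha256")}
    for attachment in report.get("EmailAttachments", []):
        payload = attachment.get("email_attachment_payload", {})
        hashes.update({payload.get("md5"), payload.get("sha256")})
    return {h.lower() for h in hashes if h}


def report_urls(report):
    """http(s) URLs mentioned in the report body (simple extraction, no normalisation)."""
    return re.findall(r"https?://[^\s<>\"']+", report.get("ReportBody", ""))


def matches(report, file_hash=None, url=None, subject=None):
    """True when the report satisfies every argument that was supplied."""
    if file_hash is not None and normalize_hash(file_hash) not in report_hashes(report):
        return False
    if url is not None and not any(url.lower() in u.lower() for u in report_urls(report)):
        return False
    if subject is not None and subject.lower() not in report.get("ReportSubject", "").lower():
        return False
    return True


def search_reports(reports, file_hash=None, url=None, subject=None, max_matches=30, verbose=False):
    """Client-side equivalent of the cofense-search-reports argument semantics."""
    results = []
    for report in reports:
        if not matches(report, file_hash, url, subject):
            continue
        results.append(dict(report) if verbose else {k: report[k] for k in SUMMARY_FIELDS if k in report})
        if len(results) >= max_matches:
            break
    return results


if __name__ == "__main__":
    print([r["ID"] for r in search_reports(SAMPLE_REPORTS, file_hash="E74C45A697651F3942F86FC5FCE009DF")])
```

Validating the hash argument before it is used means a mistyped or truncated digest fails loudly instead of returning an empty result that looks like "no matching report", and matching attachment payload digests as well as the report digest is what lets a hash seen elsewhere (in a sandbox verdict, for instance) be traced back to the report that carried it.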

Command Example
cofense-search-reports max_matches=30 created_at="60 days" reported_at="60 days" reporter=5328
Context Example
{
    "Cofense.Report": [
        {
            "ReportBody": "Good day\n\n\nPlease arrange to provide the best offer for below attached Purchase Order\nThe requirement for our green field project in Berghofen,Dortmund.\nKindly get back to us\n\n \n\n\n1) Proforma invoice with bank details\n\n2) Delivery date \n\n3) FOB/CIF Port\n\n \n\n \n \nRegards,\n\nkahn Gotze\nSales & Services Assistant\n", 
            "ReportedAt": "2019-05-17T11:37:52.000Z", 
            "ReporterId": 5328, 
            "Tags": [], 
            "ClusterId": null, 
            "ID": 13232, 
            "Location": "Processed", 
            "EmailAttachments": [
                {
                    "content_type": "application/octet-stream; name=ORDER#t571BA80.rar", 
                    "size_in_bytes": 219777, 
                    "decoded_filename": "ORDER#t571BA80.rar", 
                    "email_attachment_payload": {
                        "sha256": "1e2c4ac7be08888c72c953adaeb79254e7e9b821988bfdad5d75d75b2467def1", 
                        "id": 7037, 
                        "mime_type": "application/x-rar; charset=binary", 
                        "md5": "e74c45a697651f3942f86fc5fce009df"
                    }, 
                    "id": 17831, 
                    "report_id": 13232
                }
            ], 
            "ReportSubject": "NEW ORDER", 
            "MatchPriority": 5, 
            "Sha256": "ca2579c53bd4ff0fa70fe38ae09a893c9332b8dfeab6ca7a13b89a709d54c0bb", 
            "CategoryId": 3, 
            "CreatedAt": "2019-05-17T16:57:16.343Z", 
            "Md5": "f5a1766371c063414d8b6a616b19bad0"
        }
    ]
}
Human Readable Output

Reports:

| Category Id | Email Attachments | Sha256 | Created At | Id | Match Priority | Location | Report Body | Report Subject | Reported At | Reporter Id | Md5 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3 | {'id': 17831, 'report_id': 13232, 'decoded_filename': 'ORDER#t571BA80.rar', 'content_type': 'application/octet-stream; name=ORDER#t571BA80.rar', 'size_in_bytes': 219777, 'email_attachment_payload': {'id': 7037, 'md5': 'e74c45a697651f3942f86fc5fce009df', 'sha256': '1e2c4ac7be08888c72c953adaeb79254e7e9b821988bfdad5d75d75b2467def1', 'mime_type': 'application/x-rar; charset=binary'}} | ca2579c53bd4ff0fa70fe38ae09a893c9332b8dfeab6ca7a13b89a709d54c0bb | 2019-05-17T16:57:16.343Z | 13232 | 5 | Processed | Good day Please arrange to provide the best offer for below attached Purchase Order The requirement for our green field project in Berghofen,Dortmund. Kindly get back to us 1) Proforma invoice with bank details 2) Delivery date 3) FOB/CIF Port Regards, kahn Gotze Sales & Services Assistant | NEW ORDER | 2019-05-17T11:37:52.000Z | 5328 | f5a1766371c063414d8b6a616b19bad0 |

2. Get an attachment


Retrieves an attachment by the attachment ID number.

Base Command

cofense-get-attachment

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| attachment_id | ID of the attachment. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Attachment.ID | string | The ID number of the attachment. |
| File.Size | string | The size of the file. |
| File.EntryID | string | The War Room entry ID of the file. |
| File.Name | string | The file name. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.MD5 | string | The MD5 hash of the file. |
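Triage reports an MD5 and SHA256 for each attachment payload (see the email_attachment_payload object in the search example above), and this command produces a File object carrying the hashes of the bytes actually downloaded. The following added example (not code from the integration) computes the File digests locally and refuses to build the entry when they disagree with what Triage declared, so a truncated or altered download cannot be enriched under the wrong hash. The attachment bytes, file name and the entry ID placeholder are constructed for the example.

```python
import hashlib

# Constructed attachment bytes (not a real Triage attachment); the declared digests used
# in the usage below are derived from these bytes so the example is self-checking.
SAMPLE_ATTACHMENT_ID = 8195
SAMPLE_FILENAME = "constructed-sample.bin"
SAMPLE_BYTES = b"constructed sample attachment content\n"


def compute_digests(data):
    """MD5, SHA1 and SHA256 of the downloaded bytes as lower-case hex strings."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def attachment_matches_declared(data, declared):
    """True if every digest Triage declared (md5 and/or sha256) matches the bytes received.

    Comparison is case-insensitive on the declared side; a declared digest that is
    missing is simply not checked.
    """
    computed = compute_digests(data)
    return all(declared[k].lower() == computed[k] for k in ("md5", "sha256") if k in declared)


def build_file_entry(attachment_id, filename, data, declared, entry_id="<war-room-entry-id>"):
    """Build the context this command populates: Cofense.Attachment plus the File object.

    entry_id is a placeholder; in the real integration the War Room assigns it when the
    file is uploaded.
    """
    if not attachment_matches_declared(data, declared):
        raise ValueError(
            f"attachment {attachment_id}: downloaded bytes do not match the digests Triage reported")
    digests = compute_digests(data)
    return {
        "Cofense.Attachment": {"ID": str(attachment_id)},
        "File": {
            "Name": filename,
            "Size": len(data),
            "EntryID": entry_id,
            "MD5": digests["md5"],
            "SHA1": digests["sha1"],
            "SHA256": digests["sha256"],
        },
    }


if __name__ == "__main__":
    declared = {k: compute_digests(SAMPLE_BYTES)[k] for k in ("md5", "sha256")}
    print(build_file_entry(SAMPLE_ATTACHMENT_ID, SAMPLE_FILENAME, SAMPLE_BYTES, declared))
```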

Command Example
cofense-get-attachment attachment_id=8195
Context Example
{
    "Cofense.Attachment": {
        "ID": "8195"
    }
}

3. Get the reporter email address


Retrieves the email address of the reporter, by reporter ID.

Base Command

cofense-get-reporter

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| reporter_id | ID of the reporter. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Report.ID | unknown | ID of the reporter. |
| Report.Email | unknown | Reporter email address. |

Command Example
cofense-get-reporter reporter_id=5328
Context Example
{
    "Cofense.Reporter": {
        "Email": "vishnuetp16@gmail.com", 
        "ID": "5328"
    }
}
Human Readable Output

Reporter: vishnuetp16@gmail.com

4. Get a report


Retrieves a report by the report ID.

Base Command

cofense-get-report-by-id

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| report_id | ID of the report. | Required |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| Report.ID | unknown | ID number of the report. |
| Report.EmailAttachments | unknown | Email attachments. |
| Report.EmailAttachments.id | unknown | Email attachment ID. |
| Report.Tags | string | Report tags. |
| Report.ClusterId | number | Cluster ID number. |
| Report.CategoryId | number | Report category. |
| Report.CreatedAt | date | Report creation date. |
| Report.ReportedAt | string | Reporting time. |
| Report.MatchPriority | number | The highest match priority based on rule hits for the report. |
| Report.ReporterId | number | Reporter ID. |
| Report.Location | string | Location of the report. |
| Report.Reporter | string | Reporter email address. |
| Report.SuspectFromAddress | string | Suspect from address. |
| Report.ReportSubject | string | Report subject. |
| Report.ReportBody | string | Report body. |
| Report.Md5 | number | MD5 hash of the file. |
| Report.Sha256 | unknown | SHA256 hash of the file. |

Command Example
cofense-get-report-by-id report_id=5760
Context Example
{
    "Cofense.Report": [
        {
            "ReportedAt": "2019-04-17T16:54:57.000Z", 
            "ReporterId": 3280, 
            "Reporter": "no-reply@server.com", 
            "Tags": [], 
            "ClusterId": null, 
            "ID": 5760, 
            "Location": "Processed", 
            "EmailAttachments": [], 
            "ReportSubject": "example.gmail.com Reset password instruction", 
            "MatchPriority": 0, 
            "Sha256": "4f6bc0d9c1217a2a6f327423e16b7a6e9294c68cfb33864541bd805fe4ab2d72", 
            "CategoryId": 4, 
            "CreatedAt": "2019-04-17T20:53:02.090Z", 
            "Md5": "f13bbc172fe7d394828ccabb25c3c99e"
        }
    ]
}
Human Readable Output

Cofense HTML Report:

HTML report download request has been completed

Report Summary:

Category Id Sha256 Created At Id Match Priority Location Report Subject Reported At Reporter Id Md5 Reporter
4 4f6bc0d9c1217a2a6f327423e16b7a6e9294c68cfb33864541bd805fe4ab2d72 2019-04-17T20:53:02.090Z 5760 0 Processed example.gmail.com password i