Cofense Triage v2

Use the Cofense Triage integration to ingest reported phishing indicators. This integration was integrated and tested with version 1.20 of Cofense Triage v2

Configure Cofense Triage v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Cofense Triage v2.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
hostServer URL (e.g., https://192.168.0.1\)True
userUserTrue
tokenAPI TokenTrue
isFetchFetch incidentsFalse
incidentTypeIncident typeFalse
date_rangeFirst fetch time (<number> <time unit>, e.g., 12 hours, 7 days, 3 months, 1 year)False
category_idCategory ID to fetchFalse
match_priorityMatch Priority - the highest match priority based on rule hits for the reportFalse
tagsTags - CSV list of tags of processed reports by which to filterFalse
max_fetchMaximum number of incidents to fetch each timeFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
  1. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

cofense-search-reports


Runs a query for reports.

Base Command

cofense-search-reports

Input

Argument NameDescriptionRequired
file_hashFile hash, MD5 or SHA256.Optional
urlThe reported URLs.Optional
subjectReport's subjectOptional
reported_atRetrieve reports that were reported after this time, for example: "2 hours, 4 minutes, 6 month, 1 day".Optional
created_atRetrieve reports that were created after this time, for example: "2 hours, 4 minutes, 6 month, 1 day".Optional
reporterAddress or ID of the reporter.Optional
max_matchesMaximum number of matches to fetch. Default is 30.Optional
verboseReturns all fields of a report.Optional

Context Output

PathTypeDescription
Cofense.Report.IDunknownID number of the report.
Cofense.Report.EmailAttachmentsunknownEmail attachments.
Cofense.Report.EmailAttachments.idunknownEmail attachment ID.
Cofense.Report.TagsstringReport tags.
Cofense.Report.ClusterIdnumberCluster ID number.
Cofense.Report.CategoryIdnumberReport category.
Cofense.Report.CreatedAtdateReport creation date.
Cofense.Report.ReportedAtstringReporting time.
Cofense.Report.MatchPrioritynumberThe highest match priority based on rule hits for the report.
Cofense.Report.ReporterIdnumberReporter ID.
Cofense.Report.LocationstringLocation of the report.
Cofense.Report.ReporterstringReporter email address.
Cofense.Report.SuspectFromAddressstringSuspect from address.
Cofense.Report.ReportSubjectstringReport subject.
Cofense.Report.ReportBodystringReport body.
Cofense.Report.Md5numberMD5 hash of the file.
Cofense.Report.Sha256unknownSHA256 hash of the file.

Command Example

!cofense-search-reports reported_at="7 days" created_at="7 days" max_matches="1"

Context Example

{
"Cofense": {
"Report": {
"CategoryId": 4,
"ClusterId": null,
"CreatedAt": "2020-06-04T13:42:26.173Z",
"EmailAttachments": [
{
"content_type": "image/png; name=image001.png",
"decoded_filename": "image001.png",
"email_attachment_payload": {
"id": 7095,
"md5": "5008fb6e6652f56cac5bdc5bf1cbe9c2",
"mime_type": "image/png; charset=binary",
"sha256": "554aeaaace31c7038a09dd408945583e1035ec124a46b04e5c6c5b148dc96f68"
},
"id": 18087,
"report_id": 13429,
"size_in_bytes": 1397
},
{
"content_type": "image/png; name=image003.png",
"decoded_filename": "image003.png",
"email_attachment_payload": {
"id": 7097,
"md5": "731ffb7846c22e41e9de8de307c93ece",
"mime_type": "image/png; charset=binary",
"sha256": "c911d07d1f7be624e00e44821148629d98cf6d0f2bfac112362c7c564522ea51"
},
"id": 18089,
"report_id": 13429,
"size_in_bytes": 1701
},
{
"content_type": "image/png; name=image006.png",
"decoded_filename": "image006.png",
"email_attachment_payload": {
"id": 7100,
"md5": "124bd437f87181fdfe3154b31fd2cf6b",
"mime_type": "image/png; charset=binary",
"sha256": "3d804c705545bf2a1e5ac6b0ea9b93a41ceb16d7453adebc58fba5df75335b20"
},
"id": 18092,
"report_id": 13429,
"size_in_bytes": 1994
},
{
"content_type": "image/png; name=image002.png",
"decoded_filename": "image002.png",
"email_attachment_payload": {
"id": 7096,
"md5": "cc07463ceeaaed79783a7f2a607797f9",
"mime_type": "image/png; charset=binary",
"sha256": "c6c2c95238f52648faaef4520fa9bba49c10ca0f1df9bfd1912be544f319b80b"
},
"id": 18088,
"report_id": 13429,
"size_in_bytes": 1430
},
{
"content_type": "image/png; name=image004.png",
"decoded_filename": "image004.png",
"email_attachment_payload": {
"id": 7098,
"md5": "95878e37974ed3cad67154d36dd58a9a",
"mime_type": "image/png; charset=binary",
"sha256": "e0d478f6ce56721867a0584ddea0016d713b9b2ab758fd0c9be3f1409d6e2634"
},
"id": 18090,
"report_id": 13429,
"size_in_bytes": 1557
},
{
"content_type": "image/png; name=image005.png",
"decoded_filename": "image005.png",
"email_attachment_payload": {
"id": 7099,
"md5": "0e911498bf4dc5eddb544ab5ece4b06a",
"mime_type": "image/png; charset=binary",
"sha256": "5f2046b3c55a874aadde052f9da4af3c17e2b5bf5baf704f58b1dd1eadf08544"
},
"id": 18091,
"report_id": 13429,
"size_in_bytes": 1609
},
{
"content_type": "application/pdf; name=\"XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf\"",
"decoded_filename": "XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf",
"email_attachment_payload": {
"id": 7110,
"md5": "fb7f083f4fb93a88ab8110d857312978",
"mime_type": "application/pdf; charset=binary",
"sha256": "15ab1b20ada04dfc6285caff5e4da4eab09a9157c2cbe32cd96113da6304a5ee"
},
"id": 18093,
"report_id": 13429,
"size_in_bytes": 49597
}
],
"ID": 13429,
"Location": "Processed",
"MatchPriority": 1,
"Md5": "d312e79695d5de744436006aab6b4ec1",
"ReportBody": "Testing PDF attachment\r\n\r\n\r\nTest User | Director\r\nTEST\r\nm. 123-456-7890\r\ne. test@test.com<mailto:test@test.com>\r\n\r\nConnect with Cofense:\r\n\r\n[signature_527626984]<https://cofense.com/>[signature_379086648]<https://facebook.com/cofense>[signature_426568440]<https://twitter.com/cofense>[signature_1467413640]<https://linkedin.com/company/cofense>[signature_749445379]<https://www.instagram.com/cofense/>[signature_1384270593]<https://www.themuse.com/profiles/cofense>\r\n\r\nUniting Humanity Against Phishing. Watch Our Video<https://cofense.com/project/uhap-video/>\r\n\r\n",
"ReportSubject": "2020-06-04 XSOAR attachment test",
"ReportedAt": "2020-06-04T13:40:29.000Z",
"ReporterId": 5331,
"Sha256": "ba77b5d984f7da97b6f96daa442535c79f47e4b6ea0055e3472b855ee8c244e4",
"Tags": []
}
}
}

Human Readable Output

Reports:

Category IdCreated AtEmail AttachmentsIdLocationMatch PriorityMd5Report BodyReport SubjectReported AtReporter IdSha256
42020-06-04T13:42:26.173Z{'id': 18087, 'report_id': 13429, 'decoded_filename': 'image001.png', 'content_type': 'image/png; name=image001.png', 'size_in_bytes': 1397, 'email_attachment_payload': {'id': 7095, 'md5': '5008fb6e6652f56cac5bdc5bf1cbe9c2', 'sha256': '554aeaaace31c7038a09dd408945583e1035ec124a46b04e5c6c5b148dc96f68', 'mime_type': 'image/png; charset=binary'}},
{'id': 18089, 'report_id': 13429, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 1701, 'email_attachment_payload': {'id': 7097, 'md5': '731ffb7846c22e41e9de8de307c93ece', 'sha256': 'c911d07d1f7be624e00e44821148629d98cf6d0f2bfac112362c7c564522ea51', 'mime_type': 'image/png; charset=binary'}},
{'id': 18092, 'report_id': 13429, 'decoded_filename': 'image006.png', 'content_type': 'image/png; name=image006.png', 'size_in_bytes': 1994, 'email_attachment_payload': {'id': 7100, 'md5': '124bd437f87181fdfe3154b31fd2cf6b', 'sha256': '3d804c705545bf2a1e5ac6b0ea9b93a41ceb16d7453adebc58fba5df75335b20', 'mime_type': 'image/png; charset=binary'}},
{'id': 18088, 'report_id': 13429, 'decoded_filename': 'image002.png', 'content_type': 'image/png; name=image002.png', 'size_in_bytes': 1430, 'email_attachment_payload': {'id': 7096, 'md5': 'cc07463ceeaaed79783a7f2a607797f9', 'sha256': 'c6c2c95238f52648faaef4520fa9bba49c10ca0f1df9bfd1912be544f319b80b', 'mime_type': 'image/png; charset=binary'}},
{'id': 18090, 'report_id': 13429, 'decoded_filename': 'image004.png', 'content_type': 'image/png; name=image004.png', 'size_in_bytes': 1557, 'email_attachment_payload': {'id': 7098, 'md5': '95878e37974ed3cad67154d36dd58a9a', 'sha256': 'e0d478f6ce56721867a0584ddea0016d713b9b2ab758fd0c9be3f1409d6e2634', 'mime_type': 'image/png; charset=binary'}},
{'id': 18091, 'report_id': 13429, 'decoded_filename': 'image005.png', 'content_type': 'image/png; name=image005.png', 'size_in_bytes': 1609, 'email_attachment_payload': {'id': 7099, 'md5': '0e911498bf4dc5eddb544ab5ece4b06a', 'sha256': '5f2046b3c55a874aadde052f9da4af3c17e2b5bf5baf704f58b1dd1eadf08544', 'mime_type': 'image/png; charset=binary'}},
{'id': 18093, 'report_id': 13429, 'decoded_filename': 'XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf', 'content_type': 'application/pdf; name="XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf"', 'size_in_bytes': 49597, 'email_attachment_payload': {'id': 7110, 'md5': 'fb7f083f4fb93a88ab8110d857312978', 'sha256': '15ab1b20ada04dfc6285caff5e4da4eab09a9157c2cbe32cd96113da6304a5ee', 'mime_type': 'application/pdf; charset=binary'}}
13429Processed1d312e79695d5de744436006aab6b4ec1Testing PDF attachment


Test User | Director
COFENSE
m. 123-456-7890
e. test@test.comtest@test.com

Connect with Cofense:

[signature_527626984]https://cofense.com/[signature_379086648]https://facebook.com/cofense[signature_426568440]https://twitter.com/cofense[signature_1467413640]https://linkedin.com/company/cofense[signature_749445379]https://www.instagram.com/cofense/[signature_1384270593]https://www.themuse.com/profiles/cofense

Uniting Humanity Against Phishing. Watch Our Videohttps://cofense.com/project/uhap-video/

2020-06-04 XSOAR attachment test2020-06-04T13:40:29.000Z5331ba77b5d984f7da97b6f96daa442535c79f47e4b6ea0055e3472b855ee8c244e4

cofense-search-inbox-reports


Runs a query for reports from the inbox mailbox.

Base Command

cofense-search-reports

Input

Argument NameDescriptionRequired
file_hashFile hash, MD5 or SHA256.Optional
urlThe reported URLs.Optional
subjectReport's subjectOptional
reported_atRetrieve reports that were reported after this time, for example: "2 hours, 4 minutes, 6 month, 1 day".Optional
created_atRetrieve reports that were created after this time, for example: "2 hours, 4 minutes, 6 month, 1 day".Optional
reporterAddress or ID of the reporter.Optional
max_matchesMaximum number of matches to fetch. Default is 30.Optional
verboseReturns all fields of a report.Optional

Context Output

PathTypeDescription
Cofense.Report.IDunknownID number of the report.
Cofense.Report.EmailAttachmentsunknownEmail attachments.
Cofense.Report.EmailAttachments.idunknownEmail attachment ID.
Cofense.Report.TagsstringReport tags.
Cofense.Report.ClusterIdnumberCluster ID number.
Cofense.Report.CategoryIdnumberReport category.
Cofense.Report.CreatedAtdateReport creation date.
Cofense.Report.ReportedAtstringReporting time.
Cofense.Report.MatchPrioritynumberThe highest match priority based on rule hits for the report.
Cofense.Report.ReporterIdnumberReporter ID.
Cofense.Report.LocationstringLocation of the report.
Cofense.Report.ReporterstringReporter email address.
Cofense.Report.SuspectFromAddressstringSuspect from address.
Cofense.Report.ReportSubjectstringReport subject.
Cofense.Report.ReportBodystringReport body.
Cofense.Report.Md5numberMD5 hash of the file.
Cofense.Report.Sha256unknownSHA256 hash of the file.

Command Example

!cofense-search-inbox-reports reported_at="7 days" created_at="7 days" max_matches="1"

Context Example

{
"Cofense": {
"Report": {
"CategoryId": 4,
"ClusterId": null,
"CreatedAt": "2020-06-04T13:42:26.173Z",
"EmailAttachments": [
{
"content_type": "image/png; name=image001.png",
"decoded_filename": "image001.png",
"email_attachment_payload": {
"id": 7095,
"md5": "5008fb6e6652f56cac5bdc5bf1cbe9c2",
"mime_type": "image/png; charset=binary",
"sha256": "554aeaaace31c7038a09dd408945583e1035ec124a46b04e5c6c5b148dc96f68"
},
"id": 18087,
"report_id": 13429,
"size_in_bytes": 1397
},
{
"content_type": "image/png; name=image003.png",
"decoded_filename": "image003.png",
"email_attachment_payload": {
"id": 7097,
"md5": "731ffb7846c22e41e9de8de307c93ece",
"mime_type": "image/png; charset=binary",
"sha256": "c911d07d1f7be624e00e44821148629d98cf6d0f2bfac112362c7c564522ea51"
},
"id": 18089,
"report_id": 13429,
"size_in_bytes": 1701
},
{
"content_type": "image/png; name=image006.png",
"decoded_filename": "image006.png",
"email_attachment_payload": {
"id": 7100,
"md5": "124bd437f87181fdfe3154b31fd2cf6b",
"mime_type": "image/png; charset=binary",
"sha256": "3d804c705545bf2a1e5ac6b0ea9b93a41ceb16d7453adebc58fba5df75335b20"
},
"id": 18092,
"report_id": 13429,
"size_in_bytes": 1994
},
{
"content_type": "image/png; name=image002.png",
"decoded_filename": "image002.png",
"email_attachment_payload": {
"id": 7096,
"md5": "cc07463ceeaaed79783a7f2a607797f9",
"mime_type": "image/png; charset=binary",
"sha256": "c6c2c95238f52648faaef4520fa9bba49c10ca0f1df9bfd1912be544f319b80b"
},
"id": 18088,
"report_id": 13429,
"size_in_bytes": 1430
},
{
"content_type": "image/png; name=image004.png",
"decoded_filename": "image004.png",
"email_attachment_payload": {
"id": 7098,
"md5": "95878e37974ed3cad67154d36dd58a9a",
"mime_type": "image/png; charset=binary",
"sha256": "e0d478f6ce56721867a0584ddea0016d713b9b2ab758fd0c9be3f1409d6e2634"
},
"id": 18090,
"report_id": 13429,
"size_in_bytes": 1557
},
{
"content_type": "image/png; name=image005.png",
"decoded_filename": "image005.png",
"email_attachment_payload": {
"id": 7099,
"md5": "0e911498bf4dc5eddb544ab5ece4b06a",
"mime_type": "image/png; charset=binary",
"sha256": "5f2046b3c55a874aadde052f9da4af3c17e2b5bf5baf704f58b1dd1eadf08544"
},
"id": 18091,
"report_id": 13429,
"size_in_bytes": 1609
},
{
"content_type": "application/pdf; name=\"XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf\"",
"decoded_filename": "XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf",
"email_attachment_payload": {
"id": 7110,
"md5": "fb7f083f4fb93a88ab8110d857312978",
"mime_type": "application/pdf; charset=binary",
"sha256": "15ab1b20ada04dfc6285caff5e4da4eab09a9157c2cbe32cd96113da6304a5ee"
},
"id": 18093,
"report_id": 13429,
"size_in_bytes": 49597
}
],
"ID": 13429,
"Location": "Inbox",
"MatchPriority": 1,
"Md5": "d312e79695d5de744436006aab6b4ec1",
"ReportBody": "Testing PDF attachment\r\n\r\n\r\nTest User | Director\r\nTEST\r\nm. 123-456-7890\r\ne. test@test.com<mailto:test@test.com>\r\n\r\nConnect with Cofense:\r\n\r\n[signature_527626984]<https://cofense.com/>[signature_379086648]<https://facebook.com/cofense>[signature_426568440]<https://twitter.com/cofense>[signature_1467413640]<https://linkedin.com/company/cofense>[signature_749445379]<https://www.instagram.com/cofense/>[signature_1384270593]<https://www.themuse.com/profiles/cofense>\r\n\r\nUniting Humanity Against Phishing. Watch Our Video<https://cofense.com/project/uhap-video/>\r\n\r\n",
"ReportSubject": "2020-06-04 XSOAR attachment test",
"ReportedAt": "2020-06-04T13:40:29.000Z",
"ReporterId": 5331,
"Sha256": "ba77b5d984f7da97b6f96daa442535c79f47e4b6ea0055e3472b855ee8c244e4",
"Tags": []
}
}
}

Human Readable Output

Reports:

Category IdCreated AtEmail AttachmentsIdLocationMatch PriorityMd5Report BodyReport SubjectReported AtReporter IdSha256
42020-06-04T13:42:26.173Z{'id': 18087, 'report_id': 13429, 'decoded_filename': 'image001.png', 'content_type': 'image/png; name=image001.png', 'size_in_bytes': 1397, 'email_attachment_payload': {'id': 7095, 'md5': '5008fb6e6652f56cac5bdc5bf1cbe9c2', 'sha256': '554aeaaace31c7038a09dd408945583e1035ec124a46b04e5c6c5b148dc96f68', 'mime_type': 'image/png; charset=binary'}},
{'id': 18089, 'report_id': 13429, 'decoded_filename': 'image003.png', 'content_type': 'image/png; name=image003.png', 'size_in_bytes': 1701, 'email_attachment_payload': {'id': 7097, 'md5': '731ffb7846c22e41e9de8de307c93ece', 'sha256': 'c911d07d1f7be624e00e44821148629d98cf6d0f2bfac112362c7c564522ea51', 'mime_type': 'image/png; charset=binary'}},
{'id': 18092, 'report_id': 13429, 'decoded_filename': 'image006.png', 'content_type': 'image/png; name=image006.png', 'size_in_bytes': 1994, 'email_attachment_payload': {'id': 7100, 'md5': '124bd437f87181fdfe3154b31fd2cf6b', 'sha256': '3d804c705545bf2a1e5ac6b0ea9b93a41ceb16d7453adebc58fba5df75335b20', 'mime_type': 'image/png; charset=binary'}},
{'id': 18088, 'report_id': 13429, 'decoded_filename': 'image002.png', 'content_type': 'image/png; name=image002.png', 'size_in_bytes': 1430, 'email_attachment_payload': {'id': 7096, 'md5': 'cc07463ceeaaed79783a7f2a607797f9', 'sha256': 'c6c2c95238f52648faaef4520fa9bba49c10ca0f1df9bfd1912be544f319b80b', 'mime_type': 'image/png; charset=binary'}},
{'id': 18090, 'report_id': 13429, 'decoded_filename': 'image004.png', 'content_type': 'image/png; name=image004.png', 'size_in_bytes': 1557, 'email_attachment_payload': {'id': 7098, 'md5': '95878e37974ed3cad67154d36dd58a9a', 'sha256': 'e0d478f6ce56721867a0584ddea0016d713b9b2ab758fd0c9be3f1409d6e2634', 'mime_type': 'image/png; charset=binary'}},
{'id': 18091, 'report_id': 13429, 'decoded_filename': 'image005.png', 'content_type': 'image/png; name=image005.png', 'size_in_bytes': 1609, 'email_attachment_payload': {'id': 7099, 'md5': '0e911498bf4dc5eddb544ab5ece4b06a', 'sha256': '5f2046b3c55a874aadde052f9da4af3c17e2b5bf5baf704f58b1dd1eadf08544', 'mime_type': 'image/png; charset=binary'}},
{'id': 18093, 'report_id': 13429, 'decoded_filename': 'XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf', 'content_type': 'application/pdf; name="XSOAR Attachment Test -Inquiry - Agent Tesla Keylogger.pdf"', 'size_in_bytes': 49597, 'email_attachment_payload': {'id': 7110, 'md5': 'fb7f083f4fb93a88ab8110d857312978', 'sha256': '15ab1b20ada04dfc6285caff5e4da4eab09a9157c2cbe32cd96113da6304a5ee', 'mime_type': 'application/pdf; charset=binary'}}
13429Processed1d312e79695d5de744436006aab6b4ec1Testing PDF attachment


Test User | Director
TEST
m. 123-456-7890
e. test@test.comtest@test.com

Connect with Cofense:

[signature_527626984]https://cofense.com/[signature_379086648]https://facebook.com/cofense[signature_426568440]https://twitter.com/cofense[signature_1467413640]https://linkedin.com/company/cofense[signature_749445379]https://www.instagram.com/cofense/[signature_1384270593]https://www.themuse.com/profiles/cofense

Uniting Humanity Against Phishing. Watch Our Videohttps://cofense.com/project/uhap-video/

2020-06-04 XSOAR attachment test2020-06-04T13:40:29.000Z5331ba77b5d984f7da97b6f96daa442535c79f47e4b6ea0055e3472b855ee8c244e4

cofense-get-attachment


Retrieves an attachment by the attachment ID number.

Base Command

cofense-get-attachment

Input

Argument NameDescriptionRequired
attachment_idID of the attachment.Required

Context Output

PathTypeDescription
File.SizenumberFile size.
File.TypestringFile type, for example: "PE", "txt"
File.EntryIDstringThe file entry ID.
File.NamestringFile name.
File.SHA1stringFile SHA1 hash.
File.SHA256stringFile SHA256 hash.
File.MD5stringFile MD5 hash.

Command Example

!cofense-get-attachment attachment_id="13311"

Context Example

{
"File": {
"EntryID": "603@cc18bdc4-7c64-494c-879c-23c3aee60818",
"Info": "text/plain",
"MD5": "97ee1d575640245abadbba15c0672eec",
"Name": "13311",
"SHA1": "13395876300d0a575812878446e15b9bbddda0b2",
"SHA256": "19d9c63bf4067a897950cfb72c14e8d05d8dcab0655979c6b60b925fb91e329f",
"SHA512": "31df48f235cc82247c6edc05850f910d6a057717d5d5f6ce84a4bc6c6fc3cc1f6ebae706ac592ace106b0559753928a838a1aee7018bec5b4316b90d95f55bcf",
"SSDeep": "24:nDBTBpJG4hbUWBFcXekJPkJ1WkJM8PWkJKckJvV/WskJvV28BesR1zvX0:nDNrHb1BWXekJPkJ1WkJfPWkJDkJvV/n",
"Size": 988,
"Type": "ASCII text, with CRLF line terminators"
}
}

Human Readable Output

cofense-get-reporter


Retrieves Email address of the reporter by ID

Base Command

cofense-get-reporter

Input

Argument NameDescriptionRequired
reporter_idID of the reporter.Required

Context Output

PathTypeDescription
Cofense.Reporter.IDnumberID of the reporter.
Cofense.Reporter.EmailstringReporter email address.
Cofense.Reporter.CreatedAtstringReporter creation date.
Cofense.Reporter.UpdatedAtstringReporter last-updated date.
Cofense.Reporter.CreditibilityScorenumberReporter credibility score.
Cofense.Reporter.ReportsCountnumberNumber of reports.
Cofense.Reporter.LastReportedAtstringDate of most recent report.
Cofense.Reporter.VIPboolWhether Reporter is a VIP.

Command Example

!cofense-get-reporter reporter_id="1"

Context Example

{
"Cofense": {
"Reporter": {
"CreatedAt": "2019-04-12T02:58:17.401Z",
"CredibilityScore": 0,
"Email": "ha.oullette@example.com",
"ID": 1,
"LastReportedAt": "2016-02-18T00:24:45.000Z",
"ReportsCount": 3,
"UpdatedAt": "2019-04-12T02:59:22.287Z",
"Vip": false
}
}
}

Human Readable Output

Integration log: cmel case attrs: {'ID': 1, 'Email': 'ha.oullette@example.com', 'CreatedAt': '2019-04-12T02:58:17.401Z', 'UpdatedAt': '2019-04-12T02:59:22.287Z', 'CredibilityScore': 0, 'ReportsCount': 3, 'LastReportedAt': '2016-02-18T00:24:45.000Z', 'Vip': False}### Reporter Results: |Created At|Credibility Score|Email|Id|Last Reported At|Reports Count|Updated At|Vip| |---|---|---|---|---|---|---|---| | 2019-04-12T02:58:17.401Z | 0 | ha.oullette@example.com | 1 | 2016-02-18T00:24:45.000Z | 3 | 2019-04-12T02:59:22.287Z | false |

cofense-get-report-by-id


Retrieves a report by the report ID number.

Base Command

cofense-get-report-by-id

Input

Argument NameDescriptionRequired
report_idID of the reportRequired

Context Output

PathTypeDescription
Cofense.Report.IDnumberID number of the report.
Cofense.Report.EmailAttachmentsstringEmail attachments.
Cofense.Report.EmailAttachments.idstringEmail attachment ID.
Cofense.Report.TagsstringReport tags.
Cofense.Report.ClusterIdnumberCluster ID number.
Cofense.Report.CategoryIdnumberReport category.
Cofense.Report.CreatedAtstringReport creation date.
Cofense.Report.ReportedAtstringReporting time.
Cofense.Report.MatchPrioritynumberThe highest match priority based on rule hits for the report.
Cofense.Report.ReporterIdnumberReporter ID.
Cofense.Report.LocationstringLocation of the report.
Cofense.Report.ReporterstringReporter email address.
Cofense.Report.SuspectFromAddressstringSuspect from address.
Cofense.Report.ReportSubjectstringReport subject.
Cofense.Report.ReportBodystringReport body.
Cofense.Report.Md5numberMD5 hash of the file.
Cofense.Report.Sha256unknownSHA256 hash of the file.

Command Example

!cofense-get-report-by-id report_id="5760"

Context Example

{
"Cofense": {
"Report": {
"CategoryId": 4,
"ClusterId": null,
"CreatedAt": "2019-04-17T20:53:02.090Z",
"EmailAttachments": [],
"ID": 5760,
"Location": "Processed",
"MatchPriority": 0,
"Md5": "f13bbc172fe7d394828ccabb25c3c99e",
"ReportSubject": "test@test.net Reset password instruction",
"ReportedAt": "2019-04-17T16:54:57.000Z",
"ReporterId": 3280,
"Sha256": "4f6bc0d9c1217a2a6f327423e16b7a6e9294c68cfb33864541bd805fe4ab2d72",
"Tags": []
}
}
}

Human Readable Output

{"HumanReadable":"### Cofense HTML Report:\nHTML report download request has been completed","name":"5760-report.html","path":"aaf1160b-9176-45d9-aab9-90efd278e05d"}### Report Summary: |Category Id|Created At|Id|Location|Match Priority|Md5|Report Subject|Reported At|Reporter Id|Sha256| |---|---|---|---|---|---|---|---|---|---| | 4 | 2019-04-17T20:53:02.090Z | 5760 | Processed | 0 | f13bbc172fe7d394828ccabb25c3c99e | test@test.nul Reset password instruction | 2019-04-17T16:54:57.000Z | 3280 | 4f6bc0d9c1217a2a6f327423e16b7a6e9294c68cfb33864541bd805fe4ab2d72 |

cofense-get-report-png-by-id


Retrieves a report by the report ID number and displays as PNG

Base Command

cofense-get-report-png-by-id

Input

Argument NameDescriptionRequired
report_idReport ID PNG outputRequired
set_white_bgChange background to whiteOptional

Context Output

There is no context output for this command.

Command Example

!cofense-get-report-png-by-id report_id="5760" set_white_bg="True"

Context Example

{
"InfoFile": {
"EntryID": "616@cc18bdc4-7c64-494c-879c-23c3aee60818",
"Extension": "png",
"Info": "image/png",
"Name": "cofense_report_5760.png",
"Size": 40692,
"Type": "PNG image data, 400 x 369, 8-bit/color RGBA, non-interlaced"
}
}

Human Readable Output

Cofense: PNG of Report 5760

cofense-get-threat-indicators


Threat Indicators that are designated by analysts as malicious, suspicious or benign

Base Command

cofense-get-threat-indicators

Input

Argument NameDescriptionRequired
typeindicator typeOptional
levelindicator severityOptional
start_datedesignated start date tagged by analyst (format example: YYYY-MM-DD+HH:MM:SS). Default: 6 days ago.Optional
end_datedesignated end date from assignment (format example: YYYY-MM-DD+HH:MM:SS). Default: current date.Optional

Context Output

PathTypeDescription
Cofense.ThreatIndicatorsunknownThreat indicator output
Cofense.ThreatIndicators.IDnumberThreat indicator ID in Cofense Triage.
Cofense.ThreatIndicators.OperatorIdnumberCofense Triage operator who designated the threat indicator.
Cofense.ThreatIndicators.ReportIdnumberAssociated Report in Cofense Triage.
Cofense.ThreatIndicators.ThreatKeystringThreat indicator type.
Cofense.ThreatIndicators.ThreatLevelstringThreat indicator level.
Cofense.ThreatIndicators.ThreatValuestringValue of the threat indicator.

Command Example

!cofense-get-threat-indicators type="URL" level="Malicious" start_date="2020-05-28"

Context Example

{
"Cofense": {
"ThreatIndicators": {
"CreatedAt": "2020-05-28T22:14:52.690Z",
"ID": 75,
"OperatorId": 2,
"ReportId": 5760,
"ThreatKey": "URL",
"ThreatLevel": "Malicious",
"ThreatValue": "http://bold-air0example.com/notification.php?email=test@test.net"
}
}
}

Human Readable Output

Threat Indicators:

Created AtIdOperator IdReport IdThreat KeyThreat LevelThreat Value
2020-05-28T22:14:52.690Z7525760URLMalicioushttp://bold-air0example.com/notification.php?email=test@test.net