About the connector
Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.
This document provides information about the Cofense Triage connector, which facilitates automated interactions, with your Cofense Triage endpoint using FortiSOAR™ playbooks. Add the Cofense Triage connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving clusters, reports, and threat triage indicators from Cofense Triage.
Version information
Connector Version: 1.0.0
Authored By: Community
Certified: No
Installing the connector
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:
yum install cyops-connector-cofense-triage
Prerequisites to configuring the connector
- You must have the URL of Cofense Triage server to which you will connect and perform automated operations.
- You must have the username and API token that will be used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, click the Cofense Triage connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
| Parameter |
Description |
| Server URL |
URL of the Cofense Triage server to which you will connect and perform automated operations. |
| User |
Username used to access the Cofense Triage endpoint to which you will connect and perform the automated operations. |
| API Token |
API Token used to access the Cofense Triage endpoint to which you will connect and perform the automated operations. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Clusters |
Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all clusters from Cofense Triage. |
get_clusters
Investigation |
| Get Cluster Details |
Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. |
get_cluster_details
Investigation |
| Get Last Cluster Details |
Retrieves the ID of the last cluster triage that was created on Cofense Triage. |
get_last_cluster_details
Investigation |
| Get Reports |
Retrieves reports from Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all reports from Cofense Triage. |
get_reports
Investigation |
| Get Report Details |
Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. |
get_report_details
Investigation |
| Get Report Email Attachment |
Retrieves a specific raw email attachment from Cofense Triage based on the report ID you have specified. |
get_report_email_attachment
Investigation |
| Get Inbox Reports |
Retrieves a list of uncategorized reports from Cofense Triage "Inbox" and "Recon" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all uncategorized reports from Cofense Triage. |
get_inbox_reports
Investigation |
| Get Processed Reports |
Retrieves a list of categorized reports from Cofense Triage "Processed" folder based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage. |
get_processed_reports
Investigation |
| Get Last Report |
Retrieves the ID of the last report from Cofense Triage. |
get_last_report
Investigation |
| Get Last Inbox Report |
Retrieves the ID of the last inbox report from Cofense Triage. |
get_last_inbox_report
Investigation |
| Get Last Processed Report |
Retrieves the ID of the last processed report from Cofense Triage. |
get_last_processed_report
Investigation |
| Get Report Reporters Details |
Retrieves a list of IDs of all reporters and the number of reports those individuals reported from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage. |
get_report_reporters_details
Investigation |
| Get Attachment Details |
Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified |
get_attachment_details
Investigation |
| Get Triage Threat Indicators |
Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage. |
get_triage_threat_indicators
Investigation |
operation: Get Clusters
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Priority |
Highest priority that you want to match for retrieving clusters from Cofense Triage, You can specify the priority value as any value between 1 to 5. |
| Start Date |
Datetime from when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster (for example, reports or tags added to or deleted from the cluster within the specified date range).
Note: By default, Cofense Triage will retrieve clusters from six days ago. |
| End Date |
Datetime till when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster.
Note: By default, Cofense Triage will retrieve clusters till the current time. |
| Page |
Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.
|
Output
The output contains a non-dictionary value.
operation: Get Cluster Details
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Cluster ID |
ID of the cluster whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Last Cluster Details
Input parameters
None.
Output
The output contains a non-dictionary value.
operation: Get Reports
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Priority |
Highest priority that you want to match for retrieving reports from Cofense Triage, You can specify the priority value as any value between 1 to 5. |
| Category ID |
ID of the category for processed reports whose details you want to retrieve from Cofense Triage. |
| Start Date |
Datetime from when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve reports from six days ago. |
| End Date |
Datetime till when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve reports till the current time. |
| Page |
Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50. |
Output
The output contains a non-dictionary value.
operation: Get Report Details
Input parameters
| Parameter |
Description |
| Report ID |
ID of the report whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Report Email Attachment
Input parameters
| Parameter |
Description |
| Report ID |
ID of the report whose email attachment you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Inbox Reports
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Priority |
Highest priority that you want to match for retrieving uncategorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5. |
| Start Date |
Datetime from when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve uncategorized reports from six days ago. |
| End Date |
Datetime till when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report.
Note: By default, Cofense Triage will retrieve uncategorized reports till the current time. |
| Page |
Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50. |
Output
The output contains a non-dictionary value.
operation: Get Processed Reports
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Priority |
Highest priority that you want to match for retrieving categorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5. |
| Category ID |
ID of the category for processed reports whose details you want to retrieve from Cofense Triage. |
| Start Date |
Datetime from when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve categorized reports from six days ago. |
| End Date |
Datetime till when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report.
Note: By default, Cofense Triage will retrieve categorized reports till the current time. |
| Page |
Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50. |
Output
The output contains a non-dictionary value.
operation: Get Last Report
Input parameters
None.
Output
The output contains a non-dictionary value.
operation: Get Last Inbox Report
Input parameters
None.
Output
The output contains a non-dictionary value.
operation: Get Last Processed Report
Input parameters
None.
Output
The output contains a non-dictionary value.
operation: Get Report Reporters Details
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Start Date |
Datetime from when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported from six days ago. |
| End Date |
Datetime till when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported till the current time. |
Output
The output contains a non-dictionary value.
operation: Get Attachment Details
Input parameters
| Parameter |
Description |
| Attachment ID |
ID of the attachment whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Triage Threat Indicators
Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter |
Description |
| Type |
Type of triage threat whose associated indicators you want to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, or SHA256. |
| Level |
Level of triage threat based on which you want to retrieve indicators from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign. |
| Start Date |
Datetime from when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat (for example, reports or tags added to or deleted from the threat within the specified date range).
Note: By default, Cofense Triage will retrieve triage threat indicators from six days ago. |
| End Date |
Datetime till when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat.
Note: By default, Cofense Triage will retrieve triage threat indicators till the current time. |
| Page |
Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50. |
Output
The output contains a non-dictionary value.
Included playbooks
The Sample - Cofense Triage - 1.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.
- Get Attachment Details
- Get Cluster Details
- Get Clusters
- Get Inbox Reports
- Get Last Cluster Details
- Get Last Inbox Report
- Get Last Processed Report
- Get Last Report
- Get Processed Reports
- Get Report Details
- Get Report Email Attachment
- Get Report Reporters Details
- Get Reports
- Get Triage Threat Indicators
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
