Fortinet Document Library

Version:


Table of Contents

1.0.0
Copy Link

About the connector

Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.

This document provides information about the Cofense Triage connector, which facilitates automated interactions, with your Cofense Triage endpoint using FortiSOAR™ playbooks. Add the Cofense Triage connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving clusters, reports, and threat triage indicators from Cofense Triage.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-cofense-triage

Prerequisites to configuring the connector

  • You must have the URL of Cofense Triage server to which you will connect and perform automated operations.
  • You must have the username and API token that will be used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cofense Triage connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Cofense Triage server to which you will connect and perform automated operations.
User Username used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
API Token API Token used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Clusters Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all clusters from Cofense Triage.
get_clusters
Investigation
Get Cluster Details Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. get_cluster_details
Investigation
Get Last Cluster Details Retrieves the ID of the last cluster triage that was created on Cofense Triage. get_last_cluster_details
Investigation
Get Reports Retrieves reports from Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all reports from Cofense Triage.
get_reports
Investigation
Get Report Details Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. get_report_details
Investigation
Get Report Email Attachment Retrieves a specific raw email attachment from Cofense Triage based on the report ID you have specified. get_report_email_attachment
Investigation
Get Inbox Reports Retrieves a list of uncategorized reports from Cofense Triage "Inbox" and "Recon" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all uncategorized reports from Cofense Triage.
get_inbox_reports
Investigation
Get Processed Reports Retrieves a list of categorized reports from Cofense Triage "Processed" folder based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_processed_reports
Investigation
Get Last Report Retrieves the ID of the last report from Cofense Triage. get_last_report
Investigation
Get Last Inbox Report Retrieves the ID of the last inbox report from Cofense Triage. get_last_inbox_report
Investigation
Get Last Processed Report Retrieves the ID of the last processed report from Cofense Triage. get_last_processed_report
Investigation
Get Report Reporters Details Retrieves a list of IDs of all reporters and the number of reports those individuals reported from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_report_reporters_details
Investigation
Get Attachment Details Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified get_attachment_details
Investigation
Get Triage Threat Indicators Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_triage_threat_indicators
Investigation

operation: Get Clusters

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving clusters from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Start Date Datetime from when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster (for example, reports or tags added to or deleted from the cluster within the specified date range).
Note: By default, Cofense Triage will retrieve clusters from six days ago.
End Date Datetime till when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster.
Note: By default, Cofense Triage will retrieve clusters till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch

Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Cluster Details

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Cluster ID ID of the cluster whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Last Cluster Details

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Category ID ID of the category for processed reports whose details you want to retrieve from Cofense Triage.
Start Date Datetime from when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve reports from six days ago.
End Date Datetime till when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Report Details

Input parameters

Parameter Description
Report ID ID of the report whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Report Email Attachment

Input parameters

Parameter Description
Report ID ID of the report whose email attachment you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Inbox Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving uncategorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Start Date Datetime from when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve uncategorized reports from six days ago.
End Date Datetime till when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report.
Note: By default, Cofense Triage will retrieve uncategorized reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Processed Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving categorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Category ID ID of the category for processed reports whose details you want to retrieve from Cofense Triage.
Start Date Datetime from when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve categorized reports from six days ago.
End Date Datetime till when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report.
Note: By default, Cofense Triage will retrieve categorized reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Last Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Last Inbox Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Last Processed Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Report Reporters Details

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Date Datetime from when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported from six days ago.
End Date Datetime till when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported till the current time.

Output

The output contains a non-dictionary value.

operation: Get Attachment Details

Input parameters

Parameter Description
Attachment ID ID of the attachment whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Triage Threat Indicators

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Type Type of triage threat whose associated indicators you want to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, or SHA256.
Level Level of triage threat based on which you want to retrieve indicators from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign.
Start Date Datetime from when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat (for example, reports or tags added to or deleted from the threat within the specified date range).
Note: By default, Cofense Triage will retrieve triage threat indicators from six days ago.
End Date Datetime till when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat.
Note: By default, Cofense Triage will retrieve triage threat indicators till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Cofense Triage - 1.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.

  • Get Attachment Details
  • Get Cluster Details
  • Get Clusters
  • Get Inbox Reports
  • Get Last Cluster Details
  • Get Last Inbox Report
  • Get Last Processed Report
  • Get Last Report
  • Get Processed Reports
  • Get Report Details
  • Get Report Email Attachment
  • Get Report Reporters Details
  • Get Reports
  • Get Triage Threat Indicators

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

About the connector

Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.

This document provides information about the Cofense Triage connector, which facilitates automated interactions, with your Cofense Triage endpoint using FortiSOAR™ playbooks. Add the Cofense Triage connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving clusters, reports, and threat triage indicators from Cofense Triage.

Version information

Connector Version: 1.0.0

Authored By: Community

Certified: No

Installing the connector

From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed procedure to install a connector, click here.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered using a FortiSOAR™ repository. Therefore, you must set up your FortiSOAR™ repository and run the yum command as a root user to install connectors:

yum install cyops-connector-cofense-triage

Prerequisites to configuring the connector

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Connectors page, click the Cofense Triage connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details: 

Parameter Description
Server URL URL of the Cofense Triage server to which you will connect and perform automated operations.
User Username used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
API Token API Token used to access the Cofense Triage endpoint to which you will connect and perform the automated operations.
Verify SSL Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True.

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:

Function Description Annotation and Category
Get Clusters Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all clusters from Cofense Triage.
get_clusters
Investigation
Get Cluster Details Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. get_cluster_details
Investigation
Get Last Cluster Details Retrieves the ID of the last cluster triage that was created on Cofense Triage. get_last_cluster_details
Investigation
Get Reports Retrieves reports from Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all reports from Cofense Triage.
get_reports
Investigation
Get Report Details Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. get_report_details
Investigation
Get Report Email Attachment Retrieves a specific raw email attachment from Cofense Triage based on the report ID you have specified. get_report_email_attachment
Investigation
Get Inbox Reports Retrieves a list of uncategorized reports from Cofense Triage "Inbox" and "Recon" folders based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all uncategorized reports from Cofense Triage.
get_inbox_reports
Investigation
Get Processed Reports Retrieves a list of categorized reports from Cofense Triage "Processed" folder based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_processed_reports
Investigation
Get Last Report Retrieves the ID of the last report from Cofense Triage. get_last_report
Investigation
Get Last Inbox Report Retrieves the ID of the last inbox report from Cofense Triage. get_last_inbox_report
Investigation
Get Last Processed Report Retrieves the ID of the last processed report from Cofense Triage. get_last_processed_report
Investigation
Get Report Reporters Details Retrieves a list of IDs of all reporters and the number of reports those individuals reported from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_report_reporters_details
Investigation
Get Attachment Details Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified get_attachment_details
Investigation
Get Triage Threat Indicators Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified.
Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
get_triage_threat_indicators
Investigation

operation: Get Clusters

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving clusters from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Start Date Datetime from when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster (for example, reports or tags added to or deleted from the cluster within the specified date range).
Note: By default, Cofense Triage will retrieve clusters from six days ago.
End Date Datetime till when you want to retrieve clusters from Cofense Triage.
To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster.
Note: By default, Cofense Triage will retrieve clusters till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch

Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Cluster Details

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Cluster ID ID of the cluster whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Last Cluster Details

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Category ID ID of the category for processed reports whose details you want to retrieve from Cofense Triage.
Start Date Datetime from when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve reports from six days ago.
End Date Datetime till when you want to retrieve reports from Cofense Triage.
To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Report Details

Input parameters

Parameter Description
Report ID ID of the report whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Report Email Attachment

Input parameters

Parameter Description
Report ID ID of the report whose email attachment you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Inbox Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving uncategorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Start Date Datetime from when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve uncategorized reports from six days ago.
End Date Datetime till when you want to retrieve uncategorized reports from Cofense Triage.
To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report.
Note: By default, Cofense Triage will retrieve uncategorized reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Processed Reports

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Priority Highest priority that you want to match for retrieving categorized reports from Cofense Triage, You can specify the priority value as any value between 1 to 5.
Category ID ID of the category for processed reports whose details you want to retrieve from Cofense Triage.
Start Date Datetime from when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve categorized reports from six days ago.
End Date Datetime till when you want to retrieve categorized reports from Cofense Triage.
To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report.
Note: By default, Cofense Triage will retrieve categorized reports till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

operation: Get Last Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Last Inbox Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Last Processed Report

Input parameters

None.

Output

The output contains a non-dictionary value.

operation: Get Report Reporters Details

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Start Date Datetime from when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range).
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported from six days ago.
End Date Datetime till when you want to retrieve the list IDs of all reporters and the number of reports those individuals reported from Cofense Triage.
To determine whether to include a reporter's ID in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report.
Note: By default, Cofense Triage will retrieve the list IDs of all reporters and the number of reports those individuals reported till the current time.

Output

The output contains a non-dictionary value.

operation: Get Attachment Details

Input parameters

Parameter Description
Attachment ID ID of the attachment whose details you want to retrieve from Cofense Triage.

Output

The output contains a non-dictionary value.

operation: Get Triage Threat Indicators

Input parameters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.

Parameter Description
Type Type of triage threat whose associated indicators you want to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, or SHA256.
Level Level of triage threat based on which you want to retrieve indicators from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign.
Start Date Datetime from when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat (for example, reports or tags added to or deleted from the threat within the specified date range).
Note: By default, Cofense Triage will retrieve triage threat indicators from six days ago.
End Date Datetime till when you want to retrieve triage threat indicators from Cofense Triage.
To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat.
Note: By default, Cofense Triage will retrieve triage threat indicators till the current time.
Page Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results.
Number of Results to Fetch Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is set items to 50.

Output

The output contains a non-dictionary value.

Included playbooks

The Sample - Cofense Triage - 1.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.