Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.
This document describes the Cofense Triage connector, which lets FortiSOAR™ playbooks interact with your Cofense Triage endpoint. Add the Cofense Triage connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving clusters, reports, and triage threat indicators from Cofense Triage.
Connector Version: 1.0.0
Authored By: Community
Certified: No
From version 5.0.0 onwards, use the Connector Store to install the connector. For the detailed installation procedure, see the FortiSOAR™ documentation on installing connectors.
You can also use the yum command to install connectors. Connectors provided by FortiSOAR™ are delivered from a FortiSOAR™ repository, so you must set up the FortiSOAR™ repository and run the yum command as the root user to install connectors:
yum install cyops-connector-cofense-triage
For the procedure to configure a connector, see the FortiSOAR™ documentation on configuring connectors.
In FortiSOAR™, on the Connectors page, click the Cofense Triage connector row (if you are in the Grid view on the Connectors page) and in the Configurations tab enter the required configuration details:
Parameter | Description |
---|---|
Server URL | URL of the Cofense Triage server to which you will connect and perform automated operations. |
User | Username used to access the Cofense Triage endpoint to which you will connect and perform the automated operations. |
API Token | API Token used to access the Cofense Triage endpoint to which you will connect and perform the automated operations. The token is a credential: use a Cofense Triage user dedicated to the connector so its API activity can be audited separately from analysts' interactive use. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. Leave it enabled outside of lab setups: with verification off, the user name and API token sent on every request can be read by anyone able to intercept the connection to the Cofense Triage server. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from version 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get Clusters | Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all clusters from Cofense Triage. | get_clusters Investigation |
Get Cluster Details | Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. | get_cluster_details Investigation |
Get Last Cluster Details | Retrieves the ID of the most recently created cluster on Cofense Triage. | get_last_cluster_details Investigation |
Get Reports | Retrieves reports from the Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all reports from Cofense Triage. | get_reports Investigation |
Get Report Details | Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. | get_report_details Investigation |
Get Report Email Attachment | Retrieves a specific raw email attachment from Cofense Triage based on the report ID you have specified. | get_report_email_attachment Investigation |
Get Inbox Reports | Retrieves a list of uncategorized reports from the Cofense Triage "Inbox" and "Recon" folders based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all uncategorized reports from Cofense Triage. | get_inbox_reports Investigation |
Get Processed Reports | Retrieves a list of categorized reports from the Cofense Triage "Processed" folder based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage. | get_processed_reports Investigation |
Get Last Report | Retrieves the ID of the last report from Cofense Triage. | get_last_report Investigation |
Get Last Inbox Report | Retrieves the ID of the last inbox report from Cofense Triage. | get_last_inbox_report Investigation |
Get Last Processed Report | Retrieves the ID of the last processed report from Cofense Triage. | get_last_processed_report Investigation |
Get Report Reporters Details | Retrieves a list of the IDs of all reporters, and the number of reports each of them submitted, from Cofense Triage based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all reporters from Cofense Triage. | get_report_reporters_details Investigation |
Get Attachment Details | Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified | get_attachment_details Investigation |
Get Triage Threat Indicators | Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified. Note: If you do not specify any input parameters, then this operation will retrieve all triage threat indicators from Cofense Triage. | get_triage_threat_indicators Investigation |
Operation: Get Clusters
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Priority | Highest priority to match when retrieving clusters from Cofense Triage. Specify a value from 1 to 5. |
Start Date | Datetime from when you want to retrieve clusters from Cofense Triage. To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster (for example, reports or tags added to or deleted from the cluster within the specified date range). Note: By default, Cofense Triage will retrieve clusters from six days ago. |
End Date | Datetime till when you want to retrieve clusters from Cofense Triage. To determine whether to include a cluster in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the cluster. Note: By default, Cofense Triage will retrieve clusters till the current time. |
Page | Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Number of Results to Fetch | Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is 50. |
The output contains a non-dictionary value.
Operation: Get Cluster Details
Cluster ID is a required parameter.
Parameter | Description |
---|---|
Cluster ID | ID of the cluster whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Operation: Get Last Cluster Details
Input parameters: None.
The output contains a non-dictionary value.
Operation: Get Reports
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Priority | Highest priority to match when retrieving reports from Cofense Triage. Specify a value from 1 to 5. |
Category ID | ID of the category for processed reports whose details you want to retrieve from Cofense Triage. |
Start Date | Datetime from when you want to retrieve reports from Cofense Triage. To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report (for example, reports or tags added to or deleted from the report within the specified date range). Note: By default, Cofense Triage will retrieve reports from six days ago. |
End Date | Datetime till when you want to retrieve reports from Cofense Triage. To determine whether to include a report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the report. Note: By default, Cofense Triage will retrieve reports till the current time. |
Page | Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Number of Results to Fetch | Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is 50. |
The output contains a non-dictionary value.
Operation: Get Report Details
Report ID is a required parameter.
Parameter | Description |
---|---|
Report ID | ID of the report whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Operation: Get Report Email Attachment
Report ID is a required parameter. The operation returns the raw email as reported; handle it as untrusted input (parse it, do not render or open it on the analyst's workstation).
Parameter | Description |
---|---|
Report ID | ID of the report whose email attachment you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
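The raw message returned by Get Report Email Attachment is the natural place to derive the indicator kinds that Get Triage Threat Indicators classifies (Subject, Sender, Domain, URL, MD5, SHA256). The following is an added example, not code from the FortiSOAR connector or from Cofense: it parses a constructed phishing email with Python's standard email library, never renders the body, and hashes attachments instead of opening them. The message, addresses and URLs are constructed for the example; the function is hypothetical and not a connector operation.

```python
"""
Added example (not FortiSOAR connector or Cofense code): derive the
indicator kinds the page lists (Subject, Sender, Domain, URL, MD5, SHA256)
from a raw reported email, treating the message as untrusted input.
"""
import hashlib
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlsplit

# Plain URL matcher for text parts; stops at whitespace and common delimiters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample: a credential-phishing lure with a small ZIP attachment.
# The sender domain, URLs and attachment bytes are made up for this example.
RAW_EML = b"""\
From: "IT Helpdesk" <helpdesk@examp1e-login.test>
To: alice@example.com
Subject: Password expires today
Date: Mon, 15 Jan 2024 09:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your password expires today. Reset it at
http://examp1e-login.test/reset?u=alice or https://cdn.example.net/help
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""


def extract_indicators(raw: bytes) -> Dict[str, List[str]]:
    """Parse a raw RFC 822 message and return indicator values grouped by kind."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    sender = parseaddr(str(msg.get("From", "")))[1]

    # URLs: scan text bodies only; HTML is searched as text, never rendered.
    urls: List[str] = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))

    # Domains: sender domain plus the host of every URL found.
    domains = set()
    if "@" in sender:
        domains.add(sender.split("@", 1)[1].lower())
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            domains.add(host.lower())

    # Attachments: hash the decoded bytes; the file itself is never opened.
    md5s, sha256s, names = [], [], []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        names.append(part.get_filename() or "")
        md5s.append(hashlib.md5(data).hexdigest())
        sha256s.append(hashlib.sha256(data).hexdigest())

    return {
        "Subject": [subject],
        "Sender": [sender],
        "Domain": sorted(domains),
        "URL": sorted(set(urls)),
        "MD5": md5s,
        "SHA256": sha256s,
        "attachment_names": names,
    }


if __name__ == "__main__":
    for kind, values in extract_indicators(RAW_EML).items():
        print(f"{kind}: {values}")
```

The hashes produced here can be compared directly against the MD5 and SHA256 indicators returned by Get Triage Threat Indicators, and the sender and URL hosts against its Domain and Sender indicators.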
Operation: Get Inbox Reports
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Priority | Highest priority to match when retrieving uncategorized reports from Cofense Triage. Specify a value from 1 to 5. |
Start Date | Datetime from when you want to retrieve uncategorized reports from Cofense Triage. To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report (for example, reports or tags added to or deleted from the report within the specified date range). Note: By default, Cofense Triage will retrieve uncategorized reports from six days ago. |
End Date | Datetime till when you want to retrieve uncategorized reports from Cofense Triage. To determine whether to include an uncategorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the uncategorized report. Note: By default, Cofense Triage will retrieve uncategorized reports till the current time. |
Page | Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Number of Results to Fetch | Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is 50. |
The output contains a non-dictionary value.
Operation: Get Processed Reports
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Priority | Highest priority to match when retrieving categorized reports from Cofense Triage. Specify a value from 1 to 5. |
Category ID | ID of the category for processed reports whose details you want to retrieve from Cofense Triage. |
Start Date | Datetime from when you want to retrieve categorized reports from Cofense Triage. To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report (for example, reports or tags added to or deleted from the report within the specified date range). Note: By default, Cofense Triage will retrieve categorized reports from six days ago. |
End Date | Datetime till when you want to retrieve categorized reports from Cofense Triage. To determine whether to include a categorized report in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the categorized report. Note: By default, Cofense Triage will retrieve categorized reports till the current time. |
Page | Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Number of Results to Fetch | Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is 50. |
The output contains a non-dictionary value.
Operation: Get Last Report
Input parameters: None.
The output contains a non-dictionary value.
Operation: Get Last Inbox Report
Input parameters: None.
The output contains a non-dictionary value.
Operation: Get Last Processed Report
Input parameters: None.
The output contains a non-dictionary value.
Operation: Get Report Reporters Details
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
Parameter | Description |
---|---|
Start Date | Datetime from when you want to retrieve the IDs of all reporters and the number of reports each of them submitted. To determine whether to include a reporter in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the reporter's reports (for example, tags added to or deleted from a report within the specified date range). Note: By default, Cofense Triage retrieves reporter details from six days ago. |
End Date | Datetime till when you want to retrieve the IDs of all reporters and the number of reports each of them submitted. To determine whether to include a reporter in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the reporter's reports. Note: By default, Cofense Triage retrieves reporter details till the current time. |
The output contains a non-dictionary value.
Operation: Get Attachment Details
Attachment ID is a required parameter.
Parameter | Description |
---|---|
Attachment ID | ID of the attachment whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Operation: Get Triage Threat Indicators
Note: All the input parameters are optional. Type and Level values are case sensitive; a value in the wrong case does not match.
Parameter | Description |
---|---|
Type | Type of triage threat whose associated indicators you want to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, or SHA256. |
Level | Level of triage threat based on which you want to retrieve indicators from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign. |
Start Date | Datetime from when you want to retrieve triage threat indicators from Cofense Triage. To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat (for example, reports or tags added to or deleted from the threat within the specified date range). Note: By default, Cofense Triage will retrieve triage threat indicators from six days ago. |
End Date | Datetime till when you want to retrieve triage threat indicators from Cofense Triage. To determine whether to include a triage threat indicator in the results, Cofense Triage evaluates the timestamp of the last change made in connection with the threat. Note: By default, Cofense Triage will retrieve triage threat indicators till the current time. |
Page | Page number from which you want to retrieve records. The header of the response contains the number of the next page and the total number of results. |
Number of Results to Fetch | Number of results that you want this operation to return, per page, in the response. The maximum number of results per page is 50. |
The output contains a non-dictionary value.
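The list operations above share the same input rules: Priority is 1 to 5, at most 50 results per page, a Start Date that defaults to six days before the End Date, an End Date that defaults to now, and (for triage threat indicators) case-sensitive Type and Level values, with the next page number carried in a response header. The following is an added example, not code from the FortiSOAR connector or from Cofense, showing how a playbook-side helper would validate those inputs and walk every page. The endpoint path, the query parameter names, the Authorization header format and the X-Next-Page/X-Total response header names are assumptions made for illustration; the server is an in-memory fake populated with constructed cluster records.

```python
"""
Added example (not FortiSOAR connector or Cofense code). Validates the
list-operation inputs described on this page and follows a next-page header
until the server reports no further page. Endpoint path, parameter names,
auth header format and response header names are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

MAX_PER_PAGE = 50                      # page: maximum number of results per page is 50
DEFAULT_WINDOW = timedelta(days=6)     # page: Start Date defaults to six days ago
INDICATOR_TYPES = {"Subject", "Sender", "Domain", "URL", "MD5", "SHA256"}
INDICATOR_LEVELS = {"Malicious", "Suspicious", "Benign"}


def build_params(priority: Optional[int] = None, start_date: Optional[datetime] = None,
                 end_date: Optional[datetime] = None, page: int = 1, per_page: int = MAX_PER_PAGE,
                 indicator_type: Optional[str] = None, level: Optional[str] = None,
                 now: Optional[datetime] = None) -> Dict[str, str]:
    """Apply the page's defaults and limits; raise ValueError on bad input."""
    now = now or datetime.now(timezone.utc)
    end = end_date or now                        # End Date defaults to the current time
    start = start_date or end - DEFAULT_WINDOW   # Start Date defaults to six days earlier
    if start > end:
        raise ValueError("start_date is after end_date")
    if priority is not None and not 1 <= priority <= 5:
        raise ValueError("priority must be between 1 and 5")
    if not 1 <= per_page <= MAX_PER_PAGE or page < 1:
        raise ValueError(f"per_page must be 1..{MAX_PER_PAGE} and page >= 1")
    # Type and Level are case sensitive: "url" or "malicious" are rejected, not coerced.
    if indicator_type is not None and indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown type {indicator_type!r} (case sensitive)")
    if level is not None and level not in INDICATOR_LEVELS:
        raise ValueError(f"unknown level {level!r} (case sensitive)")
    params = {"start_date": start.isoformat(), "end_date": end.isoformat(),
              "page": str(page), "per_page": str(per_page)}   # assumed parameter names
    if priority is not None:
        params["priority"] = str(priority)
    if indicator_type is not None:
        params["type"] = indicator_type
    if level is not None:
        params["level"] = level
    return params


def validate(**kwargs) -> Optional[str]:
    """Return the validation error message for the given inputs, or None if valid."""
    try:
        build_params(**kwargs)
        return None
    except ValueError as exc:
        return str(exc)


# A transport takes (url, request headers, query params) and returns
# (HTTP status, response headers, decoded JSON rows).
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[int, Dict[str, str], List[dict]]]


def fetch_all(transport: Transport, server_url: str, user: str, api_token: str,
              path: str, params: Dict[str, str], max_pages: int = 200) -> List[dict]:
    """Request page after page until no next-page header is returned."""
    # Assumed credential header format; substitute whatever the API actually expects.
    headers = {"Authorization": f"Token token={user}:{api_token}", "Accept": "application/json"}
    rows: List[dict] = []
    seen: Set[int] = set()
    page = int(params["page"])
    while page not in seen and len(seen) < max_pages:   # guard against a looping header
        seen.add(page)
        status, resp_headers, body = transport(
            server_url.rstrip("/") + path, headers, {**params, "page": str(page)})
        if status != 200:
            raise RuntimeError(f"HTTP {status} while fetching page {page}")
        rows.extend(body)
        next_page = resp_headers.get("X-Next-Page")     # assumed header name
        if not next_page:
            break
        page = int(next_page)
    return rows


# Constructed dataset: 120 clusters, priorities cycling 1..5, last change every 2 hours.
_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
_CLUSTERS = [{"id": i, "priority": 1 + i % 5,
              "updated_at": (_NOW - timedelta(hours=2 * i)).isoformat()} for i in range(1, 121)]


def fake_transport(url: str, headers: Dict[str, str], params: Dict[str, str]):
    """In-memory stand-in for the Cofense Triage server (its filter semantics, not Cofense's)."""
    if not headers.get("Authorization", "").startswith("Token token="):
        return 401, {}, []
    start, end = datetime.fromisoformat(params["start_date"]), datetime.fromisoformat(params["end_date"])
    prio = params.get("priority")
    matched = [c for c in _CLUSTERS
               if start <= datetime.fromisoformat(c["updated_at"]) <= end
               and (prio is None or c["priority"] == int(prio))]
    per_page, page = int(params["per_page"]), int(params["page"])
    chunk = matched[(page - 1) * per_page: page * per_page]
    hdrs = {"X-Total": str(len(matched))}
    if page * per_page < len(matched):
        hdrs["X-Next-Page"] = str(page + 1)
    return 200, hdrs, chunk


def demo() -> Dict[str, int]:
    """Walk every page of the default six-day window against the fake server."""
    rows = fetch_all(fake_transport, "https://triage.example.com", "analyst@example.com",
                     "api-token", "/api/public/v1/clusters", build_params(now=_NOW))
    return {"rows": len(rows), "pages": -(-len(rows) // MAX_PER_PAGE),
            "distinct_ids": len({r["id"] for r in rows})}


if __name__ == "__main__":
    print(demo())
```

The `seen` set and `max_pages` bound matter in a playbook: a server that keeps returning the same next-page value, or an unbounded result set, would otherwise keep the step running indefinitely.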
The Sample - Cofense Triage - 1.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.