About the connector
Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.
This document provides information about the Cofense Triage connector, which facilitates automated interactions, with your Cofense Triage endpoint using FortiSOAR™ playbooks. Add the Cofense Triage connector, as a step in FortiSOAR™ playbooks and perform automated operations such as retrieving clusters, reports, and threat triage indicators from Cofense Triage.
IMPORTANT: Cofense Triage v2.0.0 integration uses the Cofense Triage v2 API.
Version information
Connector Version: 2.0.0
Authored By: Community
Certified: No
Release Notes for version 2.0.0
Following enhancements have been made to the Cofense Triage connector in version 2.0.0:
- Added support for OAuth authorization
- Following actions and playbooks are now added to the connector:
- Get URL Details
- Download Report
- Download Attachment
- Get Domain Details
- Get Hostname Details
- Added the following parameters to the "Get Clusters" operation:
- Created At
- Updated At
- Sort By
- Filter By
- Fields to Retrieve
- Count
- Tags
- Added the following parameters to the "Get Inbox Reports" operation:
- Created At
- Updated At
- Sort By
- Filter By
- Fields to Retrieve
- Tags
- Categorization Tags
- Added the following parameters to the "Get Report Reporters Details" operation:
- Created At
- Updated At
- Page
- Number of Results to Fetch
- Sort By
- Filter By
- Fields to Retrieve
- VIP
- Reputation Score
- Email
- Added the following parameters to the "Get Triage Threat Indicators" operation:
- Threat Value
- Threat Source
- Created At
- Updated At
- Sort By
- Filter By
- Fields to Retrieve
- Following actions and playbooks have been removed from the connector:
- Get Last Cluster Details
- Get Report Email Attachment
- Get Processed Reports
- Get Last Report
- Get Last Inbox Report
- Get Last Processed Report
- Removed the "Start Date" and "End Date" parameters from the following operations:
- Get Clusters
- Get Inbox Reports
- Get Report Reporters Details
- Get Triage Threat Indicators
- Renamed the following parameters in the "Get Triage Threat Indicators" operation:
- "Type" to "Threat Type"
- "Level" to "Threat Level"
Installing the connector
Use the Content Hub to install the connector. For a detailed procedure to install a connector, click here.
You can also run the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-cofense-triage
Prerequisites to configuring the connector
- You must have the Cofense Triage server URL to connect and perform automated operations.
- You must have the Client ID and Secret to access the Cofense Triage endpoint and perform the automated operations.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the Cofense Triage server.
Minimum Permissions Required
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Cofense Triage connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter |
Description |
| Server URL |
Cofense Triage server URL to connect to and perform automated operations. |
| Client ID |
Unique Client ID of the Cofense Triage that is used to create an authentication token required to access the Cofense Triage API. |
| Client Secret |
Unique Client Secret of the Cofense Triage that is used to create an authentication token required to access the API. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
| Function |
Description |
Annotation and Category |
| Get Clusters |
Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified.
NOTE: If you do not specify any input parameters, then this operation will retrieve all clusters from Cofense Triage.
|
get_clusters
Investigation |
| Get Cluster Details |
Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. |
get_cluster_details
Investigation |
| Get Reports |
Retrieves reports from Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified.
NOTE: If you do not specify any input parameters, then this operation will retrieve all reports from Cofense Triage.
|
get_reports
Investigation |
| Get Report Details |
Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. |
get_report_details
Investigation |
| Get Inbox Reports |
Retrieves a list of uncategorized reports from Cofense Triage "Inbox" folders based on the input parameters you have specified.
NOTE: If you do not specify any input parameters, then this operation will retrieve all uncategorized reports from Cofense Triage.
|
get_inbox_reports
Investigation |
| Get Report Reporters Details |
Retrieves a list of IDs of all reporters and the number of reports those individuals reported from Cofense Triage based on the input parameters you have specified.
NOTE: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
|
get_report_reporters_details
Investigation |
| Get Attachment Details |
Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified |
get_attachment_details
Investigation |
| Get Triage Threat Indicators |
Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified.
NOTE: If you do not specify any input parameters, then this operation will retrieve all categorized reports from Cofense Triage.
|
get_triage_threat_indicators
Investigation |
| Get URL Details |
Retrieves URL details from Cofense Triage based on the endpoint and request you have specified. |
get_url_details
Query |
| Download Report |
Retrieves files associated with a specific report from the Cofense Triage server based on the report ID you have specified. |
download_report
Investigation |
| Download Attachment |
Download an attachment from the Cofense Triage server based on the attachment ID you have specified. |
download_attachment
Investigation |
| Get Domain Details |
Retrieves the details of a specific domain from Cofense Triage based on the domain ID you have specified |
get_domain_details
Investigation |
| Get Hostname Details |
Retrieves the details of a specific hostname from Cofense Triage based on the domain ID you have specified |
get_hostname_details
Investigation |
operation: Get Clusters
Input parameters
| Parameter |
Description |
| Priority |
Specify the priority of clusters to retrieve from Cofense Triage. You can specify the priority as a value between 0 to 5. |
| Created At |
Specify the date and time of creation, from when to retrieve the clusters from Cofense Triage. |
| Updated At |
Specify the date and time of updation, from when to retrieve the clusters from Cofense Triage. |
| Page |
Specify a page number to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Specify the number of results this operation returns, per page, in the response. The maximum number of results per page is set items to 200. |
| Sort By |
Specify the attributes to sort the clusters.
NOTE: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order.
|
| Filter By |
Specify the filters to filter the list of clusters by attribute values.
NOTE: Enter values in key-value JSON format.
|
| Fields to Retrieve |
Specify the fields to retrieve the mentioned attributes only. For example, location and from_address. |
| Count |
Specify the number of reports to be present in the cluster. |
| Tags |
Specify the tags to retrieve the cluster. |
Output
The output contains a non-dictionary value.
operation: Get Cluster Details
Input parameters
| Parameter |
Description |
| Cluster ID |
Specify the cluster ID whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Reports
Input parameters
| Parameter |
Description |
| Priority |
Specify the priority of reports to retrieve from Cofense Triage. You can specify the priority as a value between 0 to 5. |
| Created At |
Specify the date and time of creation, from when you want to retrieve reports from Cofense Triage. |
| Updated At |
Specify the date and time of updation, from when you want to retrieve reports from Cofense Triage. |
| Page |
Specify a page number to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Specify the number of results this operation returns, per page, in the response. The maximum number of results per page is set items to 200. |
| Sort By |
Specify the attributes to sort the reports.
NOTE: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order.
|
| Filter By |
Specify the filters to filter the list of reports by attribute values.
NOTE: Enter values in key-value JSON format.
|
| Fields to Retrieve |
Specify the fields to retrieve the mentioned attributes only. For example, location and from_address. |
| Report Location |
Specify the location to retrieve the reports based on the location of the reported email within Cofense Triage. Some possible values are inbox, reconnaissance, and processed. |
| Tags |
Specify the tags to retrieve the reports based on the tags associated with the reports. |
| Categorization Tags |
Specify the categorization tags to retrieve the reports based on the tags assigned when the reported email was processed. |
Output
The output contains a non-dictionary value.
operation: Get Report Details
Input parameters
| Parameter |
Description |
| Report ID |
Specify the report ID whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Inbox Reports
Input parameters
| Parameter |
Description |
| Priority |
Specify the priority of uncategorized reports to retrieve from Cofense Triage. You can specify the priority as a value between 0 to 5. |
| Created At |
Specify the date and time of creation, from when you want to retrieve uncategorized reports from Cofense Triage. |
| Updated At |
Specify the date and time of updation, from when you want to retrieve uncategorized reports from Cofense Triage. |
| Page |
Specify a page number to retrieve uncategorized records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Specify the number of results this operation returns, per page, in the response. The maximum number of results per page is set items to 200. |
| Sort By |
Specify the attributes to sort the uncategorized reports.
NOTE: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order.
|
| Filter By |
Specify the filters to filter the list of uncategorized reports by attribute values.
NOTE: Enter values in key-value JSON format.
|
| Fields to Retrieve |
Specify the fields to retrieve the mentioned attributes only. For example, location, from_address. |
| Tags |
Specify the tags to retrieve the uncategorized reports based on the tags associated with the reports. |
| Categorization Tags |
Specify the categorization tags to retrieve the uncategorized reports based on the tags assigned when the reported email was processed. |
Output
The output contains a non-dictionary value.
operation: Get Report Reporters Details
Input parameters
| Parameter |
Description |
| Created At |
Specify the date and time of creation, from when you want to retrieve the list IDs of all reporters and the number of reports they reported, from Cofense Triage. |
| Updated At |
Specify the date and time of updation, from when you want to retrieve the list IDs of all reporters and the number of reports they reported, from Cofense Triage. |
| Page |
Specify a page number to retrieve records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Specify the number of results this operation returns, per page, in the response. The maximum number of results per page is set items to 200. |
| Sort By |
Specify the attributes to sort the reporters.
NOTE: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order.
|
| Filter By |
Specify the filters to filter the list of reporters by attribute values.
NOTE: Enter values in key-value JSON format.
|
| Fields to Retrieve |
Specify the fields to retrieve the mentioned attributes only. For example, email, reports_count. |
| VIP |
Specify that the reporter to be retrieved is VIP or non-VIP. |
| Reputation Score |
Specify reputation score to retrieve the reporters. |
| Email |
Specify emails of the reporter to retrieve the reporter. |
Output
The output contains a non-dictionary value.
operation: Get Attachment Details
Input parameters
| Parameter |
Description |
| Attachment ID |
Specify the attachment ID whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Triage Threat Indicators
Input parameters
| Parameter |
Description |
| Threat Type |
Specify the triage threat type of associated indicators to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, SHA256, Hostname, or Header. |
| Threat Level |
Specify a triage threat level of indicators to retrieve from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign. |
| Threat Value |
Specify the threat type, indicated in threat_type, to retrieve the threat indicators. |
| Threat Source |
Specify the value corresponding to the source of the threat indicator. |
| Created At |
Specify the date and time of creation, from when you want to retrieve triage threat indicators from Cofense Triage. |
| Updated At |
Specify the date and time of updation, from when you want to retrieve triage threat indicators from Cofense Triage. |
| Sort By |
Specify the attributes to sort the threat indicators.
NOTE: The default sort order for an attribute is ascending. Prefix the attributes with a hyphen to sort in descending order.
|
| Filter By |
Specify the filters to filter the list of threat indicators by attribute values.
NOTE: Enter values in key-value JSON format.
|
| Fields to Retrieve |
Specify the fields to retrieve the mentioned attributes only. For example, threat_level, threat_type, threat_value. |
| Page |
Specify a page number to retrieve the records. The header of the response contains the number of the next page and the total number of results. |
| Number of Results to Fetch |
Specify the number of results this operation returns, per page, in the response. The maximum number of results per page is set items to 200. |
Output
The output contains a non-dictionary value.
operation: Get URL Details
Input parameters
| Parameter |
Description |
| API Endpoint |
Specify the API Endpoint for Cofense Triage that starts with https://triage.example.com/api/public/v2/reports/4/assignee and helps make the API call. |
| HTTP method |
Select the HTTP method to use for the API call. You can choose between GET or POST. |
| Request Body |
(Optional) Specify a GET/POST request body to send with the API call request. |
Output
The output contains a non-dictionary value.
operation: Download Report
Input parameters
| Parameter |
Description |
| Report ID |
Specify the report ID whose associated files you want to retrieve from the Cofense Triage server. |
Output
The output contains a non-dictionary value.
operation: Download Attachment
Input parameters
| Parameter |
Description |
| Attachment ID |
Specify the attachment ID whose associated attachment you want to retrieve from the Cofense Triage server. |
Output
The output contains a non-dictionary value.
operation: Get Domain Details
Input parameters
| Parameter |
Description |
| Domain ID |
Specify the domain ID whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
operation: Get Hostname Details
Input parameters
| Parameter |
Description |
| Hostname ID |
Specify the hostname ID whose details you want to retrieve from Cofense Triage. |
Output
The output contains a non-dictionary value.
Included playbooks
The Sample - Cofense Triage - 2.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.
- Download Attachment
- Download Report
- Get Attachment Details
- Get Cluster Details
- Get Clusters
- Get Domain Details
- Get Hostname Details
- Get Inbox Reports
- Get Report Details
- Get Report Reporters Details
- Get Reports
- Get Triage Threat Indicators
- Get URL Details
NOTE: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
