Cofense Triage is a phishing response workbench that allows analysts to automate and respond to phishing threats.
This document provides information about the Cofense Triage connector, which facilitates automated interactions with your Cofense Triage endpoint using FortiSOAR™ playbooks. Add the Cofense Triage connector as a step in FortiSOAR™ playbooks to perform automated operations such as retrieving clusters, reports, and triage threat indicators from Cofense Triage.
IMPORTANT: Cofense Triage v2.0.0 integration uses the Cofense Triage v2 API.
Connector Version: 2.0.0
Authored By: Community
Certified: No
The following enhancements have been made to the Cofense Triage connector in version 2.0.0:
Use the Content Hub to install the connector. For a detailed procedure to install a connector, click here.
You can also run the following yum command as a root user from an SSH session to install the connector:
yum install cyops-connector-cofense-triage
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Cofense Triage connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | Cofense Triage server URL to connect to and perform automated operations. |
Client ID | Unique Client ID for Cofense Triage that is used to create the authentication token required to access the Cofense Triage API. |
Client Secret | Unique Client Secret for Cofense Triage that is used to create the authentication token required to access the API. |
Verify SSL | Specifies whether the SSL certificate of the server is verified. By default, this option is set to True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations:
Function | Description | Annotation and Category |
---|---|---|
Get Clusters | Retrieves a list of clusters from Cofense Triage based on the input parameters you have specified. NOTE: If you do not specify any input parameters, then this operation retrieves all clusters from Cofense Triage. | get_clusters Investigation |
Get Cluster Details | Retrieves details of a specific cluster from Cofense Triage based on the cluster ID you have specified. | get_cluster_details Investigation |
Get Reports | Retrieves reports from the Cofense Triage "Inbox", "Recon", and "Processed" folders based on the input parameters you have specified. NOTE: If you do not specify any input parameters, then this operation retrieves all reports from Cofense Triage. | get_reports Investigation |
Get Report Details | Retrieves details of a specific report from Cofense Triage based on the report ID you have specified. | get_report_details Investigation |
Get Inbox Reports | Retrieves a list of uncategorized reports from the Cofense Triage "Inbox" folder based on the input parameters you have specified. NOTE: If you do not specify any input parameters, then this operation retrieves all uncategorized reports from Cofense Triage. | get_inbox_reports Investigation |
Get Report Reporters Details | Retrieves a list of the IDs of all reporters and the number of reports each of those individuals submitted, from Cofense Triage, based on the input parameters you have specified. NOTE: If you do not specify any input parameters, then this operation retrieves all reporters from Cofense Triage. | get_report_reporters_details Investigation |
Get Attachment Details | Retrieves the details of a specific attachment from Cofense Triage based on the attachment ID you have specified. | get_attachment_details Investigation |
Get Triage Threat Indicators | Retrieves a list of triage threat indicators from Cofense Triage based on the input parameters you have specified. NOTE: If you do not specify any input parameters, then this operation retrieves all triage threat indicators from Cofense Triage. | get_triage_threat_indicators Investigation |
Get URL Details | Retrieves URL details from Cofense Triage based on the endpoint and request you have specified. | get_url_details Query |
Download Report | Retrieves the files associated with a specific report from the Cofense Triage server based on the report ID you have specified. | download_report Investigation |
Download Attachment | Downloads an attachment from the Cofense Triage server based on the attachment ID you have specified. | download_attachment Investigation |
Get Domain Details | Retrieves the details of a specific domain from Cofense Triage based on the domain ID you have specified. | get_domain_details Investigation |
Get Hostname Details | Retrieves the details of a specific hostname from Cofense Triage based on the hostname ID you have specified. | get_hostname_details Investigation |
Input parameters for the Get Clusters operation:
Parameter | Description |
---|---|
Priority | Specify the priority of the clusters to retrieve from Cofense Triage. You can specify the priority as a value between 0 and 5. |
Created At | Specify the creation date and time from which to retrieve clusters from Cofense Triage. |
Updated At | Specify the last-update date and time from which to retrieve clusters from Cofense Triage. |
Page | Specify the page number of the records to retrieve. The response header contains the number of the next page and the total number of results. |
Number of Results to Fetch | Specify the number of results this operation returns per page in the response. The maximum number of results per page is 200. |
Sort By | Specify the attributes by which to sort the clusters. NOTE: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. |
Filter By | Specify the filters to apply to the list of clusters by attribute values. NOTE: Enter the values in key-value JSON format. |
Fields to Retrieve | Specify the attributes to include in the retrieved records, so that only those fields are returned. For example, location and from_address. |
Count | Specify the number of reports a cluster must contain. |
Tags | Specify the tags by which to retrieve clusters. |
The output contains a non-dictionary value.
Input parameters for the Get Cluster Details operation:
Parameter | Description |
---|---|
Cluster ID | Specify the ID of the cluster whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Input parameters for the Get Reports operation:
Parameter | Description |
---|---|
Priority | Specify the priority of the reports to retrieve from Cofense Triage. You can specify the priority as a value between 0 and 5. |
Created At | Specify the creation date and time from which to retrieve reports from Cofense Triage. |
Updated At | Specify the last-update date and time from which to retrieve reports from Cofense Triage. |
Page | Specify the page number of the records to retrieve. The response header contains the number of the next page and the total number of results. |
Number of Results to Fetch | Specify the number of results this operation returns per page in the response. The maximum number of results per page is 200. |
Sort By | Specify the attributes by which to sort the reports. NOTE: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. |
Filter By | Specify the filters to apply to the list of reports by attribute values. NOTE: Enter the values in key-value JSON format. |
Fields to Retrieve | Specify the attributes to include in the retrieved records, so that only those fields are returned. For example, location and from_address. |
Report Location | Specify the location of the reported email within Cofense Triage by which to retrieve reports. Possible values include inbox, reconnaissance, and processed. |
Tags | Specify the tags associated with reports by which to retrieve reports. |
Categorization Tags | Specify the categorization tags, assigned when the reported email was processed, by which to retrieve reports. |
The output contains a non-dictionary value.
Input parameters for the Get Report Details operation:
Parameter | Description |
---|---|
Report ID | Specify the ID of the report whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Input parameters for the Get Inbox Reports operation:
Parameter | Description |
---|---|
Priority | Specify the priority of the uncategorized reports to retrieve from Cofense Triage. You can specify the priority as a value between 0 and 5. |
Created At | Specify the creation date and time from which to retrieve uncategorized reports from Cofense Triage. |
Updated At | Specify the last-update date and time from which to retrieve uncategorized reports from Cofense Triage. |
Page | Specify the page number of the uncategorized records to retrieve. The response header contains the number of the next page and the total number of results. |
Number of Results to Fetch | Specify the number of results this operation returns per page in the response. The maximum number of results per page is 200. |
Sort By | Specify the attributes by which to sort the uncategorized reports. NOTE: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. |
Filter By | Specify the filters to apply to the list of uncategorized reports by attribute values. NOTE: Enter the values in key-value JSON format. |
Fields to Retrieve | Specify the attributes to include in the retrieved records, so that only those fields are returned. For example, location and from_address. |
Tags | Specify the tags associated with reports by which to retrieve uncategorized reports. |
Categorization Tags | Specify the categorization tags, assigned when the reported email was processed, by which to retrieve uncategorized reports. |
The output contains a non-dictionary value.
Input parameters for the Get Report Reporters Details operation:
Parameter | Description |
---|---|
Created At | Specify the creation date and time from which to retrieve, from Cofense Triage, the list of reporter IDs and the number of reports each reporter submitted. |
Updated At | Specify the last-update date and time from which to retrieve, from Cofense Triage, the list of reporter IDs and the number of reports each reporter submitted. |
Page | Specify the page number of the records to retrieve. The response header contains the number of the next page and the total number of results. |
Number of Results to Fetch | Specify the number of results this operation returns per page in the response. The maximum number of results per page is 200. |
Sort By | Specify the attributes by which to sort the reporters. NOTE: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. |
Filter By | Specify the filters to apply to the list of reporters by attribute values. NOTE: Enter the values in key-value JSON format. |
Fields to Retrieve | Specify the attributes to include in the retrieved records, so that only those fields are returned. For example, email and reports_count. |
VIP | Specify whether to retrieve VIP or non-VIP reporters. |
Reputation Score | Specify the reputation score by which to retrieve reporters. |
Email | Specify the email addresses of the reporters to retrieve. |
The output contains a non-dictionary value.
Input parameters for the Get Attachment Details operation:
Parameter | Description |
---|---|
Attachment ID | Specify the ID of the attachment whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Input parameters for the Get Triage Threat Indicators operation:
Parameter | Description |
---|---|
Threat Type | Specify the threat type of the triage threat indicators to retrieve from Cofense Triage. You can specify one of the following types (case sensitive): Subject, Sender, Domain, URL, MD5, SHA256, Hostname, or Header. |
Threat Level | Specify the threat level of the triage threat indicators to retrieve from Cofense Triage. You can specify one of the following levels (case sensitive): Malicious, Suspicious, or Benign. |
Threat Value | Specify the indicator value, of the type given in Threat Type, by which to retrieve threat indicators. |
Threat Source | Specify the source of the threat indicator by which to retrieve threat indicators. |
Created At | Specify the creation date and time from which to retrieve triage threat indicators from Cofense Triage. |
Updated At | Specify the last-update date and time from which to retrieve triage threat indicators from Cofense Triage. |
Sort By | Specify the attributes by which to sort the threat indicators. NOTE: The default sort order for an attribute is ascending. Prefix an attribute with a hyphen to sort in descending order. |
Filter By | Specify the filters to apply to the list of threat indicators by attribute values. NOTE: Enter the values in key-value JSON format. |
Fields to Retrieve | Specify the attributes to include in the retrieved records, so that only those fields are returned. For example, threat_level, threat_type, and threat_value. |
Page | Specify the page number of the records to retrieve. The response header contains the number of the next page and the total number of results. |
Number of Results to Fetch | Specify the number of results this operation returns per page in the response. The maximum number of results per page is 200. |
The output contains a non-dictionary value.
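The Sort By, Filter By, Page and Number of Results to Fetch inputs are shared by the list operations above (Get Clusters, Get Reports, Get Inbox Reports, Get Report Reporters Details and Get Triage Threat Indicators), and the Threat Type and Threat Level values are case sensitive. The Python helpers below are an added example, not connector code: they build the query for one page of a list call, walk all pages using the next-page response header, and reject mis-cased threat values before a request is sent. The JSON:API-style parameter names (page[number], page[size], sort, filter[...]) and the X-Next-Page header name are assumptions not stated on this page, and the HTTP call is replaced by a constructed in-memory stand-in so the code runs offline.

```python
import json
from typing import Callable, Dict, Iterator, List, Tuple

MAX_PAGE_SIZE = 200  # per-page cap stated by the connector documentation

# Case-sensitive value sets listed for Get Triage Threat Indicators
THREAT_TYPES = {"Subject", "Sender", "Domain", "URL", "MD5", "SHA256", "Hostname", "Header"}
THREAT_LEVELS = {"Malicious", "Suspicious", "Benign"}

# ASSUMPTION: the JSON:API-style parameter names (page[number], page[size], sort, filter[..])
# and this header name are not on the documentation page; verify against your Triage version.
NEXT_PAGE_HEADER = "X-Next-Page"

# fetch(params) -> (items, response_headers); the caller supplies the real HTTP call
Fetch = Callable[[Dict[str, str]], Tuple[List[dict], Dict[str, str]]]


def parse_sort(sort_by: str) -> List[Tuple[str, str]]:
    """'-priority, created_at' -> [('priority', 'desc'), ('created_at', 'asc')]; no hyphen = asc."""
    specs = []
    for raw in sort_by.split(","):
        attr = raw.strip()
        if attr:
            specs.append((attr[1:], "desc") if attr.startswith("-") else (attr, "asc"))
    return specs


def parse_filter(filter_by: str) -> Dict[str, str]:
    """Filter By must be a JSON object mapping attribute names to values."""
    if not filter_by.strip():
        return {}
    parsed = json.loads(filter_by)
    if not isinstance(parsed, dict):
        raise ValueError("Filter By must be a JSON object of key-value pairs")
    return {str(k): str(v) for k, v in parsed.items()}


def build_list_params(page: int = 1, page_size: int = MAX_PAGE_SIZE,
                      sort_by: str = "", filter_by: str = "") -> Dict[str, str]:
    """Build the query parameters for one page of a list call such as Get Clusters."""
    if page < 1:
        raise ValueError("Page must be 1 or greater")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"Number of Results to Fetch must be between 1 and {MAX_PAGE_SIZE}")
    params = {"page[number]": str(page), "page[size]": str(page_size)}
    sort = parse_sort(sort_by)
    if sort:  # JSON:API keeps the hyphen prefix for descending attributes
        params["sort"] = ",".join(f"-{f}" if o == "desc" else f for f, o in sort)
    for key, value in parse_filter(filter_by).items():
        params[f"filter[{key}]"] = value
    return params


def iterate_pages(fetch: Fetch, sort_by: str = "", filter_by: str = "",
                  page_size: int = MAX_PAGE_SIZE, max_pages: int = 50) -> Iterator[dict]:
    """Walk every page, reading the next page number from the response header as the
    documentation describes; max_pages stops a misbehaving endpoint looping a playbook."""
    page, pages_seen = 1, 0
    while page and pages_seen < max_pages:
        items, headers = fetch(build_list_params(page, page_size, sort_by, filter_by))
        yield from items
        nxt = headers.get(NEXT_PAGE_HEADER, "").strip()
        page, pages_seen = (int(nxt) if nxt.isdigit() else 0), pages_seen + 1


def validate_threat_indicator_inputs(threat_type: str, threat_level: str) -> Dict[str, str]:
    """Fail early on mis-cased values such as 'url' or 'malicious' rather than send a filter
    the server may ignore and get an unfiltered indicator list back."""
    if threat_type not in THREAT_TYPES:
        raise ValueError(f"Threat Type {threat_type!r} is not one of {sorted(THREAT_TYPES)}")
    if threat_level not in THREAT_LEVELS:
        raise ValueError(f"Threat Level {threat_level!r} is not one of {sorted(THREAT_LEVELS)}")
    return {"filter[threat_type]": threat_type, "filter[threat_level]": threat_level}


def fake_fetch_factory(total: int) -> Fetch:
    """Constructed offline stand-in for the HTTP call: serves `total` numbered reports."""
    def fetch(params: Dict[str, str]) -> Tuple[List[dict], Dict[str, str]]:
        page, size = int(params["page[number]"]), int(params["page[size]"])
        start = (page - 1) * size
        items = [{"id": i, "priority": i % 6} for i in range(start, min(start + size, total))]
        headers = {NEXT_PAGE_HEADER: str(page + 1)} if start + size < total else {}
        return items, headers
    return fetch


if __name__ == "__main__":
    print(build_list_params(1, 50, "-priority,created_at", '{"priority": 5, "location": "inbox"}'))
    print(len(list(iterate_pages(fake_fetch_factory(450), page_size=200))), "reports collected")
```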
Input parameters for the Get URL Details operation:
Parameter | Description |
---|---|
API Endpoint | Specify the Cofense Triage API endpoint to call, for example https://triage.example.com/api/public/v2/reports/4/assignee. |
HTTP Method | Select the HTTP method to use for the API call: GET or POST. |
Request Body | (Optional) Specify the request body to send with the GET or POST API call. |
The output contains a non-dictionary value.
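Because Get URL Details forwards whatever endpoint and method a playbook supplies, a playbook should confirm that the endpoint really points at the configured Server URL's public v2 API before calling it. The check below is an added example, not connector code; the /api/public/v2/ path prefix is taken from the example endpoint above, while the https-only rule and the hostname normalisation are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

API_PREFIX = "/api/public/v2/"     # v2 API path shown in the documentation's example endpoint
ALLOWED_METHODS = {"GET", "POST"}  # the two methods the Get URL Details operation offers


def normalise_server_url(server_url: str) -> str:
    """Accept 'triage.example.com' or 'https://triage.example.com/' and return
    'https://host' with no path. ASSUMPTION: plain http is refused, since the
    connector sends a client secret and a bearer token on every call."""
    raw = server_url.strip()
    if "://" not in raw:
        raw = "https://" + raw
    parts = urlsplit(raw)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"Server URL must be an https URL with a host: {server_url!r}")
    return f"https://{parts.netloc.lower()}"


def check_api_endpoint(server_url: str, endpoint: str, method: str) -> str:
    """Return a normalised endpoint that is safe to pass to Get URL Details, or raise
    ValueError: the endpoint must be https, on the configured host, carry no credentials,
    sit under API_PREFIX without '..' segments, and use an allowed method."""
    base = normalise_server_url(server_url)
    parts = urlsplit(endpoint.strip())
    if parts.scheme != "https":
        raise ValueError("API Endpoint must use https")
    if parts.username or parts.password:
        raise ValueError("API Endpoint must not embed credentials")
    if f"https://{parts.netloc.lower()}" != base:
        raise ValueError(f"API Endpoint host {parts.netloc!r} is not the configured Server URL")
    if not parts.path.startswith(API_PREFIX) or ".." in parts.path.split("/"):
        raise ValueError(f"API Endpoint path must stay under {API_PREFIX}")
    if method.strip().upper() not in ALLOWED_METHODS:
        raise ValueError(f"HTTP method must be one of {sorted(ALLOWED_METHODS)}")
    return urlunsplit(("https", parts.netloc.lower(), parts.path, parts.query, ""))


if __name__ == "__main__":
    print(check_api_endpoint("https://triage.example.com",
                             "https://triage.example.com/api/public/v2/reports/4/assignee", "GET"))
```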
Input parameters for the Download Report operation:
Parameter | Description |
---|---|
Report ID | Specify the ID of the report whose associated files you want to retrieve from the Cofense Triage server. |
The output contains a non-dictionary value.
Input parameters for the Download Attachment operation:
Parameter | Description |
---|---|
Attachment ID | Specify the ID of the attachment you want to download from the Cofense Triage server. |
The output contains a non-dictionary value.
Input parameters for the Get Domain Details operation:
Parameter | Description |
---|---|
Domain ID | Specify the ID of the domain whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
Input parameters for the Get Hostname Details operation:
Parameter | Description |
---|---|
Hostname ID | Specify the ID of the hostname whose details you want to retrieve from Cofense Triage. |
The output contains a non-dictionary value.
The Sample - Cofense Triage - 2.0.0 playbook collection comes bundled with the Cofense Triage connector. These playbooks contain steps that show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Cofense Triage connector.
NOTE: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.