Cofense Triage
Integration version: 10.0
Use Cases
- Ingest Cofense Triage reports and use them to create Google Security Operations SOAR alerts. Next, in Google Security Operations SOAR, alerts can be used to perform orchestrations with playbooks or manual analysis.
- Enrichment of the related entities and details about the report.
- Triage of the report.
Configure Cofense Triage integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| API Root | String | https://tap.phishmecloud.com | N/A | API Root of the Cofense Triage instance. |
| Client ID | String | N/A | Yes | Client ID of the Cofense Triage account. |
| Client Secret | Password | N/A | Yes | Client Secret of the Cofense Triage account. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the Cofense Triage server is valid. |
Actions
Add Tags To Report
Description
Add tags to a report in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the id of the report to which you want to add tags. |
| Tags | CSV | N/A | Yes | Specify a comma-separated list of tags that need to be applied to the report. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": "13507",
"type": "reports",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507"
},
"attributes": {
"location": "Inbox",
"risk_score": 96,
"from_address": null,
"subject": "Test Phishing domain",
"received_at": "2020-10-12T21:30:54.000Z",
"reported_at": "2020-10-12T21:30:53.000Z",
"raw_headers": "X-Triage-Noise-Reduction: state=0\r\nX-Triage-Noise-Reduction: score=79\r\nX-Triage-Noise-Reduction: vacb1561f9d032089\";\r\n charset=UTF-8\r\nContent-Transfer-Encoding: 7bit",
"text_body": "Testing<http://dsrihsddk.net/>\r\n\r\nThis is a poor reputation domain\r\n\r\n",
"html_body": "<html xmlns:v=\"urn:schemas-microsoft-com:vml\" xml>\r\n</div>\r\n</body>\r\n</html>\r\n",
"md5": "81fe86fc9c244be978ab8b8392d3c986",
"sha256": "146b857b2a147eeb9091571327452006438294aeb21069e38c6f25a811aa6c03",
"match_priority": 1,
"tags": [
"dsa",
"asd"
],
"categorization_tags": [],
"processed_at": null,
"created_at": "2020-10-12T21:31:36.495Z",
"updated_at": "2020-11-17T15:33:27.567Z"
},
"relationships": {
"assignee": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/assignee",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/assignee"
},
"data": null
},
"category": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/category",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/category"
},
"data": null
},
"cluster": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/cluster",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/cluster"
},
"data": {
"type": "clusters",
"id": "3915"
}
},
"reporter": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/reporter",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/reporter"
},
"data": {
"type": "reporters",
"id": "5331"
}
},
"attachment_payloads": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/attachment_payloads",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/attachment_payloads"
}
},
"attachments": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/attachments",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/attachments"
}
},
"headers": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/headers",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/headers"
}
},
"hostnames": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/hostnames",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/hostnames"
}
},
"urls": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/urls",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/urls"
}
},
"rules": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/rules",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/rules"
}
},
"threat_indicators": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/threat_indicators",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/threat_indicators"
}
}
},
"meta": {
"risk_score_summary": {
"integrations": 75,
"vip": 5,
"reporter": 15,
"rules": 1
}
}
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully added tags to the the report with ID {0} in Cofense Triage.".format(report_id) if unsuccessful aka status code 404(is_success = false): The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Add Tags To Report". Reason: {0}''.format(error.Stacktrace) |
General |
Categorize Report
Description
Categorize a report in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the id of the report to which you want to add tags. |
| Category Name | String | N/A | Yes | Specify the name of the category that should be applied to the report. Available categories can be found in the "List Categories" action. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": "13507",
"type": "reports",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507"
},
"attributes": {
"location": "Inbox",
"risk_score": 96,
"from_address": null,
"subject": "Test Phishing domain",
"received_at": "2020-10-12T21:30:54.000Z",
"reported_at": "2020-10-12T21:30:53.000Z",
"raw_headers": "X-Triage-Noise-Reduction: state=0\r\nX-Triage-Noise-Reduction: score=79\r\nX-Triage-Noise-Reduction: vacb1561f9d032089\";\r\n charset=UTF-8\r\nContent-Transfer-Encoding: 7bit",
"text_body": "Testing<http://dsrihsddk.net/>\r\n\r\nThis is a poor reputation domain\r\n\r\n",
"html_body": "<html xmlns:v=\"urn:schemas-microsoft-com:vml\" xml>\r\n</div>\r\n</body>\r\n</html>\r\n",
"md5": "81fe86fc9c244be978ab8b8392d3c986",
"sha256": "146b857b2a147eeb9091571327452006438294aeb21069e38c6f25a811aa6c03",
"match_priority": 1,
"tags": [
"dsa",
"asd"
],
"categorization_tags": [],
"processed_at": null,
"created_at": "2020-10-12T21:31:36.495Z",
"updated_at": "2020-11-17T15:33:27.567Z"
},
"relationships": {
"assignee": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/assignee",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/assignee"
},
"data": null
},
"category": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/category",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/category"
},
"data": null
},
"cluster": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/cluster",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/cluster"
},
"data": {
"type": "clusters",
"id": "3915"
}
},
"reporter": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/reporter",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/reporter"
},
"data": {
"type": "reporters",
"id": "5331"
}
},
"attachment_payloads": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/attachment_payloads",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/attachment_payloads"
}
},
"attachments": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/attachments",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/attachments"
}
},
"headers": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/headers",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/headers"
}
},
"hostnames": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/hostnames",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/hostnames"
}
},
"urls": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/urls",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/urls"
}
},
"rules": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/rules",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/rules"
}
},
"threat_indicators": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13507/relationships/threat_indicators",
"related": "https://tap.phishmecloud.com/api/public/v2/reports/13507/threat_indicators"
}
}
},
"meta": {
"risk_score_summary": {
"integrations": 75,
"vip": 5,
"reporter": 15,
"rules": 1
}
}
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully updated category on the the report with ID {0} to {1} in Cofense Triage.".format(report_id, category_name) if unsuccessful aka status code 404(is_success = false): print "Action wasn't able to update the category on the report with ID {0} to {1} in Cofense Triage. Reason: \n {2}".format(report_id, category_name, errors/detail) if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Categorize Report". Reason: {0}''.format(error.Stacktrace) |
General |
Download Report Email
Description
Download raw email related to the report from Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the ID of the report, which contains the raw email that needs to be downloaded. |
| Download Folder | String | N/A | Yes | Specify the absolute path to the download folder. Note: Name will be constructed in the following way {report id}.eml. |
| Overwrite | Checkbox | Checked | No | If enabled, action will overwrite the file with the same name and filepath. |
| Create Insight | Checkbox | Unchecked | No | If enabled, action will create an insight that contains raw email of the report. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"absolute_file_path": "{filepath}"
}
Insight
| Name | Body |
|---|---|
| Report {ID}. Raw Email | {content of the response. \n should be replaced with \ } |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully downloaded raw email related to the report with ID {0} in Cofense Triage.".format(report_id) if unsuccessful aka status code 400(is_success = false): print "Action wasn't able to download raw email related to the report with ID {0} in Cofense Triage. Reason: \n {1}".format(report_id, errors/detail) The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Download Report Email". Reason: {0}''.format(error.Stacktrace) If file with filename exists and overwrite false: "Error executing action "Download Report Email". Reason: File with that file path already exists. Please remove it or set 'Overwrite' to true." |
General |
Download Report Preview
Description
Download image preview from the email related to the report from Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the ID of the report, which contains the raw email that needs to be downloaded. |
| Download Folder | String | N/A | Yes | Specify the absolute path to the download folder. Note: Name will be constructed in the following way {report id}.eml. |
| Overwrite | Checkbox | Checked | No | If enabled, action will overwrite the file with the same name and filepath. |
| Image Format | DDL | PNG
Possible values:
|
Yes | Specify the format of the image. |
| Create Insight | Checkbox | Unchecked | No | If enabled, action will create an insight that contains raw email of the report. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"absolute_file_path": "{filepath}"
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful (is_success=true):"Successfully downloaded preview related to the report with ID {0} in Cofense Triage.".format(report_id) If unsuccessful that is when the 400 status code (is_success=false): "Action wasn't able to download a preview related to the report with ID {0} in Cofense Triage. Reason: \n {1}".format(report_id, errors/detail) The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Download Report Preview". Reason: {0}''.format(error.Stacktrace) If file with filename exists and overwrite false: "Error executing action "Download Report Email". Reason: File with that file path already exists. Please remove it or set 'Overwrite' to true." |
General |
Enrich URL
Description
Return information about the URL from Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Risk Score Threshold | Integer | 50 | Yes | Specify, what should be the risk score threshold for Google Security Operations SOAR to label that URL as suspicious. Maximum is 100. |
Run On
This action runs on the URL entity.
Action Results
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| COFENSE_TRG_id | If available in JSON Result. |
| COFENSE_TRG_risk_score | If available in JSON Result. |
| COFENSE_TRG_created_at | If available in JSON Result. |
| COFENSE_TRG_updated_at | If available in JSON Result. |
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"id": "1",
"type": "urls",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/1"
},
"attributes": {
"url": "https://www.paypal.com/us",
"risk_score": null,
"created_at": "2019-04-12T02:58:20.008Z",
"updated_at": "2019-04-12T02:58:20.008Z"
},
"relationships": {
"hostname": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/1/relationships/hostname",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/1/hostname"
},
"data": {
"type": "hostnames",
"id": "2"
}
},
"clusters": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/1/relationships/clusters",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/1/clusters"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/1/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/1/reports"
}
}
}
},
{
"id": "2",
"type": "urls",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/2"
},
"attributes": {
"url": "http://cie.org.mx/leather.php?amount=1qw2f60krdrf8c",
"risk_score": null,
"created_at": "2019-04-12T02:58:20.011Z",
"updated_at": "2019-04-12T02:58:20.011Z"
},
"relationships": {
"hostname": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/2/relationships/hostname",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/2/hostname"
},
"data": {
"type": "hostnames",
"id": "1"
}
},
"clusters": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/2/relationships/clusters",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/2/clusters"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/urls/2/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/urls/2/reports"
}
}
}
}
],
"links": {
"first": "https://tap.phishmecloud.com/api/public/v2/urls?filter%5Burl%5D=https%3A%2F%2Fwww.paypal.com%2Fus%2Chttp%3A%2F%2Fcie.org.mx%2Fleather.php%3Famount%3D1qw2f60krdrf8c&page%5Bnumber%5D=1&page%5Bsize%5D=20",
"last": "https://tap.phishmecloud.com/api/public/v2/urls?filter%5Burl%5D=https%3A%2F%2Fwww.paypal.com%2Fus%2Chttp%3A%2F%2Fcie.org.mx%2Fleather.php%3Famount%3D1qw2f60krdrf8c&page%5Bnumber%5D=1&page%5Bsize%5D=20"
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful for at least one URL(is_success = true): print "Successfully enriched the following URLs using Cofense Triage: \n {0}".format(entity.identifier list) if successful for at least one URL(is_success = true): print "Action wasn't able to enrich the following URLs using Cofense Triage: \n {0}".format(entity.identifier list) If fail to enrich for all entities (is_success = false): Print: "No URLs were enriched." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Enrich URL". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Fields that are in the Enrichment table section, but without the prefix "COFENSE_TRG_" | Entity |
Execute Playbook
Description
Initiate a playbook execution in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the ID of the report on which you want to execute the playbook. |
| Playbook Name | String | N/A | Yes | Specify the name of the playbook that needs to be executed. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If the 204 status code is reported (is_success=true): "Successfully executed playbook {playbook name} on report {report id} in Cofense Triage." The action should fail and stop a playbook execution: If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "Execute Playbook". Reason: {0}''.format(error.Stacktrace)" If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Playbooks". Reason: {0}''.format(error.Stacktrace) If errors are reported in the response: "Error executing action "Execute Playbook". Reason: {0}''.format(detail)" If the playbook is not found: "Error executing action "Execute Playbook". Reason: playbook with name {name} is not found." |
General |
Get Domain Details
Description
Return information about the domain from Cofense Triage.
Parameters
| Parameter Display Name |
|---|
| N/A |
Run On
This action runs on the URL entity.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"id": "1",
"type": "hostnames",
"attributes": {
"hostname": "cie.org.mx",
"risk_score": null,
"created_at": "2019-04-12T02:58:19.893Z",
"updated_at": "2019-04-12T02:58:19.974Z"
},
"relationships": {
"clusters": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/clusters",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/clusters"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/reports"
}
},
"urls": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/relationships/urls",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/1/urls"
}
}
}
},
{
"id": "2",
"type": "hostnames",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2"
},
"attributes": {
"hostname": "www.paypal.com",
"risk_score": null,
"created_at": "2019-04-12T02:58:19.898Z",
"updated_at": "2019-04-12T02:58:19.965Z"
},
"relationships": {
"clusters": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/clusters",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/clusters"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/reports"
}
},
"urls": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/relationships/urls",
"related": "https://tap.phishmecloud.com/api/public/v2/hostnames/2/urls"
}
}
}
}
],
"links": {
"first": "https://tap.phishmecloud.com/api/public/v2/hostnames?filter%5Bhostname%5D=www.paypal.com%2Ccie.org.mx&page%5Bnumber%5D=1&page%5Bsize%5D=20",
"last": "https://tap.phishmecloud.com/api/public/v2/hostnames?filter%5Bhostname%5D=www.paypal.com%2Ccie.org.mx&page%5Bnumber%5D=1&page%5Bsize%5D=20"
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful for at least one URL(is_success = true): print "Successfully returned details about the following domains using Cofense Triage: \n {0}".format(entity.identifier list) if successful for at least one URL(is_success = true): print "Action wasn't able to get details about the following domains using Cofense Triage: \n {0}".format(entity.identifier list) If fail to enrich for all entities (is_success = false): Print: "No information about the domains was found." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Get Domain Details". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: Domain Details Table Columns: Name - hostname Risk Score - risk_score |
General |
Get Report Headers
Description
Return information about the header related to the report from Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the id of the report for which you want to retrieve headers. |
| Max Headers To Return | Integer | 50 | No | Specify how many headers to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"id": "4",
"type": "headers",
"attributes": {
"key": "Mime-Version",
"value": "1.0",
"created_at": "2020-11-03T16:43:33.767Z",
"updated_at": "2020-11-03T16:43:33.767Z"
},
"relationships": {
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/headers/4/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/headers/4/reports"
}
}
}
}
],
"links": {
"first": "https://tap.phishmecloud.com/api/public/v2/reports/13507/headers?page%5Bnumber%5D=1&page%5Bsize%5D=20",
"last": "https://tap.phishmecloud.com/api/public/v2/reports/13507/headers?page%5Bnumber%5D=1&page%5Bsize%5D=20"
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully returned related headers to the report with ID {0} in Cofense Triage.".format(report_id) if unsuccessful aka status code 404(is_success = false): print "Action wasn't able to return related headers to the report with ID {0} in Cofense Triage. Reason: \n {1}".format(report_id, errors/detail) If no rules found (is_success = false): Print: "No related headers were found to the report with ID {0} in Cofense Triage.".format(report_id) The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Get Report Headers". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: Report {0} Headers Table Columns: Name - key Value - value |
General |
Get Report Reporters
Description
Return information about the reporter related to the report from Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Report ID | String | N/A | Yes | Specify the id of the report for which you want to retrieve reporters. |
| Max Reporters To Return | Integer | 50 | No | Specify how many reporters to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
"data": {
"id": "5331",
"type": "reporters",
"attributes": {
"email": "user@example.com",
"reports_count": 277,
"last_reported_at": "2020-11-06T18:32:47.000Z",
"reputation_score": 561,
"vip": true,
"created_at": "2019-10-24T01:05:28.649Z",
"updated_at": "2020-11-06T18:33:59.004Z"
},
"relationships": {
"clusters": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reporters/5331/relationships/clusters",
"related": "https://tap.phishmecloud.com/api/public/v2/reporters/5331/clusters"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reporters/5331/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/reporters/5331/reports"
}
}
}
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful(is_success = true): print "Successfully returned related reporters to the report with ID {0} in Cofense Triage.".format(report_id) if unsuccessful aka status code 404(is_success = false): print "Action wasn't able to return related reporters to the report with ID {0} in Cofense Triage. Reason: \n {1}".format(report_id, errors/detail) If no rules found (is_success = false): Print: "No related reporters were found to the report with ID {0} in Cofense Triage.".format(report_id) The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Get Report Reporters". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Table Name: Report {0} Reporters Table Columns: Email - email Reports Count - reports_count Reputation Score - reputation_score VIP - vip |
General |
Get Threat Indicator Details
Description
Return information about the entities based on the threat indicator details from Cofense Triage.
Parameters
| Parameter Display Name |
|---|
| N/A |
Run On
This action runs on all entity.
Action Results
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| COFENSE_TRG_ti_id | If available in JSON Result. |
| COFENSE_TRG_ti_type | If available in JSON Result. |
| COFENSE_TRG_ti_threat_level | If available in JSON Result. |
| COFENSE_TRG_ti_threat_source | If available in JSON Result. |
| COFENSE_TRG_ti_created_at | If available in JSON Result. |
| COFENSE_TRG_id_updated_at | If available in JSON Result. |
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"id": "1",
"type": "threat_indicators",
"attributes": {
"threat_level": "Malicious",
"threat_type": "MD5",
"threat_value": "f1364ab115332cb44b5d7bb734d2cbf6",
"threat_source": "Triage-UI",
"created_at": "2019-06-06T18:55:38.107Z",
"updated_at": "2020-11-03T16:41:19.972Z"
},
"relationships": {
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/threat_indicators/1/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/threat_indicators/1/reports"
}
}
}
}
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful for at least one entity(is_success = true): print "Successfully returned threat indicator details about the following entities using Cofense Triage: \n {0}".format(entity.identifier list) if successful for at least one entity(is_success = true): print "Action wasn't able to return threat indicator details about the following entities using Cofense Triage: \n {0}".format(entity.identifier list) If fail to enrich for all entities (is_success = false): Print: "No threat indicator information about the entities was found." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: print "Error executing action "Get Threat Indicator Details". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Fields that are in the Enrichment table section, but without the prefix "COFENSE_TRG_" | Entity |
List Categories
Description
List available categories in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Names | CSV | N/A | No | Specify a comma-separated list of category names. This parameter is useful to check, whether a category with the specified name exists. |
| Lowest Score To Fetch | Integer | N/A | No | Specify the lowest accepted score for the category. This parameter can work with negative values. |
| Only Malicious | Checkbox | Unchecked | No | If enabled, the action only returns malicious categories. |
| Only Archived | Checkbox | Unchecked | No | If enabled, the action only returns archived categories. |
| Only Non Archived | Checkbox | Unchecked | No | If enabled, the action only returns non-archived categories. |
| Only Non Malicious | Checkbox | Unchecked | No | If enabled, the action only returns non-malicious categories. |
| Max Categories To Return | Integer | N/A | No | Specify the number of categories to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"data": [
{
"id": "1",
"type": "categories",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/categories/1"
},
"attributes": {
"name": "Non-Malicious",
"score": -5,
"malicious": false,
"color": "#739d75",
"archived": false,
"created_at": "2019-04-11T08:24:49.787Z",
"updated_at": "2019-11-12T19:15:37.849Z"
},
"relationships": {
"one_clicks": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/categories/1/relationships/one_clicks",
"related": "https://tap.phishmecloud.com/api/public/v2/categories/1/one_clicks"
}
},
"reports": {
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/categories/1/relationships/reports",
"related": "https://tap.phishmecloud.com/api/public/v2/categories/1/reports"
}
}
}
}
],
"links": {
"first": "https://tap.phishmecloud.com/api/public/v2/categories?filter%5Barchived%5D=false&filter%5Bmalicious%5D=false&filter%5Bname%5D=Non-Malicious&filter%5Bscore_gteq%5D=-5&page%5Bnumber%5D=1&page%5Bsize%5D=20",
"last": "https://tap.phishmecloud.com/api/public/v2/categories?filter%5Barchived%5D=false&filter%5Bmalicious%5D=false&filter%5Bname%5D=Non-Malicious&filter%5Bscore_gteq%5D=-5&page%5Bnumber%5D=1&page%5Bsize%5D=20"
}
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful (is_success=true): "Successfully returned available categories from Cofense Triage." If no categories are found (is_success=false) "No categories were found for the criteria." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Categories". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: Available Categories Table Column:
|
General |
List Playbooks
Description
List available playbooks in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Filter Key | DDL | Select One Possible Values:
|
No | Specify the key that needs to be used to filter playbooks. |
| Filter Logic | DDL | Not Specified Possible values:
|
No | Specify the type of filter logic that should be applied. Filtering logic works based on the value provided in the "Filter Key" parameter. Note: The "Equals" logic is case sensitive, while "Contains" is case insensitive. |
| Filter Value | String | N/A | No | Specify the value that should be used in the filter. If "Equal" is selected, the action tries to find the exact match among results. If "Contains" is selected, the action tries to find results that contain that substring. If nothing is provided in this parameter, the filter is not applied. Filtering logic works based on the value provided in the "Filter Key" parameter. |
| Max Records To Return | Integer | 50 | No | Specify the number of records to return. If nothing is provided, the action returns 50 records. Maximum: 200 |
Run On
This action doesn't run on entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
[
{
"id": "1",
"type": "playbooks",
"links": {
"self": "https://reltest6.phishmecloud.com/api/public/v2/playbooks/1"
},
"attributes": {
"name": "SN_Test",
"description": "",
"active": true,
"button_color": "#204d74",
"add_rule_tags_to_report_tags": true,
"remove_existing_report_tags": false,
"remove_existing_cluster_tags": false,
"report_tags": [
"SN_Test"
],
"cluster_tags": [
"SN_Cluster_Test",
"test1"
],
"delete_report": false,
"guid": "b443a844-ffc2-49d2-8903-1a5f7fde7526",
"created_at": "2021-05-28T01:29:22.080Z",
"updated_at": "2022-04-08T06:04:17.016Z"
}
}
]
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If data is available (is_success=true): "Successfully found playbooks for the provided criteria in Cofense Triage." If data is not available (is_success=false): "No playbooks were found for the provided criteria in Cofense Triage." If the "Filter Value" parameter is empty (is_success=true): "The filter was not applied, because parameter "Filter Value" has an empty value." If the "Filter Logic" parameter is set to "Not Specified" (is_success=true): "The filter was not applied, because parameter "Filter Logic" is not specified." The action should fail and stop a playbook execution: If the "Filter Key" parameter is set to "Select One" and the "Filter Logic" parameter is set to "Equal" or "Contains": "Error executing action "{action name}". Reason: you need to select a field from the "Filter Key" parameter." If an invalid value is provided for the "Max Records to Return" parameter: "Error executing action "{action name}". Reason: "Invalid value was provided for "Max Records to Return": If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Playbooks". Reason: {0}''.format(error.Stacktrace) |
General |
| Case Wall Table | Table Name: Available Playbooks Table Column:
|
General |
List Reports Related To Threat Indicators
Description
List reports related to threat indicators in Cofense Triage.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Create Case Wall Table | Checkbox | Unchecked | No | If enabled, action will create a case wall table with information about reports. |
| Max Reports To Return | Integer | 100 | No | Specify how many reports to return. |
Run On
This action runs on all entities.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
{
"reports": [
{
"id": "13219",
"type": "reports",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13219"
},
"attributes": {
"location": "Inbox",
"risk_score": null,
"from_address": null,
"subject": "Delivery reports about your e-mail",
"received_at": "2019-05-17T01:25:07.642Z",
"reported_at": "2019-05-16T23:01:50.000Z",
"raw_headers": "Date: Fri, 17 May 2019 01:25:07 +0000\r\nMessage-ID: <5cde0d73994b2_10902aea1885332418512@ip-10-132-9-226.ec2.internal.mail>\r\nSubject: Delivery reports about your e-mail\r\nMime-Version: 1.0\r\nContent-Type: multipart/mixed;\r\n boundary=\"--==_mimepart_5cde0d7399130_10902aea18853324184a7\";\r\n charset=UTF-8\r\nContent-Transfer-Encoding: 7bit",
"md5": "3e4c2e6e85695569ae7a11aac8a774c6",
"sha256": "1434d565d7735a841f39cb953cfdbbba1d0793324900d42c25b212b454a77993",
"match_priority": 4,
"tags": [],
"categorization_tags": [],
"processed_at": null,
"created_at": "2019-05-17T01:25:07.652Z",
"updated_at": "2019-05-17T01:25:10.032Z"
},
"meta": {
"risk_score_summary": null
}
},
{
"id": "13227",
"type": "reports",
"links": {
"self": "https://tap.phishmecloud.com/api/public/v2/reports/13227"
},
"attributes": {
"location": "Inbox",
"risk_score": null,
"from_address": null,
"subject": "Delivery reports about your e-mail",
"received_at": "2019-05-17T14:53:54.318Z",
"reported_at": "2019-05-16T23:01:50.000Z",
"raw_headers": "Date: Fri, 17 May 2019 14:53:54 +0000\r\nMessage-ID: <5cdecb024a663_107f2b040f2cd3306399@ip-10-132-9-226.ec2.internal.mail>\r\nSubject: Delivery reports about your e-mail\r\nMime-Version: 1.0\r\nContent-Type: multipart/mixed;\r\n boundary=\"--==_mimepart_5cdecb024a2fd_107f2b040f2cd3306387b\";\r\n charset=UTF-8\r\nContent-Transfer-Encoding: 7bit",
"md5": "92bb365c3fe712216610e884621c771a",
"sha256": "da37a508cd47987e9989fc8a2af12352c6652fa5c421f4556ef6a198bf73821e",
"match_priority": 4,
"tags": [],
"categorization_tags": [],
"processed_at": null,
"created_at": "2019-05-17T14:53:54.327Z",
"updated_at": "2019-05-17T14:53:56.453Z"
},
"meta": {
"risk_score_summary": null
}
}
],
}
Case Wall
| Result type | Value/Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: if successful: "Successfully returned reports related to provided entities from Cofense Triage." The action should fail and stop a playbook execution: if fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Reports Related To Threat Indicators". Reason: (error.Stacktrace) |
General |
| Case Wall Table | Table Name: Related Reports Table Column: ID Subject Created At Location |
General |
Ping
Description
Test connectivity to Cofense Triage with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
|
General |
Connector
Cofense Triage - Reports Connector
Pull reports from Cofense Triage.
Configure Cofense Triage - Reports Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory< | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | location | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://tap.phishmecloud.com | Yes | API Root of the Cofense Triage instance. |
| Client ID | String | N/A | Yes | Client ID of the Cofense Triage account. |
| Client Secret | Password | N/A | Yes | Client Secret of the Cofense Triage account. |
| Lowest Risk Score To Fetch | Integer | 0 | Yes | Lowest risk score that will be used to fetch emails. Maximum is 100. |
| Fetch Max Hours Backwards | Integer | 1 | No | Amount of hours from where to fetch emails. |
| Max Reports To Fetch | Integer | 10 | No | How many reports to process per one connector iteration. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, whitelist will be used as a blacklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify the SSL certificate for the connection to the Cofense Triage server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |