Cofense Intelligence
The Cofense Intelligence connector allows for seamless integration of Cofense's detailed threat intelligence into Swimlane's automated workflows, enhancing threat detection and response activities. Cofense Intelligence provides actionable threat insights, enabling security teams to proactively defend against emerging threats.

This connector facilitates the integration of Cofense's rich threat intelligence data into Swimlane Turbine, allowing users to automate the retrieval and analysis of detailed threat reports and IOCs. By leveraging this integration, security operations can enhance incident response, streamline threat hunting, and maintain a proactive security posture with minimal manual intervention.

## Prerequisites

To utilize the Cofense Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic Authentication with the following parameters:
  - URL: the endpoint URL for the Cofense Intelligence API
  - API Username: your Cofense Intelligence account username
  - API Token: a unique token used for authenticating API requests

## Limitations

None to date.

## Capabilities

This connector provides the following capabilities:

- Fetch Available Feeds
- Retrieve New/Updated Threats
- Search for Specific Threats
- Retrieve Full Malware Threat Details
- Retrieve Full Phish Threat Details
- Fetch/Download Threat Reports in CEF/STIX/HTML/PDF
- Fetch/Download Malware Threat Reports in CEF/STIX/HTML/PDF
- Fetch/Download Phish Threat Reports in CEF/STIX/HTML/PDF
- Retrieve Threat Screenshots
- Search for Indicators of Compromise (IOCs)
- Submit New Phish URLs

**Fetch Available Feeds**: Retrieves the list of feeds our account can access (e.g., "Cofense", "APWG"). This lets us confirm feed IDs and permissions.

**Retrieve New/Updated Threats**: Maintain near real-time ingestion of newly published or updated Cofense Intelligence (malware) and Cofense Credential Phish (phish) threat IDs into Swimlane.

**Search for Specific Threats**: Allow on-demand lookups of specific threat IDs or indicators (IPs, domains, file hashes) from within Swimlane playbooks.

**Retrieve Full Malware Threat Details**: When a threat ID is identified (either from /threat/updates or a manual search), fetch the complete JSON object containing block sets, domain/IP lists, campaign metadata, etc.

**Retrieve Full Phish Threat Details**: When a threat ID is identified (either from /threat/updates or a manual search), fetch the complete JSON object containing block sets, domain/IP lists, campaign metadata, etc.

**Fetch/Download Threat Reports in CEF/STIX/HTML/PDF**: Generates standardized reports in CEF/STIX/HTML/PDF formats.

**Fetch/Download Malware Threat Reports in CEF/STIX/HTML/PDF**: Generates standardized malware threat reports in CEF/STIX/HTML/PDF formats.

**Fetch/Download Phish Threat Reports in CEF/STIX/HTML/PDF**: Generates standardized phish threat reports in CEF/STIX/HTML/PDF formats.

**Retrieve Threat Screenshots**: Obtain Cofense Credential Phish webpage screenshots to embed in incident tickets or dashboards.

**Search for Indicators of Compromise (IOCs)**: Pull metadata on individual IOCs (hashes, domains, IPs) so we can cross-reference them against alerts in Swimlane playbooks.

**Submit New Phish URLs**: Allow our analysts to submit new suspicious URLs directly from Swimlane into Cofense for analysis.

## Configurations

### Cofense Intelligence API Key Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | API username | string | required |
| Password | API token for authentication | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Available Feeds

Retrieve a list of accessible feeds for the account, confirming feed IDs and permissions in Cofense Intelligence.

Endpoint URL: `/feed`

Method: `GET`

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | array | Response data |
| data.id | number | Response data |
| data.permissions | object | Response data |
| data.permissions.read | boolean | Response data |
| data.permissions.owner | boolean | Response data |
| data.permissions.write | boolean | Response data |
| data.displayName | string | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"success": true, "data": [{}]}}
```

### Fetch/Download Malware Threat Reports

Retrieve or download detailed malware threat reports from Cofense Intelligence using a specific threat ID and format.

Endpoint URL: `/t3/malware/{{threat_id}}/{{format}}`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | number | required | The threat ID to return |
| path_parameters.format | string | required | The format to be returned |

Input example:

```json
{"path_parameters": {"threat_id": 123456789, "format": "html"}}
```

### Fetch/Download Phish Threat Reports

Retrieve or download detailed phish threat reports from Cofense Intelligence using a specific threat ID and format.

Endpoint URL: `/t3/phish/{{threat_id}}/{{format}}`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | number | required | The threat ID to return |
| path_parameters.format | string | required | The format to be returned |

Input example:

```json
{"path_parameters": {"threat_id": 123456789, "format": "html"}}
```

### Fetch/Download Threat Reports

Retrieve or download standardized threat reports from Cofense Intelligence in the specified format.

Endpoint URL: `/t3/{{format}}`

Method: `POST`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.format | string | required | The format to be returned |
| parameters.beginTimestamp | number | optional | The seconds since epoch from which we should start returning data. If omitted, the current time minus 24 hours is used as the default. |
| parameters.endTimestamp | number | optional | The seconds since epoch at which we should stop returning data. If omitted, the current time is used as the default. |

Input example:

```json
{"parameters": {"beginTimestamp": 620000000, "endTimestamp": 630000000}, "path_parameters": {"format": "cef"}}
```

### Retrieve Full Threat Malware Details

Fetches comprehensive threat details, including block sets, domain/IP lists, and campaign metadata, for a specified threat ID in Cofense Intelligence.

Endpoint URL: `/threat/malware/{{threat_id}}`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | number | required | The numeric ID of the Cofense Intelligence report |

Input example:

```json
{"path_parameters": {"threat_id": 123456789}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| data.id | number | Response data |
| data.relatedSearchTags | array | Response data |
| data.feeds | array | Response data |
| data.feeds.id | number | Response data |
| data.feeds.permissions | object | Response data |
| data.feeds.permissions.read | boolean | Response data |
| data.feeds.permissions.owner | boolean | Response data |
| data.feeds.permissions.write | boolean | Response data |
| data.feeds.displayName | string | Response data |
| data.blockSet | array | Response data |
| data.blockSet.malwareFamily | object | Response data |
| data.blockSet.malwareFamily.familyName | string | Response data |
| data.blockSet.malwareFamily.description | string | Response data |
| data.blockSet.impact | string | Response data |
| data.blockSet.confidence | number | Response data |
| data.blockSet.blockType | string | Response data |
| data.blockSet.role | string | Response data |
| data.blockSet.roleDescription | string | Response data |
| data.blockSet.data | string | Response data |
| data.blockSet.data_1 | string | Response data |
| data.campaignBrandSet | array | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"success": true, "data": {"id": 211729, "relatedSearchTags": [], "feeds": [], "blockSet": [], "campaignBrandSet": [], "extractedStringSet": [], "domainSet": [], "senderEmailSet": [], "executableSet": [], "senderIpSet": [], "senderNameSet": [], "spamUrlSet": [], "subjectSet": [], "campaignLanguageSet": [], "campaignScreenshotSet": []}}}
```

### Retrieve Full Threat Phish Details

Fetches comprehensive details for a specified threat ID in Cofense Intelligence, including block sets, domain/IP lists, and campaign metadata.

Endpoint URL: `/threat/phish/{{threat_id}}`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | number | required | Parameters for the Retrieve Full Threat Phish Details action |

Input example:

```json
{"path_parameters": {"threat_id": 123456789}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| data.id | number | Response data |
| data.relatedSearchTags | array | Response data |
| data.feeds | array | Response data |
| data.feeds.id | number | Response data |
| data.feeds.permissions | object | Response data |
| data.feeds.permissions.read | boolean | Response data |
| data.feeds.permissions.owner | boolean | Response data |
| data.feeds.permissions.write | boolean | Response data |
| data.feeds.displayName | string | Response data |
| data.blockSet | array | Response data |
| data.blockSet.malwareFamily | object | Response data |
| data.blockSet.malwareFamily.familyName | string | Response data |
| data.blockSet.malwareFamily.description | string | Response data |
| data.blockSet.impact | string | Response data |
| data.blockSet.confidence | number | Response data |
| data.blockSet.blockType | string | Response data |
| data.blockSet.role | string | Response data |
| data.blockSet.roleDescription | string | Response data |
| data.blockSet.data | string | Response data |
| data.blockSet.data_1 | string | Response data |
| data.campaignBrandSet | array | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"success": true, "data": {"id": 211729, "relatedSearchTags": [], "feeds": [], "blockSet": [], "campaignBrandSet": [], "extractedStringSet": [], "domainSet": [], "senderEmailSet": [], "executableSet": [], "senderIpSet": [], "senderNameSet": [], "spamUrlSet": [], "subjectSet": [], "campaignLanguageSet": [], "campaignScreenshotSet": []}}}
```

### Retrieve New/Updated Threats

Ingest new or updated threat IDs from Cofense Intelligence for near real-time updates in Swimlane.

Endpoint URL: `/threat/updates`

Method: `POST`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.timestamp | number | optional | The epoch in seconds from which data will be returned. If not passed by the caller, it will default to a timestamp of 6 months before the current date. |
| parameters.position | string | optional | A unique string used to identify the last record read by this client |
| parameters.includeIndicators | boolean | optional | A boolean value that controls whether to include indicator change log entries for each threat. If not passed, it will default to false. |

Input example:

```json
{"parameters": {"timestamp": 123456789, "position": "latest", "includeIndicators": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextPosition | string | Output field nextPosition |
| changeLog | array | Output field changeLog |
| changeLog.threatId | number | Unique identifier |
| changeLog.threatType | string | Type of the resource |
| changeLog.occurredOn | number | Output field changeLog.occurredOn |
| changeLog.deleted | boolean | Output field changeLog.deleted |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"nextPosition": "latest", "changeLog": [{}]}}
```

### Retrieve Threat Screenshots

Obtain webpage screenshots of Cofense Credential Phish threats using the threat ID, to enhance incident tickets or dashboards.

Endpoint URL: `/screenshot/{{threat_id}}`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.threat_id | number | required | The numeric ID of the desired Cofense Credential Phish |

Input example:

```json
{"path_parameters": {"threat_id": 123456789}}
```

### Search for Indicators of Compromise

Retrieve metadata on IOCs, including hashes, domains, and IPs, to cross-reference with Swimlane playbook alerts.

Endpoint URL: `/indicator/search`

Method: `GET`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.reportType | string | optional | Choose whether to search for indicators related to phishing attacks, malware campaigns, or both |
| parameters.indicatorType | string | optional | The type of IOC to search for |
| parameters.impact | string | optional | Choose the impact level of returned IOCs |
| parameters.sinceLastPublished | number | optional | The seconds since epoch from which we should start returning IOC data |
| parameters.page | number | optional | A zero-based integer indicating the page of results to return |
| parameters.resultsPerPage | number | optional | The number of threat IDs to include in a page |

Input example:

```json
{"parameters": {"reportType": "all", "indicatorType": "all", "impact": "all", "sinceLastPublished": 30, "page": 0, "resultsPerPage": 100}}
```

### Search for Specific Threats

Perform on-demand lookups of threat IDs or indicators such as IPs, domains, and file hashes using Cofense Intelligence within Swimlane playbooks.

Endpoint URL: `/threat/search`

Method: `POST`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.threatType | string | optional | Choose whether to search for phishing attacks, malware campaigns, or both |
| parameters.page | number | optional | A one-based integer indicating the page of results to return |
| parameters.resultsPerPage | number | optional | The number of threat IDs to include in a page |
| parameters.threatId | string | optional | The unique identifier for a threat. The format of this value is a prefix of either "p_" for phish (Cofense Credential Phish) or "m_" for malware (Cofense Intelligence), followed by the threatNativeId value. |
| parameters.threatNativeId | string | optional | The numeric native ID of a given threat. The threatNativeId and threatType make up a unique key for any individual threat. |
| parameters.beginTimestamp | number | optional | The seconds since epoch from which we should start returning data |
| parameters.endTimestamp | number | optional | The seconds since epoch at which we should stop returning data |
| parameters.extractedString | string | optional | Search for extracted strings discovered within malware campaigns |
| parameters.malwareSenderName | string | optional | Search for the sender name of malware campaigns |
| parameters.malwareSubject | string | optional | Search the message subject associated with malware campaigns |
| parameters.dropMail | string | optional | Search drop mail addresses associated with threats |
| parameters.phishingAsn | number | optional | Search the ASN associated with a phishing threat |
| parameters.phishingAsnCountryCode | string | optional | Search the country code associated with phishing threats |
| parameters.phishingAsnOrganization | string | optional | Search the ASN organization associated with phishing threats |
| parameters.brand | string | optional | May be specified multiple times. Search for brands associated with a threat. This search criterion must match the exact brand name used to categorize a threat within Cofense. |
| parameters.kitMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided kit hash value (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.kitHash | string | optional | May be specified multiple times. Search for threats associated with the provided kit hash value (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.malwareArtifactMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.malwareArtifactHash | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.webComponentMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.webComponentHash | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.allMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.allHash | string | optional | May be specified multiple times. Search for threats associated with the provided hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| parameters.hasKit | boolean | optional | Search for threats which have an associated kit |
| parameters.urlSearch | string | optional | A specific URL to search for. This supports exact and partial matching of URLs. |

Input example:

```json
{"parameters": {"threatType": "all", "page": 1, "resultsPerPage": 10, "threatId": "p_123456", "threatNativeId": "native_123456", "beginTimestamp": 123456789, "endTimestamp": 987654321, "extractedString": "example", "malwareSenderName": "malware_sender", "malwareSubject": "malware_subject", "dropMail": "drop_mail", "phishingAsn": 1234, "phishingAsnCountryCode": "US", "phishingAsnOrganization": "phishing_org", "brand": "example_brand", "kitMD5": "md5", "kitHash": "sha-1", "malwareArtifactMD5": "md5hex", "malwareArtifactHash": "sha-1", "webComponentMD5": "md5", "webComponentHash": "sha-1", "allMD5": "md5", "allHash": "sha-224", "hasKit": true, "urlSearch": "http://example.com", "threatUrlSearch": "http://threat.example.com", "reportedUrlSearch": "http://reported.example.com", "actionUrlSearch": "http://action.example.com", "malwareWatchlistUrlSearch": "http://watchlist.example.com", "threatIp": "10.10.10.10", "malwareSenderIp": "10.10.10.10", "malwareWatchlistIp": "10.10.10.10", "ip": "10.10.10.10", "threatDomain": "example.com", "reportedDomain": "reported.example.com", "malwareDomain": "malware.example.com", "malwareWatchlistDomain": "watchlist.example.com", "domain": "example.com", "kitFile": "kit_file.txt", "malwareFile": "malware_file.txt", "webComponentFile": "web_component_file.txt", "file": "file.txt", "phishingTitle": "phishing_title", "language": "en", "malwareFamily": "malware_family", "watchlistEmail": "test@doc.com"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| data.page | object | Response data |
| data.page.page | object | Response data |
| data.page.page.currentPage | number | Response data |
| data.page.page.currentElements | number | Response data |
| data.page.page.totalPages | number | Response data |
| data.page.page.totalElements | number | Response data |
| data.page.threats | array | Response data |
| data.page.threats.id | number | Response data |
| data.page.threats.permissions | object | Response data |
| data.page.threats.permissions.owner | boolean | Response data |
| data.page.threats.permissions.write | boolean | Response data |
| data.page.threats.permissions.read | boolean | Response data |
| data.page.threats.displayName | string | Response data |
| data.page.screenshot | object | Response data |
| data.page.screenshot.url | string | Response data |
| data.page.confirmedDate | number | Response data |
| data.page.ipDetail | object | Response data |
| data.page.ipDetail.ip | string | Response data |
| data.page.ipDetail.lookupOn | number | Response data |
| data.page.ipDetail.latitude | number | Response data |
| data.page.ipDetail.longitude | number | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"success": true, "data": {"page": {}}}}
```

### Submit New Phish URLs

Enables analysts to submit suspicious URLs from Swimlane to Cofense Intelligence for thorough analysis.

Endpoint URL: `/threat/phish`

Method: `POST`

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| feed | number | optional | Feed parameter for Submit New Phish URLs |
| phishUrl | string | optional | The suspicious URL to submit |

Input example:

```json
{"json_body": {"feed": 2, "phishUrl": "http://downloadpdf.lixter.com/secure/cecaccountstatement/"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| data.urlCount | number | Response data |

Output example:

```json
{"status_code": 200, "reason": "OK", "json_body": {"success": true, "data": {"urlCount": 1}}}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
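The Retrieve New/Updated Threats action is a cursor-based feed: the first call carries `timestamp`, later calls carry the `position` returned as `nextPosition`, and each `changeLog` entry names the threat to fetch with the Retrieve Full Threat Malware/Phish Details action. The following Python is an added example written for this page, not Swimlane's or Cofense's own code. It assumes an injectable `transport` callable in place of a real HTTP client, assumes `changeLog.threatType` carries the values `malware` and `phish`, and uses constructed sample responses, IDs and cursors throughout.

```python
"""Cursor-based polling of the Retrieve New/Updated Threats action.

Added example for this page (not Swimlane's or Cofense's code). Assumptions, not taken
from the page: `transport` is an injectable callable standing in for the HTTP client,
changeLog.threatType carries the values "malware" and "phish", and all IDs, cursors and
timestamps below are constructed sample data.
"""
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Endpoint templates and threatId prefixes copied from the action reference.
DETAIL_ENDPOINT = {"malware": "/threat/malware/{id}", "phish": "/threat/phish/{id}"}
SEARCH_PREFIX = {"malware": "m_", "phish": "p_"}


def basic_auth_header(username: str, api_token: str) -> Dict[str, str]:
    """HTTP Basic header built from the connector's username and API token."""
    raw = f"{username}:{api_token}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


@dataclass
class ThreatRef:
    """One changeLog entry, with the follow-up requests it implies."""
    threat_id: int
    threat_type: str
    occurred_on: int

    @property
    def detail_path(self) -> str:
        """Path of the Retrieve Full Threat Malware/Phish Details action for this threat."""
        return DETAIL_ENDPOINT[self.threat_type].format(id=self.threat_id)

    @property
    def search_id(self) -> str:
        """threatId value for /threat/search: "m_" or "p_" followed by threatNativeId."""
        return SEARCH_PREFIX[self.threat_type] + str(self.threat_id)


Transport = Callable[[str, str, Dict[str, str], Dict[str, object]], Dict[str, object]]


def poll_updates(base_url: str, transport: Transport, headers: Dict[str, str],
                 since_epoch: int, position: Optional[str] = None,
                 include_indicators: bool = False, max_pages: int = 10
                 ) -> Tuple[List[ThreatRef], List[ThreatRef], Optional[str]]:
    """Walk /threat/updates until nextPosition stops advancing.

    The first request carries `timestamp`; each later one carries only the `position`
    cursor returned as nextPosition, so nothing already read is fetched twice. Deleted
    entries are returned separately so a playbook can retire the matching records.
    """
    active: List[ThreatRef] = []
    deleted: List[ThreatRef] = []
    for _ in range(max_pages):
        params: Dict[str, object] = {"includeIndicators": include_indicators}
        if position is None:
            params["timestamp"] = since_epoch
        else:
            params["position"] = position
        resp = transport("POST", base_url + "/threat/updates", headers, params)
        if resp.get("status_code") != 200:
            raise RuntimeError(f"/threat/updates failed: {resp.get('reason')}")
        body = resp["json_body"]
        for entry in body.get("changeLog", []):
            ref = ThreatRef(entry["threatId"], entry["threatType"], entry["occurredOn"])
            (deleted if entry.get("deleted") else active).append(ref)
        next_position = body.get("nextPosition")
        if not next_position or next_position == position:
            break  # cursor did not move: nothing newer than what we already have
        position = next_position
    return active, deleted, position


# Constructed sample responses in the connector's output shape (not real Cofense data).
SAMPLE_RESPONSES = [
    {"status_code": 200, "reason": "OK", "json_body": {"nextPosition": "cursor-1", "changeLog": [
        {"threatId": 211729, "threatType": "malware", "occurredOn": 1704067200, "deleted": False},
        {"threatId": 900001, "threatType": "phish", "occurredOn": 1704070800, "deleted": False}]}},
    {"status_code": 200, "reason": "OK", "json_body": {"nextPosition": "cursor-2", "changeLog": [
        {"threatId": 900001, "threatType": "phish", "occurredOn": 1704074400, "deleted": True}]}},
    {"status_code": 200, "reason": "OK", "json_body": {"nextPosition": "cursor-2", "changeLog": []}},
]


def make_fake_transport(responses):
    """Transport that replays canned responses and records every request it sees."""
    queue, log = list(responses), []

    def transport(method, url, headers, params):
        log.append({"method": method, "url": url, "params": dict(params)})
        return queue.pop(0)

    return transport, log


def run_demo() -> Dict[str, object]:
    headers = basic_auth_header("analyst@example.com", "API_TOKEN_PLACEHOLDER")
    transport, log = make_fake_transport(SAMPLE_RESPONSES)
    active, deleted, cursor = poll_updates("https://cofense.example", transport, headers,
                                           since_epoch=1704000000)
    return {"detail_paths": [r.detail_path for r in active],
            "search_ids": [r.search_id for r in active],
            "deleted_ids": [r.threat_id for r in deleted],
            "cursor": cursor, "requests": log}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Persist the returned cursor between playbook runs and pass it back as `position`; only the very first run should rely on `timestamp`, since the six-month default would otherwise replay history on every poll.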
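The Search for Specific Threats action accepts one parameter per indicator kind (`allHash`, `ip`, `domain`, `urlSearch`), and several of them may be specified multiple times. A playbook that cross-references alert indicators therefore has to classify each indicator before it can build the request body. The Python below is an added example for this page, not Swimlane's or Cofense's code: it classifies indicators by the hash lengths the page lists (MD5 through SHA-512), IPv4 syntax, a URL scheme, or DNS-label rules, then assembles the `parameters` object. It assumes that repeatable parameters are sent as JSON lists and that the `ip` parameter takes IPv4 addresses; the indicator values are constructed samples.

```python
"""Build a Search for Specific Threats request body from alert indicators.

Added example for this page (not Swimlane's or Cofense's code). Assumptions, not from
the page: repeatable parameters are sent as JSON lists, the `ip` parameter takes IPv4
addresses, and the sample indicators below are constructed, not real IOCs.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Hash types accepted by the allHash parameter, keyed by hex-digit length.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224", 64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}
# Which /threat/search parameter each indicator kind maps to.
IOC_PARAMETER = {"hash": "allHash", "ip": "ip", "url": "urlSearch", "domain": "domain"}
# Parameters the reference marks "may be specified multiple times".
MULTI_VALUED = {"brand", "kitMD5", "kitHash", "malwareArtifactMD5", "malwareArtifactHash",
                "webComponentMD5", "webComponentHash", "allMD5", "allHash"}

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # one DNS label, no leading/trailing '-'


def hash_name(value: str) -> str:
    """Name of the hash algorithm implied by a hex digest's length, or '' if none."""
    v = value.strip()
    return HASH_LENGTHS.get(len(v), "") if _HEX.match(v) else ""


def classify_ioc(value: str) -> str:
    """Return 'hash', 'ip', 'url' or 'domain'; raise ValueError for anything else."""
    v = value.strip()
    if hash_name(v):
        return "hash"
    try:
        ipaddress.IPv4Address(v)
        return "ip"
    except ValueError:
        pass
    if v.lower().startswith(("http://", "https://")):
        return "url"
    labels = v.lower().rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return "domain"
    raise ValueError(f"unrecognised indicator: {value!r}")


def _add_parameter(params: Dict[str, object], key: str, value: str) -> None:
    """Append to a repeatable parameter; refuse to overwrite a single-valued one."""
    if key in MULTI_VALUED:
        params.setdefault(key, []).append(value)
    elif key in params and params[key] != value:
        raise ValueError(f"{key} is single-valued; got {params[key]!r} and {value!r}")
    else:
        params[key] = value


def build_threat_search(iocs: Iterable[str], threat_type: str = "all", page: int = 1,
                        results_per_page: int = 10, brands: Iterable[str] = ()) -> Dict[str, object]:
    """Assemble the `parameters` object for POST /threat/search (page is one-based)."""
    params: Dict[str, object] = {"threatType": threat_type, "page": page,
                                 "resultsPerPage": results_per_page}
    for ioc in iocs:
        _add_parameter(params, IOC_PARAMETER[classify_ioc(ioc)], ioc.strip())
    for brand in brands:
        _add_parameter(params, "brand", brand)  # must match Cofense's exact brand name
    return {"parameters": params}


# Constructed sample indicators as a playbook might extract them from an alert.
SAMPLE_ALERT_IOCS: List[str] = [
    "d41d8cd98f00b204e9800998ecf8427e",          # 32 hex digits -> MD5
    "10.10.10.10",
    "http://example.com/login",
    "example.com",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",  # 40 hex digits -> SHA-1
]


def run_demo() -> Dict[str, object]:
    return build_threat_search(SAMPLE_ALERT_IOCS, brands=["Example Brand"])


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Because `ip`, `domain` and `urlSearch` are single-valued in the reference, two different IPs from one alert cannot share a request; the builder raises rather than silently dropping one, so the playbook can issue separate searches instead.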