Cofense Intelligence
## Overview

The Cofense Intelligence connector allows for seamless integration of Cofense's detailed threat intelligence into Swimlane's automated workflows, enhancing threat detection and response activities. Cofense Intelligence provides actionable threat insights, enabling security teams to proactively defend against emerging threats.

This connector facilitates the integration of Cofense's rich threat intelligence data into Swimlane Turbine, allowing users to automate the retrieval and analysis of detailed threat reports and IOCs. By leveraging this integration, security operations can enhance incident response, streamline threat hunting, and maintain a proactive security posture with minimal manual intervention.

## Prerequisites

To utilize the Cofense Intelligence connector within Swimlane Turbine, ensure you have the following prerequisites:

- HTTP Basic authentication with the following parameters:
  - URL: the endpoint URL for the Cofense Intelligence API
  - API username: your Cofense Intelligence account username
  - API token: a unique token used for authenticating API requests

## Limitations

None to date.

## Capabilities

This connector provides the following capabilities:

- Fetch available feeds
- Retrieve new/updated threats
- Search for specific threats
- Retrieve full malware threat details
- Retrieve full phish threat details
- Fetch/download threat reports in CEF/STIX/HTML/PDF
- Fetch/download malware threat reports in CEF/STIX/HTML/PDF
- Fetch/download phish threat reports in CEF/STIX/HTML/PDF
- Retrieve threat screenshots
- Search for indicators of compromise (IOCs)
- Submit new phish URLs

### Fetch available feeds

Retrieves the list of feeds our account can access (e.g., "Cofense", "APWG"). This lets us confirm feed IDs and permissions.

### Retrieve new/updated threats

Maintains near real-time ingestion of newly published or updated Cofense Intelligence (malware) and Cofense Credential Phish (phish) threat IDs into Swimlane.

### Search for specific threats

Allows on-demand lookups of specific threat IDs or indicators (IPs, domains, file hashes) from within Swimlane playbooks.

### Retrieve full malware threat details

When a threat ID is identified (either from `/threat/updates` or a manual search), fetches the complete JSON object containing block sets, domain/IP lists, campaign metadata, etc.

### Retrieve full phish threat details

When a threat ID is identified (either from `/threat/updates` or a manual search), fetches the complete JSON object containing block sets, domain/IP lists, campaign metadata, etc.

### Fetch/download threat reports in CEF/STIX/HTML/PDF

Generates standardized reports in CEF/STIX/HTML/PDF formats.

### Fetch/download malware threat reports in CEF/STIX/HTML/PDF

Generates standardized malware threat reports in CEF/STIX/HTML/PDF formats.

### Fetch/download phish threat reports in CEF/STIX/HTML/PDF

Generates standardized phish threat reports in CEF/STIX/HTML/PDF formats.

### Retrieve threat screenshots

Obtains Cofense Credential Phish webpage screenshots to embed in incident tickets or dashboards.

### Search for indicators of compromise (IOCs)

Pulls metadata on individual IOCs (hashes, domains, IPs) so we can cross-reference against alerts in Swimlane playbooks.

### Submit new phish URLs

Allows our analysts to submit new suspicious URLs directly from Swimlane into Cofense for analysis.

## Configurations

### Cofense Intelligence API Key Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | API username | string | required |
| password | API token for authentication | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Fetch Available Feeds

Retrieve a list of accessible feeds for the account, confirming feed IDs and permissions in Cofense Intelligence.

Endpoint URL: `/feed`

Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | array | Response data |
| id | number | Unique identifier |
| permissions | object | Output field permissions |
| read | boolean | Output field read |
| owner | boolean | Output field owner |
| write | boolean | Output field write |
| displayName | string | Name of the resource |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "success": true,
      "data": []
    }
  }
]
```

### Fetch/Download Malware Threat Reports

Retrieve or download detailed malware threat reports from Cofense Intelligence using a specific threat ID and format.

Endpoint URL: `/t3/malware/{{threat_id}}/{{format}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | number | required | The threat ID to return |
| format | string | required | The format to be returned |

Example:

```json
[
  {}
]
```

### Fetch/Download Phish Threat Reports

Retrieve or download detailed phish threat reports from Cofense Intelligence using a specific threat ID and format.

Endpoint URL: `/t3/phish/{{threat_id}}/{{format}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | number | required | The threat ID to return |
| format | string | required | The format to be returned |

Example:

```json
[
  {}
]
```

### Fetch/Download Threat Reports

Retrieve or download standardized threat reports from Cofense Intelligence in the specified format.

Endpoint URL: `/t3/{{format}}`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| format | string | required | The format to be returned |
| beginTimestamp | number | optional | The seconds since epoch from which we should start returning data. If omitted, the current time minus 24 hours is used as the default. |
| endTimestamp | number | optional | The seconds since epoch at which we should stop returning data. If omitted, the current time is used as the default. |

Example:

```json
[
  {}
]
```

### Retrieve Full Threat Malware Details

Fetches comprehensive threat details, including block sets, domain/IP lists, and campaign metadata, for a specified threat ID in Cofense Intelligence.

Endpoint URL: `/threat/malware/{{threat_id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | number | required | The numeric ID of the Cofense Intelligence report |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| id | number | Unique identifier |
| relatedSearchTags | array | Output field relatedSearchTags |
| feeds | array | Output field feeds |
| id | number | Unique identifier |
| permissions | object | Output field permissions |
| read | boolean | Output field read |
| owner | boolean | Output field owner |
| write | boolean | Output field write |
| displayName | string | Name of the resource |
| blockSet | array | Output field blockSet |
| malwareFamily | object | Output field malwareFamily |
| familyName | string | Name of the resource |
| description | string | Output field description |
| impact | string | Output field impact |
| confidence | number | Unique identifier |
| blockType | string | Type of the resource |
| role | string | Output field role |
| roleDescription | string | Output field roleDescription |
| data | string | Response data |
| data_1 | string | Response data |
| campaignBrandSet | array | Output field campaignBrandSet |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "success": true,
      "data": {}
    }
  }
]
```

### Retrieve Full Threat Phish Details

Fetches comprehensive details for a specified threat ID in Cofense Intelligence, including block sets, domain/IP lists, and campaign metadata.

Endpoint URL: `/threat/phish/{{threat_id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | number | required | Unique identifier |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| id | number | Unique identifier |
| relatedSearchTags | array | Output field relatedSearchTags |
| feeds | array | Output field feeds |
| id | number | Unique identifier |
| permissions | object | Output field permissions |
| read | boolean | Output field read |
| owner | boolean | Output field owner |
| write | boolean | Output field write |
| displayName | string | Name of the resource |
| blockSet | array | Output field blockSet |
| malwareFamily | object | Output field malwareFamily |
| familyName | string | Name of the resource |
| description | string | Output field description |
| impact | string | Output field impact |
| confidence | number | Unique identifier |
| blockType | string | Type of the resource |
| role | string | Output field role |
| roleDescription | string | Output field roleDescription |
| data | string | Response data |
| data_1 | string | Response data |
| campaignBrandSet | array | Output field campaignBrandSet |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "success": true,
      "data": {}
    }
  }
]
```

### Retrieve New/Updated Threats

Ingest new or updated threat IDs from Cofense Intelligence for near real-time updates in Swimlane.

Endpoint URL: `/threat/updates`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| timestamp | number | optional | The epoch time in seconds from which data will be returned. If not passed by the caller, it defaults to a timestamp 6 months before the current date. |
| position | string | optional | A unique string used to identify the last record read by this client |
| includeIndicators | boolean | optional | Controls whether to include indicator change log entries for each threat. If not passed, it defaults to false. |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| nextPosition | string | Output field nextPosition |
| changelog | array | Output field changelog |
| threatId | number | Unique identifier |
| threatType | string | Type of the resource |
| occurredOn | number | Output field occurredOn |
| deleted | boolean | Output field deleted |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "nextPosition": "latest",
      "changelog": []
    }
  }
]
```

### Retrieve Threat Screenshots

Obtain webpage screenshots of Cofense Credential Phish threats using the threat ID, to enhance incident tickets or dashboards.

Endpoint URL: `/screenshot/{{threat_id}}`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threat_id | number | required | The numeric ID of the desired Cofense Credential Phish |

Example:

```json
[
  {}
]
```

### Search for Indicators of Compromise

Retrieve metadata on IOCs, including hashes, domains, and IPs, to cross-reference with Swimlane playbook alerts.

Endpoint URL: `/indicator/search`

Method: GET

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| reportType | string | optional | Choose whether to search for indicators related to phishing attacks, malware campaigns, or both |
| indicatorType | string | optional | The type of IOC to search for |
| impact | string | optional | Choose the impact level of returned IOCs |
| sinceLastPublished | number | optional | The seconds since epoch from which we should start returning IOC data |
| page | number | optional | A zero-based integer indicating the page of results to return |
| resultsPerPage | number | optional | The number of threat IDs to include in a page |

Example:

```json
[
  {}
]
```

### Search for Specific Threats

Perform on-demand lookups of threat IDs or indicators such as IPs, domains, and file hashes using Cofense Intelligence within Swimlane playbooks.

Endpoint URL: `/threat/search`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| threatType | string | optional | Choose whether to search for phishing attacks, malware campaigns, or both |
| page | number | optional | A one-based integer indicating the page of results to return |
| resultsPerPage | number | optional | The number of threat IDs to include in a page |
| threatId | string | optional | The unique identifier for a threat. The format of this value is a prefix of either `p_` for phish (Cofense Credential Phish) or `m_` for malware (Cofense Intelligence) followed by the threatNativeId value. |
| threatNativeId | string | optional | The numeric native ID of a given threat. The threatNativeId and threatType together make up a unique key for any individual threat. |
| beginTimestamp | number | optional | The seconds since epoch from which we should start returning data |
| endTimestamp | number | optional | The seconds since epoch at which we should stop returning data |
| extractedString | string | optional | Search for extracted strings discovered within malware campaigns |
| malwareSenderName | string | optional | Search the sender name of malware campaigns |
| malwareSubject | string | optional | Search the message subject associated with malware campaigns |
| dropMail | string | optional | Search drop mail addresses associated with threats |
| phishingAsn | number | optional | Search the ASN associated with a phishing threat |
| phishingAsnCountryCode | string | optional | Search the country code associated with phishing threats |
| phishingAsnOrganization | string | optional | Search the ASN organization associated with phishing threats |
| brand | string | optional | May be specified multiple times. Search for brands associated with a threat. This search criterion must match the exact brand name used to categorize a threat within Cofense. |
| kitMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided kit hash value (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| kitHash | string | optional | May be specified multiple times. Search for threats associated with the provided kit hash value (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| malwareArtifactMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| malwareArtifactHash | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| webComponentMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| webComponentHash | string | optional | May be specified multiple times. Search for threats associated with the provided malware artifact hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| allMD5 | string | optional | May be specified multiple times. Search for threats associated with the provided hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| allHash | string | optional | May be specified multiple times. Search for threats associated with the provided hash (MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512). |
| hasKit | boolean | optional | Search for threats which have an associated kit |
| urlSearch | string | optional | A specific URL to search for; this supports exact and partial matching of URLs |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| page | object | Output field page |
| currentPage | number | Output field currentPage |
| currentElements | number | Output field currentElements |
| totalPages | number | Output field totalPages |
| totalElements | number | Output field totalElements |
| threats | array | Output field threats |
| id | number | Unique identifier |
| permissions | object | Output field permissions |
| owner | boolean | Output field owner |
| write | boolean | Output field write |
| read | boolean | Output field read |
| displayName | string | Name of the resource |
| screenshot | object | Output field screenshot |
| url | string | URL endpoint for the request |
| confirmedDate | number | Date value |
| ipDetail | object | Output field ipDetail |
| ip | string | Output field ip |
| lookupOn | number | Output field lookupOn |
| latitude | number | Output field latitude |
| longitude | number | Output field longitude |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "success": true,
      "data": {}
    }
  }
]
```

### Submit New Phish URLs

Enables analysts to submit suspicious URLs from Swimlane to Cofense Intelligence for thorough analysis.

Endpoint URL: `/threat/phish`

Method: POST

Input:

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| feed | number | optional | Parameter for Submit New Phish URLs |
| phishUrl | string | required | URL endpoint for the request |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| success | boolean | Whether the operation was successful |
| data | object | Response data |
| urlCount | number | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 200,
    "reason": "OK",
    "json_body": {
      "success": true,
      "data": {}
    }
  }
]
```
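The cursor walk that the Retrieve New/Updated Threats action describes, as an added Python example (not the connector's or Cofense's own code): it resumes from a saved position or a first-run timestamp, follows nextPosition, routes each live threatId to the malware or phish detail endpoint listed above, and separates deletions so their indicators can be retracted. The `post` transport, the sample pages, and the rule that an empty changelog ends the walk are assumptions.

```python
import base64
from typing import Callable, Dict, List, Optional, Set, Tuple

# Detail endpoints from the connector's action list, chosen by the changelog's threatType.
DETAIL_PATH = {"MALWARE": "/threat/malware/{id}", "PHISH": "/threat/phish/{id}"}

def basic_auth_header(username: str, api_token: str) -> str:
    """HTTP Basic header from the connector's username + API token configuration."""
    return "Basic " + base64.b64encode(f"{username}:{api_token}".encode()).decode()

def sync_threat_updates(post: Callable[[str, Dict[str, str]], Dict], position: Optional[str] = None,
                        timestamp: Optional[int] = None, include_indicators: bool = False,
                        max_pages: int = 100) -> Tuple[List[str], List[Tuple[str, int]], Optional[str]]:
    """Walk /threat/updates from a saved cursor (or an epoch-seconds timestamp on the first run).
    Returns (detail paths to fetch, deleted (threatType, threatId) pairs, cursor to persist).
    Stopping on an empty changelog is an assumption about the API, not documented above."""
    to_fetch: List[str] = []
    deleted: List[Tuple[str, int]] = []
    seen: Set[Tuple[str, int]] = set()
    for _ in range(max_pages):
        form = {"includeIndicators": str(include_indicators).lower()}
        if position:
            form["position"] = position         # resume from the last record read
        elif timestamp is not None:
            form["timestamp"] = str(timestamp)  # first run: bound the window ourselves
        body = post("/threat/updates", form)
        entries = body.get("changelog", [])
        for entry in entries:
            key = (entry["threatType"], entry["threatId"])
            if entry.get("deleted"):
                deleted.append(key)             # retract its IOCs instead of re-fetching
            elif key not in seen:               # a threat updated twice is fetched once
                seen.add(key)
                to_fetch.append(DETAIL_PATH[key[0]].format(id=key[1]))
        position = body.get("nextPosition", position)
        if not entries:
            break
    return to_fetch, deleted, position

# Constructed sample pages keyed by the position sent (not real Cofense data); fake_post stands
# in for a real transport that would POST the form with basic_auth_header() set.
SAMPLE_PAGES = {
    None: {"nextPosition": "cursor-A", "changelog": [
        {"threatId": 101, "threatType": "MALWARE", "occurredOn": 1700000000, "deleted": False},
        {"threatId": 202, "threatType": "PHISH", "occurredOn": 1700000005, "deleted": False}]},
    "cursor-A": {"nextPosition": "latest", "changelog": [
        {"threatId": 101, "threatType": "MALWARE", "occurredOn": 1700000009, "deleted": False},
        {"threatId": 303, "threatType": "PHISH", "occurredOn": 1700000010, "deleted": True}]},
    "latest": {"nextPosition": "latest", "changelog": []}}

def fake_post(path: str, form: Dict[str, str]) -> Dict:
    assert path == "/threat/updates"
    return SAMPLE_PAGES[form.get("position")]
```

Persist the returned cursor between playbook runs and pass it back as `position`; only the very first run should fall back to `timestamp`.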