Cofense Triage
The Cofense Triage connector provides streamlined incident response and threat intelligence capabilities by connecting with the Cofense Triage phishing response platform.

Cofense Triage is a comprehensive phishing response platform that enables security teams to identify, analyze, and mitigate email-based threats. By integrating with Swimlane Turbine, users can automate the categorization of reports, creation of threat indicators, and management of response actions directly within the security workflow. This connector streamlines incident handling and enhances the efficiency of phishing defense mechanisms, providing a robust defense against sophisticated email threats.

## Prerequisites

Before integrating Cofense Triage with Swimlane Turbine, ensure you have the following prerequisites:

- OAuth 2.0 client credentials authentication with the following parameters:
  - URL: Endpoint for Cofense Triage API access.
  - Client ID: Unique identifier for OAuth 2.0 authentication.
  - Client Secret: Confidential key for OAuth 2.0 authentication.

## Capabilities

This connector provides the following capabilities:

- Categorize a report
- Create a threat indicator
- Create category
- Create response
- Delete to-many relationship
- Delete to-one relationship
- Get a category
- Get a cluster
- Get a header
- Get a hostname
- Get a report
- Get a reporter
- Get a response
- Get a rule
- Get a threat indicator
- and so on

## Installation

You will need to generate a Cofense Triage API token to use this connector. To generate the API token:

1. Open Administration > Account Management > Operators.
2. In the API Token Actions column of the superuser who will access the API, click (+) to generate the token for that superuser.

Cofense Triage generates the token and displays the token in the API Token column. You will use the token and associated email address in the asset of this connection.

## Filtering lists

As explained in the API documentation, the general form of the URL is:

```
https://hostname/api/public/v2/example_resources?filter[attribute_op]=value
```

Given that a query string can be of arbitrary size, Swimlane accepts a query string with the format:

```
filter[attribute_name_1_op]=value_1,value_2...value_n&filter[attribute_name_2_op]=value_1,value_2...value_n&filter[attribute_name_n_op]=value_1,value_2...value_n
```

This string, if given, will be appended to the request query.

### Limit results

Some tasks receive an optional limit parameter. When given, buckets of 50 records are going to be returned up to the limit defined.

### Filter ops

#### Comparison operators

- `eq`: This is the default comparison operator if no operator is specified. Returns results when an attribute is equal to the supplied value.
- `not_eq`: Returns results when an attribute is not equal to the supplied value.
- `lt`: Returns results when an attribute is less than the supplied value.
- `lteq`: Returns results when an attribute is less than or equal to the supplied value.
- `gt`: Returns results when an attribute is greater than the supplied value.
- `gteq`: Returns results when an attribute is greater than or equal to the supplied value.

Examples:

```
filter[report_count]=5
filter[report_count_eq]=5
filter[report_count_not_eq]=5
filter[report_count_not_lt]=100
filter[report_count_not_lteq]=101
filter[report_count_not_gt]=0
filter[report_count_not_gteq]=1
filter[id]=1,2,3,4
filter[id_gteq]=5
```

#### String comparison operators

The Cofense Triage API also permits string comparison operators in addition to the standard operators above.

- `start`: Returns results when an attribute starts with the supplied value.
- `not_start`: Returns results when an attribute does not start with the supplied value.
- `end`: Returns results when an attribute ends with the supplied value.
- `not_end`: Returns results when an attribute does not end with the supplied value.
- `cont`: Returns results when an attribute contains the supplied value.
- `not_cont`: Returns results when an attribute does not contain the supplied value.

Examples:

```
filter[subject_start]=congratulations
filter[subject_not_start]=voice
filter[subject_end]=urgent payment
filter[subject_not_end]=payment
filter[subject_cont]=gift,present
filter[subject_not_cont]=notification
```

#### Array comparison operators

Some resources have an array attribute that contains a list of values. Array attributes follow a common usage pattern, but the filters supported will vary. Reference the resource description for available filters.

- `any_op`: Returns resources where any value in the array matches the standard or string comparison operator (`op`).

Examples:

```
filter[filenames_any]=.png
filter[filenames_any_start]=taco
filter[filenames_any_end]=png
filter[filenames_any_cont]=menu
```

#### Tag list comparison operators

Some resources have a tag list attribute that contains a list of Triage tags that were applied to that resource. For example, the report resource's `categorization_tag_list` attribute contains any tags assigned to a report when the report was processed. Tag list attributes do not support the standard or string comparison operators. Attributes of this type support the following comparison operators:

- `any`: Returns results when a resource is tagged with any of the specified tags.
- `all`: Returns results when a resource is tagged with all of the specified tags.
- `none`: Returns results when a resource is not tagged with any of the specified tags.

Examples:

```
filter[categorization_tag_list_any]=tag1
filter[categorization_tag_list_any]=tag1,tag2
filter[categorization_tag_list_all]=tag1,tag3
filter[categorization_tag_list_none]=tag4
```

### Sparse fieldsets

All API resources can be instructed to only return specific attributes in the endpoint's response by using the `fields` query parameter. Limiting the amount of returned data in this way can improve the performance of the query. The general `fields` syntax is as follows:

```
fields[type]=attribute
```

`type` is the name of the resource type. `attribute` is the name of the attribute to return. To return multiple attributes, specify `attribute` as a comma-separated list. For example: `fields[reports]=name,address`

Examples:

```
fields[reports]=subject
fields[reports]=subject,match_priority
```

For more information, access the Cofense Triage API documentation with your Cofense Triage customer account [here](https://community.cofense.com).

This connector was last tested against product version: API version 2.

## Configurations

### OAuth 2.0 Client Credentials

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | Server host address | string | Required |
| client_id | Client ID used for authentication | string | Required |
| client_secret | Client secret used for authentication | string | Required |
| verify_ssl | Verify SSL certificate | boolean | Optional |
| http_proxy | A proxy to route requests through | string | Optional |

## Actions

### Categorize a report

Categorizes a report in Cofense Triage using the specified report ID, allowing for email responses and tagging.

Endpoint URL: `/api/public/v2/reports/{{id}}/categorize`

Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | number | Required | The category id |
| data_body | object | Required | Response data |
| data_body.data | object | Required | Response data |
| data_body.data.category_id | string | Required | A category_id property set to the unique identifier of the category |
| data_body.data.outbound_template_id | string | Optional | An outbound_template_id property set to the unique identifier of the outbound template |
| data_body.data.categorization_tags | array | Optional | A categorization_tags property set to an array of strings containing the tags to apply to the categorized report |
| headers | object | Required | HTTP headers for the request |
| headers.Content-Type | string | Required | HTTP headers for the request |

Input example:

```json
{"path_parameters": {"id": 1}, "data_body": {"data": {"category_id": "1", "outbound_template_id": "2", "categorization_tags": ["one", "two", "three"]}}, "headers": {"Content-Type": "application/vnd.api+json"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK"}
```

### Create a threat indicator

Generates a new threat indicator in Cofense Triage using the specified data body and headers.

Endpoint URL: `/api/public/v2/threat_indicators`

Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Response data |
| data_body.data | object | Required | Response data |
| data_body.data.id | string | Optional | An id property set to the unique identifier for the object |
| data_body.data.type | string | Required | A type property set to threat_indicators |
| data_body.data.attributes | object | Required | An attributes section containing, at a minimum, these attributes: threat_level, threat_type, and threat_value |
| data_body.data.attributes.threat_level | string | Required | Response data |
| data_body.data.attributes.threat_type | string | Required | Response data |
| data_body.data.attributes.threat_value | string | Required | Response data |
| data_body.data.attributes.threat_source | string | Optional | Response data |
| data_body.data.attributes.created_at | string | Optional | Response data |
| data_body.data.attributes.updated_at | string | Optional | Response data |
| headers | object | Required | HTTP headers for the request |
| headers.Content-Type | string | Required | HTTP headers for the request |

Input example:

```json
{"data_body": {"data": {"id": "1", "type": "categories", "attributes": {"threat_level": "malicious", "threat_type": "sender", "threat_value": "zoe.watts@example.org", "threat_source": "triage ui", "created_at": "2022-07-13T09:07:22.562Z", "updated_at": "2022-07-13T09:07:22.562Z"}}}, "headers": {"Content-Type": "application/vnd.api+json"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.threat_level | string | Response data |
| data.attributes.threat_type | string | Response data |
| data.attributes.threat_value | string | Response data |
| data.attributes.threat_source | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.owner | object | Response data |
| data.relationships.owner.links | object | Response data |
| data.relationships.owner.links.self | string | Response data |
| data.relationships.owner.links.related | string | Response data |
| data.relationships.owner.data | object | Response data |
| data.relationships.owner.data.type | string | Response data |
| data.relationships.owner.data.id | string | Response data |
| data.relationships.comments | object | Response data |
| data.relationships.comments.links | object | Response data |
| data.relationships.comments.links.self | string | Response data |

Output example:

```json
{"status_code": 201, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "threat_indicators", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Create category

Creates a new category in Cofense Triage with the provided data body and headers.

Endpoint URL: `/api/public/v2/categories`

Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Response data |
| data_body.data | object | Required | Response data |
| data_body.data.id | string | Optional | An id property set to the unique identifier for the object |
| data_body.data.type | string | Required | A type property set to categories |
| data_body.data.attributes | object | Required | An attributes section containing, at a minimum, these attributes: name, score, and color |
| data_body.data.attributes.name | string | Required | Response data |
| data_body.data.attributes.score | number | Required | Response data |
| data_body.data.attributes.malicious | boolean | Optional | Response data |
| data_body.data.attributes.color | string | Required | Response data |
| headers | object | Required | HTTP headers for the request |
| headers.Content-Type | string | Required | HTTP headers for the request |

Input example:

```json
{"data_body": {"data": {"id": "1", "type": "categories", "attributes": {"name": "crimeware", "score": 5, "malicious": true, "color": "#c6911f"}}}, "headers": {"Content-Type": "application/vnd.api+json"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.name | string | Response data |
| data.attributes.score | number | Response data |
| data.attributes.malicious | boolean | Response data |
| data.attributes.color | string | Response data |
| data.attributes.archived | boolean | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.playbooks | object | Response data |
| data.relationships.playbooks.links | object | Response data |
| data.relationships.playbooks.links.self | string | Response data |
| data.relationships.playbooks.links.related | string | Response data |
| data.relationships.reports | object | Response data |
| data.relationships.reports.links | object | Response data |
| data.relationships.reports.links.self | string | Response data |
| data.relationships.reports.links.related | string | Response data |

Output example:

```json
{"status_code": 201, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "categories", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Create response

Creates a new response in Cofense Triage using the specified data body, enabling targeted incident handling.

Endpoint URL: `/api/public/v2/responses`

Method: POST

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| data_body | object | Required | Response data |
| data_body.data | object | Required | Response data |
| data_body.data.id | string | Optional | Response data |
| data_body.data.type | string | Required | Response data |
| data_body.data.attributes | object | Required | Response data |
| data_body.data.attributes.name | string | Required | Response data |
| data_body.data.attributes.subject | string | Required | Response data |
| data_body.data.attributes.body | string | Required | Response data |

Input example:

```json
{"data_body": {"data": {"id": "1", "type": "responses", "attributes": {"name": "example response", "subject": "email '[subject]' reported [report date] is safe", "body": "<p>the email '[subject]' that you reported on [report date] is safe </p>"}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data.links.self | string | Response data |
| data.attributes.bcc_address | string | Response data |
| data.type | string | Response data |
| data.id | number | Response data |
| data.relationships.one_clicks.links.self | string | Response data |
| data.attributes.cc_address | string | Response data |
| raw_json | string | Output field raw_json |
| data.attributes.description | string | Response data |
| data.attributes.to_other | number | Response data |
| data.attributes.to_reporter | number | Response data |
| data.attributes.attach_original | number | Response data |
| data.relationships.one_clicks.links.related | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.attributes.to_other_address | string | Response data |
| data.attributes.name | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.subject | string | Response data |
| data.attributes.body | string | Response data |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data.links.self": "data.links.self", "data.attributes.bcc_address": "data.attributes.bcc_address", "data.type": "data.type", "data.id": 1, "data.relationships.one_clicks.links.self": "data.relationships.one_clicks.links.self", "data.attributes.cc_address": "data.attributes.cc_address", "raw_json": "raw_json", "data.attributes.description": "data.att
```

### Delete to-many relationship

Removes a specified to-many relationship in Cofense Triage using resource type, ID, and relationship name.

Endpoint URL: `/api/public/v2/{{resource_type}}/{{id}}/relationships/{{relationship_name}}`

Method: DELETE

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.resource_type | string | Required | The value identified in the Type section of the resource description |
| path_parameters.id | string | Required | The resource id |
| path_parameters.relationship_name | string | Required | The plural name of the related resource, e.g. "categories", not "category" |
| data_body | object | Required | Response data |
| data_body.data | array | Required | Response data |
| data_body.data.id | string | Required | An id property set to the unique identifier for the related resource |
| data_body.data.type | string | Required | A type property set to the type of the related resource |
| headers | object | Required | HTTP headers for the request |
| headers.Content-Type | string | Required | HTTP headers for the request |

Input example:

```json
{"path_parameters": {"resource_type": "responses", "id": "24", "relationship_name": "recipes"}, "data_body": {"data": [{"id": "1", "type": "recipes"}, {"id": "2", "type": "recipes"}]}, "headers": {"Content-Type": "application/vnd.api+json"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK"}
```

### Delete to-one relationship

Removes a specified to-one relationship in Cofense Triage using the provided resource type, ID, and relationship name.

Endpoint URL: `/api/public/v2/{{resource_type}}/{{id}}/relationships/{{relationship_name}}`

Method: DELETE

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.resource_type | string | Required | The value identified in the Type section of the resource description |
| path_parameters.id | string | Required | The resource id |
| path_parameters.relationship_name | string | Required | The singular name of the related resource, e.g. "category", not "categories" |

Input example:

```json
{"path_parameters": {"resource_type": "responses", "id": "24", "relationship_name": "recipes"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 204, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK"}
```

### Get a category

Retrieve detailed information for a specific category in Cofense Triage using the provided ID.

Endpoint URL: `/api/public/v2/categories/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | Category resource id |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.name | string | Response data |
| data.attributes.score | number | Response data |
| data.attributes.malicious | boolean | Response data |
| data.attributes.color | string | Response data |
| data.attributes.archived | boolean | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.playbooks | object | Response data |
| data.relationships.playbooks.links | object | Response data |
| data.relationships.playbooks.links.self | string | Response data |
| data.relationships.playbooks.links.related | string | Response data |
| data.relationships.reports | object | Response data |
| data.relationships.reports.links | object | Response data |
| data.relationships.reports.links.self | string | Response data |
| data.relationships.reports.links.related | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "categories", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a cluster

Retrieves a specific cluster from Cofense Triage using the provided unique identifier (ID).

Endpoint URL: `/api/public/v2/clusters/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The id of the cluster to fetch |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.risk_score | number | Response data |
| data.attributes.first_reported_at | string | Response data |
| data.attributes.oldest_unprocessed_reported_at | string | Response data |
| data.attributes.last_reported_at | string | Response data |
| data.attributes.last_received_at | string | Response data |
| data.attributes.last_from_address | string | Response data |
| data.attributes.last_subject | string | Response data |
| data.attributes.average_reporter_reputation | string | Response data |
| data.attributes.match_priority | number | Response data |
| data.attributes.tags | array | Response data |
| data.attributes.host_source | string | Response data |
| data.attributes.attachments_count | number | Response data |
| data.attributes.unprocessed_reports_count | number | Response data |
| data.attributes.processed_reports_count | number | Response data |
| data.attributes.total_reports_count | number | Response data |
| data.attributes.rules_count | number | Response data |
| data.attributes.urls_count | number | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "clusters", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a header

Retrieves header information for a specified ID in Cofense Triage, utilizing the provided path parameter.

Endpoint URL: `/api/public/v2/headers/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The header id |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.key | string | Response data |
| data.attributes.value | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.reports | object | Response data |
| data.relationships.reports.links | object | Response data |
| data.relationships.reports.links.self | string | Response data |
| data.relationships.reports.links.related | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "headers", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a hostname

Retrieve detailed host information for a specified ID from Cofense Triage using path parameters.

Endpoint URL: `/api/public/v2/hostnames/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The host id |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.hostname | string | Response data |
| data.attributes.risk_score | number | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.domain | object | Response data |
| data.relationships.domain.links | object | Response data |
| data.relationships.domain.links.self | string | Response data |
| data.relationships.domain.links.related | string | Response data |
| data.relationships.domain.data | object | Response data |
| data.relationships.domain.data.type | string | Response data |
| data.relationships.domain.data.id | string | Response data |
| data.relationships.clusters | object | Response data |
| data.relationships.clusters.links | object | Response data |
| data.relationships.clusters.links.self | string | Response data |
| data.relationships.clusters.links.related | string | Response data |
| data.relationships.reports | object | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "hostnames", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a report

Retrieves detailed information for a specific report in Cofense Triage using the unique identifier provided.

Endpoint URL: `/api/public/v2/reports/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The report id |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.location | string | Response data |
| data.attributes.risk_score | number | Response data |
| data.attributes.from_address | string | Response data |
| data.attributes.subject | string | Response data |
| data.attributes.received_at | string | Response data |
| data.attributes.reported_at | string | Response data |
| data.attributes.raw_headers | string | Response data |
| data.attributes.text_body | string | Response data |
| data.attributes.html_body | string | Response data |
| data.attributes.md5 | string | Response data |
| data.attributes.sha256 | string | Response data |
| data.attributes.match_priority | number | Response data |
| data.attributes.attachments_count | number | Response data |
| data.attributes.comments_count | number | Response data |
| data.attributes.rules_count | number | Response data |
| data.attributes.urls_count | number | Response data |
| data.attributes.tags | array | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "reports", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a reporter

Retrieves detailed information for a specific reporter in Cofense Triage using their unique ID.

Endpoint URL: `/api/public/v2/reporters/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The reporter id |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.email | string | Response data |
| data.attributes.reports_count | number | Response data |
| data.attributes.last_reported_at | string | Response data |
| data.attributes.reputation_score | number | Response data |
| data.attributes.vip | boolean | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.clusters | object | Response data |
| data.relationships.clusters.links | object | Response data |
| data.relationships.clusters.links.self | string | Response data |
| data.relationships.clusters.links.related | string | Response data |
| data.relationships.reports | object | Response data |
| data.relationships.reports.links | object | Response data |
| data.relationships.reports.links.self | string | Response data |
| data.relationships.reports.links.related | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "reporters", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a response

Retrieves a specific response from Cofense Triage using the provided unique identifier (ID).

Endpoint URL: `/api/public/v2/responses/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The response id |

Input example:

```json
{"path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributes.attach_original | number | Output field attributes.attach_original |
| links.self | string | Output field links.self |
| attributes.name | string | Name of the resource |
| raw_json | string | Output field raw_json |
| attributes.body | string | Request body data |
| attributes.subject | string | Output field attributes.subject |
| attributes.to_reporter | number | Output field attributes.to_reporter |
| relationships.one_clicks.links.related | string | Output field relationships.one_clicks.links.related |
| relationships.one_clicks.links.self | string | Output field relationships.one_clicks.links.self |
| id | number | Unique identifier |
| attributes.updated_at | string | Output field attributes.updated_at |
| type | string | Type of the resource |
| attributes.to_other | number | Output field attributes.to_other |
| attributes.created_at | string | Output field attributes.created_at |

Output example (truncated in the source):

```
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"attributes.attach_original": 1, "links.self": "links.self", "attributes.name": "attributes.name", "raw_json": "raw_json", "attributes.body": "attributes.body", "attributes.subject": "attributes.subject", "attributes.to_reporter": 1, "relationships.one_clicks.links.related": "relationships.one_clicks.links.related", "relationships.one_clicks.links.sel
```

### Get a rule

Retrieves a specific Cofense Triage rule by its unique identifier (ID).

Endpoint URL: `/api/public/v2/rules/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The id of the rule to fetch |
| parameters.fields | string | Optional | Optional field to apply to the list, i.e. `fields[type]=attribute` |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.name | string | Response data |
| data.attributes.description | string | Response data |
| data.attributes.priority | number | Response data |
| data.attributes.tags | array | Response data |
| data.attributes.scope | string | Response data |
| data.attributes.author_name | string | Response data |
| data.attributes.rule_context | string | Response data |
| data.attributes.active | boolean | Response data |
| data.attributes.content | string | Response data |
| data.attributes.time_to_live | string | Response data |
| data.attributes.share_with_cofense | boolean | Response data |
| data.attributes.reports_count | number | Response data |
| data.attributes.imported_at | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.cluster_context | object | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "rules", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a threat indicator

Retrieve a specific threat indicator from Cofense Triage using the provided unique identifier.

Endpoint URL: `/api/public/v2/threat_indicators/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The id of the indicator to fetch |
| parameters.fields | string | Optional | Parameters for the Get a Threat Indicator action |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.threat_level | string | Response data |
| data.attributes.threat_type | string | Response data |
| data.attributes.threat_value | string | Response data |
| data.attributes.threat_source | string | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.owner | object | Response data |
| data.relationships.owner.links | object | Response data |
| data.relationships.owner.links.self | string | Response data |
| data.relationships.owner.links.related | string | Response data |
| data.relationships.owner.data | object | Response data |
| data.relationships.owner.data.type | string | Response data |
| data.relationships.owner.data.id | string | Response data |
| data.relationships.comments | object | Response data |
| data.relationships.comments.links | object | Response data |
| data.relationships.comments.links.self | string | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "threat_indicators", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get a URL

Retrieves detailed information for a specific URL in Cofense Triage using the unique identifier (ID) provided.

Endpoint URL: `/api/public/v2/urls/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | The url id |
| parameters.fields | string | Optional | Parameters for the Get a URL action |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.url | string | Response data |
| data.attributes.risk_score | number | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.domain | object | Response data |
| data.relationships.domain.links | object | Response data |
| data.relationships.domain.links.self | string | Response data |
| data.relationships.domain.links.related | string | Response data |
| data.relationships.hostname | object | Response data |
| data.relationships.hostname.links | object | Response data |
| data.relationships.hostname.links.self | string | Response data |
| data.relationships.hostname.links.related | string | Response data |
| data.relationships.hostname.data | object | Response data |
| data.relationships.hostname.data.type | string | Response data |
| data.relationships.hostname.data.id | string | Response data |
| data.relationships.clusters | object | Response data |

Output example:

```json
{"status_code": 200, "response_headers": {"Content-Length": "140", "Content-Type": "application/json", "Date": "Tue, 19 Dec 2023 20:37:23 GMT"}, "reason": "OK", "json_body": {"data": {"id": "1", "type": "urls", "links": {}, "attributes": {}, "relationships": {}}}}
```

### Get an attachment

Retrieves a specific attachment from Cofense Triage using the provided resource ID.

Endpoint URL: `/api/public/v2/attachments/{{id}}`

Method: GET

Input:

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | Required | ID of the resource to which the attachment belongs |
| parameters.fields | string | Optional | Parameters for the Get an Attachment action |

Input example:

```json
{"parameters": {"fields": "fields[reports]=subject"}, "path_parameters": {"id": "1"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.type | string | Response data |
| data.links | object | Response data |
| data.links.self | string | Response data |
| data.attributes | object | Response data |
| data.attributes.filename | string | Response data |
| data.attributes.size | number | Response data |
| data.attributes.is_child | boolean | Response data |
| data.attributes.created_at | string | Response data |
| data.attributes.updated_at | string | Response data |
| data.relationships | object | Response data |
| data.relationships.attachment_payload | object | Response data |
| data.relationships.attachment_payload.links | object | Response data |
| data
relationships attachment payload links self string response data data relationships attachment payload links related string response data data relationships attachment payload data object response data data relationships attachment payload data type string response data data relationships attachment payload data id string response data data relationships parent object response data data relationships parent links object response data data relationships parent links self string response data data relationships parent links related string response data output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"data" {"id" "1","type" "attachments","links" {},"attributes" {},"relationships" {}}}} get an operator retrieves details for a specific operator in cofense triage using the provided unique id endpoint url /api/public/v2/operators/{{id}} method get input argument name type required description path parameters id string required the id of the operator to fetch parameters fields string optional optional field, i e fields\[type]=attribute input example {"parameters" {"fields" "fields\[reports]=subject"},"path parameters" {"id" "1"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data id string response data data type string response data data links object response data data links self string response data data attributes object response data data attributes email string response data data attributes first name string response data data attributes last name string response data data attributes nickname string response data data attributes time zone string response data data attributes permissions object response data data attributes permissions triage string response data data attributes permissions vision string response data data attributes sso 
enabled boolean response data data attributes two factor enabled boolean response data data attributes locked boolean response data data attributes sign in count number response data data attributes last sign in at string response data data attributes password changed at string response data data attributes created at string response data data attributes updated at string response data data relationships object response data output example {"status code" 200,"response headers" {"content length" "140","content type" "application/json","date" "tue, 19 dec 2023 20 37 23 gmt"},"reason" "ok","json body" {"data" {"id" "1","type" "operators","links" {},"attributes" {},"relationships" {}}}} get attachment list retrieve a list of attachments from cofense triage for further analysis or processing endpoint url /api/public/v2/attachments method get input argument name type required description parameters page string optional optional page to apply to the list i e page\[number]=value1\&page\[size]=value2 page\[number] is the page number to return the default is 1 page\[size] is the number of returned objects to display per page valid values are 1 through 200 the default is 20 parameters sort string optional optional sorting filter to apply to the list; must be a comma separated string to sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort= name) parameters filter string optional optional filter to apply to the list; more than one filter can be defined, i e filter\[attribute1 op]=value1\&filter\[attribute2 op]=value2 see readme for further details parameters limit number optional maximum number of results to return defaults to all results parameters fields string optional optional field to apply to the list, i e fields\[type]=attribute input example {"parameters" {"page" "page\[number]=2\&page\[size]=50","sort" "name","filter" "filter\[id eq]=26,27\&filter\[filename]=image006 png","limit" 200,"fields" "fields\[reports]=subject"}} output 
| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes filename | string | Response data |
| data attributes size | number | Response data |
| data attributes is child | boolean | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships attachment payload | object | Response data |
| data relationships attachment payload links | object | Response data |
| data relationships attachment payload links self | string | Response data |
| data relationships attachment payload links related | string | Response data |
| data relationships attachment payload data | object | Response data |
| data relationships attachment payload data type | string | Response data |
| data relationships attachment payload data id | string | Response data |
| data relationships parent | object | Response data |
| data relationships parent links | object | Response data |
| data relationships parent links self | string | Response data |
| data relationships parent links related | string | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get attachment payload

Retrieves the payload of an attachment from Cofense Triage using a specified ID.

Endpoint URL: /api/public/v2/attachment payloads/{{id}}

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | ID of the resource to which the attachment payload belongs |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute |

Input example

{"parameters": {"fields": "fields[reports]=subject"}, "path parameters": {"id": "1"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes mime type | string | Response data |
| data attributes md5 | string | Response data |
| data attributes sha256 | string | Response data |
| data attributes risk score | number | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships attachments | object | Response data |
| data relationships attachments links | object | Response data |
| data relationships attachments links self | string | Response data |
| data relationships attachments links related | string | Response data |
| data relationships clusters | object | Response data |
| data relationships clusters links | object | Response data |
| data relationships clusters links self | string | Response data |
| data relationships clusters links related | string | Response data |
| data relationships integration submissions | object | Response data |
| data relationships integration submissions links | object | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": {"id": "1", "type": "attachment payloads", "links": {}, "attributes": {}, "relationships": {}}}}

Get attachment payload list

Retrieve a list of attachment payloads from Cofense Triage for analysis or processing.

Endpoint URL: /api/public/v2/attachment payloads

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": "name", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes mime type | string | Response data |
| data attributes md5 | string | Response data |
| data attributes sha256 | string | Response data |
| data attributes risk score | number | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships attachments | object | Response data |
| data relationships attachments links | object | Response data |
| data relationships attachments links self | string | Response data |
| data relationships attachments links related | string | Response data |
| data relationships clusters | object | Response data |
| data relationships clusters links | object | Response data |
| data relationships clusters links self | string | Response data |
| data relationships clusters links related | string | Response data |
| data relationships integration submissions | object | Response data |
| data relationships integration submissions links | object | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get category list

Retrieve and classify a list of categories from Cofense Triage to organize reports effectively.

Endpoint URL: /api/public/v2/categories

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": "name", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes name | string | Response data |
| data attributes score | number | Response data |
| data attributes malicious | boolean | Response data |
| data attributes color | string | Response data |
| data attributes archived | boolean | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships playbooks | object | Response data |
| data relationships playbooks links | object | Response data |
| data relationships playbooks links self | string | Response data |
| data relationships playbooks links related | string | Response data |
| data relationships reports | object | Response data |
| data relationships reports links | object | Response data |
| data relationships reports links self | string | Response data |
| data relationships reports links related | string | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get comments

Lists all comments within Cofense Triage, providing a comprehensive overview of user feedback and annotations.

Endpoint URL: /api/public/v2/comments

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters sort | string | Optional | Parameters for the get comments action |
| parameters filter[tags any] | string | Optional | Parameters for the get comments action |
| parameters filter[created at gt] | string | Optional | Parameters for the get comments action |
| parameters page[size] | string | Optional | Parameters for the get comments action |

Input example

{"parameters": {"sort": "id", "filter[tags any]": "escalation ticket", "filter[created at gt]": "string", "page[size]": "50"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data file name | string | Response data |
| data file | string | Response data |
| meta | object | Output field meta |
| meta record count | number | Count value |
| meta page count | number | Count value |
| links | object | Output field links |
| links first | string | Output field links first |
| links last | string | Output field links last |

Output example

{"status code": 200, "response headers": {"date": "mon, 02 sep 2024 08 51 33 gmt", "content type": "application/vnd api+json", "transfer encoding": "chunked", "connection": "keep alive", "x frame options": "sameorigin", "x xss protection": "1; mode=block", "x content type options": "nosniff", "x download options": "noopen", "x permitted cross domain policies": "none", "referrer policy": "strict origin when cross origin", "vary": "accept, origin", "etag": "w/\"acbbf2b0841e547967b280c8f81aff6f\"", "cache control": "max age=0

Get download original file

Retrieve the original file from Cofense Triage using a specific resource ID.

Endpoint URL: /api/public/v2/reports/{{id}}/download

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | The report ID |

Input example

{"path parameters": {"id": "1"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | array | Output field file |
| file file name | string | Name of the resource |
| file file | string | Output field file file |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "file": []}

Get download preview(jpg)

Retrieve a JPEG preview of a report from Cofense Triage using the provided report ID.

Endpoint URL: /api/public/v2/reports/{{id}}/download jpg

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | The report ID |

Input example

{"path parameters": {"id": "1"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {}}

Get download preview(png)

Retrieve a PNG preview of a specific report from Cofense Triage using the provided report ID.

Endpoint URL: /api/public/v2/reports/{{id}}/download png

Method: GET

Input
| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | The report ID |

Input example

{"path parameters": {"id": "1"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {}}

Get email preview image (png)

Downloads a PNG preview image of an email from Cofense Triage using a unique identifier.

Endpoint URL: /api/public/v2/reports/{{id}}/download png

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters id | string | Required | The ID of the report containing the email to generate the preview from |

Input example

{"path parameters": {"id": "1"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| file | array | Output field file |
| file file name | string | Name of the resource |
| file file | string | Output field file file |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "file": []}

Get header list

Retrieves a list of email headers from Cofense Triage for further analysis.

Endpoint URL: /api/public/v2/headers

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-name). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": "name", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes key | string | Response data |
| data attributes value | string | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships reports | object | Response data |
| data relationships reports links | object | Response data |
| data relationships reports links self | string | Response data |
| data relationships reports links related | string | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get hostnames list

Retrieve a comprehensive list of hostnames from Cofense Triage for enhanced analysis or investigative purposes.

Endpoint URL: /api/public/v2/hostnames

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": " id", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes hostname | string | Response data |
| data attributes risk score | number | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships domain | object | Response data |
| data relationships domain links | object | Response data |
| data relationships domain links self | string | Response data |
| data relationships domain links related | string | Response data |
| data relationships domain data | object | Response data |
| data relationships domain data type | string | Response data |
| data relationships domain data id | string | Response data |
| data relationships clusters | object | Response data |
| data relationships clusters links | object | Response data |
| data relationships clusters links self | string | Response data |
| data relationships clusters links related | string | Response data |
| data relationships reports | object | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get relationship to many

Retrieves to-many relationship data for a specified resource in Cofense Triage, utilizing the relationship name, ID, and resource type.

Endpoint URL: /api/public/v2/{{resource type}}/{{id}}/{{relationship name}}

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters relationship name | string | Required | The plural name of the related resource |
| path parameters id | string | Required | The resource ID |
| path parameters resource type | string | Required | The value identified in the type section of the resource description |

Input example

{"path parameters": {"relationship name": "rules", "id": "24", "resource type": "reports"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributes updated at | string | Output field attributes updated at |
| relationships reports links related | string | Output field relationships reports links related |
| links self | string | Output field links self |
| attributes score | number | Score value |
| type | string | Type of the resource |
| raw json | string | Output field raw json |
| relationships reports links self | string | Output field relationships reports links self |
| relationships one clicks links self | string | Output field relationships one clicks links self |
| attributes malicious | number | Output field attributes malicious |
| attributes color | string | Output field attributes color |
| relationships one clicks links related | string | Output field relationships one clicks links related |
| attributes created at | string | Output field attributes created at |
| attributes name | string | Name of the resource |
| id | number | Unique identifier |
| attributes archived | number | Output field attributes archived |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"attributes updated at": "attributes updated at", "relationships reports links related": "relationships reports links related", "links self": "links self", "attributes score": 1, "type": "type", "raw json": "raw json", "relationships reports links self": "relationships reports links self", "relationships one clicks links self": "relationships one cli

Get relationship to one

Retrieves to-one relationship data in Cofense Triage by specifying the relationship name, ID, and resource type.

Endpoint URL: /api/public/v2/{{resource type}}/{{id}}/{{relationship name}}

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| path parameters relationship name | string | Required | The singular name of the related resource, e.g. "category", not "categories" |
| path parameters id | string | Required | The resource ID |
| path parameters resource type | string | Required | The value identified in the type section of the resource description |

Input example

{"path parameters": {"relationship name": "rules", "id": "24", "resource type": "reports"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributes updated at | string | Output field attributes updated at |
| relationships reports links related | string | Output field relationships reports links related |
| links self | string | Output field links self |
| attributes score | number | Score value |
| type | string | Type of the resource |
| raw json | string | Output field raw json |
| relationships reports links self | string | Output field relationships reports links self |
| relationships one clicks links self | string | Output field relationships one clicks links self |
| attributes malicious | number | Output field attributes malicious |
| attributes color | string | Output field attributes color |
| relationships one clicks links related | string | Output field relationships one clicks links related |
| attributes created at | string | Output field attributes created at |
| attributes name | string | Name of the resource |
| id | number | Unique identifier |
| attributes archived | number | Output field attributes archived |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"attributes updated at": "attributes updated at", "relationships reports links related": "relationships reports links related", "links self": "links self", "attributes score": 1, "type": "type", "raw json": "raw json", "relationships reports links self": "relationships reports links self", "relationships one clicks links self": "relationships one cli

Get report list

Retrieve a detailed list of reports from Cofense Triage, including identifiers, status, and threat levels.

Endpoint URL: /api/public/v2/reports

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": "name", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes location | string | Response data |
| data attributes risk score | number | Response data |
| data attributes from address | string | Response data |
| data attributes subject | string | Response data |
| data attributes received at | string | Response data |
| data attributes reported at | string | Response data |
| data attributes raw headers | string | Response data |
| data attributes text body | string | Response data |
| data attributes html body | string | Response data |
| data attributes md5 | string | Response data |
| data attributes sha256 | string | Response data |
| data attributes match priority | number | Response data |
| data attributes attachments count | number | Response data |
| data attributes comments count | number | Response data |
| data attributes rules count | number | Response data |
| data attributes urls count | number | Response data |
| data attributes tags | array | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get reporter list

Retrieve a detailed list of reporters from Cofense Triage, including contact information and report history.

Endpoint URL: /api/public/v2/reporters

Method: GET

Input

| Argument name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters page | string | Optional | Optional page to apply to the list, i.e. page[number]=value1&page[size]=value2. page[number] is the page number to return. The default is 1. page[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter[attribute1 op]=value1&filter[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields[type]=attribute. |

Input example

{"parameters": {"page": "page[number]=2&page[size]=50", "sort": "name", "filter": "filter[id eq]=26,27&filter[filename]=image006 png", "limit": 200, "fields": "fields[reports]=subject"}}

Output

| Parameter | Type | Description |
| --- | --- | --- |
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes email | string | Response data |
| data attributes reports count | number | Response data |
| data attributes last reported at | string | Response data |
| data attributes reputation score | number | Response data |
| data attributes vip | boolean | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships clusters | object | Response data |
| data relationships clusters links | object | Response data |
| data relationships clusters links self | string | Response data |
| data relationships clusters links related | string | Response data |
| data relationships reports | object | Response data |
| data relationships reports links | object | Response data |
| data relationships reports links self | string | Response data |
| data relationships reports links related | string | Response data |

Output example

{"status code": 200, "response headers": {"content length": "140", "content type": "application/json", "date": "tue, 19 dec 2023 20 37 23 gmt"}, "reason": "ok", "json body": {"data": [{}]}}

Get response list

Retrieve an overview of all available response actions from Cofense Triage.

Endpoint URL: /api/public/v2/responses

Method: GET

Input
| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters page | string | Optional | Optional page to apply to the list, i.e. page\[number]=value1\&page\[size]=value2. page\[number] is the page number to return. The default is 1. page\[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter\[attribute1 op]=value1\&filter\[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields\[type]=attribute. |

Input example

{"parameters": {"page": "page\[number]=2\&page\[size]=50","sort": "name","filter": "filter\[id eq]=26,27\&filter\[filename]=image006.png","limit": 200,"fields": "fields\[reports]=subject"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| attributes attach original | number | Output field attributes attach original |
| attributes to other | number | Output field attributes to other |
| links self | string | Output field links self |
| type | string | Type of the resource |
| raw json | string | Output field raw json |
| attributes updated at | string | Output field attributes updated at |
| attributes subject | string | Output field attributes subject |
| attributes to reporter | number | Output field attributes to reporter |
| relationships one clicks links related | string | Output field relationships one clicks links related |
| id | number | Unique identifier |
| relationships one clicks links self | string | Output field relationships one clicks links self |
| attributes name | string | Name of the resource |
| attributes body | string | Request body data |
| attributes created at | string | Output field attributes created at |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"attributes attach original": 1,"attributes to other": 1,"links self": "links self","type": "type","raw json": "raw json","attributes updated at": "attributes updated at","attributes subject": "attributes subject","attributes to reporter": 1,"relationships one clicks links related": "relationships one clicks links related","id": 1,"relationships

Get rule list

Fetches the list of rules from Cofense Triage for analysis and processing.

Endpoint URL: /api/public/v2/rules

Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters page | string | Optional | Optional page to apply to the list, i.e. page\[number]=value1\&page\[size]=value2. page\[number] is the page number to return. The default is 1. page\[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter\[attribute1 op]=value1\&filter\[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields\[type]=attribute. |

Input example

{"parameters": {"page": "page\[number]=2\&page\[size]=50","sort": "name","filter": "filter\[id eq]=26,27\&filter\[filename]=image006.png","limit": 200,"fields": "fields\[reports]=subject"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes name | string | Response data |
| data attributes description | string | Response data |
| data attributes priority | number | Response data |
| data attributes tags | array | Response data |
| data attributes scope | string | Response data |
| data attributes author name | string | Response data |
| data attributes rule context | string | Response data |
| data attributes active | boolean | Response data |
| data attributes content | string | Response data |
| data attributes time to live | string | Response data |
| data attributes share with cofense | boolean | Response data |
| data attributes reports count | number | Response data |
| data attributes imported at | string | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships cluster context | object | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": \[{}]}}

Get status

Retrieve the current operational health and performance metrics from Cofense Triage.

Endpoint URL: /api/public/v2/system/status

Method: GET

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data health | object | Response data |
| data health cpu usage percent | string | Response data |
| data health memory in kilobytes | object | Response data |
| data health memory in kilobytes total memory | number | Response data |
| data health memory in kilobytes used memory | number | Response data |
| data health memory in kilobytes active memory | number | Response data |
| data health memory in kilobytes inactive memory | number | Response data |
| data health memory in kilobytes free memory | number | Response data |
| data health partition used percent | object | Response data |
| data health partition used percent /dev/mapper/triage root | string | Response data |
| data health partition used percent devtmpfs | string | Response data |
| data health partition used percent /dev/sda1 | string | Response data |
| data health partition used percent /dev/mapper/triage pgsqldumps | string | Response data |
| data health partition used percent /dev/mapper/triage varlibpgsql | string | Response data |
| data health partition used percent /dev/mapper/triage srv | string | Response data |
| data health partition used percent /dev/mapper/triage pgsqlbu | string | Response data |
| data health last time ingested | string | Response data |
| data health last user login | string | Response data |
| data health license expiration | string | Response data |
| data status | object | Response data |
| data status mail account worker | boolean | Response data |
| data status postgresql | boolean | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": {"health": {},"status": {},"version": "1.21.0"}}}

Get threat indicator list

Retrieve a list of indicators of compromise (IOCs) classified as malicious, suspicious, or benign from Cofense Triage.

Endpoint URL: /api/public/v2/threat indicators

Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters page | string | Optional | Optional page to apply to the list, i.e. page\[number]=value1\&page\[size]=value2. page\[number] is the page number to return. The default is 1. page\[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter\[attribute1 op]=value1\&filter\[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields\[type]=attribute. |

Input example

{"parameters": {"page": "page\[number]=2\&page\[size]=50","sort": "name","filter": "filter\[id eq]=26,27\&filter\[filename]=image006.png","limit": 200,"fields": "fields\[reports]=subject"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes threat level | string | Response data |
| data attributes threat type | string | Response data |
| data attributes threat value | string | Response data |
| data attributes threat source | string | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships owner | object | Response data |
| data relationships owner links | object | Response data |
| data relationships owner links self | string | Response data |
| data relationships owner links related | string | Response data |
| data relationships owner data | object | Response data |
| data relationships owner data type | string | Response data |
| data relationships owner data id | string | Response data |
| data relationships comments | object | Response data |
| data relationships comments links | object | Response data |
| data relationships comments links self | string | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": \[{}]}}

Get URL list

Retrieve a comprehensive list of URLs from Cofense Triage for subsequent analysis or action.

Endpoint URL: /api/public/v2/urls

Method: GET

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| parameters page | string | Optional | Optional page to apply to the list, i.e. page\[number]=value1\&page\[size]=value2. page\[number] is the page number to return. The default is 1. page\[size] is the number of returned objects to display per page. Valid values are 1 through 200. The default is 20. |
| parameters sort | string | Optional | Optional sorting filter to apply to the list; must be a comma separated string. To sort an attribute in descending order, prefix the attribute with a hyphen (for example, sort=-d). |
| parameters filter | string | Optional | Optional filter to apply to the list; more than one filter can be defined, i.e. filter\[attribute1 op]=value1\&filter\[attribute2 op]=value2. See README for further details. |
| parameters limit | number | Optional | Maximum number of results to return. Defaults to all results. |
| parameters fields | string | Optional | Optional field to apply to the list, i.e. fields\[type]=attribute. |

Input example

{"parameters": {"page": "page\[number]=2\&page\[size]=50","sort": "name","filter": "filter\[id eq]=26,27\&filter\[filename]=image006.png","limit": 200,"fields": "fields\[reports]=subject"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes url | string | Response data |
| data attributes risk score | number | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships domain | object | Response data |
| data relationships domain links | object | Response data |
| data relationships domain links self | string | Response data |
| data relationships domain links related | string | Response data |
| data relationships hostname | object | Response data |
| data relationships hostname links | object | Response data |
| data relationships hostname links self | string | Response data |
| data relationships hostname links related | string | Response data |
| data relationships hostname data | object | Response data |
| data relationships hostname data type | string | Response data |
| data relationships hostname data id | string | Response data |
| data relationships clusters | object | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": \[{}]}}

Update a category

Updates a specific Cofense Triage category by ID, requiring path parameters and data body with attributes.

Endpoint URL: /api/public/v2/categories/{{id}}

Method: PUT

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters id | string | Required | The category ID |
| data body | object | Required | Response data |
| data body data | object | Required | Response data |
| data body data id | string | Required | An id property set to the unique identifier for the object |
| data body data type | string | Required | A type property set to categories |
| data body data attributes | object | Required | An attributes section containing the attributes to update |
| data body data attributes name | string | Optional | Response data |
| data body data attributes score | number | Optional | Response data |
| data body data attributes malicious | boolean | Optional | Response data |
| data body data attributes color | string | Optional | Response data |
| headers | object | Required | HTTP headers for the request |
| headers content type | string | Required | HTTP headers for the request |

Input example

{"path parameters": {"id": "1"},"data body": {"data": {"id": "1","type": "categories","attributes": {"name": "crimeware","score": 5,"malicious": true,"color": "#c6911f"}}},"headers": {"content type": "application/vnd.api+json"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes name | string | Response data |
| data attributes score | number | Response data |
| data attributes malicious | boolean | Response data |
| data attributes color | string | Response data |
| data attributes archived | boolean | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships playbooks | object | Response data |
| data relationships playbooks links | object | Response data |
| data relationships playbooks links self | string | Response data |
| data relationships playbooks links related | string | Response data |
| data relationships reports | object | Response data |
| data relationships reports links | object | Response data |
| data relationships reports links self | string | Response data |
| data relationships reports links related | string | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": {"id": "1","type": "categories","links": {},"attributes": {},"relationships": {}}}}

Update a report

Updates a specific Cofense Triage report by ID with provided attributes, including path parameters and data body.

Endpoint URL: /api/public/v2/reports/{{id}}

Method: PUT

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters id | string | Required | The report ID |
| data body | object | Required | Response data |
| data body data | object | Required | Response data |
| data body data id | string | Required | An id property set to the unique identifier for the object |
| data body data type | string | Required | A type property set to reports |
| data body data attributes | object | Required | An attributes section containing the attributes to update |
| data body data attributes tags | array | Required | Response data |
| headers | object | Required | HTTP headers for the request |
| headers content type | string | Required | HTTP headers for the request |

Input example

{"path parameters": {"id": "1"},"data body": {"data": {"id": "1","type": "reports","attributes": {"tags": \["one","two"]}}},"headers": {"content type": "application/vnd.api+json"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes location | string | Response data |
| data attributes risk score | number | Response data |
| data attributes from address | string | Response data |
| data attributes subject | string | Response data |
| data attributes received at | string | Response data |
| data attributes reported at | string | Response data |
| data attributes raw headers | string | Response data |
| data attributes text body | string | Response data |
| data attributes html body | string | Response data |
| data attributes md5 | string | Response data |
| data attributes sha256 | string | Response data |
| data attributes match priority | number | Response data |
| data attributes attachments count | number | Response data |
| data attributes comments count | number | Response data |
| data attributes rules count | number | Response data |
| data attributes urls count | number | Response data |
| data attributes tags | array | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": {"id": "1","type": "reports","links": {},"attributes": {},"relationships": {}}}}

Update a response

Updates a specific response in Cofense Triage using the provided ID and attributes, including path parameters and data body.

Endpoint URL: /api/public/v2/responses/{{id}}

Method: PUT

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters id | string | Required | The response ID |
| data body | object | Required | Response data |
| data body data | object | Required | Response data |
| data body data id | string | Required | Response data |
| data body data type | string | Required | Response data |
| data body data attributes | object | Required | Response data |
| data body data attributes name | string | Optional | Response data |
| data body data attributes description | string | Optional | Response data |
| data body data attributes to reporter | boolean | Optional | Response data |
| headers | object | Required | HTTP headers for the request |
| headers content type | string | Required | HTTP headers for the request |

Input example

{"path parameters": {"id": "1"},"data body": {"data": {"id": "1","type": "responses","attributes": {"name": "example response","description": "this is an example response for documentation purposes.","to reporter": true}}},"headers": {"content type": "application/vnd.api+json"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data links self | string | Response data |
| data attributes bcc address | string | Response data |
| data type | string | Response data |
| data id | number | Response data |
| data relationships one clicks links self | string | Response data |
| data attributes cc address | string | Response data |
| raw json | string | Output field raw json |
| data attributes description | string | Response data |
| data attributes to other | number | Response data |
| data attributes to reporter | number | Response data |
| data attributes attach original | number | Response data |
| data relationships one clicks links related | string | Response data |
| data attributes updated at | string | Response data |
| data attributes to other address | string | Response data |
| data attributes name | string | Response data |
| data attributes created at | string | Response data |
| data attributes subject | string | Response data |
| data attributes body | string | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data links self": "data links self","data attributes bcc address": "data attributes bcc address","data type": "data type","data id": 1,"data relationships one clicks links self": "data relationships one clicks links self","data attributes cc address": "data attributes cc address","raw json": "raw json","data attributes description": "data att

Update a threat indicator

Updates a specific threat indicator in Cofense Triage using the provided ID and attribute data, including necessary headers.

Endpoint URL: /api/public/v2/threat indicators/{{id}}

Method: PUT

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters id | string | Required | The ID of the indicator to fetch |
| data body | object | Required | Response data |
| data body data | object | Required | Response data |
| data body data id | string | Required | An id property set to the unique identifier for the object |
| data body data type | string | Required | A type property set to threat indicators |
| data body data attributes | object | Required | An attributes section containing the attributes to update |
| data body data attributes threat level | string | Required | Response data |
| data body data attributes threat source | string | Required | Response data |
| headers | object | Required | HTTP headers for the request |
| headers content type | string | Required | HTTP headers for the request |

Input example

{"path parameters": {"id": "1"},"data body": {"data": {"id": "1","type": "threat indicators","attributes": {"threat level": "malicious","threat source": "triage ui"}}},"headers": {"content type": "application/vnd.api+json"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data id | string | Response data |
| data type | string | Response data |
| data links | object | Response data |
| data links self | string | Response data |
| data attributes | object | Response data |
| data attributes threat level | string | Response data |
| data attributes threat type | string | Response data |
| data attributes threat value | string | Response data |
| data attributes threat source | string | Response data |
| data attributes created at | string | Response data |
| data attributes updated at | string | Response data |
| data relationships | object | Response data |
| data relationships owner | object | Response data |
| data relationships owner links | object | Response data |
| data relationships owner links self | string | Response data |
| data relationships owner links related | string | Response data |
| data relationships owner data | object | Response data |
| data relationships owner data type | string | Response data |
| data relationships owner data id | string | Response data |
| data relationships comments | object | Response data |
| data relationships comments links | object | Response data |
| data relationships comments links self | string | Response data |

Output example

{"status code": 200,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok","json body": {"data": {"id": "1","type": "threat indicators","links": {},"attributes": {},"relationships": {}}}}

Update to many relationship

Updates a 'to many' relationship for a specified resource in Cofense Triage using path parameters and a data body.

Endpoint URL: /api/public/v2/{{resource type}}/{{id}}/relationships/{{relationship name}}

Method: POST

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters resource type | string | Required | Resource type is the value identified in the type section of the resource description |
| path parameters id | string | Required | Resource ID is the unique identifier of an instance of the resource |
| path parameters relationship name | string | Required | Relationship name is the name of the relationship, the plural name of the related resource, e.g. "categories", not "category" |
| data body | object | Required | Response data |
| data body data | array | Required | Response data |
| data body data id | string | Required | An id property set to the unique identifier for the related resource |
| data body data type | string | Required | A type property set to the type of the related resource |
| headers | object | Required | HTTP headers for the request |
| headers content type | string | Required | HTTP headers for the request |

Input example

{"path parameters": {"resource type": "reports","id": "24","relationship name": "category"},"data body": {"data": \[{"id": "1","type": "one clicks"},{"id": "2","type": "one clicks"}]},"headers": {"content type": "application/vnd.api+json"}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status code": 204,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok"}

Update to one relationship

Updates a specific to one relationship in Cofense Triage using the provided resource type, ID, and relationship name.

Endpoint URL: /api/public/v2/{{resource type}}/{{id}}/relationships/{{relationship name}}

Method: PATCH

Input

| Argument name | Type | Required | Description |
|---|---|---|---|
| path parameters resource type | string | Required | The value identified in the type section of the resource description |
| path parameters id | string | Required | Set to the unique identifier for the related resource |
| path parameters relationship name | string | Required | Relationship name is the name of the relationship, the singular name of the related resource, e.g. "category", not "categories" |
| data body | object | Required | Response data |
| data body data | object | Required | Response data |
| data body data id | string | Required | An id property set to the unique identifier for the related resource |
| data body data type | string | Required | Property set to the type of the related resource |

Input example

{"path parameters": {"resource type": "reports","id": "24","relationship name": "rules"},"data body": {"data": {"id": "1","type": "responses"}}}

Output

| Parameter | Type | Description |
|---|---|---|
| status code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example

{"status code": 204,"response headers": {"content length": "140","content type": "application/json","date": "tue, 19 dec 2023 20:37:23 gmt"},"reason": "ok"}

Response headers

| Header | Description | Example |
|---|---|---|
| Alt-Svc | HTTP response header Alt-Svc | h3=":443"; ma=86400 |
| Cache-Control | Directives for caching mechanisms | max-age=0, private, must-revalidate |
| CF-Cache-Status | HTTP response header CF-Cache-Status | dynamic |
| CF-RAY | HTTP response header CF-RAY | 8bcc4241ecfca053-sin |
| Connection | HTTP response header Connection | keep-alive |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 140 |
| Content-Security-Policy-Report-Only | HTTP response header Content-Security-Policy-Report-Only | default src 'self' triage insights cofense triage com; font src 'self' data ; img src 'self' data content triage insights cofense triage com data triage insights cofense triage com pendo static 5635959691542528 storage googleapis com; object src 'none'; script src 'self' 'unsafe inline' 'unsafe eval' triage insights cofense triage com; style src 'self'; style src attr 'self' 'unsafe inline'; script src attr 'self' 'unsafe inline'; style src elem 'self' 'unsafe inline' content triage insights cofense triage com pendo static 5635959691542528 storage googleapis com; script src elem 'self' 'unsafe inline' content triage insights cofense triage com data triage insights cofense triage com; connect src 'self' data triage insights cofense triage com api feedback us pendo io; report uri /csp report |
| Content-Type | The media type of the resource | application/vnd.api+json |
| Date | The date and time at which the message was originated | tue, 19 dec 2023 20:37:23 gmt |
| ETag | An identifier for a specific version of a resource | w/"acbbf2b0841e547967b280c8f81aff6f" |
| NEL | HTTP response header NEL | {"success fraction": 0,"report to": "cf nel","max age": 604800} |
| Referrer-Policy | HTTP response header Referrer-Policy | strict-origin-when-cross-origin |
| Report-To | HTTP response header Report-To | {"endpoints": \[{"url": " https //a nel cloudflare com/report/v4?s=%2bcmx2o%2fh7vcp9pf1ztt14qjgankfk2onrzq3tyx1umyo2%2btvqi23ukefvl4hqoznu4ioldstsshwljkezn8mkdxxanxfbsqotlemmjzo7k8qz%2bkcohryj%2fa%2f2oxpzuxu%2f9xc2ttclc5uj2nugg%3d%3d"}],"group": "cf nel","max age": 604800} |
| Server | Information about the software used by the origin server | cloudflare |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includesubdomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | accept, origin |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | sameorigin |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-Request-Id | A unique identifier for the request | cb702bdb-99e1-4cd5-9d54-25a8e1f19338 |
| X-Runtime | HTTP response header X-Runtime | 0.025454 |
| X-Served-By | HTTP response header X-Served-By | triage curbsidebrewing dev |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
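An added example, not part of the connector documentation: one way to assemble the page, sort, filter and fields strings that the list actions above accept when some values come from untrusted alert data, and to walk pages up to a limit. The underscore joining attribute and operator, the attribute names, and the `fetch_page` callable standing in for a list action are assumptions; values are percent-encoded on the assumption that the connector places the string into the request URL unchanged.

```python
import re
from urllib.parse import quote

MAX_PAGE_SIZE = 200      # page[size]: valid values are 1 through 200
DEFAULT_PAGE_SIZE = 20   # page[size] default
NAME_RE = re.compile(r"^[a-z][a-z0-9_]*$")  # assumed shape of attribute/type names


def safe_name(name):
    """Accept only plain identifiers so a name cannot carry '&', '=' or ']'."""
    if not NAME_RE.match(name):
        raise ValueError(f"unsafe name: {name!r}")
    return name


def build_parameters(page_number=1, page_size=DEFAULT_PAGE_SIZE, sort=(),
                     filters=(), fields=None, limit=None):
    """Build the "parameters" object of a list action.

    sort    -- (attribute, descending) pairs
    filters -- (attribute, operator, values) triples
    fields  -- {resource type: [attribute, ...]}
    """
    if page_number < 1:
        raise ValueError("page[number] starts at 1")
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError("page[size] must be 1 through 200")
    params = {"page": f"page[number]={page_number}&page[size]={page_size}"}

    if sort:
        # Comma separated; a leading hyphen means descending order.
        params["sort"] = ",".join(
            ("-" if descending else "") + safe_name(attr)
            for attr, descending in sort)

    clauses = []
    for attr, op, values in filters:
        # ',' separates values and '&' separates filters, so each value is
        # percent-encoded before it is placed in the string.
        encoded = ",".join(quote(str(v), safe="") for v in values)
        clauses.append(f"filter[{safe_name(attr)}_{safe_name(op)}]={encoded}")
    if clauses:
        params["filter"] = "&".join(clauses)

    if fields:
        params["fields"] = "&".join(
            f"fields[{safe_name(rtype)}]=" + ",".join(safe_name(a) for a in attrs)
            for rtype, attrs in fields.items())

    if limit is not None:
        if limit < 1:
            raise ValueError("limit must be positive")
        params["limit"] = limit
    return params


def collect(fetch_page, limit, page_size=MAX_PAGE_SIZE, **query):
    """Request page 1, 2, ... until `limit` records are held or a page is short."""
    records, number = [], 1
    while len(records) < limit:
        params = build_parameters(number, page_size, limit=limit, **query)
        data = fetch_page(params)["data"]
        records.extend(data[:limit - len(records)])
        if len(data) < page_size:   # fewer than a full page: nothing further
            break
        number += 1
    return records


def make_fake_fetch(total):
    """Constructed stand-in for a list action; serves `total` numbered records."""
    calls = []

    def fetch(params):
        calls.append(params["page"])
        number, size = map(int, re.findall(r"=(\d+)", params["page"]))
        first = (number - 1) * size + 1
        last = min(number * size, total)
        return {"data": [{"id": str(i), "type": "threat_indicators"}
                         for i in range(first, last + 1)]}

    return fetch, calls


if __name__ == "__main__":
    # Constructed value that tries to append a second filter clause.
    untrusted = "http://a.example/x?y=1&filter[threat_level_eq]=Benign"
    print(build_parameters(filters=[("threat_value", "eq", [untrusted])]))
    fetch, calls = make_fake_fetch(120)
    print(len(collect(fetch, limit=110, page_size=50)), calls)
```
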