Cofense Vision
The Cofense Vision connector enables automated phishing threat detection and response by integrating with Swimlane Turbine's low-code automation platform.

Cofense Vision is a phishing detection and response platform that enables security teams to identify and quarantine phishing threats proactively. This connector allows Swimlane Turbine users to integrate Cofense Vision's capabilities directly into their security workflows, automating the search and quarantine of phishing threats. By leveraging this integration, users can streamline their phishing response process, reduce manual tasks, and enhance their organization's overall email security posture.

## Prerequisites

To effectively utilize the Cofense Vision connector within Swimlane Turbine, ensure you have the following prerequisites:

- OAuth2 client credentials authentication with the following parameters:
  - URL: Host for the Cofense Vision
  - Client Name: Unique identifier provided by Cofense Vision
  - Client Password: A secure password associated with your client name

## Capabilities

This connector provides the following capabilities:

- Create a New Quarantine Job
- Create New Search
- Get All Searches
- Get Search Results

## Asset Setup

The following permissions are required to run each of the tasks:

- Create a New Quarantine Job: quarantine admin, quarantine user, or system admin
- Create New Search: search admin, search user, or system admin
- Get All Searches: search admin, search user, or system admin
- Get Search Results: search admin, search user, or system admin

## Configurations

### Cofense Vision Client Credentials Authentication

Authenticates using client name and client password.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| Client ID | Account name for the client | string | Required |
| Client Secret | Password for the account name specified | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Create New Quarantine Job

Initiates a new quarantine job in Cofense Vision using specified email addresses for targeted action.

Endpoint URL: `api/v5/quarantinejobs`

Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| quarantineemails | array | Required | Parameter for create new quarantine job |
| recipientaddress | string | Optional | Parameter for create new quarantine job |
| internetmessageid | string | Optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| createdby | string | Output field createdby |
| createddate | string | Date value |
| modifiedby | string | Output field modifiedby |
| modifieddate | string | Date value |
| stoprequested | boolean | Output field stoprequested |
| emailcount | number | Count value |
| quarantineemails | array | Output field quarantineemails |
| id | number | Unique identifier |
| recipientaddress | string | Output field recipientaddress |
| internetmessageid | string | Unique identifier |
| ewsmessageid | object | Unique identifier |
| status | string | Status value |
| errormessage | object | Response message |
| createddate | string | Date value |
| quarantineddate | object | Date value |
| originalfolderid | object | Unique identifier |
| quarantinejobruns | array | Output field quarantinejobruns |
| id | number | Unique identifier |
| jobruntype | string | Type of the resource |
| status | string | Status value |
| starteddate | object | Date value |
| completeddate | object | Date value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1",
      "Referrer-Policy": "no-referrer",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
      "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's ",
      "Date": "Tue, 05 Mar 2024 06:06:52 GMT",
      "Cache-Control": "private,max-age=0,no-cache,no-store,must-revalidate",
      "Pragma": "no-cache",
      "Content-Type": "application/json",
      "Content-Length": "538",
      "x-envoy-upstream-service-time": "28",
      "Server": "envoy"
    },
    "reason": "OK",
    "json_body": {
      "id": 2,
      "createdby": "someclient",
      "createddate": "2023-01-17T07:05:02.469278Z",
      "modifiedby": "someclient",
      "modifieddate": "2023-01-17T07:05:02.469278Z",
      "stoprequested": false,
      "emailcount": 2,
      "quarantineemails": [],
      "quarantinejobruns": [],
      "autoquarantine": false,
      "matchingiocs": null,
      "matchingsources": null
    }
  }
]
```

### Create New Search

Creates a new search in Cofense Vision using specified criteria provided in the JSON body.

Endpoint URL: `api/v5/searches`

Method: POST

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| subjects | array | Optional | The email subject must match one of the subjects in the list exactly, including spaces. Vision supports the use of one or more wildcard characters (`*`) in any position of a subject. |
| senders | array | Optional | The email sender must match one of the email addresses in the list. Vision supports the use of one or more wildcard characters (`*`) in any position of a sender email address. |
| attachmentnames | array | Optional | List of strings representing file names. The email must include at least one attachment matching one of the specified file names. Vision supports the use of one or more wildcard characters (`*`) in any position of an attachment file name. |
| attachmenthashcriteria | object | Optional | Parameter for create new search |
| type | string | Optional | Type of the resource |
| attachmenthashes | array | Optional | Parameter for create new search |
| hashtype | string | Optional | Either md5 or sha256 |
| hashstring | string | Optional | File hash of the attachment |
| attachmentmimetypes | array | Optional | List of MIME types. This property returns emails with at least one attachment of one of the listed MIME types. |
| domaincriteria | object | Optional | Parameter for create new search |
| type | string | Optional | Type of the resource |
| domains | array | Optional | Parameter for create new search |
| receivedafterdate | string | Optional | Filters for emails that Vision processed on or after this date and time. The date and time must be in UTC in ISO 8601 format. |
| receivedbeforedate | string | Optional | Filters for emails that Vision processed before or on this date and time. The date and time must be in UTC in ISO 8601 format. |
| url | string | Optional | Email content or attachment must contain the full URL exactly as specified, including http:// or https://. Vision supports the use of one or more wildcard characters (`*`) in any position of the URL. |
| internetmessageid | string | Optional | Unique identifier of the email, enclosed in angle brackets. This attribute is case sensitive. |
| headers | array | Optional | List of one or more additional criteria to search for in the email header |
| key | string | Optional | Parameter for create new search |
| values | array | Optional | Value for the parameter |
| partialingest | boolean | Optional | Whether to search for partially ingested emails (true) or not search for partially ingested emails (false) |
| recipient | string | Optional | Email address of the recipient. Vision supports the use of one or more wildcard characters (`*`) in any position of a recipient email address. |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| createdby | string | Output field createdby |
| createddate | string | Date value |
| modifiedby | string | Output field modifiedby |
| modifieddate | string | Date value |
| subjects | array | Output field subjects |
| senders | array | Output field senders |
| recipient | object | Output field recipient |
| attachmentnames | array | Name of the resource |
| attachmenthashcriteria | object | Output field attachmenthashcriteria |
| type | string | Type of the resource |
| attachmenthashes | array | Output field attachmenthashes |
| hashtype | string | Type of the resource |
| hashstring | string | Output field hashstring |
| domaincriteria | object | Output field domaincriteria |
| type | string | Type of the resource |
| domains | array | Output field domains |
| whitelisturls | array | URL endpoint for the request |
| file_name | string | Name of the resource |
| file | string | Output field file |
| attachmentmimetypes | array | Type of the resource |
| receivedafterdate | string | Date value |
| receivedbeforedate | string | Date value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1",
      "Referrer-Policy": "no-referrer",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
      "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's ",
      "Date": "Tue, 05 Mar 2024 06:06:52 GMT",
      "Cache-Control": "private,max-age=0,no-cache,no-store,must-revalidate",
      "Pragma": "no-cache",
      "Content-Type": "application/json",
      "Content-Length": "538",
      "x-envoy-upstream-service-time": "28",
      "Server": "envoy"
    },
    "reason": "OK",
    "json_body": {
      "id": 3,
      "createdby": "someclient",
      "createddate": "2023-01-17T04:32:42.94003Z",
      "modifiedby": "someclient",
      "modifieddate": "2023-01-17T04:32:42.94003Z",
      "subjects": [],
      "senders": [],
      "recipient": null,
      "attachmentnames": [],
      "attachmenthashcriteria": {},
      "domaincriteria": {},
      "attachmentmimetypes": [],
      "receivedafterdate": "2023-08-01T00:00:00.000Z",
      "receivedbeforedate": "2023-08-02T00:00:00.000Z",
      "url": "http://www.foo.com/bar"
    }
  }
]
```

### Get All Searches

Retrieves a list of all searches conducted within Cofense Vision, including details and statuses.

Endpoint URL: `api/v5/searches`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | Optional | Start page of the results. The value must be a positive integer or 0. Default: 0 |
| size | number | Optional | Number of results per page. The value must be a positive integer up to 2000. Default: 20 |
| sort | array | Optional | Name-value pair defining the order of search properties in the response. Multiple values are supported. Format: propertyname,sortorder |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| searches | array | Output field searches |
| id | number | Unique identifier |
| createdby | string | Output field createdby |
| createddate | string | Date value |
| modifiedby | string | Output field modifiedby |
| modifieddate | string | Date value |
| subjects | array | Output field subjects |
| file_name | string | Name of the resource |
| file | string | Output field file |
| senders | array | Output field senders |
| file_name | string | Name of the resource |
| file | string | Output field file |
| recipient | object | Output field recipient |
| attachmentnames | array | Name of the resource |
| file_name | string | Name of the resource |
| file | string | Output field file |
| attachmenthashcriteria | object | Output field attachmenthashcriteria |
| type | string | Type of the resource |
| attachmenthashes | array | Output field attachmenthashes |
| file_name | string | Name of the resource |
| file | string | Output field file |
| domaincriteria | object | Output field domaincriteria |
| type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1",
      "Referrer-Policy": "no-referrer",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
      "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's ",
      "Date": "Tue, 05 Mar 2024 06:06:52 GMT",
      "Cache-Control": "private,max-age=0,no-cache,no-store,must-revalidate",
      "Pragma": "no-cache",
      "Content-Type": "application/json",
      "Content-Length": "538",
      "x-envoy-upstream-service-time": "28",
      "Server": "envoy"
    },
    "reason": "OK",
    "json_body": {
      "searches": []
    }
  }
]
```

### Get Search Results

Retrieves the results of a previously initiated search in Cofense Vision using a unique identifier.

Endpoint URL: `api/v5/searches/{{id}}/results`

Method: GET

#### Input

| Argument Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | Optional | Start page of the results. The value must be a positive integer or 0. Default: 0 |
| size | number | Optional | Number of results per page. The value must be a positive integer up to 2000. Default: 20 |
| sort | array | Optional | Name-value pair defining the order of search properties in the response. Multiple values are supported. Format: propertyname,sortorder |
| id | number | Required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| messages | array | Response message |
| id | number | Unique identifier |
| storageuri | string | Output field storageuri |
| subject | string | Output field subject |
| receivedon | string | Output field receivedon |
| senton | string | Output field senton |
| deliveredon | object | Output field deliveredon |
| processedon | string | Output field processedon |
| md5 | string | Output field md5 |
| sha1 | object | Output field sha1 |
| sha256 | string | Output field sha256 |
| internetmessageid | string | Unique identifier |
| from | array | Output field from |
| id | number | Unique identifier |
| personal | string | Output field personal |
| address | string | Output field address |
| headers | array | HTTP headers for the request |
| id | number | Unique identifier |
| name | string | Name of the resource |
| value | string | Value for the parameter |
| seq | number | Output field seq |
| recipients | array | Output field recipients |
| id | number | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "X-Frame-Options": "SAMEORIGIN",
      "X-Content-Type-Options": "nosniff",
      "X-XSS-Protection": "1",
      "Referrer-Policy": "no-referrer",
      "Strict-Transport-Security": "max-age=63072000; includeSubDomains;",
      "Content-Security-Policy": "default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 's ",
      "Date": "Tue, 05 Mar 2024 06:06:52 GMT",
      "Cache-Control": "private,max-age=0,no-cache,no-store,must-revalidate",
      "Pragma": "no-cache",
      "Content-Type": "application/json",
      "Content-Length": "538",
      "x-envoy-upstream-service-time": "28",
      "Server": "envoy"
    },
    "reason": "OK",
    "json_body": {
      "messages": [],
      "search": {}
    }
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | private,max-age=0,no-cache,no-store,must-revalidate |
| Content-Length | The length of the response body in bytes | 538 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self';script-src 'self' 'unsafe-eval';frame-src 'self';child-src 'self';worker-src 'self';media-src 'self';style-src 'self' 'unsafe-inline';img-src data: blob: 'self';frame-ancestors 'self';font-src 'self' data:;upgrade-insecure-requests;connect-src data: blob: 'unsafe-inline';block-all-mixed-content; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Tue, 05 Mar 2024 06:06:52 GMT |
| Pragma | HTTP response header Pragma | no-cache |
| Referrer-Policy | HTTP response header Referrer-Policy | no-referrer |
| Server | Information about the software used by the origin server | envoy |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=63072000; includeSubDomains; |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| x-envoy-upstream-service-time | HTTP response header x-envoy-upstream-service-time | 28 |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1 |

## Notes

This connector supports Cofense Vision API version 5.
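
A client-side check of the Create New Search criteria rules described above (UTC ISO 8601 dates, full URL with scheme, angle-bracketed case-sensitive message ID, md5 or sha256 hashes), as an added example that is not part of the connector or of Cofense's code. `build_search` and `utc_iso8601` are hypothetical helpers, and the JSON field names are spelled as printed on this page, so their exact casing is an assumption.

```python
import re
from datetime import datetime

# Field names are spelled as printed on this page; the casing the live API
# expects is an assumption to confirm against the Cofense Vision API docs.
HASH_HEX_LEN = {"md5": 32, "sha256": 64}

def utc_iso8601(value):
    """Normalise a timestamp to UTC ISO 8601; reject naive or non-UTC input."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None or dt.utcoffset().total_seconds() != 0:
        raise ValueError(f"timestamp is not UTC: {value!r}")
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def build_search(after, before, url=None, internetmessageid=None, hashes=()):
    """Return a Create New Search body, enforcing the documented constraints."""
    body = {"receivedafterdate": utc_iso8601(after),
            "receivedbeforedate": utc_iso8601(before)}
    if body["receivedafterdate"] > body["receivedbeforedate"]:
        raise ValueError("receivedafterdate is later than receivedbeforedate")
    if url is not None:
        # Full URL including the scheme; '*' wildcards may appear anywhere.
        if not re.fullmatch(r"https?://\S+", url):
            raise ValueError(f"url needs http:// or https://: {url!r}")
        body["url"] = url
    if internetmessageid is not None:
        # Case sensitive and angle-bracketed, so pass it through untouched.
        if not re.fullmatch(r"<[^<>\s]+>", internetmessageid):
            raise ValueError("internetmessageid must be enclosed in <>")
        body["internetmessageid"] = internetmessageid
    entries = []
    for hashtype, hashstring in hashes:
        if hashtype not in HASH_HEX_LEN:
            raise ValueError(f"hashtype must be md5 or sha256: {hashtype!r}")
        if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_HEX_LEN[hashtype], hashstring):
            raise ValueError(f"not a {hashtype} digest: {hashstring!r}")
        entries.append({"hashtype": hashtype, "hashstring": hashstring})
    if entries:
        # The criteria object's own "type" value is not listed on this page,
        # so it is left for the caller to set.
        body["attachmenthashcriteria"] = {"attachmenthashes": entries}
    return body

# Constructed sample input (the URL and dates mirror the page's example).
SAMPLE = build_search("2023-08-01T00:00:00.000Z", "2023-08-02T00:00:00Z",
                      url="http://www.foo.com/bar",
                      internetmessageid="<Abc.123@mail.example>",
                      hashes=[("sha256", "ab" * 32)])
```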