Cofense - Security Awareness Training & Email Threat Detection

Power Splunk with Cofense Triage Phishing Indicators

Share This Article

By Mike Saurbaugh

Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions.

Regardless of the industry, phishing spares no one.

Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions.

Enhanced APIs Automate Collection and Indexing

Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real threats faster, protecting organizations from the risk of compromise. The add-on provides the ability to extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints. And many more!

The enhanced Add-on developed by Cofense for Splunk runs on scheduled intervals and ingests valuable phishing data from Cofense Triage. Data from 20 Cofense Triage endpoints are called by the add-on and stored in Splunk for easy reporting and use by the security team.

Getting Connected

In Cofense Triage, create version 2 API client credentials:

Administration > API Management > Version 2 > Applications > New Applications

Graphical user interface, text, application, email Description automatically generated

Figure 1: Triage API Client Configuration

Obtain the add-on from Splunkbase and install it in the Splunk instance.

In Splunk, add Cofense Triage API credentials. The client ID and client secret are obtained after generating the API application in Cofense Triage.

Text, application, table Description automatically generated

Figure 2: Add-on Account Setup to Access Cofense Triage

Input Configuration

With 20 endpoints to choose from, select and configure inputs based on desired polling intervals and the data required to empower the security team.

Table Description automatically generated

Table Description automatically generated

Figures 3 and 4: Add-on Accessible Data Input Fields to Configure

Assign Preferred Parameters to the Input Configuration