By Mike Saurbaugh
Security and operational technology teams rely on the data in Splunk, and that same data is central to the critical decisions the business makes.
Regardless of the industry, phishing spares no one.
Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions.
Enhanced APIs Automate Collection and Indexing
Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real threats faster, protecting organizations from the risk of compromise. The add-on provides the ability to extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints. And many more!
The enhanced add-on developed by Cofense for Splunk runs on scheduled intervals and ingests valuable phishing data from Cofense Triage. The add-on calls 20 Cofense Triage endpoints and stores their data in Splunk for easy reporting and use by the security team.
Getting Connected
In Cofense Triage, create version 2 API client credentials:
Administration > API Management > Version 2 > Applications > New Applications
Figure 1: Triage API Client Configuration
Obtain the add-on from Splunkbase and install it in the Splunk instance.
In Splunk, add Cofense Triage API credentials. The client ID and client secret are obtained after generating the API application in Cofense Triage.
Figure 2: Add-on Account Setup to Access Cofense Triage
Input Configuration
With 20 endpoints to choose from, select and configure inputs based on desired polling intervals and the data required to empower the security team.
Figures 3 and 4: Add-on Accessible Data Input Fields to Configure
Assign Preferred Parameters to the Input Configuration
Figure 5: Add-on Input Field Configuration for Cofense Triage Processed Reports
Conduct Searches Across Data Input
Figure 6: Add-on Search Example for Cofense Triage Processed Reports
Figure 7: Example of Processed Report Attributes Ingested into Splunk
Figure 8: Additional Searchable Fields Available from Ingestion into Splunk
Additional Guidelines to Consider
- Status and Executive Summary are summary data, therefore the Start Time, End Time, and Re Ingest fields will be disabled for those endpoint values.
- Once the input is created, the following fields will be disabled on Edit to prevent data duplication or data loss:
  - Endpoint
  - Start Time
  - End Time
- If an End Time is provided, the add-on will collect data between Start Time and End Time and will stop collecting data after the data in the range is collected.
- If Re Ingest is checked, the add-on will collect data in the given time range (default values will be used in case they are left empty), and then the checkbox will be un-checked and regular data collection will continue for that input.
- The add-on does not restrict how far back users may collect historical data, but it is recommended not to collect data older than 12 months, as doing so might impact add-on performance.
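To make the collection rules above concrete, here is an added Python model of the Start Time / End Time / Re Ingest behaviour described in this list. It is illustrative code, not the add-on's own implementation; the per-input checkpoint, the 12-month default start, and the endpoint names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Endpoints the guidelines describe as summary data (names assumed):
# no time range and no re-ingest apply to them.
SUMMARY_ENDPOINTS = {"status", "executive_summary"}

@dataclass
class TriageInput:
    endpoint: str
    start_time: Optional[datetime] = None
    end_time: Optional[datetime] = None
    re_ingest: bool = False
    checkpoint: Optional[datetime] = None  # assumed: last timestamp collected

def default_start(now: datetime) -> datetime:
    # Assumed default: the 12 months the guidelines recommend as a maximum.
    return now - timedelta(days=365)

def exceeds_recommended_history(inp: TriageInput, now: datetime) -> bool:
    """True if the configured Start Time reaches back more than 12 months."""
    return inp.start_time is not None and inp.start_time < default_start(now)

def next_window(inp: TriageInput, now: datetime):
    """Return the (start, end) range for the next poll.

    (None, None) means the endpoint is summary data with time fields disabled;
    None means a bounded range has been fully collected and polling stops.
    """
    if inp.endpoint in SUMMARY_ENDPOINTS:
        return (None, None)
    if inp.re_ingest:
        # One pass over the given range (defaults fill empty fields), then the
        # box is unchecked; the checkpoint is left alone so regular collection
        # resumes where it was (assumed behaviour).
        start = inp.start_time or default_start(now)
        end = inp.end_time or now
        inp.re_ingest = False
        return (start, end)
    if inp.end_time is not None and inp.checkpoint is not None \
            and inp.checkpoint >= inp.end_time:
        return None  # everything up to End Time is collected: stop
    start = inp.checkpoint or inp.start_time or default_start(now)
    end = min(now, inp.end_time) if inp.end_time else now
    inp.checkpoint = end
    return (start, end)
```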
Phish that bypass secure email gateways and are reported by employees give security teams the insight they need to disrupt attacks in progress. Ingesting this information into Splunk is something customers have been asking for. Cofense is happy to provide teams with what they need to make their security program stronger and more efficient. Get in touch with us at any time to learn more.