Cofense Email Security

Power Splunk with Cofense Triage Phishing Indicators

By Mike Saurbaugh

Security and operational technology teams rely on the data in Splunk, and that same data is central to the decisions the wider business makes.

Regardless of the industry, phishing spares no one.

Cofense Triage is a phishing-specific solution that collects and analyzes the employee-reported phishing emails received by the security operations center (SOC). It makes sense to feed this enriched phishing data into Splunk for additional reporting and response actions.

Enhanced APIs Automate Collection and Indexing

Cofense Triage accelerates phishing email analysis, investigation and response by automatically cutting through the noise and surfacing the real threats faster, reducing the risk of compromise. The add-on can extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints, among others.

The enhanced add-on that Cofense developed for Splunk runs on scheduled intervals and ingests phishing data from Cofense Triage. Data from 20 Cofense Triage endpoints is retrieved by the add-on and stored in Splunk, where the security team can report on it and act on it.

Getting Connected

In Cofense Triage, create version 2 API client credentials:

Administration > API Management > Version 2 > Applications > New Applications


Figure 1: Triage API Client Configuration

Obtain the add-on from Splunkbase and install it in the Splunk instance.

In Splunk, add the Cofense Triage API credentials: the client ID and client secret that Cofense Triage displays when the API application is generated.


Figure 2: Add-on Account Setup to Access Cofense Triage

Input Configuration

With 20 endpoints to choose from, select and configure inputs according to the polling interval you want and the data the security team needs.


Figures 3 and 4: Add-on Accessible Data Input Fields to Configure

Assign Preferred Parameters to the Input Configuration


Figure 5: Add-on Input Field Configuration for Cofense Triage Processed Reports

Conduct Searches Across Data Input


Figure 6: Add-on Search Example for Cofense Triage Processed Reports


Figure 7: Example of Processed Report Attributes Ingested into Splunk

Figure 8: Additional Searchable Fields Available from Ingestion into Splunk

Additional Guidelines to Consider

  • Status and Executive Summary are summary endpoints, so the Start Time, End Time and Re Ingest fields are disabled when either of them is selected.
  • Once an input is created, the following fields are disabled on Edit to prevent duplicated or lost data:
    • Endpoint
    • Start Time
    • End Time
  • If an End Time is provided, the add-on collects data between Start Time and End Time and stops collecting once that range has been collected.
  • If Re Ingest is checked, the add-on collects data for the given time range (default values are used for fields left empty), then clears the checkbox and resumes regular data collection for that input.
  • The add-on does not restrict how far back historical data may be collected, but collecting data older than 12 months is not recommended because it may degrade add-on performance.
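The connection steps under Getting Connected and the time-window rules in the list above, as an added example that is not the add-on's or Cofense's own code. It builds the OAuth2 client-credentials token request for the version 2 application created in Triage and models one input's collection cycle: a checkpoint that advances after each run, a bounded Start Time/End Time range that is collected once, the Re Ingest flag that clears itself after one sweep, and a warning when the window reaches back more than 12 months. The paths (/oauth/token, /api/public/v2/reports), the filter and pagination parameter names, and the six sample reports are assumptions constructed for illustration; the HTTP layer is a local stand-in so the code runs offline.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Added example, not the Cofense add-on's own code. The paths, filter names and
# pagination parameters are assumptions that mimic a JSON:API style v2 API;
# check them against your own Triage instance's API documentation.
TOKEN_PATH = "/oauth/token"
REPORTS_PATH = "/api/public/v2/reports"
PAGE_SIZE = 2                        # tiny so the constructed sample paginates
MAX_HISTORY = timedelta(days=365)    # the page's "no older than 12 months" guidance
UTC = timezone.utc


def token_request(client_id, client_secret):
    """Build the OAuth2 client-credentials request for the v2 client created in
    Triage. The secret goes in the POST body over TLS, never in a query string
    or a log line."""
    body = urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})
    return {"method": "POST", "path": TOKEN_PATH,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


# Constructed sample: six processed reports, one every 30 days from 2023-01-01.
SAMPLE_REPORTS = [
    {"id": str(i), "type": "reports",
     "attributes": {"updated_at": (datetime(2023, 1, 1, tzinfo=UTC)
                                   + timedelta(days=30 * i)).isoformat()}}
    for i in range(6)
]


def fake_http_get(path, params):
    """Offline stand-in for an authenticated GET that filters and paginates the
    constructed sample the way a JSON:API server would."""
    assert path == REPORTS_PATH
    lo = datetime.fromisoformat(params["filter[updated_at_gteq]"])
    hi = datetime.fromisoformat(params["filter[updated_at_lteq]"])
    rows = [r for r in SAMPLE_REPORTS
            if lo <= datetime.fromisoformat(r["attributes"]["updated_at"]) <= hi]
    n = int(params["page[number]"])
    page = rows[(n - 1) * PAGE_SIZE:n * PAGE_SIZE]
    has_next = n * PAGE_SIZE < len(rows)
    return {"data": page,
            "links": {"next": f"{path}?page[number]={n + 1}" if has_next else None}}


class TriageInput:
    """One configured input: Start/End window, Re Ingest flag and a checkpoint
    that advances after each successful run, following the page's guidelines."""

    def __init__(self, start_time, end_time=None, re_ingest=False):
        self.start_time, self.end_time, self.re_ingest = start_time, end_time, re_ingest
        self.checkpoint = None      # newest updated_at already sent to Splunk
        self.finished = False       # a bounded Start/End range is collected only once
        self.warnings = []

    def window(self, now):
        """Return the [gteq, lteq] range for this run."""
        if self.re_ingest or self.checkpoint is None:
            lo = self.start_time                              # full range: first run or Re Ingest
        else:
            lo = self.checkpoint + timedelta(microseconds=1)  # resume just past the checkpoint
        hi = self.end_time or now
        if now - lo > MAX_HISTORY:
            self.warnings.append("window older than 12 months; expect slow collection")
        return lo, hi

    def collect(self, now, http_get=fake_http_get):
        """Pull every page in the window, advance the checkpoint, and apply the
        one-shot Re Ingest and bounded-range rules. Returns the collected ids."""
        if self.finished:
            return []
        lo, hi = self.window(now)
        events, page = [], 1
        while True:
            body = http_get(REPORTS_PATH, {"filter[updated_at_gteq]": lo.isoformat(),
                                           "filter[updated_at_lteq]": hi.isoformat(),
                                           "page[size]": str(PAGE_SIZE),
                                           "page[number]": str(page)})
            events.extend(body["data"])
            if not body["links"]["next"]:
                break
            page += 1
        if events:
            newest = max(datetime.fromisoformat(e["attributes"]["updated_at"]) for e in events)
            self.checkpoint = max(newest, self.checkpoint or newest)
        self.re_ingest = False            # the checkbox clears itself after one sweep
        if self.end_time is not None:
            self.finished = True          # End Time given: stop once the range is drained
        return [e["id"] for e in events]
```

Two points the model makes visible: the checkpoint is what prevents duplicate events on the incremental runs, so a real input must persist it (Splunk's checkpoint directory or KV store) rather than keep it in memory, and a Re Ingest sweep deliberately re-sends the whole range, so expect duplicates in the index after using it. The client secret should live in Splunk's credential store, which is what the add-on's account setup does, and never in inputs.conf.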

Phish that bypass secure email gateways and are reported by employees give security teams the insight they need to disrupt attacks in progress. Ingesting this information into Splunk is something customers have asked for, and Cofense is happy to provide teams with what they need to make their security programs stronger and more efficient. Get in touch with us at any time to learn more.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.