By Mike Saurbaugh
Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions.
Regardless of the industry, phishing spares no one.
Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions.
Enhanced APIs Automate Collection and Indexing
Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real threats faster, protecting organizations from the risk of compromise. The add-on provides the ability to extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints. And many more!
The enhanced Add-on developed by Cofense for Splunk runs on scheduled intervals and ingests valuable phishing data from Cofense Triage. Data from 20 Cofense Triage endpoints are called by the add-on and stored in Splunk for easy reporting and use by the security team.
Getting Connected
In Cofense Triage, create version 2 API client credentials:
Administration > API Management > Version 2 > Applications > New Applications
Figure 1: Triage API Client Configuration
Obtain the add-on from Splunkbase and install it in the Splunk instance.
In Splunk, add Cofense Triage API credentials. The client ID and client secret are obtained after generating the API application in Cofense Triage.
Figure 2: Add-on Account Setup to Access Cofense Triage
Input Configuration
With 20 endpoints to choose from, select and configure inputs based on desired polling intervals and the data required to empower the security team.
Figures 3 and 4: Add-on Accessible Data Input Fields to Configure
Assign Preferred Parameters to the Input Configuration