Products
Products
Detection
Response
Intelligence
About Cofense
About Cofense
Leadership
Free Tools
Free Tools
Build Resilience
Create Transparency
Speed Response

Welcome to the Cofense Blog

Get the latest information on phishing threats and trends, BEC, ransomware and credential phishing, plus Cofense product updates.

Follow us on Social Media

Power Splunk with Cofense Triage Phishing Indicators

The Phishing Indicators You Want and the Add-on You Need

By Mike Saurbaugh

Security and operational technology teams rely on the data in Splunk. It’s also central to critical data used to make business decisions.

Regardless of the industry, phishing spares no one.

Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). It makes perfect sense to take all this enriched phishing data and feed it to Splunk for additional reporting and response actions.

Enhanced APIs Automate Collection and Indexing

Cofense Triage accelerates phishing email analysis, investigation and response by cutting through the noise automatically and surfacing the real threats faster, protecting organizations from the risk of compromise. The add-on provides the ability to extract reported phishing email data from the Cofense Triage inbox, processed reports, threat indicators, reporters, operators and status endpoints. And many more!

The enhanced Add-on developed by Cofense for Splunk runs on scheduled intervals and ingests valuable phishing data from Cofense Triage. Data from 20 Cofense Triage endpoints are called by the add-on and stored in Splunk for easy reporting and use by the security team.

Getting Connected

In Cofense Triage, create version 2 API client credentials:

Administration > API Management > Version 2 > Applications > New Applications

Graphical user interface, text, application, email Description automatically generated

Figure 1: Triage API Client Configuration

Obtain the add-on from Splunkbase and install it in the Splunk instance.

In Splunk, add Cofense Triage API credentials. The client ID and client secret are obtained after generating the API application in Cofense Triage.

Text, application, table Description automatically generated

Figure 2: Add-on Account Setup to Access Cofense Triage

Input Configuration

With 20 endpoints to choose from, select and configure inputs based on desired polling intervals and the data required to empower the security team.

Table Description automatically generated

Table Description automatically generated

Figures 3 and 4: Add-on Accessible Data Input Fields to Configure

Assign Preferred Parameters to the Input Configuration

Graphical user interface, text, application, email Description automatically generated

Figure 5: Add-on Input Field Configuration for Cofense Triage Processed Reports

Conduct Searches Across Data Input

Graphical user interface, text, application Description automatically generated

Figure 6: Add-on Search Example for Cofense Triage Processed Reports