Cofense Triage AND (not OR) Cortex XSOAR – Next Level Phishing Analysis and Response

Share Now


By Mike Saurbaugh

You’re gonna need a bigger boat!

An “or” won’t be enough. Phish evade secure email gateways, and those nets have holes. Cofense Triage™ AND Palo Alto Networks Cortex XSOAR™ are better together at phishing analysis and response.

Here’s why.

Cofense Triage is a phishing-specific solution to collect and analyze employee-reported phishing emails received by the security operations team (SOC). One-click reporting with Cofense Reporter ensures employees don’t have to fumble over a convoluted process to alert the SOC. As the suspicious email box receives reported emails, the SOC needs to quickly analyze and respond to reporters, as well as take additional steps to act on real phish.

With Cofense Triage performing the analysis, it’s likely threats will match Cofense-provided phishing rules or with integrations from one of Cofense’s Technology Alliance Partners.

Palo Alto Networks Cortex XSOAR customers can quickly enable their licensed instance with Cofense Triage. Mutual customers can also run Palo Alto Networks Wildfire Machine Learning in Cofense Triage. Furthermore, mutual customers will find integrations with Cofense Intelligence in the Cortex XSOAR Marketplace, the premiere digital storefront for security automation playbooks. The Cofense integration was developed for phishing threat lookups and enrichment as well as ingestion of the full intelligence feed into the Cortex XSOAR solution.

Cofense Triage and Cortex XSOAR combine two formidable platforms to receive, analyze, enrich and respond to phishing attacks in minutes rather than hours.

Here’s what’s new

The integration supports Cofense Triage v2 API, which has bidirectional endpoints. Security teams can ingest data from Triage such as email reporters, email reports and clusters, threat indicators, rule matching and more. In addition, the ability to ingest and create threat indicators, categorize reports and obtain second stage threat indicators from malicious emails is functionality that is available in the Cofense Triage v3 application.

Security teams can use Cofense Triage v2 to programmatically create extract and update data from Cofense Triage straight into the Cortex XSOAR War Room.

There’s also support for Cortex XSOAR releases 5.5 and above with mirroring functionality in 6.0.0 and greater.

Time to Configure

Start by creating an API application set of credentials in Cofense Triage (either a new API application or reuse an existing API application, if preferred).

Navigate to:

Administration > API Management > Version 2 > Applications > New Application. Document the API credentials Client ID and Client Secret once submitted, as they’ll be needed in the Cortex XSOAR instance.

Graphical user interface, text, application, email Description automatically generated

Figure 1: New Application Configuration for API Credentials in Cofense Triage

Install Cofense Triage v3 in Cortex XSOAR from the Content Pack.

Graphical user interface, text Description automatically generated

Figure 2: Cofense Triage v3 Application in the Marketplace

Configure instance in Cortex XSOAR.

Cofense Triage’s content pack allows customers to use Classifiers, Incident Type and Mapper settings. Security teams may want to create separate instances based on the data ingestion from Cofense Triage. For example, instance configuration based on report location such as Inbox, Processed or Reconnaissance. Each instance configuration can also contain other attributes that allow for unique incident criteria. Match Priority, Category ID and Categorization Tags (for Processed Reports), Tags (for Reconnaissance Reports), and Advanced Filters, are useful for granularity.