
Cofense Triage AND (not OR) Cortex XSOAR – Next Level Phishing Analysis and Response

By Mike Saurbaugh

You’re gonna need a bigger boat!

An “or” won’t be enough. Phish evade secure email gateways, and those nets have holes. Cofense Triage™ AND Palo Alto Networks Cortex XSOAR™ are better together for phishing analysis and response.

Here’s why.

Cofense Triage is a phishing-specific solution that collects and analyzes the employee-reported phishing emails received by the security operations center (SOC). One-click reporting with Cofense Reporter ensures employees don’t have to fumble through a convoluted process to alert the SOC. As the suspicious-email mailbox receives reported emails, the SOC needs to analyze them quickly, respond to the reporters, and take additional steps to act on real phish.

With Cofense Triage performing the analysis, reported emails are likely to match Cofense-provided phishing rules or to be identified through integrations with one of Cofense’s Technology Alliance Partners.

Palo Alto Networks Cortex XSOAR customers can quickly connect their licensed instance to Cofense Triage. Mutual customers can also run Palo Alto Networks WildFire machine learning analysis from within Cofense Triage. Furthermore, mutual customers will find integrations with Cofense Intelligence in the Cortex XSOAR Marketplace, the premier digital storefront for security automation playbooks. The Cofense Intelligence integration was developed for phishing threat lookups and enrichment, as well as ingestion of the full intelligence feed into Cortex XSOAR.

Cofense Triage and Cortex XSOAR combine two formidable platforms to receive, analyze, enrich and respond to phishing attacks in minutes rather than hours.

Here’s what’s new

The integration uses the Cofense Triage v2 API, which offers both read and write endpoints. Security teams can ingest data from Triage such as email reporters, email reports and clusters, threat indicators, rule matches and more. The ability to ingest and create threat indicators, categorize reports, and obtain second-stage threat indicators from malicious emails is delivered by the Cofense Triage v3 content pack (the Cortex XSOAR integration, which talks to the Triage v2 API).

Security teams can use the Cofense Triage v2 API to programmatically create, extract and update data in Cofense Triage straight from the Cortex XSOAR War Room.

The content pack supports Cortex XSOAR releases 5.5 and above, with incident mirroring available on 6.0.0 and greater.

Time to Configure

Start by creating a set of API application credentials in Cofense Triage (either a new API application or, if preferred, an existing one).

Navigate to:

Administration > API Management > Version 2 > Applications > New Application. Record the Client ID and Client Secret shown once the application is submitted; they are needed when configuring the Cortex XSOAR instance. Treat the Client Secret as a credential: store it in the instance’s credential field rather than in a plaintext parameter or playbook input, and rotate it from the same page if it is ever exposed.


Figure 1: New Application Configuration for API Credentials in Cofense Triage

Install the Cofense Triage v3 content pack in Cortex XSOAR from the Marketplace.


Figure 2: Cofense Triage v3 Application in the Marketplace

Configure an instance in Cortex XSOAR.

The Cofense Triage content pack ships with Classifier, Incident Type and Mapper settings. Security teams may want to create separate instances based on what they ingest from Cofense Triage, for example one instance per report location: Inbox, Processed or Reconnaissance. Each instance configuration can also carry other attributes that define its own incident criteria. Match Priority, Category ID and Categorization Tags (for Processed reports), Tags (for Reconnaissance reports), and Advanced Filters are useful for granularity.


Figure 3: Instance Configuration to Connect to Cofense Triage with API Credentials


Figure 4: Parameters Available to Fetch Incidents

At each polling interval, reports matching the instance criteria are ingested along with their reported-email attributes. Fetching them as incidents populates the queue. Navigating to the Incident Queue gives a view of reported emails that can be run through playbooks. The following example shows incident creation; the incidents can then be run through corresponding playbooks, in this case to categorize the inbox report back into Triage.


Figure 5: Incident Queue Information

Playbook execution now runs through a set of steps to pull even more information into Cortex XSOAR and to categorize the report in Cofense Triage. The value here is that emails residing in the Cofense Triage inbox can be ingested and investigated further by the security team. Sometimes members of the security team do not have access to Cofense Triage; however, if their central console is Cortex XSOAR, they can still read from and write to Cofense Triage through it.


Figure 6: Report Categorization Playbook

As part of the playbook workflow, Cortex XSOAR processed the report back into Cofense Triage. What was an email report in the inbox is now a processed report carrying a custom-defined category in Cofense Triage that aligns with this use case.

Figure 7: Processed Report in Cofense Triage

This is all just the beginning, and there are many more commands that can be used between Cofense Triage and Cortex XSOAR. The following commands are available:

cofense-attachment-payload-list – Retrieves attachment payloads based on the filter values provided in the command arguments. Attachment payloads identify the MIME type and the MD5 and SHA256 hashes of a reported email’s attachments.
cofense-category-list – Retrieves categories based on the provided parameters. Categories are applied while processing the email to indicate the type of threat (or non-threat) that reports and clusters pose to the organization.
cofense-cluster-list – Retrieves clusters based on the filter values provided in the command arguments.
cofense-comment-list – Retrieves comments based on the filter values provided in the command arguments.
cofense-integration-submission-get – Retrieves an integration submission based on the filter values provided in the command arguments.
cofense-report-categorize – Categorizes a report into a specific category provided by the user.
cofense-report-download – Downloads the raw email for the report that matches the specified report ID.
cofense-report-image-download – Downloads the image of the report that matches the specified report ID.
cofense-report-list – Retrieves a report or a list of reports based on the filter values provided in the command arguments.
cofense-reporter-list – Retrieves the reporters that match the provided parameters. Reporters are employees of an organization who send, or report, suspicious emails to Cofense Triage.
cofense-rule-list – Retrieves rules based on the filter values provided in the command arguments. Rules identify specific characteristics for categorizing the reported emails.
cofense-threat-indicator-create – Creates a threat indicator based on the values provided in the command arguments.
cofense-threat-indicator-list – Retrieves the list of threat indicators based on the provided parameters. Threat indicators identify the threat level of an email’s subject, sender, domains, URLs, and MD5 and SHA256 attachment hashes.
cofense-threat-indicator-update – Updates a threat indicator based on the values provided in the command arguments.
cofense-url-list – Retrieves URLs based on the filter values provided in the command arguments. URLs are the threats (or non-threats) detected in the reported emails.

Let’s wrap-up with a few quick win use cases…

Quick Win #1

Ingest reports and clusters from Cofense Triage to populate Cortex XSOAR. Reports are in one of three locations: Inbox, Reconnaissance or Processed. Based on the criteria of interest, Cortex XSOAR will auto-populate with reported suspicious emails.

  1. Consider not ingesting processed reports that are non-malicious.
  2. Ingest processed reports that Cofense Triage either ran through automation or that a security analyst processed. The category of a processed report, for example Crimeware, is useful information within Cortex XSOAR.
  3. Consider downloading the full emails that match criteria the security team is interested in into Cortex XSOAR. In addition, full attachment downloads can be extracted and run through malware analysis tools to collect additional data for security researchers and incident responders.
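The instance parameters described above (report location, Match Priority, Category ID, tags), the polling-interval ingestion, and Quick Win #1 all come down to two steps: build a filtered report query, then turn each matching report into an XSOAR incident. The following Python is an added example written for this page, not code from the Cofense Triage v3 content pack. The sample JSON is constructed, and the JSON:API field and filter names (`filter[location]`, `match_priority_gteq`, `relationships.category`, the `malicious` flag on a category) are assumptions about the Triage v2 API shape; the incident keys (`name`, `occurred`, `severity`, `rawJSON`) are the ones a Cortex XSOAR fetch-incidents routine returns.

```python
"""Added example: build Triage v2 report-fetch criteria and convert report
records into Cortex XSOAR incidents, dropping processed reports whose
category is non-malicious (Quick Win #1, item 1)."""
import json
from typing import Dict, List, Optional, Set
from urllib.parse import urlencode

# Constructed sample data, shaped like Triage v2 JSON:API responses (assumption).
SAMPLE_CATEGORIES = json.dumps({"data": [
    {"id": "1", "type": "categories",
     "attributes": {"name": "Non-Malicious", "malicious": False}},
    {"id": "4", "type": "categories",
     "attributes": {"name": "Crimeware", "malicious": True}},
]})

SAMPLE_REPORTS = json.dumps({"data": [
    {"id": "101", "type": "reports",
     "attributes": {"location": "processed", "subject": "Invoice overdue",
                    "match_priority": 5, "from_address": "billing@example.net",
                    "created_at": "2021-06-01T10:00:00Z"},
     "relationships": {"category": {"data": {"id": "4", "type": "categories"}}}},
    {"id": "102", "type": "reports",
     "attributes": {"location": "processed", "subject": "Lunch menu",
                    "match_priority": 0, "from_address": "cafe@example.com",
                    "created_at": "2021-06-01T10:05:00Z"},
     "relationships": {"category": {"data": {"id": "1", "type": "categories"}}}},
    {"id": "103", "type": "reports",
     "attributes": {"location": "inbox", "subject": "Password expiring",
                    "match_priority": 3, "from_address": "it-help@example.org",
                    "created_at": "2021-06-01T10:07:00Z"},
     "relationships": {"category": {"data": None}}},
]})


def build_report_query(location: str, min_match_priority: Optional[int] = None,
                       category_id: Optional[int] = None,
                       tags: Optional[List[str]] = None, page_size: int = 50) -> str:
    """Query string for a reports listing (filter names are an assumption).
    One XSOAR instance per location (inbox, recon, processed) maps to one query."""
    params: Dict[str, object] = {"filter[location]": location,
                                 "page[size]": page_size, "sort": "created_at"}
    if min_match_priority is not None:
        params["filter[match_priority_gteq]"] = min_match_priority
    if category_id is not None:
        params["filter[category_id]"] = category_id
    if tags:
        params["filter[tags_any]"] = ",".join(tags)
    return urlencode(params)


def malicious_category_ids(categories_json: str) -> Set[str]:
    """IDs of categories flagged malicious, from a cofense-category-list style result."""
    return {c["id"] for c in json.loads(categories_json)["data"]
            if c["attributes"].get("malicious")}


def severity_from_priority(match_priority: int) -> int:
    """Map Triage match priority (0-5) onto XSOAR severity (1 low .. 4 critical)."""
    if match_priority >= 5:
        return 4
    if match_priority >= 3:
        return 3
    if match_priority >= 1:
        return 2
    return 1


def reports_to_incidents(reports_json: str, malicious_ids: Set[str],
                         skip_benign_processed: bool = True) -> List[dict]:
    """Convert report records into the dicts a fetch-incidents routine hands to XSOAR.
    Processed reports in a non-malicious category are dropped by default so the
    queue only fills with inbox/recon reports and confirmed threats."""
    incidents = []
    for rep in json.loads(reports_json)["data"]:
        attrs = rep["attributes"]
        cat = (rep.get("relationships", {}).get("category", {}).get("data") or {}).get("id")
        if (skip_benign_processed and attrs["location"] == "processed"
                and cat not in malicious_ids):
            continue
        incidents.append({
            "name": f"Cofense Triage report {rep['id']}: {attrs['subject']}",
            "occurred": attrs["created_at"],
            "severity": severity_from_priority(attrs["match_priority"]),
            "rawJSON": json.dumps(rep),  # full record for the classifier and mapper
        })
    return incidents


if __name__ == "__main__":
    print(build_report_query("processed", min_match_priority=3, tags=["finance"]))
    for inc in reports_to_incidents(SAMPLE_REPORTS, malicious_category_ids(SAMPLE_CATEGORIES)):
        print(inc["severity"], inc["name"])
```

Run stand-alone, the script keeps the Crimeware processed report and the inbox report and drops the non-malicious processed one. In a real fetch routine the category set would come from `cofense-category-list` once per poll rather than being hard-coded, and the `rawJSON` is what the content pack’s mapper reads to fill incident fields.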

Quick Win #2

Configure Cortex XSOAR to ingest and categorize reported emails that reside in the Cofense Triage Inbox. These are unprocessed suspicious reports waiting for action. Failing to act on them in a timely manner can leave a successful phishing attempt unanswered and harm the business.

  1. Ingest reports from the inbox (from above sample configuration).
  2. Conduct additional analysis in Cortex XSOAR and run playbooks to process the report.
  3. Extract threat indicators from the report and add them into Cortex XSOAR and Cofense Triage to use in additional analysis with future reports.

Quick Win #3

Ingest Cofense Triage threat indicators into Cortex XSOAR. The threat indicators in Cofense Triage consist of URLs, hostnames, headers and hashes. Each carries a type and a threat level of Malicious, Suspicious or Benign. Ingesting the malicious and suspicious indicators makes them available to other tools within the SOC.

  1. Automate cofense-threat-indicator-list, passing arguments for type and level so only the indicator types and threat levels of interest are pulled.
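Quick Win #2 step 3 and Quick Win #3 are the two directions of indicator handling: pulling Triage threat indicators (by type and level) into Cortex XSOAR, and pushing indicators extracted from a processed report back into Triage. The Python below is an added example for this page, not the content pack’s own code. The indicator listing is constructed, the Triage attribute names (`threat_type`, `threat_level`, `threat_value`, `threat_source`) and the argument names handed to `cofense-threat-indicator-create` are assumptions, and the DBotScore mapping (1 good, 2 suspicious, 3 bad) is Cortex XSOAR’s standard scale.

```python
"""Added example: (a) apply type/level selection to a cofense-threat-indicator-list
style result and map hits onto XSOAR indicators; (b) build the argument sets a
playbook would pass to cofense-threat-indicator-create for a processed report."""
import json
from typing import Dict, Iterable, List, Optional

# Triage threat level -> XSOAR DBotScore (1 good, 2 suspicious, 3 bad).
LEVEL_TO_SCORE = {"Malicious": 3, "Suspicious": 2, "Benign": 1}
# Triage threat type -> native XSOAR indicator type. Subject and Header have no
# native type, so they are skipped rather than mis-typed.
TYPE_TO_XSOAR = {"URL": "URL", "Domain": "Domain", "Hostname": "Domain",
                 "Sender": "Email", "MD5": "File", "SHA256": "File"}

# Constructed sample listing (assumed JSON:API shape); values are made up.
SAMPLE_THREAT_INDICATORS = json.dumps({"data": [
    {"id": "1", "type": "threat_indicators", "attributes": {
        "threat_type": "URL", "threat_level": "Malicious",
        "threat_value": "http://login-reset.example.net/verify", "threat_source": "Triage-UI"}},
    {"id": "2", "type": "threat_indicators", "attributes": {
        "threat_type": "Domain", "threat_level": "Suspicious",
        "threat_value": "login-reset.example.net", "threat_source": "Triage-UI"}},
    {"id": "3", "type": "threat_indicators", "attributes": {
        "threat_type": "SHA256", "threat_level": "Benign",
        "threat_value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "threat_source": "Triage-UI"}},
    {"id": "4", "type": "threat_indicators", "attributes": {
        "threat_type": "Subject", "threat_level": "Malicious",
        "threat_value": "Your password expires today", "threat_source": "Triage-UI"}},
]})


def select_indicators(raw_json: str, types: Optional[Iterable[str]] = None,
                      levels: Iterable[str] = ("Malicious", "Suspicious")) -> List[dict]:
    """Keep indicators matching the requested types/levels (Quick Win #3) and return
    XSOAR indicator dicts. Benign entries are excluded by default."""
    wanted_types = set(types) if types else None
    wanted_levels = set(levels)
    out = []
    for ti in json.loads(raw_json)["data"]:
        a = ti["attributes"]
        if wanted_types and a["threat_type"] not in wanted_types:
            continue
        if a["threat_level"] not in wanted_levels:
            continue
        xsoar_type = TYPE_TO_XSOAR.get(a["threat_type"])
        if xsoar_type is None:
            continue
        out.append({"value": a["threat_value"], "type": xsoar_type,
                    "score": LEVEL_TO_SCORE[a["threat_level"]],
                    "fields": {"tags": ["cofense-triage", a["threat_source"]]}})
    return out


def indicators_from_report(from_address: str, urls: Iterable[str],
                           payloads: Iterable[Dict[str, str]],
                           level: str = "Malicious", source: str = "Cortex XSOAR") -> List[dict]:
    """Argument sets for cofense-threat-indicator-create, one per distinct indicator
    (Quick Win #2, step 3). `urls` would come from cofense-url-list and `payloads`
    (md5/sha256 pairs) from cofense-attachment-payload-list for the report."""
    if level not in LEVEL_TO_SCORE:
        raise ValueError(f"unknown threat level: {level}")
    seen, args = set(), []

    def add(ttype: str, value: str) -> None:
        value = value.strip()
        key = (ttype, value.lower())
        if value and key not in seen:  # hashes and addresses compare case-insensitively
            seen.add(key)
            args.append({"threat_type": ttype, "threat_level": level,
                         "threat_value": value, "threat_source": source})

    add("Sender", from_address)
    for u in urls:
        add("URL", u)
    for p in payloads:
        add("MD5", p.get("md5", ""))
        add("SHA256", p.get("sha256", ""))
    return args


if __name__ == "__main__":
    for hit in select_indicators(SAMPLE_THREAT_INDICATORS, types=["URL", "Domain"]):
        print(hit["score"], hit["type"], hit["value"])
    for arg in indicators_from_report("it-help@example.org",
                                      ["http://login-reset.example.net/verify"],
                                      [{"md5": "d41d8cd98f00b204e9800998ecf8427e"}]):
        print(arg)
```

Only indicator types with a native Cortex XSOAR counterpart are created as indicators; a Subject or Header match is still useful, but it belongs on the incident as context rather than in the indicator store. When pushing back to Triage, set the level deliberately: a report categorized as non-malicious should not seed Malicious indicators, so the playbook should branch on the category before calling the create step.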

As Cofense continues to add phishing expertise to its products, there will be opportunities to enhance the integration. In the meantime, we hope security teams will find this integration useful and efficient, and that it reinforces the value the partnership provides. Send us a message letting us know how the integration is working for you!

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.