Anti-Phishing Solutions for Technology Alliance Partners

Trusted partner to some of the best technology brands in the world.


A trusted security ecosystem

Cofense provides the capabilities necessary to make more effective decisions on phishing threats facing your company. Our Technology Alliance Program (TAP) provides a strong and mutually beneficial ecosystem with our partners to provide a comprehensive anti-phishing solution. Cofense solutions seamlessly integrate to simplify deployment, improve efficiency, reduce costs, and optimize security investments.

Our integration partners


Cofense Intelligence indicators and reports ingested into Anomali ThreatStream. Install the Cofense Intelligence app from Anomali’s store to ingest phishing URLs, domains, hashes, IPs, malware families, contextual reports, and more. Operationalize workflow with Cofense’s human-verified intelligence that identifies indicators by severity and correlates with phishing campaigns.

Cofense Intelligence human-verified phishing intelligence ingested into Centripetal CleanINTERNET to filter networks from accessing phishing infrastructure. Protect against access to phishing URLs, domains, IPs, and command and control sites.

Cofense Triage submits suspected phishing domains to Cisco Umbrella Investigate to determine risk. Domain indicator results populate Cofense Triage to prioritize phishing investigation and response workflow.

Cofense Intelligence integrates with Cortex XSOAR threat intelligence management module to streamline multiple sources of threat intelligence. Also, integrate with XSOAR playbooks to automate investigation and response actions.

Cofense Triage bidirectionally communicates with XSOAR where phishing indicators can be applied to playbooks and automate response. Use Cortex XSOAR to call Cofense Triage’s API and multiple endpoints and ingest known bad or suspicious emails for incident response and remediation.

Cyware CTIX can ingest Cofense Intelligence phishing indicators in JSON format. Each indicator ingested can be used in playbooks and threat lookups from CTIX to use the threat impact rating of each Cofense Intelligence indicator.

Cofense Triage can bidirectionally exchange phishing indicators including domains, URLs, hash values, and more with Cyware CSOL. Cyware can ingest malicious or suspicious emails from Cofense Triage to use in playbooks.

Cofense Intelligence and EclecticIQ Platform deliver the ability to acquire, aggregate and act from phishing-specific indicators. EclecticIQ Platform ingests phishing IOCs and contextual reports via Cofense’s API. Security teams can act based on Cofense Intelligence indicators through their existing infrastructure to alert or block ingress or egress traffic.

Cofense Triage automatically submits email attachments to Hatching Triage at ingestion. Cofense Triage admins can also resubmit supported attachment types from Triage to Hatching using the API. Analysis results of the submitted attachments are available for review in Hatching’s platform.

IBM QRadar ingests Cofense Intelligence by using Cofense’s app within IBM App Exchange. The intelligence ingested is used in a SOC to monitor and alert on activity matching indicators.

Cofense Triage supports LEEF to send syslog events to QRadar based on rules, recipes, and categorizations. Analysts can then act based on recipe or report categorization as well as when a YARA rule is matched.

Cofense Triage operators can use a Cofense-provided Python script that can safely submit files from Cofense Triage at ingestion to an instance of Joe Sandbox using its API. Analysts can then view the file results in Joe Sandbox to assess its risk.

Cofense Intelligence and King & Union Avalon deliver the ability to acquire, aggregate and act from phishing-specific intelligence. The Avalon Platform ingests phishing IOCs (domains, URLs, IPs, file hashes) via Cofense’s API. Avalon security teams can act based on Cofense Intelligence indicators through their existing infrastructure to alert or block ingress or egress traffic.

Libraesva’s secure email gateway can ingest reported phishing emails and IOCs via API from Cofense Triage. Libraesva can then apply the indicators to the secure email gateway used by mutual customers.

Cofense Intelligence is ingested into LogRhythm’s platform using Cofense’s API. The ingestion of intelligence is used in a SOC to monitor and alert on activity when a domain, URL, or IP address matches Cofense provided intelligence.

LogRhythm receives CEF-based syslog events from Cofense Triage. Triage will output events based on rules, recipes, and categorizations. Triage admins configure this based on recipe or report categorization as well as when a YARA rule is matched.

Cofense Intelligence ingested via API with CEF support into ArcSight. Operationalize Cofense Intelligence phishing URLs, domains, hashes, IPs, malware families, contextual reports, and more.

Cofense Triage operators send their syslog events in CEF to their ArcSight instance. ArcSight will receive events based on rules, recipes, and categorizations. This is done by matching recipes or report categorization, or when a YARA rule is matched by an analyst.

Cofense Intelligence imported into RSA NetWitness in STIX format. The ingestion of indicators can be used in a SOC to monitor and alert on activity when an indicator matches what Cofense Intelligence has produced.

Cofense Intelligence ingests into Palo Alto Networks MineMeld application. Create an open source MineMeld server which formats Cofense Intelligence and ingests indicators into Palo Alto Networks next-generation firewalls. The firewalls consume the indicators using external dynamic lists, and the indicators are applied to firewall security policies.

Cofense Triage automatically submits hashes of attachments or full files to Palo Alto Networks WildFire at ingestion. Cofense Triage admins manually submit any hash or supported attachment type from Triage to WildFire using the API. WildFire will return the results to Cofense Triage with a full malware contextual report. Additionally, Cofense Triage integrates with MineMeld to obtain threat indicators.

Cofense Intelligence and Paterva’s Maltego application integrate, and analysts can gather, interrogate, and visualize data to find threat relationships. Cofense developed transforms for Maltego to visualize relationships between observables within a specific attack and explicitly pinpoint how attackers are delivering their malicious payloads.

Recorded Future has an extension available within the platform to leverage Cofense Intelligence API for human-verified phishing intelligence. Analysts in Recorded Future seamlessly pivot to Cofense Intelligence and obtain indicator validation on IPs, domains, and files.

Cofense Triage operators can query file hash values in the Recorded Future platform. Analysts can view information on the Recorded Future website to validate a file disposition. There is no account required to get “basic” information. The Triage analyst views information from Recorded Future with the option to create an account for more in-depth review.

Cofense Triage can bidirectionally communicate with Siemplify to ingest phishing indicators for Siemplify to process as part of a playbook. Cofense Triage sends reports, threat indicators, reporter information, and phishing incident observables for Siemplify to receive and orchestrate. Categorized reports along with indicator analysis tags are capable of ingestion into Siemplify to use in playbooks.

Cofense Intelligence and SentinelOne Endpoint Protection Platform (EPP) provide analysts with the ability to investigate, validate, and remediate based on file hash indicators from phishing specific intelligence. With SentinelOne, security teams can operationalize Cofense Intelligence file hash indicators with SentinelOne blacklists.

ServiceNow Security Operations polls the Cofense Intelligence API in a search-based integration to validate incidents that may be related to phishing. Security Operations makes use of Cofense Intelligence indicator IPs, domains, URLs, and files. Analysts use the results and context for additional actions and orchestration.

Cofense Triage and ServiceNow Security Incident Response leverage Cofense Triage’s bidirectional API to ingest phishing events and create security incidents in ServiceNow SIR. ServiceNow analysts can update reported phishing data in Cofense Triage as well as enrich their threat indicator and observables table received from Cofense.

Cofense Intelligence can be ingested into Splunk using Cofense’s API and the Splunk App available from Splunkbase. Splunk will ingest human-verified phishing indicators and correlate with other events to act when indicators match Cofense Intelligence.

Cofense Triage has an Add-on with Splunk to ingest data from many endpoints. Reported phishing attributes are extracted from Cofense Triage and populate Splunk for enrichment, action, and response in the SOC. Splunk also receives CEF events based on event criteria as well as when a YARA rule matches.

Leverage Cofense Intelligence to validate suspected phishing incidents. Splunk SOAR’s Cofense Intelligence supported app can be used in many actions to hunt URLs, IPs, files, and domains. Analysts then use Cofense’s results in additional actions and playbooks.

Cofense Triage has a bidirectional app with Splunk SOAR that takes advantage of endpoints to ingest phishing attributes and indicators. Categorized reports along with indicator analysis tags are capable of ingestion to use in playbooks.

Cofense Intelligence is used in Sumo Logic’s SOAR platform to validate phishing incident impact so that analysts can make efficient use of their time. Sumo Logic’s SOAR platform leverages Cofense Intelligence indicator IPs, domains, URLs, and files. Analysts use the results and context for additional actions and playbooks.

Cofense Intelligence is a value-added data source integrated with Swimlane’s orchestration platform. Swimlane correlates Cofense Intelligence’s IPs, hashes, domains, and URLs to prioritize and remediate events.

Cofense Triage is a supported application in Swimlane to ingest phishing indicators and employee-reported phishing attributes. Cofense Triage sends IPs, domains, URLs and hashes, for Swimlane to receive and act on. Categorized reports along with indicator analysis tags are capable of ingestion to use in playbooks.

Cofense Intelligence integrates with ThreatConnect to ingest phishing intelligence into the platform. Cofense’s API is leveraged to pull in actionable phishing indicators for analysts to create process around indicator impact ratings.

Cofense Intelligence can be ingested into the ThreatQuotient Threat Intelligence Platform (TIP) using Cofense’s API. Enable Cofense Intelligence from within ThreatQ platform and ingest threat IDs, malware families, URLs, IP addresses, and more.

ThreatQuotient ingests malicious, suspicious, and benign indicators from Cofense Triage by API. Analysts in Cofense Triage tag hashes, domains, URLs, senders, and subjects that are malicious or suspicious, and ThreatQuotient ingests them, cross-correlates them in its threat library, and allows next-step actions based on intelligence results.

Cofense Intelligence is ingested into McAfee ESM using Cofense’s API via a standalone Python script. This CEF ingestion is then used in a SOC to monitor/alert on activity when a domain or IP address matches Cofense Intelligence.

McAfee ESM receives syslog events in CEF from Cofense Triage. ESM will receive the events based on rules, recipes, and categorizations. Analysts can then act based on recipe or report categorization as well as when a YARA rule is matched.

Cofense Intelligence and FireEye Helix Security Orchestrator deliver the ability to investigate, validate, and orchestrate based on indicator impact ratings from phishing-specific intelligence. Ingestion of phishing indicators allows analysts to investigate, search, and respond to phishing events.

Cofense Intelligence can be ingested into Trend Micro TippingPoint and then actionable rules applied. An indicator can have a block rule placed within TippingPoint against IPs, domains, or URLs. This allows analysts to block and monitor based on indicators from Cofense Intelligence.

Cofense Intelligence and Cb Response provide analysts with the ability to investigate, validate, and remediate based on indicator impact ratings from phishing specific intelligence. With Cb Response, security teams operationalize Cofense Intelligence indicators through features such as watchlists, binary and process search, banned hashes, and investigations.

Cofense Triage operators configure Triage to query Lastline Analyst (NSX Detonator) API for results on files and URLs. The files and URLs sent will return results to Triage to prioritize workload. Cofense Triage provides a link to the system for full malware report details.

Partner with Cofense

Increase resiliency, speed up response times, and stop phishing attacks faster.


Value Added Resellers

We provide an unmatched phishing detection and response portfolio that empowers resellers in every sector to offer customers a comprehensive level of security.

Managed Service Providers

Built from the ground up for MSPs, Cofense Protect provides quick deployment of advanced email security & awareness training from a single multi-tenanted UI.

Managed Security Service Partners

We provide our MSSPs with the phishing detection and response solutions needed to implement the most advanced phishing defenses, processes, and resources for their customers.



Partner with Cofense

Increase resiliency. Improve your security posture. Grow your business. Drive new revenue.