04-29-2019 08:51 AM
Hello all,
I know there is a means to use the "User Reported Phishing" options in the new release, however - most of our user reported phishing does not go to an analyst internally for review in a mailbox. This feature states that it parses an eml file type for header info, subject, etc. and creates an incident. I need to use this with an enterprise-ready service known as PhishMe aka Cofense. When people submit these, they are delivered to their Triage managed product and analyzed there. Their API is a little lacking at the moment (the Cofense Intel API is fine, just not Triage), so we have all these massive emails which are now being sent into this solution and then still have to be manually entered on firewalls, etc.
This is really challenging and I know there are some email parsing options possibly from looking at the following - https://community.servicenow.com/community?id=community_question&sys_id=6d4631a5db44f7880be6a345ca9619d6
While I don't manage the SNOW SecOps instance or SNOW at all, I do use it and really need this to parse all data listed in the email, under a section marked Indicators of Compromise. This may have IP, hash or Domain/URL listed.
Is there a means to parse all of these fields from this one alert source and use them in the same way as above?
Is there a means to also use this data as observables to enrich against Recorded Future without having to manually add observables that are already in the incident?

04-30-2019 08:09 AM
Phish Me Triage user here. We looked into integrating the two about a year ago and we weren't impressed with Cofense's plan for integration. The store.servicenow.com integration is just for their Threat Feed lookup. The closest thing they suggested to integrating with ServiceNow for response was their One Time notification, which means sending the email off to ServiceNow to parse. Not exactly an integration in my book. My anglers weren't impressed and found it lacking. We were hoping their future integration plans would include something we could use for response. Their delay is actually moving us to look at the ServiceNow solution instead. We were looking for a method of pushing from Cofense to ServiceNow if response is needed.
ServiceNow is missing some key requirements that Cofense offers. Once they add these features we will need to seriously re-evaluate our Cofense solution.
If you find a better method, please post back here.
Please indicate below if you found this post helpful.
04-29-2019 03:35 PM
Hey, it's me again!
Have you seen this Cofense integration on the app store?
https://store.servicenow.com/sn_appstore_store.do#!/store/application/e1fa98580f96d740cdc648dce1050e62/1.0.3?referer=sn_appstore_store.do%23!%2Fstore%2Fsearch%3Fq%3Dcofense
I'm not sure if it gets you what you need, but it looks promising. If you're already using that then using Business Rules to parse incoming data may do the trick.
As far as manually looking up observables that are already in the incident:
You should be able to use the "Run Threat Lookup" feature against a checked list of those observables to force a lookup, but these lookups should be run automatically when the observables are added to the incident.

04-30-2019 09:28 AM
I actually do have one, it's called their TriAPI which is in beta. I have been working with them to complete it for use with Microsoft Power BI.
As far as email notifications from the PDC, I think I should be able to get those to come in via email as they do now, but strip off or parse everything from the Indicators of Compromise below and get that into observables. It's gotta happen because it's a PITA to input into Panorama and Minemeld manually. I know their documentation claims the same, even referencing Triage to do that - but it was not as is only the Intel product like before. They are about to start sending emails with a json file attached - I expected more; however, I'd think we could leverage this somehow...
Looks like we are in a similar boat! Thank you qcj3!
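The parsing step the original question asks for and this reply describes (pull the IP, hash and domain/URL values out of the "Indicators of Compromise" section of the notification email and turn them into observables) looks roughly like the following. This is an added example, not Cofense or ServiceNow code and not the parser referenced elsewhere in the thread: it is plain Node.js with no Glide APIs so it runs offline, and the section heading text, the constructed sample email and the observable type labels (`url`, `domain`, `ip`, `hash`) are this example's own assumptions, not ServiceNow observable type values. Reporters often defang indicators (`hxxp`, `[.]`), so the example refangs before matching, validates IPv4 octets, classifies hashes by length and dedupes repeated values.

```javascript
// Added example (not Cofense or ServiceNow code): extract observables from the
// "Indicators of Compromise" section of a user-reported phishing notification.
// Plain Node.js, no Glide APIs. The heading text, the constructed sample email
// and the type labels below are assumptions of this example.

// Constructed sample notification; addresses use documentation/reserved ranges.
const SAMPLE_EMAIL = [
  'Subject: [Triage] Report #12345 - Invoice overdue',
  'From: notifications@example.invalid',
  '',
  'A user reported the following message as phishing.',
  '',
  'Indicators of Compromise:',
  'Sender IP: 203.0.113.45',
  'URL: hxxp://login-portal[.]example[.]net/verify?id=7',
  'Domain: mail.example[.]org',
  'Attachment MD5: d41d8cd98f00b204e9800998ecf8427e',
  'Attachment SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
  'Sender IP: 203.0.113.45',
  '',
  'Reporter: user@example.com',
].join('\n');

// Return the lines under `heading` (optional trailing colon) up to the next
// blank line or the end of the body; [] when the section is absent.
function extractSection(body, heading) {
  const lines = body.split(/\r?\n/);
  const escaped = heading.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const isHeading = new RegExp('^\\s*' + escaped + '\\s*:?\\s*$', 'i');
  const start = lines.findIndex(l => isHeading.test(l));
  if (start === -1) return [];
  const out = [];
  for (let i = start + 1; i < lines.length && lines[i].trim() !== ''; i++) out.push(lines[i]);
  return out;
}

// Undo the common defanging styles so the regexes below see real indicators.
function refang(text) {
  return text
    .replace(/hxxp/gi, 'http')
    .replace(/[\[({]\.[\])}]/g, '.')
    .replace(/\[:\]/g, ':');
}

function isValidIpv4(ip) {
  return ip.split('.').every(o => Number(o) <= 255);
}

function hashAlgorithm(hex) {
  return { 32: 'md5', 40: 'sha1', 64: 'sha256' }[hex.length];
}

// Returns deduplicated [{type, value}] observables in the order url, domain, ip, hash.
function parseIndicators(emailBody, heading) {
  heading = heading || 'Indicators of Compromise';
  const text = refang(extractSection(emailBody, heading).join('\n'));
  const found = { url: new Set(), domain: new Set(), ip: new Set(), hash: new Set() };

  // URLs first, then blank them out so their host names are not re-counted as domains.
  const rest = text.replace(/\bhttps?:\/\/[^\s<>"']+/gi, m => { found.url.add(m); return ' '; });

  for (const m of rest.match(/\b(?:\d{1,3}\.){3}\d{1,3}\b/g) || []) {
    if (isValidIpv4(m)) found.ip.add(m);
  }
  // Longest alternative first so a SHA-256 is not cut down to a 32/40-char prefix.
  for (const m of rest.match(/\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b/gi) || []) {
    found.hash.add(m.toLowerCase());
  }
  // Bare domains: skip e-mail addresses (preceded by '@') and pieces of longer tokens.
  for (const m of rest.match(/(?<![@\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}\b/gi) || []) {
    found.domain.add(m.toLowerCase());
  }

  const observables = [];
  for (const type of ['url', 'domain', 'ip', 'hash']) {
    for (const value of found[type]) {
      observables.push(type === 'hash' ? { type, value, algorithm: hashAlgorithm(value) } : { type, value });
    }
  }
  return observables;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(parseIndicators(SAMPLE_EMAIL), null, 2));
}
```

On the sample email this yields five observables: the refanged URL, `mail.example.org`, `203.0.113.45` once (the duplicate line is collapsed), and the two hashes tagged `md5` and `sha256`. Inside ServiceNow the same logic would sit in the Business Rule or inbound email action that handles the notification, with each returned item mapped onto the instance's own observable type values before it is attached to the incident and sent for threat lookup.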

04-30-2019 11:29 AM
Glad to hear that they are taking SOAR seriously now.
In regard to parsing: you may want to look at the parser that Mike Saurbaugh shared in the dev community. It may be a good starting point for you but it does come with an AS IS warning.
Good luck.