Cofense Vision¶
About¶
When it comes to phishing threats, every second counts. Undetected threats can lurk in your network for weeks or months, and can cost your organization millions of dollars. With Cofense Vision, you can search and quarantine emails within minutes, or set a policy to autoquarantine with no intervention — across your entire organization.
Product Details¶
Vendor URL: Cofense Vision
Product Type: Email
Product Tier: Tier III
Integration Method: Syslog
Integration URL: N/A
Log Guide: N/A
Parser Details¶
Log Format: Syslog/JSON
Expected Normalization Rate: 95%
Data Label: COFENSE_VISION
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| security_result.about.email | |
| eventtype | metadata.product_event_type |
| internetMessageId | network.email.mail_id |
| msg1 | metadata.description |
| observer | observer.hostname |
| observerapp | observer.application |
| recipientAddress | network.email.to |
| Searchsubjects | network.email.subject |
| user | principal.user.userid |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all | GENERIC_EVENT |
Log Sample¶
<14>Oct 22 20:37:21 number [poolthread] serviceurl No primary addresses were found for email
Sample Parsing¶
metadata.event_timestamp = "2021-10-22T20:37:21Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Cofense"
metadata.product_name = "Vision"
metadata.product_event_type = "poolthread"
metadata.description = "No primary addresses were found"
metadata.ingested_timestamp = "2021-10-22T20:37:58.899825Z"
observer.hostname = "number"
observer.application = "serviceurl"
security_result.about.email = "email"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon