# Phishing Triage
The Phishing Triage feature includes endpoints to retrieve prioritized phishing emails and their associated indicators, as well as to set the status of the email.
## Endpoints

### Phishing Submissions
Phishing Submissions are emails ingested into a TruSTAR enclave.
Field | Description |
---|---|
submissionId | The ID of the phishing email submission. |
title | The subject of the email submission. |
priorityEventScore | The score of the email submission. |
status | The current triage status of the email submission. Accepted status options: "CONFIRMED", "IGNORED", or "UNRESOLVED". |
context | An array of structures containing original and normalized scores for each indicator in the email submission. |
Sample JSON

```json
{
  "submissionId": "0a99ff45-72c5-49ff-b431-ab64239c7916",
  "title": "Potential Phishing Email",
  "priorityEventScore": "3",
  "status": "CONFIRMED",
  "context": [
    {
      "indicatorType": "URL",
      "indicatorValue": "www.example.com",
      "sourceKey": "crowdstrike_indicator",
      "normalizedIndicatorScore": 3,
      "originalIndicatorScore": {
        "name": "Malicious Confidence",
        "value": "high"
      }
    },
    {
      "indicatorType": "URL",
      "indicatorValue": "www.example.com",
      "sourceKey": "virustotal",
      "normalizedIndicatorScore": 3,
      "originalIndicatorScore": {
        "name": "Risk Score",
        "value": "78"
      }
    }
  ]
}
```
### Phishing Indicators
Phishing Indicators are indicators found in phishing email submissions.
Field | Description |
---|---|
indicatorType | The type of indicator (IP, URL, EMAIL_ADDRESS, MD5, SHA1, SHA256). |
value | The indicator’s value. |
sourceKey | The intelligence source where the indicator came from. |
normalizedIndicatorScore | The computed normalized value of the indicator score. |
originalIndicatorScore | The original score as reported by the intelligence source, before normalization (see Original Indicator Score below). |
#### Original Indicator Score
The indicator’s score, as provided by the intelligence source.
Field | Type | Description |
---|---|---|
name | String | The name of the score type, e.g. “Risk Score” or “Malicious Confidence” |
value | String | The value of the score, as directly extracted from the source, e.g. “HIGH” or “78” |
Sample JSON

```json
{
  "indicatorType": "URL",
  "value": "www.example.com",
  "sourceKey": "crowdstrike_indicator",
  "normalizedIndicatorScore": 3,
  "originalIndicatorScore": {
    "name": "Malicious Confidence",
    "value": "high"
  }
}
```
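The following Python is an added example showing how a consumer would parse the Phishing Submission and Phishing Indicator structures documented above; it is not part of the TruSTAR SDK or API. It validates the `status` field against the three accepted values, accepts both the `indicatorValue` key used inside a submission's `context` and the `value` key used by standalone indicator records, and collapses the per-source scores into the highest normalized score seen for each indicator. The sample submission embedded in the code is copied from the Sample JSON above; the function and dataclass names are the example's own.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Accepted values for the "status" field, per the Phishing Submissions table.
ACCEPTED_STATUSES = {"CONFIRMED", "IGNORED", "UNRESOLVED"}

# Sample submission, copied from the documentation's Sample JSON above.
SAMPLE_SUBMISSION = """
{
  "submissionId": "0a99ff45-72c5-49ff-b431-ab64239c7916",
  "title": "Potential Phishing Email",
  "priorityEventScore": "3",
  "status": "CONFIRMED",
  "context": [
    {"indicatorType": "URL", "indicatorValue": "www.example.com",
     "sourceKey": "crowdstrike_indicator", "normalizedIndicatorScore": 3,
     "originalIndicatorScore": {"name": "Malicious Confidence", "value": "high"}},
    {"indicatorType": "URL", "indicatorValue": "www.example.com",
     "sourceKey": "virustotal", "normalizedIndicatorScore": 3,
     "originalIndicatorScore": {"name": "Risk Score", "value": "78"}}
  ]
}
"""


@dataclass(frozen=True)
class IndicatorScore:
    """One indicator as scored by one intelligence source (hypothetical type)."""
    indicator_type: str
    value: str
    source_key: str
    normalized_score: int
    original_name: str
    original_value: str


def parse_indicator(entry: dict) -> IndicatorScore:
    """Parse a context entry or a standalone Phishing Indicator record.

    Submissions embed the indicator under "indicatorValue"; standalone
    indicator records use "value", so both keys are accepted.
    """
    value = entry.get("indicatorValue", entry.get("value"))
    if value is None:
        raise ValueError("indicator entry has neither 'indicatorValue' nor 'value'")
    original = entry["originalIndicatorScore"]
    return IndicatorScore(
        indicator_type=entry["indicatorType"],
        value=value,
        source_key=entry["sourceKey"],
        normalized_score=int(entry["normalizedIndicatorScore"]),
        original_name=original["name"],
        # The original value is documented as a String ("high", "78"), so keep it as text.
        original_value=str(original["value"]),
    )


def parse_submission(raw: str) -> dict:
    """Parse a Phishing Submission JSON document, rejecting unknown status values."""
    doc = json.loads(raw)
    status = doc["status"]
    if status not in ACCEPTED_STATUSES:
        raise ValueError(f"unexpected status {status!r}; expected one of {sorted(ACCEPTED_STATUSES)}")
    return {
        "submission_id": doc["submissionId"],
        "title": doc["title"],
        # priorityEventScore arrives as a string in the sample; normalize to int.
        "priority_event_score": int(doc["priorityEventScore"]),
        "status": status,
        "indicators": [parse_indicator(c) for c in doc["context"]],
    }


def max_score_per_indicator(indicators: List[IndicatorScore]) -> Dict[Tuple[str, str], int]:
    """Collapse per-source scores to one (type, value) -> highest normalized score.

    Multiple sources may score the same indicator (as in the sample, where
    CrowdStrike and VirusTotal both score www.example.com); taking the maximum
    gives a conservative view for prioritization.
    """
    best: Dict[Tuple[str, str], int] = {}
    for ind in indicators:
        key = (ind.indicator_type, ind.value)
        best[key] = max(best.get(key, 0), ind.normalized_score)
    return best


def sources_per_indicator(indicators: List[IndicatorScore]) -> Dict[Tuple[str, str], List[str]]:
    """List which sources scored each indicator, useful for spotting single-source hits."""
    sources: Dict[Tuple[str, str], List[str]] = {}
    for ind in indicators:
        sources.setdefault((ind.indicator_type, ind.value), []).append(ind.source_key)
    return sources


if __name__ == "__main__":
    submission = parse_submission(SAMPLE_SUBMISSION)
    print(submission["submission_id"], submission["status"], submission["priority_event_score"])
    for key, score in max_score_per_indicator(submission["indicators"]).items():
        print(key, score, sources_per_indicator(submission["indicators"])[key])
```

Because `priorityEventScore` and the original score `value` are strings in the documented JSON, the example converts only the fields it needs to compare numerically and leaves source-specific values such as "high" as text.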