Phishing Triage

The Phishing Triage feature includes endpoints to retrieve prioritized phishing emails and their associated indicators, as well as to set the status of the email.

Endpoints

• Get Phishing Submissions
• Set Triage Status
• Get Phishing Indicators

Phishing Submissions

Phishing Submissions are emails ingested into a TruSTAR enclave.

Field	Description
submissionId	The ID of the phishing email submission.
title	The subject of the email submission.
priorityEventScore	The score of the email submission.
status	The current triage status of the email submission. Accepted status options: "CONFIRMED”, "IGNORED”, or "UNRESOLVED”.
context	An array of structures containing original and normalized scores for each indicator in the email submission.

Sample JSON

{
      "submissionId":"0a99ff45-72c5-49ff-b431-ab64239c7916",
      "title":"Potential Phishing Email",
      "priorityEventScore":"3",
      "status": "CONFIRMED",
      "context":[
            {
               "indicatorType": "URL",
               "indicatorValue":"www.example.com",
               "sourceKey":"crowdstrike_indicator",
               "normalizedIndicatorScore":3,
               "originalIndicatorScore": {
                   "name": "Malicious Confidence",
                   "value": "high"
               }
            },
            {
               "indicatorType": "URL",
               "indicatorValue":"www.example.com",
               "sourceKey":"virustotal",
               "normalizedIndicatorScore":3,
               "originalIndicatorScore": {
                   "name": "Risk Score",
                   "value": "78"
               }
            }
      ]
}

Phishing Indicators

Phishing Indicators are indicators found in phishing email submissions.

Field	Description
indicatorType	The type of indicator (IP, URL, EMAIL_ADDRESS, MD5, SHA1, SHA256).
value	The indicator’s value.
sourceKey	The intelligence source where the indicator came from.
normalizedIndicatorScore	The computed normalized value of the indicator score.
originalIndicatorScore	The OriginalIndicatorScore according to the intelligence source.

Original Indicator Score

The indicator’s score, as provided by the intelligence source.

Field	Type	Description
name	String	The name of the score type, e.g. “Risk Score” or “Malicious Confidence”
value	String	The value of the score, as directly extracted from the source, e.g. “HIGH” or “78”

Sample JSON

{
      "indicatorType": "URL",
      "value":"www.example.com",
      "sourceKey":"crowdstrike_indicator",
      "normalizedIndicatorScore":3,
      "originalIndicatorScore": {
          "name": "Malicious Confidence",
          "value": "high"
      }
}