Phishing Triage

The Phishing Triage feature includes endpoints to retrieve prioritized phishing emails and their associated indicators, as well as to set the status of the email.

Endpoints

Phishing Submissions

Phishing Submissions are emails ingested into a TruSTAR enclave.

Field                 Description
submissionId          The ID of the phishing email submission.
title                 The subject of the email submission.
priorityEventScore    The score of the email submission.
status                The current triage status of the email submission. Accepted status options: "CONFIRMED", "IGNORED", or "UNRESOLVED".
context               An array of structures containing original and normalized scores for each indicator in the email submission.

Sample JSON

{
  "submissionId": "0a99ff45-72c5-49ff-b431-ab64239c7916",
  "title": "Potential Phishing Email",
  "priorityEventScore": "3",
  "status": "CONFIRMED",
  "context": [
    {
      "indicatorType": "URL",
      "indicatorValue": "www.example.com",
      "sourceKey": "crowdstrike_indicator",
      "normalizedIndicatorScore": 3,
      "originalIndicatorScore": {
        "name": "Malicious Confidence",
        "value": "high"
      }
    },
    {
      "indicatorType": "URL",
      "indicatorValue": "www.example.com",
      "sourceKey": "virustotal",
      "normalizedIndicatorScore": 3,
      "originalIndicatorScore": {
        "name": "Risk Score",
        "value": "78"
      }
    }
  ]
}

Phishing Indicators

Phishing Indicators are indicators found in phishing email submissions.

Field                       Description
indicatorType               The type of indicator (IP, URL, EMAIL_ADDRESS, MD5, SHA1, SHA256).
value                       The indicator's value.
sourceKey                   The intelligence source the indicator came from.
normalizedIndicatorScore    The computed, normalized value of the indicator score.
originalIndicatorScore      The indicator's score as reported by the intelligence source (an Original Indicator Score structure, described below).

Original Indicator Score

The indicator’s score, as provided by the intelligence source.

Field    Type      Description
name     String    The name of the score type, e.g. "Risk Score" or "Malicious Confidence".
value    String    The value of the score, as directly extracted from the source, e.g. "HIGH" or "78".

Sample JSON

{
  "indicatorType": "URL",
  "value": "www.example.com",
  "sourceKey": "crowdstrike_indicator",
  "normalizedIndicatorScore": 3,
  "originalIndicatorScore": {
    "name": "Malicious Confidence",
    "value": "high"
  }
}
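The following is an added example, not part of the TruSTAR documentation or SDK, showing how a triage script might consume the Phishing Submission and Phishing Indicator structures above: it validates the status field, coerces the string-valued priorityEventScore, and collapses the per-source context entries so that one indicator reported by several sources is counted once with its best normalized score. The sample submission is constructed for the example (the extra IP entry and the helper names are assumptions); note that the submission's context entries carry the value under "indicatorValue" while the standalone indicator object uses "value", so the helper accepts either key.

```python
import json

# Triage status values accepted by the API, per the field table above.
ACCEPTED_STATUSES = {"CONFIRMED", "IGNORED", "UNRESOLVED"}

# Constructed sample submission in the shape of the Sample JSON above (not real data).
SAMPLE_SUBMISSION = json.dumps({
    "submissionId": "0a99ff45-72c5-49ff-b431-ab64239c7916",
    "title": "Potential Phishing Email",
    "priorityEventScore": "3",
    "status": "CONFIRMED",
    "context": [
        {"indicatorType": "URL", "indicatorValue": "www.example.com",
         "sourceKey": "crowdstrike_indicator", "normalizedIndicatorScore": 3,
         "originalIndicatorScore": {"name": "Malicious Confidence", "value": "high"}},
        {"indicatorType": "URL", "indicatorValue": "www.example.com",
         "sourceKey": "virustotal", "normalizedIndicatorScore": 3,
         "originalIndicatorScore": {"name": "Risk Score", "value": "78"}},
        # Constructed entry using the standalone indicator object's "value" key.
        {"indicatorType": "IP", "value": "198.51.100.7",
         "sourceKey": "virustotal", "normalizedIndicatorScore": 1,
         "originalIndicatorScore": {"name": "Risk Score", "value": "12"}},
    ],
})


def indicator_value(entry):
    """Return the indicator value whichever key the structure uses."""
    return entry.get("indicatorValue", entry.get("value"))


def parse_submission(raw):
    """Decode a submission, reject unknown statuses, and coerce the score to int."""
    sub = json.loads(raw)
    if sub.get("status") not in ACCEPTED_STATUSES:
        raise ValueError("unexpected status: %r" % sub.get("status"))
    # priorityEventScore arrives as a string ("3") in the sample; coerce for sorting.
    sub["priorityEventScore"] = int(sub["priorityEventScore"])
    return sub


def summarize_indicators(sub):
    """Collapse context entries per (type, value): best normalized score and each source's original score."""
    summary = {}
    for entry in sub.get("context", []):
        key = (entry["indicatorType"], indicator_value(entry))
        item = summary.setdefault(key, {"maxScore": 0, "sources": []})
        item["maxScore"] = max(item["maxScore"], entry.get("normalizedIndicatorScore", 0))
        orig = entry.get("originalIndicatorScore", {})
        item["sources"].append((entry["sourceKey"], orig.get("name"), orig.get("value")))
    return summary


def indicators_at_or_above(sub, threshold):
    """Distinct indicator values whose best normalized score meets the threshold, highest first."""
    ranked = sorted(summarize_indicators(sub).items(), key=lambda kv: -kv[1]["maxScore"])
    return [value for (_type, value), item in ranked if item["maxScore"] >= threshold]
```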