Why
Reported emails that are not Collie simulations are real threats. Cofense Triage clusters them by payload fingerprint and pushes them to the SOC.
Scope
- New table real_mail_reports (id, reporter_employee_id, headers, body_hash, urls, attachments_meta, cluster_id, severity).
- Clustering: hash(URLs ∪ attachment SHA-256 ∪ sender) → cluster_id.
- Triage UI: cluster list, contained reports, suggested IOC export.
- Webhook out to SIEM/SOAR.
Acceptance
- 100 reports of the same threat collapse into one cluster.
- Cluster export emits STIX 2.1 indicators.
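A worked version of the clustering and export rules above, added here as an example and not taken from the project's code: cluster_id is a SHA-256 over the sorted set of URLs, attachment SHA-256 values and sender, and each cluster exports one STIX 2.1 Indicator per distinct IOC. The RealMailReport class, its attachment_sha256 field (standing in for the hashes inside attachments_meta) and the whitespace/case normalisation are assumptions.

```python
import hashlib
import uuid
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class RealMailReport:
    """Constructed stand-in for a real_mail_reports row (only the fields clustering needs)."""
    id: int
    sender: str
    urls: list
    attachment_sha256: list
    cluster_id: str = ""

def canonical_fingerprint(report):
    # URLs ∪ attachment SHA-256 ∪ sender. Assumed normalisation: whitespace stripped,
    # hashes and sender lower-cased, so trivial variations do not split one threat.
    items = {u.strip() for u in report.urls}
    items |= {h.strip().lower() for h in report.attachment_sha256}
    items.add(report.sender.strip().lower())
    return sorted(items)

def cluster_id_for(report):
    # cluster_id = SHA-256 hex digest over the sorted fingerprint (order-independent).
    return hashlib.sha256("\n".join(canonical_fingerprint(report)).encode()).hexdigest()

def cluster_reports(reports):
    # Assign cluster_id to each report and group them: {cluster_id: [reports]}.
    clusters = {}
    for r in reports:
        r.cluster_id = cluster_id_for(r)
        clusters.setdefault(r.cluster_id, []).append(r)
    return clusters

def stix_indicators(cluster_id, reports):
    # One STIX 2.1 Indicator per distinct IOC in the cluster; quotes escaped for the pattern grammar.
    q = lambda v: v.replace("\\", "\\\\").replace("'", "\\'")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    patterns = set()
    for r in reports:
        patterns.update(f"[url:value = '{q(u.strip())}']" for u in r.urls)
        patterns.update(f"[file:hashes.'SHA-256' = '{q(h.strip().lower())}']" for h in r.attachment_sha256)
        patterns.add(f"[email-addr:value = '{q(r.sender.strip().lower())}']")
    return [{"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
             "created": now, "modified": now, "valid_from": now,
             "pattern": p, "pattern_type": "stix", "name": f"cluster {cluster_id[:12]}",
             "indicator_types": ["malicious-activity"]} for p in sorted(patterns)]
```

Feeding 100 reports of the same lure through cluster_reports yields a single cluster, which is the first acceptance criterion; stix_indicators on that cluster gives the export for the second.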