Versions Compared

Old Version 1

changes.mady.by.user Jonas Gonzalez

Saved on

compared with

New Version Current

changes.mady.by.user Jonas Gonzalez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ZeroFox provides cloud-based software as a service for organizations to detect risks found on social media and digital channels, such as phishing, malware, scams, impersonator accounts, piracy, counterfeit and more.

Connect ZeroFox with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for ZeroFox.
  3. Click Details, then the + icon. Enter the required information in the following fields.
  4. Label: Enter a connection name.
  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
  7. Remote Agent: Run this integration using the LogicHub Remote Agent.
  8. API Token: API Token for accessing Zerofox servers.
  9. After you've entered all the details, click Connect.

Actions for ZeroFox

Get Alerts

Returns alerts matching given/default filters and parameters. By default, no filters are applied and results are sorted by timestamp.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Min timestampJinja-templated ISO-8601 date-time string. (Defaults to batch start time).
Example: 2019-09-26T07:58:30.996+0200Optional
Max timestampJinja-templated ISO-8601 date-time string. (Defaults to batch end time).
Example: 2019-09-26T07:58:30.996+0200Optional
AccountJinja-templated Social network account number (unique ID).Optional
AssigneeJinja-templated name of user assigned to alert.Optional
EntityJinja-templated ZeroFox entity ID.Optional
Entity_termJinja-templated ZeroFox entity term ID.Optional
Last_modifiedJinja-templated number of seconds since an alert has changed.Optional
Last Modified Min DateJinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200Optional
Last Modified Max DateJinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200Optional
Entity_searchJinja-templated substring matching for the protected entity.Optional
PerpetratorJinja-templated substring to filter alerts by perpetrator username or display name.Optional
Pro_social_obj_searchJinja-templated substring to filter alerts by protected social object username, display name, or entity term name.Optional
PostJinja-templated Social network post number (unique ID).Optional
Alert_typeJinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location.Optional
Rule_idJinja-templated ZeroFox rule ID CSV.Optional
Rule_nameJinja-templated ZeroFox rule name CSV.Optional
NetworkJinja-templated Network name CSV.Optional
Alert_idJinja-templated CSV of alert IDs.Optional
SeverityJinja-templated Severity level of alert. 1 - 5 (Critical).Optional
StatusJinja-templated Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted.Optional
TagsJinja-templated alerts containing one or more of the tags in provided comma separated list.Optional
Entity_typeJinja-templated alert tags. Returns any alerts containing one or more of the tags in provided comma separated list.Optional

Output

A JSON object containing multiple rows of result:

...

Code Block
## Get Alerts By Asset

Retrieves metrics on an Enterprise's alerts, grouped by entity

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| : --------  | : --------  | : --------  |
| Min timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string. (Defaults to batch start time).  
Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string. (Defaults to batch end time).  
Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | [Jinja-templated](doc:jinja-template) Social network account number (unique ID). | Optional |
| Entity | [Jinja-templated](doc:jinja-template) ZeroFox entity ID. | Optional |
| Alert_type | [Jinja-templated](doc:jinja-template) CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | [Jinja-templated](doc:jinja-template) ZeroFox rule ID CSV. | Optional |
| Rule_name | [Jinja-templated](doc:jinja-template) ZeroFox rule name CSV. | Optional |
| Network | [Jinja-templated](doc:jinja-template) Network name CSV. | Optional |
| Severity | [Jinja-templated](doc:jinja-template) Severity level of alert. 1 - 5 (Critical). | Optional |
| Status | [Jinja-templated](doc:jinja-template) Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | [Jinja-templated](doc:jinja-template) Social network post number (unique ID). | Optional |


### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Get Alerts By Asset Data


``` {json}{
   "count":3,
   "display_name":"TestData",
   "has_error":false,
   "error":null,
   "entity":535235
}

Get Alerts By Timerange

Retrieves metrics on an Enterprise's alerts, grouped by timerange.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
GroupsJinja-templated number of groups to break timerange down into.Required
Min timestampJinja-templated ISO-8601 date-time string. (Defaults to batch start time).
Example: 2019-09-26T07:58:30.996+0200Optional
Max timestampJinja-templated ISO-8601 date-time string. (Defaults to batch end time).
Example: 2019-09-26T07:58:30.996+0200Optional
AccountJinja-templated Social network account number (unique ID).Optional
EntityJinja-templated ZeroFox entity ID.Optional
Alert_typeJinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location.Optional
Rule_idJinja-templated ZeroFox rule ID CSV.Optional
Rule_nameJinja-templated ZeroFox rule name CSV.Optional
NetworkJinja-templated Network name CSV.Optional
SeverityJinja-templated Severity level of alert. 1 - 5 (Critical).Optional
StatusJinja-templated Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted.Optional
PostJinja-templated Social network post number (unique ID).Optional

Output

A JSON object containing multiple rows of result:

...

Code Block
## Get Labels

List all valid labels for a review

### Input

Choose a connection that you have previously created complete the connection.

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Get Labels Data


``` {json}{
   "result":[
      "NOT_HELPFUL",
      "DUPLICATE",
      "FALSE_POSITIVE",
      "IRRELEVANT",
      "VERIFIED"
   ],
   "error":null,
   "has_error":false
}

Get Alert Types

List all possible alert types

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of results:

...

Code Block
## Get Alert Type By ID

View an individual Alert Type.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name    | Description                                          | Required |
| :------------ | :--------------------------------------------------- | :------- |
| Alert Type ID | [Jinja-templated](doc:jinja-template) alert type ID. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Get Alert Type By ID Data


``` {json}{
   "id":1,
   "name":"location test",
   "error":null,
   "has_error":false
}

Get Alert By ID

Fetches an alert by ID

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Alert IDJinja-templated alert ID.Required

Output

A JSON object containing multiple rows of result:

...

Code Block
## Get Reviews for Alert

Lists all of the alert's current reviews.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description                                     | Required |
| :--------- | :---------------------------------------------- | :------- |
| Alert ID   | [Jinja-templated](doc:jinja-template) alert ID. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Get Reviews for Alert Data


``` {json}{
   "result":[
      {
         "id":23451,
         "label":"DUPLICATE",
         "alert":123454,
         "created_by":"",
         "timestamp":"2021-10-06T15:09:54Z"
      }
   ],
   "error":null,
   "has_error":false
}

Create Alert Review

Creates a custom, user-defined alert review on the company of the authorized user.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Alert IDJinja-templated alert_id for which review is to be created.Required
Max timestampJinja-templated alert.Required
LabelJinja-templated value of the review.Required
Created ByJinja-templated created By.Optional

Output

A JSON object containing multiple rows of result:

...

Code Block
## Get Review by ID

Fetches information about a given alerts review.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description                                      | Required |
| :--------- | :----------------------------------------------- | :------- |
| Alert ID   | [Jinja-templated](doc:jinja-template) alert ID.  | Required |
| Review ID  | [Jinja-templated](doc:jinja-template) review ID. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Get Review by ID Data


``` {json}{
   "result":[
      {
         "id":123454,
         "label":"DUPLICATE",
         "alert":13452,
         "created_by":"",
         "timestamp":"2021-10-06T15:09:54Z"
      }
   ],
   "error":null,
   "has_error":false
}

Get Subscriptions

List of subscriptions associated with an Alert

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Alert IDJinja-templated alert ID.Required

Output

A JSON object containing multiple rows of result:

...

Code Block
## Execute Action on Alert

Performs an action on an alert. Redundant actions (defined as actions that do not change alert status) cannot be performed

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name   | Description                                         | Required |
| :----------- | :-------------------------------------------------- | :------- |
| Alert ID     | [Jinja-templated](doc:jinja-template) alert ID.     | Required |
| Action       | [Jinja-templated](doc:jinja-template) action.       | Required |
| Request Body | [Jinja-templated](doc:jinja-template) Json request. | Required |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: Execute Action on Alert Data


``` {json}{
   "result":"Successfully executed the action",
   "error":null,
   "has_error":false
}

Create Alert Tag Changeset

Create an Alert Tag Changeset to bulk modify Alert Tags for a set of Alerts.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Request BodyJinja-templated JSON object HTTP payload to create alert tag changeset.
Example: {"changes": [{"alert": 0000000000,"added": ["test"]}]}Required

Output

A JSON object containing multiple rows of result:

...

Code Block
## List Alert Tags

Returns available alerts tags.

### Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name    | Description                                          | Required |
| :------------ | :--------------------------------------------------- | :------- |
| Enterprise ID | [Jinja-templated](doc:jinja-template) enterprise ID. | Optional |

### Output

A JSON object containing multiple rows of result:

- has_error: True/False
- error: message/null
- result: List Alert Tags Data


``` {json}{
   "reserved_tags":[
      {
         "name":"test",
         "description":"test desc"
      }
   ],
   "tags":[
      {
         "name":"AC"
      },
      {
         "name":"Location"
      },
      {
         "name":"Connection Error"
      }
   ],
   "error":null,
   "has_error":false
}

Update the Case Notes

Update the case notes.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Alert IDJinja templated text containing alert IDRequired
NotesJinja templated text containing notesRequired

Output

JSON containing the following items:

{json}{ "data": { "msg": "Updated" }, "error": null, "has_error": false }


Release Notes

  • v2.0.8 - Jinja bug fix for Get Alerts
  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.2.2 - Added 1 new action: Update the Case Notes and added 2 optional field in Get Alerts action named Last Modified Min Date and Last Modified Max Date.

...