ZeroFox provides cloud-based software as a service for organizations to detect risks found on social media and digital channels, such as phishing, malware, scams, impersonator accounts, piracy, counterfeit and more.
## Connect ZeroFox with LogicHub
- Navigate to Automations > Integrations.
- Search for ZeroFox.
- Click Details, then the + icon. Enter the required information in the following fields.
  - Label: Enter a connection name.
  - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  - Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate).
  - Remote Agent: Run this integration using the LogicHub Remote Agent.
  - API Token: API token for accessing ZeroFox servers.
- After you've entered all the details, click Connect.
## Actions for ZeroFox
## Get Alerts
Returns alerts matching given/default filters and parameters. By default, no filters are applied and results are sorted by timestamp.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Min timestamp | Jinja-templated ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | Jinja-templated ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | Jinja-templated social network account number (unique ID). | Optional |
| Assignee | Jinja-templated name of the user assigned to the alert. | Optional |
| Entity | Jinja-templated ZeroFox entity ID. | Optional |
| Entity_term | Jinja-templated ZeroFox entity term ID. | Optional |
| Last_modified | Jinja-templated number of seconds since an alert has changed. | Optional |
| Last Modified Min Date | Jinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Last Modified Max Date | Jinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Entity_search | Jinja-templated substring matching for the protected entity. | Optional |
| Perpetrator | Jinja-templated substring to filter alerts by perpetrator username or display name. | Optional |
| Pro_social_obj_search | Jinja-templated substring to filter alerts by protected social object username, display name, or entity term name. | Optional |
| Post | Jinja-templated social network post number (unique ID). | Optional |
| Alert_type | Jinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | Jinja-templated CSV of ZeroFox rule IDs. | Optional |
| Rule_name | Jinja-templated CSV of ZeroFox rule names. | Optional |
| Network | Jinja-templated CSV of network names. | Optional |
| Alert_id | Jinja-templated CSV of alert IDs. | Optional |
| Severity | Jinja-templated severity level of the alert, 1 - 5 (5 = Critical). | Optional |
| Status | Jinja-templated alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Tags | Jinja-templated comma-separated list of tags; returns alerts containing one or more of them. | Optional |
| Entity_type | Jinja-templated alert tags. Returns any alerts containing one or more of the tags in the provided comma-separated list. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts Data
```json
{
  "alert_type": "search query",
  "asset": {
    "entity_group": { "id": 4660, "name": "Default" },
    "id": 9284920,
    "image": "",
    "labels": [],
    "name": "Test"
  },
  "asset_term": { "deleted": false, "id": 326992, "name": "TestData" },
  "assignee": "",
  "business_network": null,
  "content_created_at": "2018-01-01T00:00:00+00:00",
  "darkweb_term": null,
  "entity": {
    "entity_group": { "id": 4660, "name": "Default" },
    "id": 578470,
    "image": "",
    "labels": [],
    "name": "Test"
  },
  "entity_account": null,
  "entity_email_receiver_id": null,
  "entity_term": { "deleted": false, "id": 326992, "name": "TestData" },
  "error": null,
  "escalated": false,
  "has_error": false,
  "id": 154182828,
  "last_modified": "2021-10-04T03:37:28Z",
  "logs": [
    { "action": "invalidate", "actor": "Platform Specialist", "id": 345634, "subject": "", "timestamp": "2021-10-04T03:37:28+00:00" },
    { "action": "open", "actor": "", "id": 76542, "subject": "", "timestamp": "2021-09-26T08:27:32+00:00" }
  ],
  "metadata": "",
  "network": "test",
  "notes": "",
  "offending_content_url": "https://test.com",
  "perpetrator": {
    "content": "",
    "display_name": "4r25a",
    "id": 245625444,
    "name": "f2345",
    "network": "test",
    "timestamp": "2018-01-01T00:00:00+00:00",
    "type": "page",
    "url": "https://test.com"
  },
  "protected_locations": null,
  "protected_social_object": "testData",
  "reviewed": true,
  "reviews": [],
  "rule_group_id": 1460,
  "rule_id": 37572,
  "rule_name": "credentials test",
  "severity": 4,
  "status": "Closed",
  "tags": [],
  "timestamp": "2021-09-26T08:27:32+00:00"
}
```
## Get Alerts By Asset
Retrieves metrics on an Enterprise's alerts, grouped by entity.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Min timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | [Jinja-templated](doc:jinja-template) social network account number (unique ID). | Optional |
| Entity | [Jinja-templated](doc:jinja-template) ZeroFox entity ID. | Optional |
| Alert_type | [Jinja-templated](doc:jinja-template) CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule IDs. | Optional |
| Rule_name | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule names. | Optional |
| Network | [Jinja-templated](doc:jinja-template) CSV of network names. | Optional |
| Severity | [Jinja-templated](doc:jinja-template) severity level of the alert, 1 - 5 (5 = Critical). | Optional |
| Status | [Jinja-templated](doc:jinja-template) alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | [Jinja-templated](doc:jinja-template) social network post number (unique ID). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Asset Data
```json
{ "count": 3, "display_name": "TestData", "has_error": false, "error": null, "entity": 535235 }
```
## Get Alerts By Timerange
Retrieves metrics on an Enterprise's alerts, grouped by timerange.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Groups | Jinja-templated number of groups to break the timerange down into. | Required |
| Min timestamp | Jinja-templated ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | Jinja-templated ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | Jinja-templated social network account number (unique ID). | Optional |
| Entity | Jinja-templated ZeroFox entity ID. | Optional |
| Alert_type | Jinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | Jinja-templated CSV of ZeroFox rule IDs. | Optional |
| Rule_name | Jinja-templated CSV of ZeroFox rule names. | Optional |
| Network | Jinja-templated CSV of network names. | Optional |
| Severity | Jinja-templated severity level of the alert, 1 - 5 (5 = Critical). | Optional |
| Status | Jinja-templated alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | Jinja-templated social network post number (unique ID). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Timerange Data
```json
{
  "begin": "2021-09-26T07:58:30.996000+02:00",
  "count": 1,
  "has_error": false,
  "error": null,
  "end": "2021-09-26T09:58:30.996000+02:00"
}
```
## Get Labels
List all valid labels for a review.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Labels Data
```json
{
  "result": [ "NOT_HELPFUL", "DUPLICATE", "FALSE_POSITIVE", "IRRELEVANT", "VERIFIED" ],
  "error": null,
  "has_error": false
}
```
## Get Alert Types
List all possible alert types.
### Input Field
Choose a connection that you have previously created to complete the connection.
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert Types Data
```json
{
  "count": 15,
  "previous": null,
  "has_error": false,
  "results": [
    { "id": 1, "name": "location" },
    { "id": 5, "name": "query" },
    { "id": 6, "name": "test data" }
  ],
  "error": null,
  "next": null
}
```
## Get Alert Type By ID
View an individual Alert Type.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert Type ID | [Jinja-templated](doc:jinja-template) alert type ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert Type By ID Data
```json
{ "id": 1, "name": "location test", "error": null, "has_error": false }
```
## Get Alert By ID
Fetches an alert by ID.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | Jinja-templated alert ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert By ID Data
```json
{
  "alert": {
    "alert_type": "test search query",
    "logs": [
      { "id": 238611, "timestamp": "2021-09-01T02:35:01+00:00", "actor": "Sample Platform Specialist", "subject": "", "action": "modify tags" },
      { "id": 4518610, "timestamp": "2021-09-01T02:35:00+00:00", "actor": "", "subject": "", "action": "open" }
    ],
    "offending_content_url": "https://testurl.com",
    "asset_term": null,
    "assignee": "",
    "entity": {
      "id": 2345,
      "name": "Web Domains Test",
      "image": "",
      "labels": [],
      "entity_group": { "id": 4660, "name": "Default" }
    },
    "entity_term": null,
    "content_created_at": "2017-01-10T11:00:00+00:00",
    "id": 150764339,
    "protected_account": null,
    "severity": 2,
    "perpetrator": {
      "name": "test",
      "display_name": "test",
      "id": 3424,
      "url": "https://testurl.com",
      "content": "Variation of protected domain",
      "type": "page",
      "timestamp": "2017-01-10T11:00:00+00:00",
      "network": "domains"
    },
    "rule_group_id": 457,
    "asset": {
      "id": 24356,
      "name": "Web Domains Test",
      "image": "",
      "labels": [],
      "entity_group": { "id": 12341, "name": "Default" }
    },
    "metadata": "",
    "status": "Open",
    "timestamp": "2021-09-01T02:35:00+00:00",
    "rule_name": "Domain Analysis",
    "last_modified": "2021-09-01T02:35:01Z",
    "protected_locations": null,
    "darkweb_term": null,
    "business_network": null,
    "reviewed": false,
    "escalated": false,
    "network": "domains",
    "protected_social_object": null,
    "notes": "",
    "reviews": [],
    "content_actions": [],
    "rule_id": 2345,
    "entity_account": null,
    "entity_email_receiver_id": null,
    "tags": [ "a-record", "live-domain" ]
  },
  "error": null,
  "has_error": false
}
```
## Get Reviews for Alert
Lists all of the alert's current reviews.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Reviews for Alert Data
```json
{
  "result": [
    { "id": 23451, "label": "DUPLICATE", "alert": 123454, "created_by": "", "timestamp": "2021-10-06T15:09:54Z" }
  ],
  "error": null,
  "has_error": false
}
```
## Create Alert Review
Creates a custom, user-defined alert review on the company of the authorized user.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | Jinja-templated alert_id for which the review is to be created. | Required |
| Max timestamp | Jinja-templated alert. | Required |
| Label | Jinja-templated value of the review. | Required |
| Created By | Jinja-templated value for the created-by field. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Review Data
```json
{ "result": [ ...review data ], "error": null, "has_error": false }
```
## Get Review by ID
Fetches information about a given alert's review.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert ID. | Required |
| Review ID | [Jinja-templated](doc:jinja-template) review ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Review by ID Data
```json
{
  "result": [
    { "id": 123454, "label": "DUPLICATE", "alert": 13452, "created_by": "", "timestamp": "2021-10-06T15:09:54Z" }
  ],
  "error": null,
  "has_error": false
}
```
## Get Subscriptions
Lists the subscriptions associated with an alert.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | Jinja-templated alert ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Subscriptions Data
```json
{ "error": null, "has_error": false }
```
## Execute Action on Alert
Performs an action on an alert. Redundant actions (defined as actions that do not change the alert status) cannot be performed.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert ID. | Required |
| Action | [Jinja-templated](doc:jinja-template) action. | Required |
| Request Body | [Jinja-templated](doc:jinja-template) JSON request. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Execute Action on Alert Data
```json
{ "result": "Successfully executed the action", "error": null, "has_error": false }
```
## Create Alert Tag Changeset
Create an Alert Tag Changeset to bulk modify Alert Tags for a set of Alerts.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Request Body | Jinja-templated JSON object HTTP payload to create the alert tag changeset. Example: {"changes": [{"alert": 0000000000,"added": ["test"]}]} | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Tag Changeset Data
```json
{ "result": [ ...changeset data ], "error": null, "has_error": false }
```
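As an added example (not part of the integration's own code), the Python below triages rows in the layout of the Get Alerts output shown earlier and builds the Request Body for Create Alert Tag Changeset in the documented `{"changes": [...]}` shape; the sample rows, the severity threshold and the `soar-escalated` tag are constructed assumptions.

```python
import json

# Constructed sample rows in the layout of the Get Alerts output above, trimmed
# to the fields the triage logic reads. The third row shows the per-row error
# envelope (has_error / error) that every action on this page returns.
SAMPLE_ROWS = [
    {"has_error": False, "error": None, "id": 154182828, "alert_type": "search query",
     "severity": 4, "status": "Closed", "network": "test", "tags": [],
     "rule_name": "credentials test"},
    {"has_error": False, "error": None, "id": 150764339, "alert_type": "impersonating_account",
     "severity": 5, "status": "Open", "network": "domains", "tags": ["a-record"],
     "rule_name": "Domain Analysis"},
    {"has_error": True, "error": "HTTP 401 Unauthorized"},  # constructed failure row
]

# Status values (from the documented Status filter list) that still need an
# analyst. This is local policy; adjust it to match your own process.
ACTIONABLE_STATUSES = {"open"}


def needs_escalation(row, min_severity=4):
    """True when a Get Alerts row is an actionable alert at or above min_severity.

    The sample output reports status as "Open"/"Closed" while the Status filter
    documents lowercase values, so the comparison is case-insensitive.
    """
    if row.get("has_error"):
        return False
    severity = row.get("severity")
    if not isinstance(severity, int) or not 1 <= severity <= 5:
        return False  # severity is documented as 1 - 5; anything else is malformed
    status = str(row.get("status", "")).lower()
    return status in ACTIONABLE_STATUSES and severity >= min_severity


def triage(rows, min_severity=4):
    """Split Get Alerts rows into alert IDs to escalate and row-level error messages."""
    escalate, errors = [], []
    for row in rows:
        if row.get("has_error"):
            errors.append(row.get("error") or "unknown error")
        elif needs_escalation(row, min_severity):
            escalate.append(row["id"])
    return {"escalate": escalate, "errors": errors}


def build_tag_changeset(alert_ids, added):
    """Request Body for Create Alert Tag Changeset, in the documented shape
    {"changes": [{"alert": <alert id>, "added": [<tag>, ...]}]}."""
    added = list(added)
    if not alert_ids or not added:
        raise ValueError("changeset needs at least one alert ID and one tag")
    return {"changes": [{"alert": int(aid), "added": list(added)} for aid in alert_ids]}


if __name__ == "__main__":
    outcome = triage(SAMPLE_ROWS)
    body = build_tag_changeset(outcome["escalate"], ["soar-escalated"])
    print(json.dumps(body))  # paste into the action's Request Body input
```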
## List Alert Tags
Returns the available alert tags.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Enterprise ID | [Jinja-templated](doc:jinja-template) enterprise ID. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Alert Tags Data
```json
{
  "reserved_tags": [
    { "name": "test", "description": "test desc" }
  ],
  "tags": [
    { "name": "AC" },
    { "name": "Location" },
    { "name": "Connection Error" }
  ],
  "error": null,
  "has_error": false
}
```
## Update the Case Notes
Update the case notes.
### Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
| :--- | :--- | :--- |
| Alert ID | Jinja-templated text containing the alert ID. | Required |
| Notes | Jinja-templated text containing the notes. | Required |
### Output
JSON containing the following items:
```json
{
  "data": {
    "msg": "Updated"
  },
  "error": null,
  "has_error": false
}
```
## Release Notes
### v2.0.8
- Jinja bug fix for Get Alerts.
### v2.0.0
- Updated architecture to support IO via filesystem.
### v1.2.2
- Added 1 new action, Update the Case Notes, and added 2 optional fields to the Get Alerts action, named Last Modified Min Date and Last Modified Max Date.