# ZeroFox
ZeroFox provides cloud-based software as a service that lets organizations detect risks on social media and other digital channels, such as phishing, malware, scams, impersonator accounts, piracy, counterfeits, and more.
## Connect ZeroFox with LogicHub
1. Navigate to Automations > Integrations.
2. Search for ZeroFox.
3. Click Details, then the + icon. Enter the required information in the following fields.
   - Label: Enter a connection name.
   - Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
   - Verify SSL: Select this option to verify the connecting server's SSL certificate (the default is Verify SSL Certificate). Leave it enabled unless you deliberately route the connection through an inspecting proxy; with verification off, anyone in the network path can present an arbitrary certificate and read or alter the API token and alert data in transit.
   - Remote Agent: Run this integration using the LogicHub Remote Agent.
   - API Token: API token for accessing the ZeroFox servers. This is a long-lived credential; keep it only in the connection, do not paste it into playbook inputs or notes, and rotate it if it is exposed.
4. After you've entered all the details, click Connect.
## Actions for ZeroFox
## Get Alerts
Returns alerts matching the given (or default) filters and parameters. By default, no filters are applied and results are sorted by timestamp.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Min timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | [Jinja-templated](doc:jinja-template) social network account number (unique ID). | Optional |
| Assignee | [Jinja-templated](doc:jinja-template) name of the user assigned to the alert. | Optional |
| Entity | [Jinja-templated](doc:jinja-template) ZeroFox entity ID. | Optional |
| Entity_term | [Jinja-templated](doc:jinja-template) ZeroFox entity term ID. | Optional |
| Last_modified | [Jinja-templated](doc:jinja-template) number of seconds since the alert last changed. | Optional |
| Last Modified Min Date | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Last Modified Max Date | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Entity_search | [Jinja-templated](doc:jinja-template) substring match on the protected entity. | Optional |
| Perpetrator | [Jinja-templated](doc:jinja-template) substring to filter alerts by perpetrator username or display name. | Optional |
| Pro_social_obj_search | [Jinja-templated](doc:jinja-template) substring to filter alerts by protected social object username, display name, or entity term name. | Optional |
| Post | [Jinja-templated](doc:jinja-template) social network post number (unique ID). | Optional |
| Alert_type | [Jinja-templated](doc:jinja-template) CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule IDs. | Optional |
| Rule_name | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule names. | Optional |
| Network | [Jinja-templated](doc:jinja-template) CSV of network names. | Optional |
| Alert_id | [Jinja-templated](doc:jinja-template) CSV of alert IDs. | Optional |
| Severity | [Jinja-templated](doc:jinja-template) severity level of the alert, 1 to 5 (5 = Critical). | Optional |
| Status | [Jinja-templated](doc:jinja-template) alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Tags | [Jinja-templated](doc:jinja-template) comma-separated list of tags. Returns any alerts containing one or more of the listed tags. | Optional |
| Entity_type | [Jinja-templated](doc:jinja-template) comma-separated list of ZeroFox entity types. Returns alerts whose protected entity has one of the listed types. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts Data
```json
{
  "alert_type": "search query",
  "asset": {
    "entity_group": { "id": 4660, "name": "Default" },
    "id": 9284920,
    "image": "",
    "labels": [],
    "name": "Test"
  },
  "asset_term": { "deleted": false, "id": 326992, "name": "TestData" },
  "assignee": "",
  "business_network": null,
  "content_created_at": "2018-01-01T00:00:00+00:00",
  "darkweb_term": null,
  "entity": {
    "entity_group": { "id": 4660, "name": "Default" },
    "id": 578470,
    "image": "",
    "labels": [],
    "name": "Test"
  },
  "entity_account": null,
  "entity_email_receiver_id": null,
  "entity_term": { "deleted": false, "id": 326992, "name": "TestData" },
  "error": null,
  "escalated": false,
  "has_error": false,
  "id": 154182828,
  "last_modified": "2021-10-04T03:37:28Z",
  "logs": [
    { "action": "invalidate", "actor": "Platform Specialist", "id": 345634, "subject": "", "timestamp": "2021-10-04T03:37:28+00:00" },
    { "action": "open", "actor": "", "id": 76542, "subject": "", "timestamp": "2021-09-26T08:27:32+00:00" }
  ],
  "metadata": "",
  "network": "test",
  "notes": "",
  "offending_content_url": "https://test.com",
  "perpetrator": {
    "content": "",
    "display_name": "4r25a",
    "id": 245625444,
    "name": "f2345",
    "network": "test",
    "timestamp": "2018-01-01T00:00:00+00:00",
    "type": "page",
    "url": "https://test.com"
  },
  "protected_locations": null,
  "protected_social_object": "testData",
  "reviewed": true,
  "reviews": [],
  "rule_group_id": 1460,
  "rule_id": 37572,
  "rule_name": "credentials test",
  "severity": 4,
  "status": "Closed",
  "tags": [],
  "timestamp": "2021-09-26T08:27:32+00:00"
}
```
## Get Alerts By Asset
Retrieves metrics on an enterprise's alerts, grouped by entity.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Min timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | [Jinja-templated](doc:jinja-template) Social network account number (unique ID). | Optional |
| Entity | [Jinja-templated](doc:jinja-template) ZeroFox entity ID. | Optional |
| Alert_type | [Jinja-templated](doc:jinja-template) CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | [Jinja-templated](doc:jinja-template) ZeroFox rule ID CSV. | Optional |
| Rule_name | [Jinja-templated](doc:jinja-template) ZeroFox rule name CSV. | Optional |
| Network | [Jinja-templated](doc:jinja-template) Network name CSV. | Optional |
| Severity | [Jinja-templated](doc:jinja-template) Severity level of alert. 1 - 5 (Critical). | Optional |
| Status | [Jinja-templated](doc:jinja-template) Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | [Jinja-templated](doc:jinja-template) Social network post number (unique ID). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Asset Data
```json
{
  "count": 3,
  "display_name": "TestData",
  "has_error": false,
  "error": null,
  "entity": 535235
}
```
## Get Alerts By Timerange
Retrieves metrics on an enterprise's alerts, grouped by time range.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Groups | [Jinja-templated](doc:jinja-template) number of groups to break the time range down into. | Required |
| Min timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string (defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | [Jinja-templated](doc:jinja-template) social network account number (unique ID). | Optional |
| Entity | [Jinja-templated](doc:jinja-template) ZeroFox entity ID. | Optional |
| Alert_type | [Jinja-templated](doc:jinja-template) CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule IDs. | Optional |
| Rule_name | [Jinja-templated](doc:jinja-template) CSV of ZeroFox rule names. | Optional |
| Network | [Jinja-templated](doc:jinja-template) CSV of network names. | Optional |
| Severity | [Jinja-templated](doc:jinja-template) severity level of the alert, 1 to 5 (5 = Critical). | Optional |
| Status | [Jinja-templated](doc:jinja-template) alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | [Jinja-templated](doc:jinja-template) social network post number (unique ID). | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Timerange Data
```json
{
  "begin": "2021-09-26T07:58:30.996000+02:00",
  "count": 1,
  "has_error": false,
  "error": null,
  "end": "2021-09-26T09:58:30.996000+02:00"
}
```
## Get Alert Types
Lists all possible alert types.
### Input Field
Choose a connection that you have previously created to complete the action.
### Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- result: Get Alert Types Data
```json
{
  "count": 15,
  "previous": null,
  "has_error": false,
  "results": [
    { "id": 1, "name": "location" },
    { "id": 5, "name": "query" },
    { "id": 6, "name": "test data" }
  ],
  "error": null,
  "next": null
}
```
## Get Alert By ID
Fetches an alert by ID.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert By ID Data
```json
{
  "alert": {
    "alert_type": "test search query",
    "logs": [
      { "id": 238611, "timestamp": "2021-09-01T02:35:01+00:00", "actor": "Sample Platform Specialist", "subject": "", "action": "modify tags" },
      { "id": 4518610, "timestamp": "2021-09-01T02:35:00+00:00", "actor": "", "subject": "", "action": "open" }
    ],
    "offending_content_url": "https://testurl.com",
    "asset_term": null,
    "assignee": "",
    "entity": { "id": 2345, "name": "Web Domains Test", "image": "", "labels": [ ... ] },
    ...
  },
  "error": null,
  "has_error": false
}
```
## Create Alert Review
Creates a custom, user-defined alert review on the company of the authorized user.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert_id for which the review is to be created. | Required |
| Max timestamp | [Jinja-templated](doc:jinja-template) ISO-8601 date-time string. | Required |
| Label | [Jinja-templated](doc:jinja-template) value (label) of the review. | Required |
| Created By | [Jinja-templated](doc:jinja-template) name of the user creating the review. | Optional |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Review Data
```json
{
  "result": [ ...review data ],
  "error": null,
  "has_error": false
}
```
## Get Subscriptions
Lists the subscriptions associated with an alert.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) alert ID. | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Subscriptions Data
```json
{
  "error": null,
  "has_error": false
}
```
## Create Alert Tag Changeset
Creates an Alert Tag Changeset to bulk-modify alert tags for a set of alerts.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Request Body | [Jinja-templated](doc:jinja-template) JSON object HTTP payload to create the alert tag changeset. Example: {"changes": [{"alert": 0000000000,"added": ["test"]}]} | Required |
### Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Tag Changeset Data
```json
{
  "result": [ ...changeset data ],
  "error": null,
  "has_error": false
}
```
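The two data shapes that matter when chaining these actions are the Get Alerts output envelope (has_error / error / result rows) and the Request Body of Create Alert Tag Changeset. The following Python is an added example, not LogicHub or ZeroFox code: it takes a constructed Get Alerts output, fails closed if has_error is set, selects open alerts at or above a severity threshold, and emits the changeset payload for the alerts that do not already carry the tag. The alert IDs, networks, rule names and the tag name "escalated" are made up for the example; the threshold and status list are parameters, not ZeroFox defaults.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample of a Get Alerts action output. The envelope and the row
# field names follow this page's documentation; the values are invented.
SAMPLE_GET_ALERTS_OUTPUT: Dict[str, Any] = {
    "has_error": False,
    "error": None,
    "result": [
        {"id": 154182828, "severity": 4, "status": "Closed", "alert_type": "search_query",
         "rule_name": "credentials test", "network": "test", "tags": []},
        {"id": 154182829, "severity": 5, "status": "open", "alert_type": "impersonating_account",
         "rule_name": "exec impersonation", "network": "twitter", "tags": []},
        {"id": 154182830, "severity": 5, "status": "open", "alert_type": "impersonating_account",
         "rule_name": "exec impersonation", "network": "linkedin", "tags": ["escalated"]},
        {"id": 154182831, "severity": 2, "status": "open", "alert_type": "incoming_comment",
         "rule_name": "profanity", "network": "facebook", "tags": []},
    ],
}


def unwrap_result(envelope: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Fail closed on the action envelope: rows are trusted only when
    has_error is False. Treating an error as "no alerts in this window"
    would silently drop detections, so raise instead."""
    if envelope.get("has_error"):
        raise RuntimeError(f"Get Alerts failed: {envelope.get('error')}")
    result = envelope.get("result")
    if not isinstance(result, list):
        raise RuntimeError("Get Alerts returned no result rows")
    return result


def select_for_escalation(alerts: Iterable[Dict[str, Any]], min_severity: int = 4,
                          statuses: Iterable[str] = ("open",)) -> List[Dict[str, Any]]:
    """Keep alerts at or above min_severity whose status is in `statuses`.
    Status is compared case-insensitively: the filter values on this page are
    lowercase ("open", "closed") while the sample output shows "Closed"."""
    wanted = {s.lower() for s in statuses}
    return [a for a in alerts
            if int(a.get("severity", 0)) >= min_severity
            and str(a.get("status", "")).lower() in wanted]


def build_tag_changeset(alerts: Iterable[Dict[str, Any]], tag: str) -> Dict[str, Any]:
    """Build the Request Body for Create Alert Tag Changeset:
    {"changes": [{"alert": <integer alert id>, "added": [tag]}, ...]}.
    Alerts already carrying the tag are skipped so re-running the playbook is
    idempotent; a non-integer id is rejected rather than sent upstream."""
    changes = []
    for a in alerts:
        alert_id = a.get("id")
        if not isinstance(alert_id, int):
            raise ValueError(f"alert id must be an integer, got {alert_id!r}")
        if tag in (a.get("tags") or []):
            continue
        changes.append({"alert": alert_id, "added": [tag]})
    return {"changes": changes}


def escalation_changeset(envelope: Dict[str, Any], tag: str = "escalated") -> Dict[str, Any]:
    """End to end: Get Alerts output -> filtered alerts -> changeset payload."""
    return build_tag_changeset(select_for_escalation(unwrap_result(envelope)), tag)


if __name__ == "__main__":
    # The serialized string is what the Request Body input expects; in a
    # playbook it would be rendered with Jinja from a previous step's column.
    print(json.dumps(escalation_changeset(SAMPLE_GET_ALERTS_OUTPUT), indent=2))
```

Note that the "alert" value must be a JSON integer: the literal 0000000000 in the page's example is a placeholder, and a string or zero-padded number will not be accepted as the ID.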
## Update the Case Notes
Updates the case notes of an alert.
### Input Field
Choose a connection that you have previously created, then fill in the following input fields to complete the action.
| Input Name | Description | Required |
| :-------- | :-------- | :-------- |
| Alert ID | [Jinja-templated](doc:jinja-template) text containing the alert ID. | Required |
| Notes | [Jinja-templated](doc:jinja-template) text containing the notes. | Required |
### Output
JSON containing the following items:
```json
{
  "data": {
    "msg": "Updated"
  },
  "error": null,
  "has_error": false
}
```
## Release Notes
v2.0.8
- Jinja bug fix for Get Alerts.
v2.0.0
- Updated architecture to support IO via filesystem.
v1.2.2
- Added 1 new action: Update the Case Notes.
- Added 2 optional fields to the Get Alerts action, named Last Modified Min Date and Last Modified Max Date.