ZeroFox
Version: 2.0.8
ZeroFox provides cloud-based software as a service for organizations to detect risks found on social media and digital channels, such as phishing, malware, scams, impersonator accounts, piracy, counterfeit and more.
Connect ZeroFox with LogicHub
- Navigate to Automations > Integrations.
- Search for ZeroFox.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Token: API Token for accessing Zerofox servers.
- After you've entered all the details, click Connect.
Actions for ZeroFox
Get Alerts
Returns alerts matching given/default filters and parameters. By default, no filters are applied and results are sorted by timestamp.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Min timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | Jinja-templated Social network account number (unique ID). | Optional |
| Assignee | Jinja-templated name of user assigned to alert. | Optional |
| Entity | Jinja-templated ZeroFox entity ID. | Optional |
| Entity_term | Jinja-templated ZeroFox entity term ID. | Optional |
| Last_modified | Jinja-templated number of seconds since an alert has changed. | Optional |
| Last Modified Min Date | Jinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Last Modified Max Date | Jinja-templated ISO-8601 date-time string. Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Entity_search | Jinja-templated substring matching for the protected entity. | Optional |
| Perpetrator | Jinja-templated substring to filter alerts by perpetrator username or display name. | Optional |
| Pro_social_obj_search | Jinja-templated substring to filter alerts by protected social object username, display name, or entity term name. | Optional |
| Post | Jinja-templated Social network post number (unique ID). | Optional |
| Alert_type | Jinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | Jinja-templated ZeroFox rule ID CSV. | Optional |
| Rule_name | Jinja-templated ZeroFox rule name CSV. | Optional |
| Network | Jinja-templated Network name CSV. | Optional |
| Alert_id | Jinja-templated CSV of alert IDs. | Optional |
| Severity | Jinja-templated Severity level of alert. 1 - 5 (Critical). | Optional |
| Status | Jinja-templated Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Tags | Jinja-templated alerts containing one or more of the tags in provided comma separated list. | Optional |
| Entity_type | Jinja-templated alert tags. Returns any alerts containing one or more of the tags in provided comma separated list. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts Data
{
"alert_type":"search query",
"asset":{
"entity_group":{
"id":4660,
"name":"Default"
},
"id":9284920,
"image":"",
"labels":[
],
"name":"Test"
},
"asset_term":{
"deleted":false,
"id":326992,
"name":"TestData"
},
"assignee":"",
"business_network":null,
"content_created_at":"2018-01-01T00:00:00+00:00",
"darkweb_term":null,
"entity":{
"entity_group":{
"id":4660,
"name":"Default"
},
"id":578470,
"image":"",
"labels":[
],
"name":"Test"
},
"entity_account":null,
"entity_email_receiver_id":null,
"entity_term":{
"deleted":false,
"id":326992,
"name":"TestData"
},
"error":null,
"escalated":false,
"has_error":false,
"id":154182828,
"last_modified":"2021-10-04T03:37:28Z",
"logs":[
{
"action":"invalidate",
"actor":"Platform Specialist",
"id":345634,
"subject":"",
"timestamp":"2021-10-04T03:37:28+00:00"
},
{
"action":"open",
"actor":"",
"id":76542,
"subject":"",
"timestamp":"2021-09-26T08:27:32+00:00"
}
],
"metadata":"",
"network":"test",
"notes":"",
"offending_content_url":"https://test.com",
"perpetrator":{
"content":"",
"display_name":"4r25a",
"id":245625444,
"name":"f2345",
"network":"test",
"timestamp":"2018-01-01T00:00:00+00:00",
"type":"page",
"url":"https://test.com"
},
"protected_locations":null,
"protected_social_object":"testData",
"reviewed":true,
"reviews":[
],
"rule_group_id":1460,
"rule_id":37572,
"rule_name":"credentials test",
"severity":4,
"status":"Closed",
"tags":[
],
"timestamp":"2021-09-26T08:27:32+00:00"
}
Get Alerts By Asset
Retrieves metrics on an Enterprise's alerts, grouped by entity
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Min timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | Jinja-templated Social network account number (unique ID). | Optional |
| Entity | Jinja-templated ZeroFox entity ID. | Optional |
| Alert_type | Jinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | Jinja-templated ZeroFox rule ID CSV. | Optional |
| Rule_name | Jinja-templated ZeroFox rule name CSV. | Optional |
| Network | Jinja-templated Network name CSV. | Optional |
| Severity | Jinja-templated Severity level of alert. 1 - 5 (Critical). | Optional |
| Status | Jinja-templated Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | Jinja-templated Social network post number (unique ID). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Asset Data
{
"count":3,
"display_name":"TestData",
"has_error":false,
"error":null,
"entity":535235
}
Get Alerts By Timerange
Retrieves metrics on an Enterprise's alerts, grouped by timerange.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Groups | Jinja-templated number of groups to break timerange down into. | Required |
| Min timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch start time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Max timestamp | Jinja-templated ISO-8601 date-time string. (Defaults to batch end time). Example: 2019-09-26T07:58:30.996+0200 | Optional |
| Account | Jinja-templated Social network account number (unique ID). | Optional |
| Entity | Jinja-templated ZeroFox entity ID. | Optional |
| Alert_type | Jinja-templated CSV of alert types. Possible values are account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, email, and location. | Optional |
| Rule_id | Jinja-templated ZeroFox rule ID CSV. | Optional |
| Rule_name | Jinja-templated ZeroFox rule name CSV. | Optional |
| Network | Jinja-templated Network name CSV. | Optional |
| Severity | Jinja-templated Severity level of alert. 1 - 5 (Critical). | Optional |
| Status | Jinja-templated Alert status. Possible values are closed, open, takedown_accepted, takedown_denied, takedown_requested, takedown_submitted, and whitelisted. | Optional |
| Post | Jinja-templated Social network post number (unique ID). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alerts By Timerange Data
{
"begin":"2021-09-26T07:58:30.996000+02:00",
"count":1,
"has_error":false,
"error":null,
"end":"2021-09-26T09:58:30.996000+02:00"
}
Get Labels
List all valid labels for a review
Input
Choose a connection that you have previously created complete the connection.
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Labels Data
{
"result":[
"NOT_HELPFUL",
"DUPLICATE",
"FALSE_POSITIVE",
"IRRELEVANT",
"VERIFIED"
],
"error":null,
"has_error":false
}
Get Alert Types
List all possible alert types
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing multiple rows of results:
- has_error: True/False
- error: message/null
- result: Get Alert Types Data
{
"count":15,
"previous":null,
"has_error":false,
"results":[
{
"id":1,
"name":"location"
},
{
"id":5,
"name":"query"
},
{
"id":6,
"name":"test data"
}
],
"error":null,
"next":null
}
Get Alert Type By ID
View an individual Alert Type.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert Type ID | Jinja-templated alert type ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert Type By ID Data
{
"id":1,
"name":"location test",
"error":null,
"has_error":false
}
Get Alert By ID
Fetches an alert by ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Alert By ID Data
{
"alert":{
"alert_type":"test search query",
"logs":[
{
"id":238611,
"timestamp":"2021-09-01T02:35:01+00:00",
"actor":"Sample Platform Specialist",
"subject":"",
"action":"modify tags"
},
{
"id":4518610,
"timestamp":"2021-09-01T02:35:00+00:00",
"actor":"",
"subject":"",
"action":"open"
}
],
"offending_content_url":"https://testurl.com",
"asset_term":null,
"assignee":"",
"entity":{
"id":2345,
"name":"Web Domains Test",
"image":"",
"labels":[
],
"entity_group":{
"id":4660,
"name":"Default"
}
},
"entity_term":null,
"content_created_at":"2017-01-10T11:00:00+00:00",
"id":150764339,
"protected_account":null,
"severity":2,
"perpetrator":{
"name":"test",
"display_name":"test",
"id":3424,
"url":"https://testurl.com",
"content":"Variation of protected domain",
"type":"page",
"timestamp":"2017-01-10T11:00:00+00:00",
"network":"domains"
},
"rule_group_id":457,
"asset":{
"id":24356,
"name":"Web Domains Test",
"image":"",
"labels":[
],
"entity_group":{
"id":12341,
"name":"Default"
}
},
"metadata":"",
"status":"Open",
"timestamp":"2021-09-01T02:35:00+00:00",
"rule_name":"Domain Analysis",
"last_modified":"2021-09-01T02:35:01Z",
"protected_locations":null,
"darkweb_term":null,
"business_network":null,
"reviewed":false,
"escalated":false,
"network":"domains",
"protected_social_object":null,
"notes":"",
"reviews":[
],
"content_actions":[
],
"rule_id":2345,
"entity_account":null,
"entity_email_receiver_id":null,
"tags":[
"a-record",
"live-domain"
]
},
"error":null,
"has_error":false
}
Get Reviews for Alert
Lists all of the alert's current reviews.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Reviews for Alert Data
{
"result":[
{
"id":23451,
"label":"DUPLICATE",
"alert":123454,
"created_by":"",
"timestamp":"2021-10-06T15:09:54Z"
}
],
"error":null,
"has_error":false
}
Create Alert Review
Creates a custom, user-defined alert review on the company of the authorized user.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert_id for which review is to be created. | Required |
| Max timestamp | Jinja-templated alert. | Required |
| Label | Jinja-templated value of the review. | Required |
| Created By | Jinja-templated created By. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Review Data
{
"result":[
....review data
],
"error":null,
"has_error":false
}
Get Review by ID
Fetches information about a given alerts review.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert ID. | Required |
| Review ID | Jinja-templated review ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Review by ID Data
{
"result":[
{
"id":123454,
"label":"DUPLICATE",
"alert":13452,
"created_by":"",
"timestamp":"2021-10-06T15:09:54Z"
}
],
"error":null,
"has_error":false
}
Get Subscriptions
List of subscriptions associated with an Alert
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Get Subscriptions Data
{
"error":null,
"has_error":false
}
Execute Action on Alert
Performs an action on an alert. Redundant actions (defined as actions that do not change alert status) cannot be performed
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated alert ID. | Required |
| Action | Jinja-templated action. | Required |
| Request Body | Jinja-templated Json request. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Execute Action on Alert Data
{
"result":"Successfully executed the action",
"error":null,
"has_error":false
}
Create Alert Tag Changeset
Create an Alert Tag Changeset to bulk modify Alert Tags for a set of Alerts.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Request Body | Jinja-templated JSON object HTTP payload to create alert tag changeset. Example: {"changes": [{"alert": 0000000000,"added": ["test"]}]} | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Create Alert Tag Changeset Data
{
"result":[
...changeset data
],
"error":null,
"has_error":false
}
List Alert Tags
Returns available alerts tags.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Enterprise ID | Jinja-templated enterprise ID. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List Alert Tags Data
{
"reserved_tags":[
{
"name":"test",
"description":"test desc"
}
],
"tags":[
{
"name":"AC"
},
{
"name":"Location"
},
{
"name":"Connection Error"
}
],
"error":null,
"has_error":false
}
Update the Case Notes
Update the case notes.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja templated text containing alert ID | Required |
| Notes | Jinja templated text containing notes | Required |
Output
JSON containing the following items:
{
"data": {
"msg": "Updated"
},
"error": null,
"has_error": false
}
Release Notes
v2.0.8- Jinja bug fix forGet Alertsv2.0.0- Updated architecture to support IO via filesystemv1.2.2- Added 1 new action:Update the Case Notesand added 2 optional field inGet Alertsaction namedLast Modified Min DateandLast Modified Max Date.
Updated about 2 months ago