Cyware Threat Intelligence eXchange

ZeroFox

Connector Category: API Feed Source

About Integration

ZeroFox provides threat intelligence data related to digital risks, such as social media threats, phishing attacks, malware campaigns, and other online threats. Intel Exchange (CTIX) integrates with ZeroFox to retrieve intel feeds related to malware, botnet, ransomware, exploits, campaigns, command and control domains, disruptions, and phishing attacks.

Use Cases 

  • Understand the threat patterns and reveal unknown threats.

  • Review evidence details to make an informed decision on the intel.

  • Get rich context for faster analysis of real-time threat intelligence feeds.

Benefits 

Identify and mitigate potential risks related to online presence, brand reputation, and overall cybersecurity posture.

Configure ZeroFox as an API Feed Source

Configure ZeroFox as an API feed source in Intel Exchange to retrieve threat intel feeds.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL, username, and password of your ZeroFox account.

Important

Ensure that the account includes permission to retrieve malware, botnet, ransomware, exploits, campaigns, domains, disruptions, and phishing data. If the account does not have permission to retrieve a threat data feed, then the respective feed channel is disabled automatically and displays a connection error.

Steps 

To configure ZeroFox as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Click Add API Source.

  3. Search for and select the ZeroFox app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance. For example, Prod-ZeroFox.

  6. Enter the base URL of your ZeroFox instance. The default base URL is https://api.zerofox.com/.

  7. Enter the username and password of your ZeroFox account to authenticate communication between the Intel Exchange and ZeroFox servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and ZeroFox servers. By default, Verify SSL is selected.

    Note

    Cyware recommends that you verify the SSL certificate. If you disable this option, Intel Exchange may configure an instance against an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  9. Click Save.

The ZeroFox instance is configured and you can view the ZeroFox feed channels. You can configure multiple instances of this integration by clicking Manage > Add More.

Configure ZeroFox Feed Channel

Configure the respective feed channels to retrieve the domain, vulnerability, hash, IP, and URL intelligence feeds from ZeroFox and store the feeds in a collection.

Steps 

To configure a ZeroFox channel, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Search for and select the ZeroFox app.

  3. Click the ellipsis on the upper right and select Manage.

  4. Click Manage Feed Channels and select a feed channel.

  5. Enable the feed channel and enter the following details:

    • Start Date and Time: Enter a date from which you want to retrieve intel feeds. You can retrieve feeds for a maximum of 15 days from the current date.

    • Collection Name: Enter a name for the collection to group the feed data. For example, ZeroFox Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Polling Cron Schedule: Select one of the following Polling Cron Schedule types to define when to poll intel:

      • Manual: Allows you to manually poll intel from the API feed source.

      • Auto: Allows you to automatically poll intel from the API feed source at a fixed interval. The default polling cron schedule is Auto. Enter a polling frequency between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

    • Default TLP: Set a default TLP to assign to feeds that do not include a TLP from the source. The default is Amber.

    • Default Source Confidence: Set a Confidence Score to assign to feeds that do not include a Confidence Score from the source. The default is 100.

    • Default Tags: Select the tags to automatically attach to the intel ingested from the feed channel.

  6. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Test ZeroFox Feed Channel Connectivity

Test the connectivity of the ZeroFox API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.

Before you Start 

  • Ensure that the ZeroFox API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Search for and select the ZeroFox app.

  3. Select a feed channel, click the vertical ellipsis, and select View Details.

  4. In Working Status, click Test Connectivity.

If the connection is established, the working status displays Running. If the connectivity is broken, the working status displays Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, Intel Exchange enables the feed channel automatically.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

ZeroFox Feed Channels

Intel Exchange provides multiple channels to poll feeds from ZeroFox. The following table lists all the feed channels and the ZeroFox API endpoints used for each feed channel.

Feed Channel                      API URL
Fetch Exploits Feeds              {{base_url}}cti/exploits
Fetch Malware Feeds               {{base_url}}cti/malware
Fetch Ransomware Feeds            {{base_url}}cti/ransomware
Fetch Botnet Infection Feeds      {{base_url}}cti/botnet
Fetch Phishing Feeds              {{base_url}}cti/phishing
Fetch Disruption Feeds            {{base_url}}cti/disruption
Fetch C2 Domain Feeds             {{base_url}}cti/c2-domains
Fetch Email Address Feeds         {{base_url}}cti/email-addresses

Threat intel polled from the C2 Domains, Botnet Infection, and Email Address feed channels may include tags with the prefix family. These tags indicate the name of the related malware family. In such cases, in addition to the domain, botnet, or email address object, the related malware object and the relationship object are ingested.
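The following is an added example, not Cyware's or ZeroFox's own code. It builds the channel endpoint URLs from the table above (tolerating a base URL with or without a trailing slash), applies the Start Date (15 days) and Polling Time (60 to 10080 minutes) limits from the channel configuration, and expands a polled record whose tags carry the family prefix into the indicator, the related malware object and the relationship object. The `family:` tag format, the object field names and the `indicates` relationship type are assumptions; the sample record is constructed.

```python
from datetime import datetime, timedelta, timezone

# Feed channels and endpoint paths from the table above, keyed by channel name.
CHANNEL_PATHS = {
    "Fetch Exploits Feeds": "cti/exploits",
    "Fetch Malware Feeds": "cti/malware",
    "Fetch Ransomware Feeds": "cti/ransomware",
    "Fetch Botnet Infection Feeds": "cti/botnet",
    "Fetch Phishing Feeds": "cti/phishing",
    "Fetch Disruption Feeds": "cti/disruption",
    "Fetch C2 Domain Feeds": "cti/c2-domains",
    "Fetch Email Address Feeds": "cti/email-addresses",
}
MAX_START_AGE = timedelta(days=15)   # Start Date and Time limit
POLL_MIN, POLL_MAX = 60, 10080       # Polling Time limits in minutes
FAMILY_PREFIX = "family:"            # assumed tag format; the page names only the prefix

# Constructed sample record, not real ZeroFox output.
SAMPLE_RECORD = {"domain": "c2.example.invalid", "tags": ["family:ExampleFam", "c2"]}


def channel_url(base_url: str, channel: str) -> str:
    """Build '{{base_url}}<path>' correctly whether or not base_url ends in '/'."""
    return base_url.rstrip("/") + "/" + CHANNEL_PATHS[channel]


def validate_channel_config(start: datetime, polling_minutes: int, now: datetime) -> list:
    """Return the configuration errors a channel would be rejected for; [] means valid."""
    errors = []
    if start > now:
        errors.append("start date is in the future")
    elif now - start > MAX_START_AGE:
        errors.append("start date is more than 15 days before the current date")
    if not POLL_MIN <= polling_minutes <= POLL_MAX:
        errors.append("polling time must be between 60 and 10080 minutes")
    return errors


def expand_family_tags(record: dict, value_key: str) -> list:
    """Expand one polled record into its indicator object plus, for every tag with the
    family prefix, a malware object and a relationship object linking the two."""
    tags = record.get("tags", [])
    indicator = {"type": value_key, "value": record[value_key],
                 "tags": [t for t in tags if not t.startswith(FAMILY_PREFIX)]}
    objects = [indicator]
    for family in (t[len(FAMILY_PREFIX):] for t in tags if t.startswith(FAMILY_PREFIX)):
        objects.append({"type": "malware", "name": family})
        objects.append({"type": "relationship", "relationship_type": "indicates",
                        "source": indicator["value"], "target": family})
    return objects
```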