ZeroFox Core 2.0.0
App Vendor: ZeroFox
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.0.0
API Version: 1.0.0
About App
The ZeroFox Core app allows security teams to integrate with the ZeroFox enterprise application. The app provides actions to manage alerts, accounts, and indicators to detect risks on digital channels.
The ZeroFox Core app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
List Alerts | This action retrieves the list of alerts matching the provided filters and parameters. By default, no filters are applied and results are sorted by timestamp. |
Read Alert | This action retrieves details of an alert using the alert ID. |
List Related Entity Accounts | This action retrieves all entity accounts belonging to the calling user's enterprise. |
Add Indicator | This action adds an indicator to a specific alert. |
Assign An Alert | This action assigns an alert to a user. |
Cancel Takedown For An Alert | This action cancels a takedown action for an alert. |
Close An Alert | This action closes an alert. |
Delete An Alert | This action deletes an alert. |
Deny Takedown For An Alert | This action denies a request for taking down an alert. |
Email An Alert | This action is used to email an alert. |
Open An Alert | This action opens an alert. |
Reopen An Alert | This action reopens an alert. |
Request Takedown For An Alert | This action requests a takedown of an alert. |
Whitelist An Alert | This action whitelists an alert. |
Archive An Alert | This action archives an alert. |
Unarchive An Alert | This action unarchives an alert. |
Review An Alert | This action reviews an alert. |
Mark An Alert As Not Helpful | This action marks an alert as not helpful. |
Configuration Parameters
The following configuration parameters are required for the ZeroFox Core app to communicate with the ZeroFox Core enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Key | Enter the API key to authenticate the ZeroFox Core application API endpoint. Example: "457894hjao3c5657nvshjkbicbda76rjgsh22ad1" | Password | Required | |
Action: List Alerts
This action retrieves the list of alerts matching the provided filters and parameters. By default, no filters are applied and results are sorted by timestamp.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of alerts to retrieve. Example: 40 | Integer | Optional | Default value: 20 |
Alert type | Enter the alert type to retrieve. Example: "account_information" | Text | Optional | Allowed values: |
Max timestamp | Enter the maximum timestamp in ISO-8601 to filter alerts before the specified time. Example: "1524570920" | Text | Optional | |
Min timestamp | Enter the minimum timestamp in ISO-8601 to filter alerts after the specified time. Example: "1433810886000" | Text | Optional | |
Severity | Enter the severity level of the alert. Example: 3 | Integer | Optional | Allowed values: |
Sort by descending order | Enter your preference to sort the results in descending order. Example: Yes/No | Boolean | Optional | Allowed values: ; Default value: No |
Sort field | Enter your preference to sort the results based on the provided parameter. Example: "alert_status" | Text | Optional | Allowed values: |
Status | Enter the status of the alert to retrieve. Example: "open" | Text | Optional | Allowed values: |
Extra params | Enter any extra parameters to retrieve the list of alerts. | Key Value | Optional | Allowed parameters: |
Example Request
[ { "limit": 40, "alert_type": "account_information", "max_timestamp": "1524570920", "min_timestamp": "1433810886000", "severity": 3, "sort_by_descending_order": true, "sort_field": "alert_status", "status": "open", "extra_params": { "offset": 5 } } ]
Action: Read Alert
This action retrieves details of an alert using the alert ID.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to read and retrieve the details. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Add Indicator
This action adds an indicator to a specific alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to add the indicator. Example: 135985017 | Integer | Required | |
Indicator Type | Enter the indicator type for the indicator. Example: "Email" | Text | Required | Allowed values: |
Indicator Value | Enter the indicator value for the threat feed indicator. Example: "sampleuser@exampledomain.com" | Text | Required | |
Example Request
[ { "alert_id": 135985017, "indicator_type": "email", "indicator_value": "sampleuser@exampledomain.com" } ]
Action: Assign An Alert
This action assigns an alert to a user.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the Alert ID for the alert to assign. Example: 135985017 | Integer | Required | |
User name to assign | Enter the username to assign the alert. Example: "John Doe" | Text | Required | |
Subject email | Enter the subject content for the email. Example: "Phishing Alert" | Text | Optional | |
Example Request
[ { "alert_id": 135985017, "user_name_to_assign": "John Doe", "subject_email": "Phishing Alert" } ]
Action: Cancel Takedown For An Alert
This action cancels a takedown action for an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to cancel the takedown. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Close An Alert
This action closes an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to close an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Delete An Alert
This action deletes an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to delete the alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Deny Takedown For An Alert
This action denies a request for taking down an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to deny the takedown for an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Email An Alert
This action is used to email an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to send the alert as an email to recipients. Example: 135985017 | Integer | Required | |
Emails to send to | Enter the recipient email addresses, comma-separated, to send the email to. Example: "sampleuser1@domain.com, sampleuser2@domain.com" | Text | Required | |
Example Request
[ { "alert_id": 135985017, "emails_to_send_to": "sampleuser1@domain.com, sampleuser2@domain.com" } ]
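The following helper composes the List Alerts and Email An Alert request bodies shown above from a playbook step, applying the documented defaults (limit 20, descending order No), dropping unset optional filters, emitting a valid JSON boolean, and validating the comma-separated recipient string before it is sent. It is an added example, not ZeroFox's or the Orchestrate app's own code; the type and address checks are this example's own assumptions.

```python
"""Compose ZeroFox Core action payloads from an Orchestrate playbook step.
Field names, defaults (limit 20, descending No) and example values follow the action
tables on this page; the validation rules are this example's own, not ZeroFox's."""
import json
import re

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_list_alerts_request(limit=20, alert_type=None, max_timestamp=None,
                              min_timestamp=None, severity=None,
                              sort_by_descending_order=False, sort_field=None,
                              status=None, extra_params=None):
    """Return the List Alerts payload; filters left at None are omitted."""
    if not isinstance(limit, int) or isinstance(limit, bool) or limit < 1:
        raise ValueError("limit must be a positive integer")
    if severity is not None and not isinstance(severity, int):
        raise ValueError("severity must be an integer")
    for name, value in (("max_timestamp", max_timestamp), ("min_timestamp", min_timestamp)):
        if value is not None and not isinstance(value, str):
            raise ValueError(f"{name} must be a string, as the action expects")
    payload = {
        "limit": limit,
        "alert_type": alert_type,
        "max_timestamp": max_timestamp,
        "min_timestamp": min_timestamp,
        "severity": severity,
        # JSON needs a lower-case boolean; a Python True literal is not valid JSON.
        "sort_by_descending_order": bool(sort_by_descending_order),
        "sort_field": sort_field,
        "status": status,
        "extra_params": dict(extra_params or {}),
    }
    return {k: v for k, v in payload.items() if v is not None}


def build_email_alert_request(alert_id, emails_to_send_to):
    """Return the Email An Alert payload after normalising the recipient string."""
    if not isinstance(alert_id, int) or isinstance(alert_id, bool):
        raise ValueError("alert_id must be an integer")
    recipients = [e.strip() for e in emails_to_send_to.split(",") if e.strip()]
    bad = [e for e in recipients if not _EMAIL_RE.match(e)]
    if not recipients or bad:
        raise ValueError(f"invalid recipient list: {bad or 'empty'}")
    return {"alert_id": alert_id, "emails_to_send_to": ", ".join(recipients)}


def to_request_body(payload):
    """Serialise one payload in the single-element list form the examples use."""
    return json.dumps([payload], sort_keys=True)
```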
Action: Open An Alert
This action opens an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to open. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Reopen An Alert
This action reopens an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to reopen the alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Request Takedown For An Alert
This action requests a takedown of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to request a takedown for an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Whitelist An Alert
This action whitelists an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to whitelist an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Archive An Alert
This action archives an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to archive an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Unarchive An Alert
This action unarchives an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to unarchive an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Review An Alert
This action reviews an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to review an alert. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]
Action: Mark An Alert As Not Helpful
This action marks an alert as not helpful.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID to mark the alert as not helpful. Example: 135985017 | Integer | Required | |
Example Request
[ { "alert_id": 135985017 } ]