ZeroFox Intelligence
App Vendor: ZeroFox
App Category: Data Enrichment & Threat Intelligence
Connector Version: 1.0.0
API Version: 1.0.0
About App
ZeroFox is a leader in external threat intelligence. ZeroFox Intelligence protects organizations from digital risks, and provides them with actionable intelligence.
The ZeroFox Intelligence app is configured with Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Fetch Disruption Data | This action retrieves the disruption data. |
Lookup Malicious Email | This action searches for malicious email addresses. |
Lookup C2 Domain | This action searches for C2 domains (command and control domains). |
Lookup Malware Hash | This action searches for malware by hash value. |
Lookup Phishing Domain | This action searches for phishing domains. |
Configuration Parameters
The following configuration parameters are required for the ZeroFox Intelligence app to communicate with the ZeroFox Intelligence enterprise application. The parameters can be configured by creating instances in the ZeroFox Intelligence app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Username | Enter the username to connect to the ZeroFox Intelligence app. Example: "john.doe@example.com" | Text | Required | |
Password or Platform/Legacy Token | Enter any one of the following to connect to the ZeroFox Intelligence app: | Password | Required | |
Action: Fetch Disruption Data
This action retrieves the disruption data.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Created After | Enter the date-time to filter the disruption data created on or after the input value. Example: "2022-02-22T12:00:00" | Text | Optional | |
Created Before | Enter the date-time to filter the disruption data created on or before the input value. Example: "2022-02-26T12:00:00" | Text | Optional | |
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 Maximum Value: 9999 |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: |
Example Request
[ { "created_after": "2022-02-22T12:00:00", "created_before": "2022-02-26T12:00:00", "page_size": 100 } ]
Action: Lookup Malicious Email
This action searches for malicious email addresses.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Created After | Enter the date-time to filter the results created on or after the input value. Example: "2022-02-22T12:00:00" | Text | Optional | |
Created Before | Enter the date-time to filter the results created on or before the input value. Example: "2022-02-26T12:00:00" | Text | Optional | |
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 Maximum Value: 9999 |
Email | Choose to filter the results by email address. Example: "john.doe@example.com" | Text | Optional | You can pass up to 100 email addresses per query and the multiple values are separated by commas. |
Domain Wildcard | Choose to filter the results by matching domain. Example: "*.example.com" | Text | Optional | |
Tag | Choose to filter results by tag. Example: "ransomware" | Text | Optional | You can pass up to 100 tags per query and the multiple values are separated by commas. |
Cursor | Enter the pagination cursor value. Example: "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" | Text | Optional | |
Example Request
[ { "created_after": "2022-02-22T12:00:00", "created_before": "2022-02-26T12:00:00", "page_size": 100, "email": "john.doe@example.com", "domain_wildcard": "*.example.com", "tag": "ransomware", "cursor": "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" } ]
Action: Lookup C2 Domain
This action searches for C2 domains (command and control domains).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Created After | Enter the date-time to filter the results created on or after the input value. Example: "2022-02-22T12:00:00" | Text | Optional | |
Created Before | Enter the date-time to filter the results created on or before the input value. Example: "2022-02-26T12:00:00" | Text | Optional | |
Page size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 Maximum Value: 9999 |
Port | Choose to filter the results by port number. Example: "80" | Text | Optional | You can pass up to 100 port numbers per query and the multiple values are separated by commas. |
Domain | Choose to filter the result by domain name. Example: "gmail.com" | Text | Optional | You can pass up to 100 domain names per query and the multiple values are separated by commas. |
Tag | Choose to filter the results by tag. Example: "ransomware" | Text | Optional | You can pass up to 100 tags per query and the multiple values are separated by commas. |
Cursor | Enter the pagination cursor value. Example: "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" | Text | Optional | |
Example Request
[ { "created_after": "2022-02-22T12:00:00", "created_before": "2022-02-26T12:00:00", "page_size": 100, "port": "80", "domain": "gmail.com", "tag": "ransomware", "cursor": "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" } ]
Action: Lookup Malware Hash
This action searches for malware by hash value.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Created After | Enter the date-time to filter the results created on or after the input value. Example: "2022-02-22T12:00:00" | Text | Optional | |
Created Before | Enter the date-time to filter the results created on or before the input value. Example: "2022-02-26T12:00:00" | Text | Optional | |
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 Maximum Value: 9999 |
Cursor | Enter the pagination cursor value. Example: "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" | Text | Optional | |
MD5 | Choose to filter the results by MD5 hash value. Example: "098f6bcd4621d373cade4e832627b4f6" | Text | Optional | |
SHA1 | Choose to filter the results by SHA1 hash value. Example: "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" | Text | Optional | |
SHA256 | Choose to filter the results by SHA256 hash. Example: "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08" | Text | Optional | |
SHA512 | Choose to filter the results by SHA512 hash. Example: "EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF" | Text | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: |
Example Request
[ { "created_after": "2022-02-22T12:00:00", "created_before": "2022-02-26T12:00:00", "page_size": 100, "cursor": "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx", "md5": "9f06243abcb89c70e0c331c61d871fa7", "sha1": "fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4", "sha256": "E3B98A4DA31A127D4BDE6E43033F66BA274CAB0EB7EB1C70EC41402BF6273DD8", "sha512": "EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF" } ]
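The following is an added example, not part of the connector or of ZeroFox's own code: a pre-flight check a playbook step could run to build the Lookup Malware Hash input and reject malformed values (a hash broken by copy-paste whitespace, an out-of-range page size) before the action is called. The function name, the lower page-size bound of 1, and the choice to strip whitespace from hashes are assumptions; the keys and limits come from the table above.

```python
import re
from datetime import datetime

# Hex digest lengths for the four hash filters listed in the parameter table.
HASH_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
MAX_PAGE_SIZE = 9999                  # "Maximum Value: 9999"
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"       # shape of the example "2022-02-22T12:00:00"


def _check_ts(name, value):
    """Return value unchanged if it matches TS_FORMAT, else raise ValueError."""
    try:
        datetime.strptime(value, TS_FORMAT)
    except ValueError:
        raise ValueError(f"{name}: expected YYYY-MM-DDTHH:MM:SS, got {value!r}")
    return value


def build_malware_hash_request(created_after=None, created_before=None,
                               page_size=100, cursor=None, **hashes):
    """Hypothetical helper: return the one-element list the action takes."""
    # Lower bound of 1 is an assumption; the page only states the maximum.
    if type(page_size) is not int or not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"page_size must be an integer in 1..{MAX_PAGE_SIZE}")
    req = {"page_size": page_size}
    if created_after:
        req["created_after"] = _check_ts("created_after", created_after)
    if created_before:
        req["created_before"] = _check_ts("created_before", created_before)
    # Fixed-width timestamps compare correctly as strings.
    if created_after and created_before and created_after > created_before:
        raise ValueError("created_after is later than created_before")
    if cursor:
        req["cursor"] = cursor
    for algo, value in hashes.items():
        if algo not in HASH_HEX_LEN:
            raise ValueError(f"unsupported hash filter: {algo}")
        digest = re.sub(r"\s+", "", value)   # drop copy-paste spaces and newlines
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HASH_HEX_LEN[algo], digest):
            raise ValueError(f"{algo}: expected {HASH_HEX_LEN[algo]} hex characters")
        req[algo] = digest
    return [req]
```
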
Action: Lookup Phishing Domain
This action searches for phishing domain names.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Scanned After | Enter the date-time to filter the results scanned after the input value. Example: "2022-02-22T12:00:00" | Text | Optional | |
Scanned Before | Enter the date-time to filter the results scanned before the input value. Example: "2022-02-26T12:00:00" | Text | Optional | |
Page Size | Enter the number of results to be displayed per page. Example: 100 | Integer | Optional | Default value: 100 Maximum Value: 9999 |
Cursor | Enter the pagination cursor value. Example: "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx" | Text | Optional | |
Domain Wildcard | Choose to filter the results by matching domain names. Example: "*.example.com" | Text | Optional | |
Host IP | Choose to filter the results by the host IP addresses or CIDR blocks (IPv4 or IPv6). Example: "192.158.1.38" | Text | Optional | |
Cert Fingerprint | Choose to filter the results by certificate fingerprint. Example: "63 2B 11 99 44 40 17 DF 37 FC C3 DF 0F 3D 15" | Text | Optional | You can pass up to 100 certificate fingerprints per query and the multiple values are separated by commas. |
Example Request
[ { "scanned_after": "2022-02-22T12:00:00", "scanned_before": "2022-02-26T12:00:00", "page_size": 100, "cursor": "c2E9MTQ3ODg4NTcwMjM2NiZzYT01Mzcx", "domain_wildcard": "*.example.com", "host_ip": "192.158.1.38", "cert_fingerprint": "63 2B 11 99 44 40 17 DF 37 FC C3 DF 0F 3D 15" } ]