Publisher: ZeroFox
Connector Version: 1.1.1
Product Vendor: ZeroFox
Product Name: ZeroFox Threat Intelligence
Product Version Supported (regex): ".*"
Minimum Product Version: 6.1.1
ZeroFox Threat Intelligence
The configuration variables below are required for this Connector to operate. These variables are specified when configuring a ZeroFox Threat Intelligence asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
zerofox_username | optional | string | ZeroFox CTI Username |
zerofox_password | optional | password | ZeroFox CTI Password |
verify_server_cert | optional | boolean | Verify Server Certificate |
test connectivity - Validate the asset configuration for connectivity using supplied configuration
lookup domain - Check for the presence of a domain in the ZeroFox Threat Intelligence Feed
lookup ip - Check for the presence of an IP in the ZeroFox Threat Intelligence Feed
lookup exploit - Check for the presence of an exploit in the ZeroFox Threat Intelligence Feed
lookup hash - Check for the presence of a hash in the ZeroFox Threat Intelligence Feed
lookup email - Lookup Email Address
Validate the asset configuration for connectivity using supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Check for the presence of a domain in the ZeroFox Threat Intelligence Feed
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
domain | required | Domain to lookup | string | domain |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.domain | string | domain | |
action_result.data.*.ip | string | | |
action_result.data.*.url | string | | |
action_result.data.*.details | string | | |
action_result.data.*.created_at | string | | |
action_result.status | string | | success failed |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Check for the presence of an IP in the ZeroFox Threat Intelligence Feed
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
ip | required | IP to lookup | string | ip |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.ip | string | ip | |
action_result.data.*.url | string | | |
action_result.data.*.threat_type | string | | |
action_result.data.*.created_at | string | | |
action_result.status | string | | success failed |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Check for the presence of an exploit in the ZeroFox Threat Intelligence Feed
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
cve | required | CVE to lookup | string | cve |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.cve | string | cve | |
action_result.data.*.url | string | | |
action_result.data.*.created_at | string | | |
action_result.status | string | | success failed |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Check for the presence of a hash in the ZeroFox Threat Intelligence Feed
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
hash | required | Hash to lookup | string | sha256 sha1 md5 |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.hash | string | sha256 sha1 md5 | |
action_result.data.*.family | string | | |
action_result.data.*.created_at | string | | |
action_result.status | string | | success failed |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |
Lookup Email Address
Type: investigate
Read only: False
Check for the presence of an email address in the ZeroFox Threat Intelligence Feed.
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
email_address | required | Email Address | string | |
DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES |
---|---|---|---|
action_result.parameter.email_address | string | | |
action_result.data.*.domain | string | | |
action_result.data.*.breach_name | string | | |
action_result.data.*.created_at | string | | |
action_result.status | string | | success failed |
action_result.summary | string | | |
action_result.message | string | | |
summary.total_objects | numeric | | |
summary.total_objects_successful | numeric | | |