
Commit 385553d

content-botfigarridoDNRRomeroanas-yousef
authored andcommitted
Update ZeroFox Integration (demisto#28921)
* Update ZeroFox Integration (demisto#27969) * Add command to modify notes in a specific alert (#2) * Sort imports and add zerofox-submit-threat command * Add offending content url to alert responses * Add CTI feed lookup commands Adds commands for lookup into * compromised domains * compromised emails * malicious ips * hashes associated to malware * found exploits * Add commands to sync alerts from zf to xsoar * Add release notes and update integration version * Improve code presentation according to XSOARs guidelines * Improve code by replacing return_output for return_results, as well as adding client class * Add release notes and update integration version * Refactor to follow XSOAR Guidelines It also adds tests to the commands implemented. * Fix types in the integration file * Change data test's folder name * Update testing email data * Update docker tag, python type hints and docstrings - It fixes functions that modified dictionaries instead of creating copies. - It raises an error if command it is not implemented - It changes the fetch-incidents way to manage pages - It updates the release notes - It adds the author image * Add description in main Readme file * Fix zf api call * Fix list alerts call with offset instead of pages * Add integration instructions to get your creds --------- Co-authored-by: Diego Ramirez <[email protected]> * Updated test_data * Updated docker image * Update .pack-ignore * Fixed first_fetch and max_fetch parameters * Added support for old and new fetch incidents params * Changed back to old fetch parameters --------- Co-authored-by: Felipe Garrido <[email protected]> Co-authored-by: Diego Ramirez <[email protected]> Co-authored-by: Anas Yousef <[email protected]>
1 parent 6fc6d77 commit 385553d

36 files changed

+6142
-827
lines changed

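--- a/Packs/ZeroFox/.pack-ignore
+++ b/Packs/ZeroFox/.pack-ignore
@@ -1,2 +1,4 @@
-[file:ZeroFox.yml]
-ignore=IN126
+[known_words]
+zerofox
+CTI
+hashes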

Packs/ZeroFox/Author_image.png

3.85 KB
Lines changed: 172 additions & 0 deletions
@@ -0,0 +1,172 @@
1+
{
2+
"description": "",
3+
"feed": false,
4+
"id": "ZeroFox Mapping",
5+
"mapping": {
6+
"dbot_classification_incident_type_all": {
7+
"dontMapEventToLabels": true,
8+
"internalMapping": {
9+
"Additional Data": {
10+
"simple": "metadata"
11+
},
12+
"Alert Category": {
13+
"simple": "alert_type"
14+
},
15+
"Alert ID": {
16+
"simple": "id"
17+
},
18+
"Alert Source": {
19+
"simple": "network"
20+
},
21+
"Event Type": {
22+
"simple": "alert_type"
23+
},
24+
"External Status": {
25+
"simple": "status"
26+
},
27+
"Rule Name": {
28+
"complex": {
29+
"filters": [],
30+
"root": "rule_name",
31+
"transformers": []
32+
}
33+
},
34+
"Tags": {
35+
"complex": {
36+
"filters": [],
37+
"root": "tags",
38+
"transformers": [
39+
{
40+
"args": {
41+
"separator": {
42+
"value": {
43+
"simple": ","
44+
}
45+
}
46+
},
47+
"operator": "join"
48+
}
49+
]
50+
}
51+
},
52+
"Threat Name": {
53+
"simple": "rule_name"
54+
},
55+
"URLs": {
56+
"simple": "offending_content_url"
57+
},
58+
"dbotMirrorDirection": {
59+
"simple": "mirror_direction"
60+
},
61+
"dbotMirrorId": {
62+
"simple": "id"
63+
},
64+
"dbotMirrorInstance": {
65+
"simple": "mirror_instance"
66+
},
67+
"details": {
68+
"simple": "notes"
69+
},
70+
"occurred": {
71+
"complex": {
72+
"filters": [],
73+
"root": "timestamp",
74+
"transformers": []
75+
}
76+
},
77+
"severity": {
78+
"complex": {
79+
"filters": [],
80+
"root": "severity",
81+
"transformers": [
82+
{
83+
"args": {
84+
"limit": {},
85+
"replaceWith": {
86+
"value": {
87+
"simple": "informational"
88+
}
89+
},
90+
"toReplace": {
91+
"value": {
92+
"simple": "1"
93+
}
94+
}
95+
},
96+
"operator": "replace"
97+
},
98+
{
99+
"args": {
100+
"limit": {},
101+
"replaceWith": {
102+
"value": {
103+
"simple": "low"
104+
}
105+
},
106+
"toReplace": {
107+
"value": {
108+
"simple": "2"
109+
}
110+
}
111+
},
112+
"operator": "replace"
113+
},
114+
{
115+
"args": {
116+
"limit": {},
117+
"replaceWith": {
118+
"value": {
119+
"simple": "medium"
120+
}
121+
},
122+
"toReplace": {
123+
"value": {
124+
"simple": "3"
125+
}
126+
}
127+
},
128+
"operator": "replace"
129+
},
130+
{
131+
"args": {
132+
"limit": {},
133+
"replaceWith": {
134+
"value": {
135+
"simple": "high"
136+
}
137+
},
138+
"toReplace": {
139+
"value": {
140+
"simple": "4"
141+
}
142+
}
143+
},
144+
"operator": "replace"
145+
},
146+
{
147+
"args": {
148+
"limit": {},
149+
"replaceWith": {
150+
"value": {
151+
"simple": "critical"
152+
}
153+
},
154+
"toReplace": {
155+
"value": {
156+
"simple": "5"
157+
}
158+
}
159+
},
160+
"operator": "replace"
161+
}
162+
]
163+
}
164+
}
165+
}
166+
}
167+
},
168+
"name": "ZeroFox Mapping",
169+
"type": "mapping-incoming",
170+
"version": -1,
171+
"fromVersion": "6.8.0"
172+
}
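Review bot: The `severity` transformer chain relies on five sequential `replace` steps keyed on the digits `1`–`5`; if the replace transformer matches substrings (as it appears to here), any upstream value outside that set — an empty string, `0`, or a multi-digit value — either passes through unmapped or is partially rewritten (`15` would become `informationalcritical`), so the incident lands with an unrecognized severity; consider a final fallback step or a lookup-style mapping so unexpected values collapse to a known level. `offending_content_url`, `notes` and `metadata` are mapped straight into `URLs`, `details` and `Additional Data`; these originate from the alert content and can be attacker-influenced, so analysts should treat `URLs` as an indicator to defang rather than a link to open — worth stating in the mapper's `description`, which is currently empty (`"description": ""`). Suggested value: `"description": "Incoming mapper for ZeroFox alerts fetched by the ZeroFox integration: maps alert fields (id, alert_type, rule_name, severity, timestamp, tags, offending_content_url, notes, metadata) to incident fields and sets the dbotMirror* fields for mirroring."` The file path for this section is not visible in this view, so the comment above is placed on the mapper content only.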
