[Zerofox] Key Incidents Integration (demisto#39834)

* [Zerofox] Key Incidents Integration (demisto#39506)

* Add new base application (#142)

* Format applications (#144)

* add key incident client (#145)

* add key incident attachment method (#146)

* Add simple key mapper (#147)

* add incident type, incident type field and layout to ZeroFox Key Incident Pack (#149)

* Add Fetch Incidents (#148)

* add key incident attachment command (#150)

* fix classifier, layout and incident type formats (#152)

* update release notes

* move key incidents package to zerofox pack (#153)

* Move key incidents integration to zerofox pack

* correct pack readme to include zerofox ki integration

* improve unit tests in ki integration (#154)

* rename integration to ZeroFoxKeyIncidents

* update release notes

* correct incident field names

* format ZeroFox pack files

---------

Co-authored-by: Leonardo de Requeséns <134218114+lderequesensS@users.noreply.github.com>

* post demo fixes

* fix incident name

* ignore

* fix incident name

---------

Co-authored-by: Diego Ramirez R <dramirez@zerofox.com>
Co-authored-by: Leonardo de Requeséns <134218114+lderequesensS@users.noreply.github.com>
Co-authored-by: meichler <meichler@paloaltonetworks.com>

Author: 4 people

Packs/ZeroFox/.secrets-ignore

@@ -80,4 +80,6 @@ https://www.youtube.com
 https://api.zerofox.com
 https://api.securitycenter.windows.com
 kkk@gmail.com
-me@zerofox.com
+me@zerofox.com
+nvISo
+Enbridge

Packs/ZeroFox/Classifiers/classifier-ZeroFox_Key_Incident_Incoming_Mapper.json

@@ -0,0 +1,47 @@
+{
+	"defaultIncidentType": "",
+	"definitionId": "",
+	"description": "Maps ZeroFox Key Incidents Fields to XSOAR",
+	"feed": false,
+	"id": "ZeroFox Key Incidents (incoming)",
+	"fromVersion": "6.0.0",
+	"mapping": {
+		"ZeroFox Key Incident": {
+			"dontMapEventToLabels": false,
+			"internalMapping": {
+				"ZeroFox Key Incident Analysis": {
+					"complex": {
+						"filters": [],
+						"root": "analysis",
+						"transformers": []
+					}
+				},
+				"ZeroFox Key Incident Headline": {
+					"complex": {
+						"filters": [],
+						"root": "headline",
+						"transformers": []
+					}
+				},
+				"Tags": {
+					"complex": {
+						"accessor": "[0]",
+						"filters": [],
+						"root": "tags",
+						"transformers": []
+					}
+				},
+				"occurred": {
+					"simple": "created_at"
+				}
+			}
+		},
+		"dbot_classification_incident_type_all": {
+			"dontMapEventToLabels": true,
+			"internalMapping": {}
+		}
+	},
+	"name": "ZeroFox Key Incidents (incoming)",
+	"type": "mapping-incoming",
+	"version": -1
+}

Packs/ZeroFox/IncidentFields/ZeroFoxKeyIncidents_Analysis.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_zerofoxkeyincidentanalysis",
+    "version": -1,
+    "modified": "2025-04-01T14:37:02.293030483Z",
+    "fromVersion": "6.10.0",
+    "name": "ZeroFox Key Incident Analysis",
+    "ownerOnly": true,
+    "cliName": "zerofoxkeyincidentanalysis",
+    "type": "longText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "content": true,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "ZeroFox Key Incident"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72
+}

Packs/ZeroFox/IncidentFields/ZeroFoxKeyIncidents_Headline.json

@@ -0,0 +1,31 @@
+{
+    "id": "incident_zerofoxkeyincidentheadline",
+    "version": -1,
+    "fromVersion": "6.10.0",
+    "modified": "2025-04-01T14:36:27.595586447Z",
+    "content": true,
+    "name": "ZeroFox Key Incident Headline",
+    "ownerOnly": true,
+    "cliName": "zerofoxkeyincidentheadline",
+    "type": "shortText",
+    "closeForm": false,
+    "editForm": true,
+    "required": false,
+    "neverSetAsRequired": false,
+    "isReadOnly": false,
+    "useAsKpi": false,
+    "locked": false,
+    "system": false,
+    "group": 0,
+    "hidden": false,
+    "openEnded": false,
+    "associatedTypes": [
+        "ZeroFox Key Incident"
+    ],
+    "associatedToAll": false,
+    "unmapped": false,
+    "unsearchable": true,
+    "caseInsensitive": true,
+    "sla": 0,
+    "threshold": 72
+}

Packs/ZeroFox/IncidentTypes/ZeroFox_Key_Incident.json

@@ -0,0 +1,22 @@
+{
+    "id": "ZeroFox Key Incident",
+    "name": "ZeroFox Key Incident",
+    "version": -1,
+    "fromVersion": "6.10.0",
+    "color": "#e7282b",
+    "hours": 0,
+    "days": 0,
+    "weeks": 0,
+    "hoursR": 0,
+    "daysR": 0,
+    "weeksR": 0,
+    "system": false,
+    "readonly": false,
+    "default": false,
+    "autorun": false,
+    "disabled": false,
+    "layout": "ZeroFox Key Incidents Layout",
+    "marketplaces": [
+        "xsoar"
+    ]
+}

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml

@@ -1532,7 +1532,7 @@ script:
     - contextPath: File.Extension
       description: The file extension.
       type: String
-  dockerimage: demisto/python3:3.12.8.1983910
+  dockerimage: demisto/python3:3.12.8.3296088
   longRunning: false
   longRunningPort: false
   runonce: false

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox_test.py

@@ -1321,7 +1321,7 @@ def test_send_alert_attachment_command(requests_mock, mocker):
     requests_mock.get(f"/1.0/alerts/{alert_id}/", json=alert_response)
     client = build_zf_client()
     spy_send_attachment = mocker.spy(client, "send_alert_attachment")
-    mocker.patch("builtins.open", mocker.mock_open(read_data=b"data"))
+    mocker.patch("builtins.open", mocker.mock_open(read_data="data"))
     mocker.patch.object(
         demisto,
         "getFilePath",
@@ -1337,7 +1337,6 @@ def test_send_alert_attachment_command(requests_mock, mocker):
         "entry_id": entry_id,
         "attachment_type": attachment_type,
     }
-
     results = send_alert_attachment_command(client, args)
 
     spy_send_attachment.assert_called_once()

Packs/ZeroFox/Integrations/ZeroFoxKeyIncidents/README.md

@@ -0,0 +1,59 @@
+Cloud-based SaaS to detect risks found on social media and digital channels.
+This integration was integrated and tested with version 1.4.0 of ZeroFoxKey.
+
+## Configure ZeroFox Key Incidents in Cortex
+
+
+| **Parameter** | **Required** |
+| --- | --- |
+| URL (e.g., https://api.zerofox.com/) | True |
+| Fetch incidents | False |
+| Username | True |
+| Password | True |
+| First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
+| Incident type | False |
+
+## Commands
+
+You can execute these commands from the CLI, as part of an automation, or in a playbook.
+After you successfully execute a command, a DBot message appears in the War Room with the command details.
+
+### zerofox-get-key-incident-attachment
+
+***
+Fetches a Key Incident Attachment by ID and uploads it to the current investigation War Room.
+
+#### Base Command
+
+`zerofox-get-key-incident-attachment`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| attachment_id | The ID of the Key Incident Attachment. | Required | 
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| File.Size | Number | The size of the file. | 
+| File.SHA1 | String | The SHA1 hash of the file. | 
+| File.SHA256 | String | The SHA256 hash of the file. | 
+| File.SHA512 | String | The SHA512 hash of the file. | 
+| File.Name | String | The name of the file. | 
+| File.SSDeep | String | The SSDeep hash of the file. | 
+| File.EntryID | String | The entry ID of the file. | 
+| File.Info | String | File information. | 
+| File.Type | String | The file type. | 
+| File.MD5 | String | The MD5 hash of the file. | 
+| File.Extension | String | The file extension. | 
+
+## Incident Mirroring
+
+You can enable incident mirroring between Cortex XSOAR incidents and ZeroFox Key Incidents corresponding events (available from Cortex XSOAR version 6.0.0).
+To set up the mirroring:
+1. Enable *Fetching incidents* in your instance configuration.
+
+Newly fetched incidents will be mirrored in the chosen direction. However, this selection does not affect existing incidents.
+**Important Note:** To ensure the mirroring works as expected, mappers are required, both for incoming and outgoing, to map the expected fields in Cortex XSOAR and ZeroFox Key Incidents.