* Update ZeroFox Integration (#27969) * Add command to modify notes in a specific alert (#2) * Sort imports and add zerofox-submit-threat command * Add offending content url to alert responses * Add CTI feed lookup commands Adds commands for lookup into * compromised domains * compromised emails * malicious ips * hashes associated with malware * found exploits * Add commands to sync alerts from zf to xsoar * Add release notes and update integration version * Improve code presentation according to XSOARs guidelines * Improve code by replacing return_output with return_results, as well as adding a client class * Add release notes and update integration version * Refactor to follow XSOAR Guidelines It also adds tests to the commands implemented. * Fix types in the integration file * Change data test's folder name * Update testing email data * Update docker tag, python type hints and docstrings - It fixes functions that modified dictionaries instead of creating copies. - It raises an error if a command is not implemented - It changes the way fetch-incidents manages pages - It updates the release notes - It adds the author image * Add description in main Readme file * Fix zf api call * Fix list alerts call with offset instead of pages * Add integration instructions to get your creds --------- Co-authored-by: Diego Ramirez <dramirez@zerofox.com> * Updated test_data * Updated docker image * Update .pack-ignore * Fixed first_fetch and max_fetch parameters * Added support for old and new fetch incidents params * Changed back to old fetch parameters --------- Co-authored-by: Felipe Garrido <fgarridob.95+github@gmail.com> Co-authored-by: Diego Ramirez <dramirez@zerofox.com> Co-authored-by: Anas Yousef <44998563+anas-yousef@users.noreply.github.com>
1 parent
4f3f602
commit 37fa3bc
Showing
36 changed files
with
6,142 additions
and
827 deletions.
@@ -1,2 +1,4 @@ | ||
[file:ZeroFox.yml] | ||
ignore=IN126 | ||
[known_words] | ||
zerofox | ||
CTI | ||
hashes |
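--- a/Packs/ZeroFox/Classifiers/classifier-ZeroFox_Mapping.json
+++ b/Packs/ZeroFox/Classifiers/classifier-ZeroFox_Mapping.json
@@ -0,0 +1,172 @@
+{
+"description": "",
+"feed": false,
+"id": "ZeroFox Mapping",
+"mapping": {
+"dbot_classification_incident_type_all": {
+"dontMapEventToLabels": true,
+"internalMapping": {
+"Additional Data": {
+"simple": "metadata"
+},
+"Alert Category": {
+"simple": "alert_type"
+},
+"Alert ID": {
+"simple": "id"
+},
+"Alert Source": {
+"simple": "network"
+},
+"Event Type": {
+"simple": "alert_type"
+},
+"External Status": {
+"simple": "status"
+},
+"Rule Name": {
+"complex": {
+"filters": [],
+"root": "rule_name",
+"transformers": []
+}
+},
+"Tags": {
+"complex": {
+"filters": [],
+"root": "tags",
+"transformers": [
+{
+"args": {
+"separator": {
+"value": {
+"simple": ","
+}
+}
+},
+"operator": "join"
+}
+]
+}
+},
+"Threat Name": {
+"simple": "rule_name"
+},
+"URLs": {
+"simple": "offending_content_url"
+},
+"dbotMirrorDirection": {
+"simple": "mirror_direction"
+},
+"dbotMirrorId": {
+"simple": "id"
+},
+"dbotMirrorInstance": {
+"simple": "mirror_instance"
+},
+"details": {
+"simple": "notes"
+},
+"occurred": {
+"complex": {
+"filters": [],
+"root": "timestamp",
+"transformers": []
+}
+},
+"severity": {
+"complex": {
+"filters": [],
+"root": "severity",
+"transformers": [
+{
+"args": {
+"limit": {},
+"replaceWith": {
+"value": {
+"simple": "informational"
+}
+},
+"toReplace": {
+"value": {
+"simple": "1"
+}
+}
+},
+"operator": "replace"
+},
+{
+"args": {
+"limit": {},
+"replaceWith": {
+"value": {
+"simple": "low"
+}
+},
+"toReplace": {
+"value": {
+"simple": "2"
+}
+}
+},
+"operator": "replace"
+},
+{
+"args": {
+"limit": {},
+"replaceWith": {
+"value": {
+"simple": "medium"
+}
+},
+"toReplace": {
+"value": {
+"simple": "3"
+}
+}
+},
+"operator": "replace"
+},
+{
+"args": {
+"limit": {},
+"replaceWith": {
+"value": {
+"simple": "high"
+}
+},
+"toReplace": {
+"value": {
+"simple": "4"
+}
+}
+},
+"operator": "replace"
+},
+{
+"args": {
+"limit": {},
+"replaceWith": {
+"value": {
+"simple": "critical"
+}
+},
+"toReplace": {
+"value": {
+"simple": "5"
+}
+}
+},
+"operator": "replace"
+}
+]
+}
+}
+}
+}
+},
+"name": "ZeroFox Mapping",
+"type": "mapping-incoming",
+"version": -1,
+"fromVersion": "6.8.0"
+}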
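Review bot: The `severity` mapping chains five `replace` transformers for the literal values "1" through "5" with no fallback, so any other value the API returns for `severity` (missing, "0", or a non-numeric string) reaches the incident severity field untransformed; whether XSOAR then applies a default or leaves the incident with an unexpected severity is not visible here and should be confirmed against the API's documented range. Consider either a final transformer that maps unmatched values to a known default, or at least documenting the accepted range in the classifier's `description`, which is currently the empty string `""`. The same raw field `alert_type` is mapped to both "Alert Category" and "Event Type", and `rule_name` to both "Rule Name" and "Threat Name"; if that duplication is intentional, a one-line description such as `"description": "Incoming mapper for ZeroFox alerts; maps numeric severity 1-5 to informational..critical"` would make the intent clear to the next maintainer.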