-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add command to modify notes in a specific alert (#2) * Sort imports and add zerofox-submit-threat command * Add offending content url to alert responses * Add CTI feed lookup commands Adds commands for lookup into * compromised domains * compromised emails * malicious ips * hashes associated to malware * found exploits * Add commands to sync alerts from zf to xsoar * Add release notes and update integration version * Improve code presentation according to XSOARs guidelines * Improve code by replacing return_output for return_results, as well as adding client class * Add release notes and update integration version * Refactor to follow XSOAR Guidelines It also adds tests to the commands implemented. * Fix types in the integration file * Change data test's folder name * Update testing email data * Update docker tag, python type hints and docstrings - It fixes functions that modified dictionaries instead of creating copies. - It raises an error if command it is not implemented - It changes the fetch-incidents way to manage pages - It updates the release notes - It adds the author image * Add description in main Readme file * Fix zf api call * Fix list alerts call with offset instead of pages * Add integration instructions to get your creds --------- Co-authored-by: Diego Ramirez <dramirez@zerofox.com>
- Loading branch information
Showing
36 changed files
with
6,144 additions
and
823 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,10 @@ | ||
| [file:ZeroFox.yml] | ||
| ignore=IN126 | ||
|
|
||
| [file:TestData/alert.json] | ||
| ignore=BA115 | ||
|
|
||
| [known_words] | ||
| zerofox | ||
| CTI | ||
| hashes |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
172 changes: 172 additions & 0 deletions
172
Packs/ZeroFox/Classifiers/classifier-ZeroFox_Mapping.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,172 @@ | ||
| { | ||
| "description": "", | ||
| "feed": false, | ||
| "id": "ZeroFox Mapping", | ||
| "mapping": { | ||
| "dbot_classification_incident_type_all": { | ||
| "dontMapEventToLabels": true, | ||
| "internalMapping": { | ||
| "Additional Data": { | ||
| "simple": "metadata" | ||
| }, | ||
| "Alert Category": { | ||
| "simple": "alert_type" | ||
| }, | ||
| "Alert ID": { | ||
| "simple": "id" | ||
| }, | ||
| "Alert Source": { | ||
| "simple": "network" | ||
| }, | ||
| "Event Type": { | ||
| "simple": "alert_type" | ||
| }, | ||
| "External Status": { | ||
| "simple": "status" | ||
| }, | ||
| "Rule Name": { | ||
| "complex": { | ||
| "filters": [], | ||
| "root": "rule_name", | ||
| "transformers": [] | ||
| } | ||
| }, | ||
| "Tags": { | ||
| "complex": { | ||
| "filters": [], | ||
| "root": "tags", | ||
| "transformers": [ | ||
| { | ||
| "args": { | ||
| "separator": { | ||
| "value": { | ||
| "simple": "," | ||
| } | ||
| } | ||
| }, | ||
| "operator": "join" | ||
| } | ||
| ] | ||
| } | ||
| }, | ||
| "Threat Name": { | ||
| "simple": "rule_name" | ||
| }, | ||
| "URLs": { | ||
| "simple": "offending_content_url" | ||
| }, | ||
| "dbotMirrorDirection": { | ||
| "simple": "mirror_direction" | ||
| }, | ||
| "dbotMirrorId": { | ||
| "simple": "id" | ||
| }, | ||
| "dbotMirrorInstance": { | ||
| "simple": "mirror_instance" | ||
| }, | ||
| "details": { | ||
| "simple": "notes" | ||
| }, | ||
| "occurred": { | ||
| "complex": { | ||
| "filters": [], | ||
| "root": "timestamp", | ||
| "transformers": [] | ||
| } | ||
| }, | ||
| "severity": { | ||
| "complex": { | ||
| "filters": [], | ||
| "root": "severity", | ||
| "transformers": [ | ||
| { | ||
| "args": { | ||
| "limit": {}, | ||
| "replaceWith": { | ||
| "value": { | ||
| "simple": "informational" | ||
| } | ||
| }, | ||
| "toReplace": { | ||
| "value": { | ||
| "simple": "1" | ||
| } | ||
| } | ||
| }, | ||
| "operator": "replace" | ||
| }, | ||
| { | ||
| "args": { | ||
| "limit": {}, | ||
| "replaceWith": { | ||
| "value": { | ||
| "simple": "low" | ||
| } | ||
| }, | ||
| "toReplace": { | ||
| "value": { | ||
| "simple": "2" | ||
| } | ||
| } | ||
| }, | ||
| "operator": "replace" | ||
| }, | ||
| { | ||
| "args": { | ||
| "limit": {}, | ||
| "replaceWith": { | ||
| "value": { | ||
| "simple": "medium" | ||
| } | ||
| }, | ||
| "toReplace": { | ||
| "value": { | ||
| "simple": "3" | ||
| } | ||
| } | ||
| }, | ||
| "operator": "replace" | ||
| }, | ||
| { | ||
| "args": { | ||
| "limit": {}, | ||
| "replaceWith": { | ||
| "value": { | ||
| "simple": "high" | ||
| } | ||
| }, | ||
| "toReplace": { | ||
| "value": { | ||
| "simple": "4" | ||
| } | ||
| } | ||
| }, | ||
| "operator": "replace" | ||
| }, | ||
| { | ||
| "args": { | ||
| "limit": {}, | ||
| "replaceWith": { | ||
| "value": { | ||
| "simple": "critical" | ||
| } | ||
| }, | ||
| "toReplace": { | ||
| "value": { | ||
| "simple": "5" | ||
| } | ||
| } | ||
| }, | ||
| "operator": "replace" | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "name": "ZeroFox Mapping", | ||
| "type": "mapping-incoming", | ||
| "version": -1, | ||
| "fromVersion": "6.8.0" | ||
| } |
Oops, something went wrong.