Add release notes and update integration version

It fixes the problem with the mirroring feature.
It also adds the mapping file of the integration to map all fields
required for the mirroring feature.

Packs/ZeroFox/.pack-ignore

@@ -1,2 +1,7 @@
 [file:ZeroFox.yml]
 ignore=IN126
+
+[known_words]
+zerofox
+CTI
+hashes

Packs/ZeroFox/Classifiers/classifier-ZeroFox_Mapping.json

@@ -0,0 +1,194 @@
+{
+	"brands": null,
+	"cacheVersn": 0,
+	"defaultIncidentType": "",
+	"definitionId": "",
+	"description": "",
+	"feed": false,
+	"fromServerVersion": "",
+	"id": "ea399f75-4639-468f-8641-75cfc7b30593",
+	"incidentSamples": null,
+	"indicatorSamples": null,
+	"instanceIds": null,
+	"itemVersion": "",
+	"keyTypeMap": {},
+	"locked": false,
+	"logicalVersion": 9,
+	"mapping": {
+		"dbot_classification_incident_type_all": {
+			"dontMapEventToLabels": true,
+			"internalMapping": {
+				"Additional Data": {
+					"simple": "metadata"
+				},
+				"Alert Category": {
+					"simple": "alert_type"
+				},
+				"Alert ID": {
+					"simple": "id"
+				},
+				"Alert Source": {
+					"simple": "network"
+				},
+				"Event Type": {
+					"simple": "alert_type"
+				},
+				"External Status": {
+					"simple": "status"
+				},
+				"Rule Name": {
+					"complex": {
+						"filters": [],
+						"root": "rule_name",
+						"transformers": []
+					}
+				},
+				"Tags": {
+					"complex": {
+						"filters": [],
+						"root": "tags",
+						"transformers": [
+							{
+								"args": {
+									"separator": {
+										"value": {
+											"simple": ","
+										}
+									}
+								},
+								"operator": "join"
+							}
+						]
+					}
+				},
+				"Threat Name": {
+					"simple": "rule_name"
+				},
+				"URLs": {
+					"simple": "offending_content_url"
+				},
+				"dbotMirrorDirection": {
+					"simple": "mirror_direction"
+				},
+				"dbotMirrorId": {
+					"simple": "id"
+				},
+				"dbotMirrorInstance": {
+					"simple": "mirror_instance"
+				},
+				"details": {
+					"simple": "notes"
+				},
+				"occurred": {
+					"complex": {
+						"filters": [],
+						"root": "timestamp",
+						"transformers": []
+					}
+				},
+				"severity": {
+					"complex": {
+						"filters": [],
+						"root": "severity",
+						"transformers": [
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "informational"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "1"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "low"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "2"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "medium"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "3"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "high"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "4"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "critical"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "5"
+										}
+									}
+								},
+								"operator": "replace"
+							}
+						]
+					}
+				}
+			}
+		}
+	},
+	"name": "ZeroFox Mapping",
+	"nameRaw": "ZeroFox Mapping",
+	"packID": "",
+	"packName": "",
+	"propagationLabels": [
+		"all"
+	],
+	"sourceClassifierId": "",
+	"system": false,
+	"toServerVersion": "",
+	"transformer": {},
+	"type": "mapping-incoming",
+	"unclassifiedCases": null,
+	"version": -1
+}

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py

@@ -1213,8 +1213,6 @@ def search_exploit_command():
 
 def get_modified_remote_data_command():
     raw_args = demisto.args()
-    if not raw_args.get('lastUpdate'):
-        raw_args = {'lastUpdate': datetime.now() - timedelta(days=1)}
     args = GetModifiedRemoteDataArgs(raw_args)
     last_update = args.last_update
 
@@ -1225,22 +1223,31 @@ def get_modified_remote_data_command():
     }
     response_content = list_alerts(list_alert_params)
     modified_alerts = response_content.get("alerts", [])
-    modified_alert_ids = [alert.get("id") for alert in modified_alerts]
+    demisto.debug(f"Fetched {len(modified_alerts)} alerts with the following params: {str(list_alert_params)}")
+    modified_alert_ids = [str(alert.get("id")) for alert in modified_alerts]
 
-    return return_results(GetModifiedRemoteDataResponse(modified_alert_ids))
+    return return_results(GetModifiedRemoteDataResponse(modified_incident_ids=modified_alert_ids))
 
 
 def get_remote_data_command():
-    args = demisto.args()
-    remote_args = GetRemoteDataArgs(args)
-    alert_id = remote_args.remote_incident_id
+    raw_args = demisto.args()
+    args = GetRemoteDataArgs(raw_args)
+    alert_id = args.remote_incident_id
 
     response_content = get_alert(alert_id)
     alert = response_content.get("alert", {})
+    demisto.debug(f"Alert fetched with id {alert.get('id')}")
 
     entries = []
     if alert.get("status") in CLOSED_ALERT_STATUS:
-        entries.append({"Contents": {"dbotIncidentClose": True}})
+        demisto.debug(f"Incident associated with alert_id={alert_id} is being closed")
+        entries.append({
+            "Contents": {
+                "dbotIncidentClose": True,
+                "closeReason": "Other",
+                "closeNotes": "Closed in ZeroFox"
+            },
+        })
 
     return return_results(GetRemoteDataResponse(mirrored_object=alert, entries=entries))
 

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml

@@ -1027,7 +1027,7 @@ script:
     - contextPath: ZeroFox.Alert
       type: string
     description: Looks for malicious ips in ZeroFox's CTI feeds
-  - name: zerofox-search-malicious_hash
+  - name: zerofox-search-malicious-hash
     arguments:
     - name: hash
       required: true
@@ -1058,6 +1058,7 @@ script:
   script: '-'
   type: python
   subtype: python3
+  defaultmapperin: ZeroFox Mapping
 tests:
 - ZeroFox-Test
 fromversion: 5.0.0

Packs/ZeroFox/ReleaseNotes/1_1_0.md

@@ -0,0 +1,15 @@
+
+#### Integrations
+
+##### ZeroFox
+
+- Updated the docker image to: *demisto/python3:3.10.11.61265*.
+- Added the command to update alert notes in ZeroFox, `zerofox-modify-alert-notes`.
+- Added the command to submit threats in ZeroFox, `zerofox-submit-threat`.
+- Added the alert's offending content to the response of `zerofox-get-alert` and `zerofox-list-alerts`.
+- Added the ability to look up IPs against ZeroFox CTI feeds with the following new command `zerofox-search-malicious-ip`.
+- Added the ability to look up domains against ZeroFox CTI feeds with the following new command `zerofox-search-compromised-domain`.
+- Added the ability to look up emails against ZeroFox CTI feeds with the following new command `zerofox-search-compromised-email`.
+- Added the ability to look up hashes against ZeroFox CTI feeds with the following new command `zerofox-search-malicious-hash`.
+- Added the ability to look up exploits against ZeroFox CTI feeds with the following new command `zerofox-search-exploit`.
+- Added the incoming mirroring feature.

Packs/ZeroFox/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ZeroFox",
     "description": "Cloud-based SaaS to detect risks found on social media and digital channels.",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.1.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",