Add release notes and update integration version

Packs/ZeroFox/.pack-ignore

@@ -1,2 +1,7 @@
 [file:ZeroFox.yml]
 ignore=IN126
+
+[known_words]
+zerofox
+CTI
+hashes

Packs/ZeroFox/Classifiers/classifier-ZeroFox_Mapping.json

@@ -0,0 +1,194 @@
+{
+	"brands": null,
+	"cacheVersn": 0,
+	"defaultIncidentType": "",
+	"definitionId": "",
+	"description": "",
+	"feed": false,
+	"fromServerVersion": "",
+	"id": "ea399f75-4639-468f-8641-75cfc7b30593",
+	"incidentSamples": null,
+	"indicatorSamples": null,
+	"instanceIds": null,
+	"itemVersion": "",
+	"keyTypeMap": {},
+	"locked": false,
+	"logicalVersion": 9,
+	"mapping": {
+		"dbot_classification_incident_type_all": {
+			"dontMapEventToLabels": true,
+			"internalMapping": {
+				"Additional Data": {
+					"simple": "metadata"
+				},
+				"Alert Category": {
+					"simple": "alert_type"
+				},
+				"Alert ID": {
+					"simple": "id"
+				},
+				"Alert Source": {
+					"simple": "network"
+				},
+				"Event Type": {
+					"simple": "alert_type"
+				},
+				"External Status": {
+					"simple": "status"
+				},
+				"Rule Name": {
+					"complex": {
+						"filters": [],
+						"root": "rule_name",
+						"transformers": []
+					}
+				},
+				"Tags": {
+					"complex": {
+						"filters": [],
+						"root": "tags",
+						"transformers": [
+							{
+								"args": {
+									"separator": {
+										"value": {
+											"simple": ","
+										}
+									}
+								},
+								"operator": "join"
+							}
+						]
+					}
+				},
+				"Threat Name": {
+					"simple": "rule_name"
+				},
+				"URLs": {
+					"simple": "offending_content_url"
+				},
+				"dbotMirrorDirection": {
+					"simple": "mirror_direction"
+				},
+				"dbotMirrorId": {
+					"simple": "id"
+				},
+				"dbotMirrorInstance": {
+					"simple": "mirror_instance"
+				},
+				"details": {
+					"simple": "notes"
+				},
+				"occurred": {
+					"complex": {
+						"filters": [],
+						"root": "timestamp",
+						"transformers": []
+					}
+				},
+				"severity": {
+					"complex": {
+						"filters": [],
+						"root": "severity",
+						"transformers": [
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "informational"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "1"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "low"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "2"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "medium"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "3"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "high"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "4"
+										}
+									}
+								},
+								"operator": "replace"
+							},
+							{
+								"args": {
+									"limit": {},
+									"replaceWith": {
+										"value": {
+											"simple": "critical"
+										}
+									},
+									"toReplace": {
+										"value": {
+											"simple": "5"
+										}
+									}
+								},
+								"operator": "replace"
+							}
+						]
+					}
+				}
+			}
+		}
+	},
+	"name": "ZeroFox Mapping",
+	"nameRaw": "ZeroFox Mapping",
+	"packID": "",
+	"packName": "",
+	"propagationLabels": [
+		"all"
+	],
+	"sourceClassifierId": "",
+	"system": false,
+	"toServerVersion": "",
+	"transformer": {},
+	"type": "mapping-incoming",
+	"unclassifiedCases": null,
+	"version": -1
+}

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.py

@@ -1213,8 +1213,6 @@ def search_exploit_command():
 
 def get_modified_remote_data_command():
     raw_args = demisto.args()
-    if not raw_args.get('lastUpdate'):
-        raw_args = {'lastUpdate': datetime.now() - timedelta(days=1)}
     args = GetModifiedRemoteDataArgs(raw_args)
     last_update = args.last_update
 
@@ -1225,22 +1223,31 @@ def get_modified_remote_data_command():
     }
     response_content = list_alerts(list_alert_params)
     modified_alerts = response_content.get("alerts", [])
-    modified_alert_ids = [alert.get("id") for alert in modified_alerts]
+    demisto.debug(f"Fetched {len(modified_alerts)} alerts with the following params: {str(list_alert_params)}")
+    modified_alert_ids = [str(alert.get("id")) for alert in modified_alerts]
 
-    return return_results(GetModifiedRemoteDataResponse(modified_alert_ids))
+    return return_results(GetModifiedRemoteDataResponse(modified_incident_ids=modified_alert_ids))
 
 
 def get_remote_data_command():
-    args = demisto.args()
-    remote_args = GetRemoteDataArgs(args)
-    alert_id = remote_args.remote_incident_id
+    raw_args = demisto.args()
+    args = GetRemoteDataArgs(raw_args)
+    alert_id = args.remote_incident_id
 
     response_content = get_alert(alert_id)
     alert = response_content.get("alert", {})
+    demisto.debug(f"Alert fetched with id {alert.get('id')}")
 
     entries = []
     if alert.get("status") in CLOSED_ALERT_STATUS:
-        entries.append({"Contents": {"dbotIncidentClose": True}})
+        demisto.debug(f"Incident associated with alert_id={alert_id} is being closed")
+        entries.append({
+            "Contents": {
+                "dbotIncidentClose": True,
+                "closeReason": "Other",
+                "closeNotes": "Closed in ZeroFox"
+            },
+        })
 
     return return_results(GetRemoteDataResponse(mirrored_object=alert, entries=entries))
 

Packs/ZeroFox/Integrations/ZeroFox/ZeroFox.yml

@@ -1027,7 +1027,7 @@ script:
     - contextPath: ZeroFox.Alert
       type: string
     description: Looks for malicious ips in ZeroFox's CTI feeds
-  - name: zerofox-search-malicious_hash
+  - name: zerofox-search-malicious-hash
     arguments:
     - name: hash
       required: true
@@ -1058,6 +1058,7 @@ script:
   script: '-'
   type: python
   subtype: python3
+  defaultmapperin: ZeroFox Mapping
 tests:
 - ZeroFox-Test
 fromversion: 5.0.0

Packs/ZeroFox/ReleaseNotes/1_1_0.md

@@ -0,0 +1,15 @@
+
+#### Integrations
+
+##### ZeroFox
+
+- Updated the docker image to: *demisto/python3:3.10.11.61265*.
+- Added the command to update alert notes in ZeroFox, `zerofox-modify-alert-notes`.
+- Added the command to submit threats in ZeroFox, `zerofox-submit-threat`.
+- Added the alert's offending content to the response of `zerofox-get-alert` and `zerofox-list-alerts`.
+- Added the ability to look up IPs against ZeroFox CTI feeds with the following new command `zerofox-search-malicious-ip`.
+- Added the ability to look up domains against ZeroFox CTI feeds with the following new command `zerofox-search-compromised-domain`.
+- Added the ability to look up emails against ZeroFox CTI feeds with the following new command `zerofox-search-compromised-email`.
+- Added the ability to look up hashes against ZeroFox CTI feeds with the following new command `zerofox-search-malicious-hash`.
+- Added the ability to look up exploits against ZeroFox CTI feeds with the following new command `zerofox-search-exploit`.
+- Added the incoming mirroring feature.

Packs/ZeroFox/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "ZeroFox",
     "description": "Cloud-based SaaS to detect risks found on social media and digital channels.",
     "support": "xsoar",
-    "currentVersion": "1.0.6",
+    "currentVersion": "1.1.0",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",