ZeroFox
The ZeroFox connector enables automated threat detection and response for digital and social media channels, streamlining the management of online risks. ZeroFox delivers protection from digital threats originating from social media, digital channels, and the deep and dark web. The ZeroFox Turbine connector lets users automate the detection, monitoring, and remediation of these threats directly within the Swimlane platform. By integrating with ZeroFox, users can retrieve real-time alerts, submit suspicious domains for analysis, and take action on threats, enhancing their digital risk protection and response capabilities.

## Prerequisites

To use the ZeroFox connector within the Swimlane Turbine platform, ensure you have the following:

API Key Authentication:

- URL: the endpoint URL for the ZeroFox API
- API Token: your unique authentication token for the ZeroFox API

## Capabilities

The ZeroFox connector has the following capabilities:

- Get Alerts
- Take Action on Alerts
- Submit Phishing Domain

## API Documentation Link

ZeroFox API documentation: https://api.zerofox.com/1.0/docs/

## Configurations

### ZeroFox API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| API Token | API token | string | Required |
| Verify SSL | Verify the TLS certificate presented by the ZeroFox API. Leave enabled: with verification off, the API token is sent to whatever host answers for the URL. | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Get Alerts

Retrieves real-time notifications and alerts for potential threats and malicious activities detected across social media and digital channels.

Endpoint URL: `/1.0/alerts/`

Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| account | string | Optional | Social network account number (unique ID) |
| alert_type | string | Optional | CSV of alert types |
| assignee | string | Optional | Name of the user assigned to the alert |
| entity | number | Optional | ZeroFox entity ID |
| entity_term | number | Optional | ZeroFox entity term ID |
| last_modified | number | Optional | Number of seconds since an alert has changed |
| last_modified_min_date | string | Optional | ISO 8601 date-time string that filters out alerts with a last-modified time before the given time |
| last_modified_max_date | string | Optional | ISO 8601 date-time string that filters out alerts with a last-modified time after the given time |
| limit | number | Optional | Maximum number of alerts to retrieve (0-100) |
| max_timestamp | string | Optional | ISO 8601 date-time string; only alerts before this time are returned |
| min_timestamp | string | Optional | ISO 8601 date-time string; only alerts after this time are returned |
| network | string | Optional | Network name CSV |
| offset | number | Optional | Used for pagination: start the response with the n-th alert matching the filters |
| page_id | number | Optional | ZeroFox page ID CSV |
| page_url | string | Optional | URL to web/social web content |
| pages | string | Optional | Encoded JSON array of strings to filter alerts by |
| post | string | Optional | Social network post number (unique ID) |
| rule_id | number | Optional | ZeroFox rule ID CSV |
| rule_name | string | Optional | ZeroFox rule name CSV |
| entity_search | string | Optional | Substring matching for the protected entity |
| perpetrator_search | string | Optional | Substring to filter alerts by perpetrator username or display name |
| pro_social_obj_search | string | Optional | Substring to filter alerts by protected social object username, display name, or entity term name |
| alert_id | string | Optional | CSV of alert IDs |
| severity | number | Optional | Severity level of the alert, 1-5 (5 is critical) |
| sort_direction | string | Optional | Sort results in ascending (asc) or descending (desc) order |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| count | number | Total number of alerts matching the filters |
| next | object | URL of the next page of results, or null |
| previous | object | URL of the previous page of results, or null |
| page_size | number | Number of alerts per page |
| num_pages | number | Number of pages |
| alerts | array | The alerts on this page |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 01 Jul 2024 10:09:54 GMT",
      "content-type": "application/json",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "allow": "GET, POST, HEAD, OPTIONS",
      "content-language": "en-us",
      "referrer-policy": "same-origin",
      "vary": "Accept, Accept-Language, Origin",
      "x-content-type-options": "nosniff",
      "x-frame-options": "DENY",
      "x-xss-protection": "1; mode=block, 1; mode=block",
      "cf-cache-status": "DYNAMIC",
      "strict-transport-security": "max-age=15552000; includeSubDomains",
      "server": "cloudflare",
      "cf-ray": "89c59a68393bf43d-BOM"
    },
    "reason": "OK",
    "json_body": {
      "count": 0,
      "next": null,
      "previous": null,
      "page_size": 100,
      "num_pages": 0,
      "alerts": []
    }
  }
]
```

### Submit Phishing Domain

Submits a suspected phishing domain to ZeroFox, including the source, alert type, violation, and entity ID.

Endpoint URL: `/2.0/threat_submit/`

Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| source | string | Required | The source of the alert. Its form depends on the value of alert_type: a URL, a phone number, a domain, an email address, etc. |
| alert_type | string | Required | Alert type |
| violation | string | Required | Threat posed by the user |
| entity_id | number | Required | Entity ID the submitted source is associated with |
| notes | string | Optional | Notes made on the alert |
| request_takedown | boolean | Optional | Whether the content should be queued for automatic takedown after alerting |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| alert_id | number | Unique identifier of the created alert |

Example:

```json
[
  {
    "status_code": 201,
    "response_headers": {
      "date": "Fri, 10 May 2024 12:43:09 GMT",
      "content-type": "application/json",
      "content-length": "22",
      "connection": "keep-alive",
      "allow": "POST, OPTIONS",
      "content-language": "en-us",
      "referrer-policy": "same-origin",
      "vary": "Accept, Accept-Language, Origin",
      "x-content-type-options": "nosniff",
      "x-frame-options": "DENY",
      "x-xss-protection": "1; mode=block, 1; mode=block",
      "cf-cache-status": "DYNAMIC",
      "strict-transport-security": "max-age=15552000; includeSubDomains",
      "server": "cloudflare",
      "cf-ray": "881a035dbc364ae1-HYD"
    },
    "reason": "Created",
    "json_body": {
      "alert_id": 315632201
    }
  }
]
```

### Take Action on Alerts

Automates responses and remediation for threats detected on social media and digital channels, using the alert ID and an action name.

Endpoint URL: `/1.0/alerts/{{alert_id}}/{{action}}/`

Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| alert_id | number | Required | The ZeroFox alert ID |
| action | string | Required | Action to take on the alert |

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "content-length": "140",
      "content-type": "application/json",
      "date": "Thu, 2 May 2024 20:37:23 GMT"
    },
    "reason": "OK",
    "json_body": {}
  }
]
```

## Response Headers

| Header | Description | Example |
|---|---|---|
| allow | HTTP response header Allow | POST, OPTIONS |
| cf-cache-status | HTTP response header cf-cache-status | DYNAMIC |
| cf-ray | HTTP response header cf-ray | 881a035dbc364ae1-HYD |
| connection | HTTP response header Connection | keep-alive |
| content-encoding | HTTP response header Content-Encoding | gzip |
| content-language | HTTP response header Content-Language | en-us |
| content-length | The length of the response body in bytes | 140 |
| content-type | The media type of the resource | application/json |
| date | The date and time at which the message was originated | Mon, 01 Jul 2024 10:09:54 GMT |
| referrer-policy | HTTP response header Referrer-Policy | same-origin |
| server | Information about the software used by the origin server | cloudflare |
| strict-transport-security | HTTP response header Strict-Transport-Security | max-age=15552000; includeSubDomains |
| transfer-encoding | HTTP response header Transfer-Encoding | chunked |
| vary | HTTP response header Vary | Accept, Accept-Language, Origin |
| x-content-type-options | HTTP response header X-Content-Type-Options | nosniff |
| x-frame-options | HTTP response header X-Frame-Options | DENY |
| x-xss-protection | HTTP response header X-XSS-Protection | 1; mode=block, 1; mode=block |
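The three actions above are thin wrappers over three ZeroFox endpoints, and the parts a practitioner usually gets wrong are outside the tables: validating the documented ranges (limit 0-100, severity 1-5, asc/desc) before the request leaves, following `next` until it is null instead of stopping at the first page, and checking for the specific status each endpoint returns (201 for threat_submit, 200 for the others). The client below is an added example written for this page, not Swimlane's connector code or ZeroFox's SDK. The endpoint paths, parameter names and limits come from the tables above; the `Authorization: Token ...` header format, the `close` action name and the `requests_transport` helper are assumptions, and the responses served by `fake_transport` are constructed to match the shape of the page's examples so the block runs offline.

```python
"""Hypothetical ZeroFox client for the connector's three actions (added example)."""
from dataclasses import dataclass
from typing import Any, Callable, Iterator, Optional
from urllib.parse import urlencode, urljoin, urlsplit

# A transport takes (method, url, headers, json_body, verify_tls) and returns (status, json).
Transport = Callable[[str, str, dict, Optional[dict], bool], tuple[int, dict]]


def requests_transport(method: str, url: str, headers: dict,
                       body: Optional[dict], verify: bool) -> tuple[int, dict]:
    """Live transport via the requests library (assumed available; not used offline)."""
    import requests  # imported lazily so the offline demo has no third-party dependency
    r = requests.request(method, url, headers=headers, json=body, verify=verify, timeout=30)
    return r.status_code, (r.json() if r.content else {})


@dataclass
class ZeroFoxClient:
    base_url: str                         # connector "URL" parameter
    api_token: str                        # connector "API Token" parameter
    verify_ssl: bool = True               # connector "Verify SSL": keep True
    transport: Transport = requests_transport

    def _headers(self) -> dict:
        # Assumption: the token travels as "Authorization: Token <api_token>".
        return {"Authorization": f"Token {self.api_token}", "Accept": "application/json"}

    def _request(self, method: str, url: str, body: Optional[dict], expect: int) -> dict:
        status, payload = self.transport(method, url, self._headers(), body, self.verify_ssl)
        if status != expect:  # each endpoint has one success code; anything else is an error
            raise RuntimeError(f"{method} {url} returned {status}, expected {expect}")
        return payload

    def alerts_url(self, **filters: Any) -> str:
        """Build the GET /1.0/alerts/ URL, enforcing the documented ranges client-side."""
        limit = filters.get("limit")
        if limit is not None and not 0 <= int(limit) <= 100:
            raise ValueError("limit must be between 0 and 100")
        sev = filters.get("severity")
        if sev is not None and not 1 <= int(sev) <= 5:
            raise ValueError("severity must be between 1 and 5")
        if filters.get("sort_direction") not in (None, "asc", "desc"):
            raise ValueError("sort_direction must be 'asc' or 'desc'")
        query = urlencode(sorted((k, v) for k, v in filters.items() if v is not None))
        return urljoin(self.base_url, "/1.0/alerts/") + (f"?{query}" if query else "")

    def iter_alerts(self, **filters: Any) -> Iterator[dict]:
        """Yield alerts across all pages by following 'next' until it is null."""
        url: Optional[str] = self.alerts_url(**filters)
        while url:
            page = self._request("GET", url, None, 200)
            yield from page.get("alerts", [])
            url = page.get("next")

    def submit_phishing_domain(self, source: str, alert_type: str, violation: str,
                               entity_id: int, notes: str = "",
                               request_takedown: bool = False) -> int:
        """POST /2.0/threat_submit/ and return the alert_id from the 201 response."""
        body = {"source": source, "alert_type": alert_type, "violation": violation,
                "entity_id": entity_id, "notes": notes, "request_takedown": request_takedown}
        url = urljoin(self.base_url, "/2.0/threat_submit/")
        return int(self._request("POST", url, body, 201)["alert_id"])

    def take_action(self, alert_id: int, action: str) -> bool:
        """POST /1.0/alerts/{alert_id}/{action}/; True on HTTP 200."""
        url = urljoin(self.base_url, f"/1.0/alerts/{int(alert_id)}/{action}/")
        self._request("POST", url, {}, 200)
        return True


# Constructed responses shaped like this page's examples (not live ZeroFox data).
NEXT = "https://api.zerofox.com/1.0/alerts/?limit=2&offset=2&severity=5&sort_direction=desc"
FAKE_RESPONSES = {
    ("GET", "/1.0/alerts/?limit=2&severity=5&sort_direction=desc"):
        (200, {"count": 3, "next": NEXT, "previous": None, "page_size": 2, "num_pages": 2,
               "alerts": [{"id": 1, "severity": 5}, {"id": 2, "severity": 5}]}),
    ("GET", "/1.0/alerts/?limit=2&offset=2&severity=5&sort_direction=desc"):
        (200, {"count": 3, "next": None, "previous": "...", "page_size": 2, "num_pages": 2,
               "alerts": [{"id": 3, "severity": 5}]}),
    ("POST", "/2.0/threat_submit/"): (201, {"alert_id": 315632201}),
    ("POST", "/1.0/alerts/1/close/"): (200, {}),   # "close" is an assumed action name
}


def fake_transport(method, url, headers, body, verify):
    """Offline stand-in for requests_transport that serves FAKE_RESPONSES."""
    if not headers.get("Authorization", "").startswith("Token "):
        return 401, {"detail": "missing token"}
    p = urlsplit(url)
    key = (method, p.path + (f"?{p.query}" if p.query else ""))
    return FAKE_RESPONSES.get(key, (404, {"detail": "not found"}))


def demo() -> dict:
    """Run the three actions against the offline transport and return their results."""
    client = ZeroFoxClient("https://api.zerofox.com", "example-token", transport=fake_transport)
    ids = [a["id"] for a in client.iter_alerts(limit=2, severity=5, sort_direction="desc")]
    new_id = client.submit_phishing_domain("login-example.test", "phishing", "Impersonation",
                                           entity_id=42, request_takedown=True)
    return {"alert_ids": ids, "submitted": new_id, "closed": client.take_action(ids[0], "close")}


if __name__ == "__main__":
    print(demo())
```

To run it live, construct `ZeroFoxClient` without the `transport` argument and set `verify_ssl` to the connector's Verify SSL value; `iter_alerts` is a generator, so a severity-5 sweep over a large tenant streams page by page rather than loading every alert into memory. Filters are sorted before encoding only so the URL is deterministic for testing; the API does not care about parameter order.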