
ZeroFox

This Integration is part of the ZeroFox Pack.

Cloud-based SaaS to detect risks found on social media and digital channels. This integration was integrated and tested with versions 1.0 and 2.0 of ZeroFox.

Configure ZeroFox on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for ZeroFox.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | URL (e.g., https://api.zerofox.com/) | True |
    | Username | True |
    | Password | True |
    | Fetch only escalated alerts | False |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |
    | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | False |
    | Fetch Limit | True |
    | Fetch incidents | False |
    | Incident type | False |

    Leave Trust any certificate unchecked unless the engine has to reach ZeroFox through a TLS-intercepting proxy; it turns off certificate validation for every request the instance makes.

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

zerofox-get-alert

Fetches an alert by ID.

Base Command

zerofox-get-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Alert.AlertType | String | The type of an alert. |
| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. |
| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. |
| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. |
| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. |
| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. |
| ZeroFox.Alert.ID | Number | The ID of an alert. |
| ZeroFox.Alert.RiskRating | String | The risk rating of an alert: "Critical", "High", "Medium", "Low", or "Info". |
| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. |
| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. |
| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. |
| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created: account, page, or post. |
| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. |
| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. |
| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. |
| ZeroFox.Alert.Status | String | The status of an alert: "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". |
| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. |
| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. |
| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. |
| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. |
| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. |
| ZeroFox.Alert.Network | String | The network on which an alert was created. |
| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. For an alert on an entity term, this is the entity term name. For an alert on a protected account (account information, or incoming or outgoing content), this is the account username when the account is network-defined and the account display name otherwise. For impersonation alerts, the protected object is null. |
| ZeroFox.Alert.Notes | String | Notes made on an alert. |
| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.Tags | String | A list of an alert's tags. |
| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. |

zerofox-alert-user-assignment

Assigns an alert to a user.

Base Command

zerofox-alert-user-assignment

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |
| username | The name of the user to which an alert is assigned. | Required |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).

zerofox-close-alert

Closes an alert.

Base Command

zerofox-close-alert

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).

zerofox-alert-request-takedown

Requests a takedown of a specified alert.

Base Command

zerofox-alert-request-takedown

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).

zerofox-modify-alert-tags

Adds tags to, or removes tags from, a specified alert.

Base Command

zerofox-modify-alert-tags

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| action | Whether to add or remove the tags. Possible values are: add, remove. Default is add. | Optional |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |
| tags | A CSV list of tags to be added to or removed from an alert. | Required |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).
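The per-alert commands above (assign, close, request takedown, modify tags) are usually chained from a playbook rather than typed one at a time. The following is an added example, not code from the ZeroFox pack or the ZeroFox product: a triage routine that takes ZeroFox.Alert context entries and decides which of those commands to run. The alert records, the assignee name, the risk threshold and the `xsoar-auto-takedown` tag are constructed for this example; the command names, argument names, alert types and status values are the ones documented on this page.

```python
"""Added example, not code from the ZeroFox pack: playbook-style triage over
ZeroFox.Alert context entries using the commands documented above. The alert
records, the assignee and the policy thresholds are constructed for this
example; command names and argument names are the page's own."""
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}
IMPERSONATION_TYPES = {"impersonating_account", "impersonating_post", "impersonating_comment"}
# States in which a (re)run must not touch the alert again.
SETTLED_STATES = {"Closed", "Whitelisted", "Takedown:Requested",
                  "Takedown:Accepted", "Takedown:Denied"}


def validate_tag(tag: str) -> str:
    """`tags` is a CSV argument, so a comma inside one tag would be read as two."""
    if not tag or "," in tag:
        raise ValueError(f"invalid tag: {tag!r}")
    return tag


def plan_actions(alerts, *, assignee: str, takedown_min: str = "High",
                 auto_tag: str = "xsoar-auto-takedown") -> list:
    """Return the XSOAR command lines to run, highest risk first. Impersonation
    alerts at or above takedown_min are assigned, tagged and sent for takedown;
    reviewed, unescalated Low/Info alerts are closed; everything else is left
    for an analyst. Alerts already in a settled state are skipped, so running
    the plan twice does not request a second takedown."""
    validate_tag(auto_tag)
    if takedown_min not in RISK_RANK:
        raise ValueError(f"unknown risk rating: {takedown_min!r}")
    commands = []
    by_risk = sorted(alerts, key=lambda a: RISK_RANK.get(a.get("RiskRating"), -1), reverse=True)
    for alert in by_risk:
        aid = alert["ID"]
        if alert.get("Status") in SETTLED_STATES:
            continue
        risk = RISK_RANK.get(alert.get("RiskRating"), -1)
        if alert.get("AlertType") in IMPERSONATION_TYPES and risk >= RISK_RANK[takedown_min]:
            commands.append(f"!zerofox-alert-user-assignment alert_id={aid} username={assignee}")
            if auto_tag not in (alert.get("Tags") or []):
                commands.append(f"!zerofox-modify-alert-tags alert_id={aid} action=add tags={auto_tag}")
            commands.append(f"!zerofox-alert-request-takedown alert_id={aid}")
        elif 0 <= risk <= RISK_RANK["Low"] and alert.get("Reviewed") and not alert.get("Escalated"):
            commands.append(f"!zerofox-close-alert alert_id={aid}")
    return commands


TRIAGE_SAMPLE = [  # constructed sample context entries, not real ZeroFox output
    {"ID": 101, "AlertType": "impersonating_account", "RiskRating": "Critical",
     "Status": "Open", "Tags": [], "Reviewed": False, "Escalated": True},
    {"ID": 102, "AlertType": "impersonating_account", "RiskRating": "High",
     "Status": "Takedown:Requested", "Tags": ["xsoar-auto-takedown"]},
    {"ID": 103, "AlertType": "incoming_comment", "RiskRating": "Info",
     "Status": "Open", "Tags": [], "Reviewed": True, "Escalated": False},
    {"ID": 104, "AlertType": "impersonating_post", "RiskRating": "Medium",
     "Status": "Open", "Tags": [], "Reviewed": False, "Escalated": False},
    {"ID": 105, "AlertType": "impersonating_post", "RiskRating": "High",
     "Status": "Open", "Tags": ["xsoar-auto-takedown"], "Reviewed": False, "Escalated": False},
]

if __name__ == "__main__":
    for line in plan_actions(TRIAGE_SAMPLE, assignee="analyst1"):
        print(line)
```

Inside an XSOAR automation each returned line would be split into a command name and an argument dict and passed to `demisto.executeCommand`; keeping the decision in a pure function like this lets you unit-test the policy (thresholds, idempotency on re-run, the no-comma rule for the CSV `tags` argument) without an integration instance.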

zerofox-list-alerts

Returns alerts that match user-defined or default filters and parameters. By default, no filters are applied and the results are sorted by timestamp. Results are paged: limit is capped at 100, so walk larger result sets with offset.

Base Command

zerofox-list-alerts

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| account | The account number of the social network (unique ID). | Optional |
| alert_type | A CSV list of alert types. Possible values are: account_information, entity_discovery_content, entity_discovery_profile, impersonating_account, impersonating_comment, impersonating_post, incoming_comment, incoming_post, incoming_private_message, outgoing_private_message, self_comment, self_post, search_query, location, email. | Optional |
| assignee | The name of the user assigned to an alert. | Optional |
| entity | The ID of the ZeroFox entity. | Optional |
| entity_term | The term ID of the ZeroFox entity. | Optional |
| last_modified | The amount of time (in seconds) since an alert was last modified. | Optional |
| limit | The maximum number of alerts to retrieve (0 - 100). Default is 10. | Optional |
| max_timestamp | The ending date-time string (in ISO-8601 format) by which to filter alerts. | Optional |
| min_timestamp | The starting date-time string (in ISO-8601 format) by which to filter alerts. | Optional |
| network | Filters results by the specified network names. | Optional |
| offset | Used for pagination: the position of the first filtered alert to return. | Optional |
| page_id | CSV list of the ZeroFox page IDs. | Optional |
| page_url | The URL to the website or social media content that triggered an alert. | Optional |
| pages | The encoded JSON array of strings used for filtering alerts. | Optional |
| post | The unique post number of the social network. | Optional |
| rule_id | CSV list of the ZeroFox rule IDs. | Optional |
| rule_name | CSV list of the ZeroFox rule names. | Optional |
| entity_search | The matched substring of the protected entity. | Optional |
| perpetrator_search | The substring used to filter alerts by the username or display name of a perpetrator. | Optional |
| pro_social_obj_search | The substring used to filter alerts by the username, display name, or entity term name of protected social objects. | Optional |
| alert_id | CSV list of alert IDs. | Optional |
| risk_rating | Risk rating of alert. Possible values are: Critical, High, Medium, Low, Info. | Optional |
| sort_direction | Sorts results in ascending or descending order. Possible values are: asc, desc. | Optional |
| sort_field | The field to sort results by. Possible values are: alert_id, alert_status, alert_type, assigned_user, perpetrator, protected_entity, protected_social_object, rule, severity, social_network, timestamp, escalated. | Optional |
| status | The alert status. Possible values are: closed, open, takedown_accepted, takedown_denied, takedown_requested, whitelisted. | Optional |
| escalated | If true, returns only escalated alerts. Possible values are: true, false. | Optional |
| tags | Alert tags. Returns alerts containing at least one of the tags in the provided CSV list. | Optional |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).
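The instance parameters First fetch timestamp, Fetch Limit and Fetch only escalated alerts, and the limit/offset/min_timestamp/escalated arguments of zerofox-list-alerts, together define how alerts are pulled in. The following is an added example, not code from the ZeroFox pack, showing one way to implement that: parsing the `<number> <time unit>` window, paging with limit clamped to the documented maximum of 100, and carrying enough state between runs that an alert on the boundary timestamp is not ingested twice. `ZeroFoxStub` is an in-memory stand-in for the integration's HTTP client; its alert records, its `{"count", "alerts"}` response shape and the sample timestamps are constructed here and are not the ZeroFox API's.

```python
"""Added example, not code from the ZeroFox pack: fetch-window parsing and
limit/offset paging as the First fetch timestamp / Fetch Limit parameters and
the zerofox-list-alerts arguments describe them. ZeroFoxStub stands in for
the integration's HTTP client; its records and response shape are constructed
here and are not the ZeroFox API's."""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Iterator

MAX_PAGE = 100  # documented upper bound of the zerofox-list-alerts `limit` argument
_UNITS = {"minute": "minutes", "hour": "hours", "day": "days", "week": "weeks"}


def parse_first_fetch(spec: str, now: datetime) -> datetime:
    """Turn '<number> <time unit>' (e.g. '12 hours', '7 days') into the
    earliest alert Timestamp the first fetch should ask for."""
    m = re.fullmatch(r"\s*(\d+)\s+(minute|hour|day|week)s?\s*", spec)
    if not m:
        raise ValueError(f"bad first-fetch spec: {spec!r}")
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


class ZeroFoxStub:
    """In-memory stand-in for the API (constructed for this example). Alerts
    are dicts using the ZeroFox.Alert context names; Timestamp is an ISO-8601
    UTC string, so plain string comparison orders them correctly."""

    def __init__(self, alerts):
        self._alerts = sorted(alerts, key=lambda a: a["Timestamp"])

    def list_alerts(self, *, limit, offset, min_timestamp=None, escalated=None):
        if not 0 <= limit <= MAX_PAGE:
            raise ValueError("limit must be between 0 and 100")
        rows = self._alerts
        if min_timestamp is not None:
            rows = [a for a in rows if a["Timestamp"] >= min_timestamp]
        if escalated is not None:
            rows = [a for a in rows if a["Escalated"] is escalated]
        return {"count": len(rows), "alerts": rows[offset:offset + limit]}


def iter_alerts(client, fetch_limit: int, **filters) -> Iterator[dict]:
    """Page through matching alerts, never asking for more than MAX_PAGE per
    request and stopping at fetch_limit or when a page comes back empty."""
    offset = yielded = 0
    while yielded < fetch_limit:
        page = client.list_alerts(limit=min(MAX_PAGE, fetch_limit - yielded),
                                  offset=offset, **filters)
        rows = page["alerts"]
        if not rows:
            break
        yield from rows
        yielded += len(rows)
        offset += len(rows)


def fetch_incidents(client, last_run: dict, *, fetch_limit: int, first_fetch: str,
                    now: datetime, escalated_only: bool = False):
    """One fetch-incidents cycle. last_run keeps the newest Timestamp ingested
    and the alert IDs seen at exactly that Timestamp, so re-querying with
    min_timestamp equal to it cannot create the same incident twice."""
    since = last_run.get("last_fetch") or parse_first_fetch(first_fetch, now).isoformat()
    seen = set(last_run.get("seen_ids", []))
    filters = {"min_timestamp": since}
    if escalated_only:
        filters["escalated"] = True  # mirrors "Fetch only escalated alerts"
    incidents, newest = [], since
    for alert in iter_alerts(client, fetch_limit, **filters):
        if alert["ID"] in seen:
            continue
        incidents.append({"name": f"ZeroFox alert {alert['ID']}",
                          "occurred": alert["Timestamp"],
                          "rawJSON": json.dumps(alert)})
        if alert["Timestamp"] > newest:
            newest, seen = alert["Timestamp"], set()
        seen.add(alert["ID"])
    return incidents, {"last_fetch": newest, "seen_ids": sorted(seen)}


SAMPLE_NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [  # constructed sample data, not real ZeroFox output
    {"ID": 1, "Timestamp": "2024-05-01T23:00:00+00:00", "Escalated": False, "RiskRating": "Low"},
    {"ID": 2, "Timestamp": "2024-05-02T01:00:00+00:00", "Escalated": False, "RiskRating": "High"},
    {"ID": 3, "Timestamp": "2024-05-02T03:00:00+00:00", "Escalated": True, "RiskRating": "Critical"},
    {"ID": 4, "Timestamp": "2024-05-02T03:00:00+00:00", "Escalated": False, "RiskRating": "Medium"},
    {"ID": 5, "Timestamp": "2024-05-02T05:00:00+00:00", "Escalated": False, "RiskRating": "Info"},
]

if __name__ == "__main__":
    run = {}
    for cycle in range(2):  # two consecutive cycles with a Fetch Limit of 2
        incidents, run = fetch_incidents(ZeroFoxStub(SAMPLE_ALERTS), run, fetch_limit=2,
                                         first_fetch="12 hours", now=SAMPLE_NOW)
        print(cycle, [i["name"] for i in incidents], run)
```

Two details matter in practice: the fetch limit counts alerts returned by the API, not alerts actually ingested, so a run that skips many already-seen IDs may ingest fewer than Fetch Limit incidents; and alerts that share the boundary Timestamp (IDs 3 and 4 above) are only de-duplicated because the IDs at that instant are persisted alongside it.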

zerofox-create-entity

Creates a new entity associated with the company of the authorized user.

Base Command

zerofox-create-entity

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| name | Name of the entity (may be non-unique). | Required |
| strict_name_matching | Indicates the type of string matching used for comparing entity names to impersonator names. Must be true or false. | Optional |
| tags | Comma-separated list of string tags for tagging the entity. For example: label1,label2,label3. | Optional |
| policy_id | The ID of the policy to assign to the new entity. Can be retrieved by running the zerofox-get-policy-types command. | Optional |
| organization | The name of the organization associated with the entity. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Entity.Name | String | The name of the entity. |
| ZeroFox.Entity.ID | Number | The ID of the entity. |
| ZeroFox.StrictNameMatching | Boolean | Indicates the type of string matching used for comparing entity names to impersonator names. |
| ZeroFox.Entity.Tags | String | The list of string tags that can be used for tagging the entity. |
| ZeroFox.Entity.PolicyID | String | The policy ID of the entity. |
| ZeroFox.Entity.Organization | String | The name of the organization associated with the entity. |

zerofox-alert-cancel-takedown

Cancels a takedown of a specified alert.

Base Command

zerofox-alert-cancel-takedown

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |

Context Output

The same ZeroFox.Alert.* fields as zerofox-get-alert (see the table under that command).

zerofox-open-alert#


Opens an alert.

Base Command#

zerofox-open-alert

Input#

Argument NameDescriptionRequired
alert_idThe ID of an alert. Can be retrieved running the zerofox-list-alerts command.Required

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Alert.AlertType | String | The type of an alert. |
| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. |
| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. |
| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. |
| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. |
| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. |
| ZeroFox.Alert.ID | Number | The ID of an alert. |
| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". |
| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. |
| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. |
| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. |
| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. |
| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. |
| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. |
| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. |
| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". |
| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. |
| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. |
| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. |
| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. |
| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. |
| ZeroFox.Alert.Network | String | The network on which an alert was created. |
| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object is the entity term name. If the alert occurred on a protected account (account information, or incoming or outgoing content) and it was network-defined, the protected object is the account username; if it was not network-defined, the protected object defaults to the account's display name. For impersonation alerts, the protected object is null. |
| ZeroFox.Alert.Notes | String | Notes made on an alert. |
| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.Tags | String | A list of an alert's tags. |
| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. |

zerofox-list-entities#


Lists all entities associated with the company of the authorized user.

Base Command#

zerofox-list-entities

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email_address | Filters by matching email_address substrings. | Optional |
| group | Filters by entity group ID. Can be filtered by multiple group parameters. | Optional |
| label | Filters by entity label ID. Can be filtered by multiple label parameters. | Optional |
| network | Filters by entities with network accounts, using a network ID. Can be filtered by multiple network parameters. | Optional |
| networks | Filters by entities with network accounts, using a CSV of network names. | Optional |
| page | The index of the page to fetch. | Optional |
| policy | Filters by entity policy ID. Can be filtered by multiple policy parameters. Policy IDs can be retrieved by running the zerofox-get-policy-types command. | Optional |
| type | Filters by an entity type ID. Can be filtered by multiple type parameters. Type IDs can be retrieved by running the zerofox-get-entity-types command. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Entity.ID | Number | The ID of the entity. |
| ZeroFox.Entity.Name | String | The name of the entity. |
| ZeroFox.Entity.EmailAddress | String | The email address associated with the entity. |
| ZeroFox.Entity.Organization | String | The organization associated with the entity. |
| ZeroFox.Entity.Tags | String | A list of tags of the entity. |
| ZeroFox.Entity.StrictNameMatching | Boolean | Indicates the type of string matching used for comparing entity names to impersonator names. |
| ZeroFox.Entity.PolicyID | Number | The policy ID of the entity. |
| ZeroFox.Entity.Profile | String | A link to a profile resource, if applicable. |
| ZeroFox.Entity.EntityGroupID | Number | The ID of the entity group. |
| ZeroFox.Entity.EntityGroupName | String | The name of the entity group. |
| ZeroFox.Entity.TypeID | Number | The ID of the type of entity. |
| ZeroFox.Entity.TypeName | String | The name of the type of entity. |

zerofox-get-entity-types#


Shows a table of all entity type names and IDs in the War Room.

Base Command#

zerofox-get-entity-types

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

zerofox-get-policy-types#


Shows a table of all policy type names and IDs in the War Room.

Base Command#

zerofox-get-policy-types

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

zerofox-modify-alert-notes#


Modifies the notes of a specified alert.

Base Command#

zerofox-modify-alert-notes

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |
| notes | The notes to add to an alert. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Alert.AlertType | String | The type of an alert. |
| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. |
| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. |
| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. |
| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. |
| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. |
| ZeroFox.Alert.ID | Number | The ID of an alert. |
| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". |
| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. |
| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. |
| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. |
| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. |
| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. |
| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. |
| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. |
| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". |
| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. |
| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. |
| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. |
| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. |
| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. |
| ZeroFox.Alert.Network | String | The network on which an alert was created. |
| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object is the entity term name. If the alert occurred on a protected account (account information, or incoming or outgoing content) and it was network-defined, the protected object is the account username; if it was not network-defined, the protected object defaults to the account's display name. For impersonation alerts, the protected object is null. |
| ZeroFox.Alert.Notes | String | Notes made on an alert. |
| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.Tags | String | A list of an alert's tags. |
| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. |

zerofox-submit-threat#


Submits potential threats into the ZeroFox alert registry for disruption.

Base Command#

zerofox-submit-threat

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| source | Content to be considered a threat. | Required |
| alert_type | Type of content acting as a threat. Can be one of email, ip, domain, url, phone, mail_exchange, page_content, or account. | Required |
| violation | Type of infringement the submitted threat represents. Can be one of phishing, malware, rogue_app, impersonation, trademark, copyright, private_data, fraud, or other. | Required |
| entity_id | Identifier of the entity being threatened by the submitted content. | Required |
| notes | Additional notes to include in the submission. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Alert.AlertType | String | The type of an alert. |
| ZeroFox.Alert.OffendingContentURL | String | The URL to the site containing content that triggered an alert. |
| ZeroFox.Alert.Assignee | String | The user to which an alert is assigned. |
| ZeroFox.Alert.Entity.ID | Number | The ID of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Name | String | The name of the entity corresponding to the triggered alert. |
| ZeroFox.Alert.Entity.Image | String | The URL to the profile image of the entity on which an alert was created. |
| ZeroFox.Alert.EntityTerm.ID | Number | The ID of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Name | String | The name of the entity term corresponding to the triggered alert. |
| ZeroFox.Alert.EntityTerm.Deleted | Boolean | Whether an entity term was deleted. |
| ZeroFox.Alert.ContentCreatedAt | Date | The date-time string indicating when the alerted content was created, in ISO-8601 format. |
| ZeroFox.Alert.ID | Number | The ID of an alert. |
| ZeroFox.Alert.RiskRating | Number | The risk rating of an alert. Can be "Critical", "High", "Medium", "Low", or "Info". |
| ZeroFox.Alert.Perpetrator.Name | String | For account, post, or page alerts, the perpetrator's social network account display name or the account from which the content was posted. |
| ZeroFox.Alert.Perpetrator.URL | String | The URL at which you can view the basic details of the perpetrator. |
| ZeroFox.Alert.Perpetrator.Timestamp | Date | The timestamp of a post created by a perpetrator. |
| ZeroFox.Alert.Perpetrator.Type | String | The type of perpetrator on which an alert was created. Can be an account, page, or post. |
| ZeroFox.Alert.Perpetrator.ID | Number | The ZeroFox resource ID of the alert perpetrator. |
| ZeroFox.Alert.Perpetrator.Network | String | The network containing the offending content. |
| ZeroFox.Alert.RuleGroupID | Number | The ID of the rule group. |
| ZeroFox.Alert.Status | String | The status of an alert. Can be "Open", "Closed", "Takedown:Accepted", "Takedown:Denied", "Takedown:Requested", or "Whitelisted". |
| ZeroFox.Alert.Timestamp | Date | The date-time string when an alert was created, in ISO-8601 format. |
| ZeroFox.Alert.RuleName | String | The name of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.LastModified | Date | The date and time at which an alert was last modified. |
| ZeroFox.Alert.DarkwebTerm | String | Details about the dark web term on which an alert was created. Outputs "null" if the alert has no details. |
| ZeroFox.Alert.Reviewed | Boolean | Whether an alert was reviewed. |
| ZeroFox.Alert.Escalated | Boolean | Whether an alert was escalated. |
| ZeroFox.Alert.Network | String | The network on which an alert was created. |
| ZeroFox.Alert.ProtectedSocialObject | String | The protected object corresponding to an alert. If the alert occurred on an entity term, the protected object is the entity term name. If the alert occurred on a protected account (account information, or incoming or outgoing content) and it was network-defined, the protected object is the account username; if it was not network-defined, the protected object defaults to the account's display name. For impersonation alerts, the protected object is null. |
| ZeroFox.Alert.Notes | String | Notes made on an alert. |
| ZeroFox.Alert.RuleID | Number | The ID of the rule on which an alert was created. Outputs "null" if the rule has been deleted. |
| ZeroFox.Alert.Tags | String | A list of an alert's tags. |
| ZeroFox.Alert.EntityAccount | String | The account associated with the entity. |

zerofox-send-alert-attachment#


Sends an attachment to a specified alert.

Base Command#

zerofox-send-alert-attachment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |
| attachment_type | The type of the attachment. Possible values are: evidence, photo_id, disruption_agreement, trademark_information, trademark, copyright. | Required |
| entry_id | The entry ID of the attachment. | Required |

Context Output#

There is no context output for this command.

zerofox-get-alert-attachments#


Retrieves the attachments of a specified alert.

Base Command#

zerofox-get-alert-attachments

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | The ID of an alert. Can be retrieved by running the zerofox-list-alerts command. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.AlertAttachments.ID | unknown | The ID of an alert. |
| ZeroFox.AlertAttachments.Name | unknown | The name of an alert's attachment. |

zerofox-search-compromised-domain#


Looks for a given domain in ZeroFox's CTI feeds.

Base Command#

zerofox-search-compromised-domain

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.CompromisedDomains.Domain | string | Domain in which the searched domain was found. |
| ZeroFox.CompromisedDomains.LastModified | string | Last time the threat was found. |
| ZeroFox.CompromisedDomains.IPs | string | Domains related to the threat, separated by commas. |

zerofox-search-compromised-email#


Looks for a given email in ZeroFox's CTI feeds.

Base Command#

zerofox-search-compromised-email

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| email | Email to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.CompromisedEmails.Domain | string | Domain in which the searched email was found. |
| ZeroFox.CompromisedEmails.Email | string | Email involved in the threat. |
| ZeroFox.CompromisedEmails.CreatedAt | string | Date on which the email was found related to a threat. |

zerofox-search-malicious-ip#


Looks for malicious IPs in ZeroFox's CTI feeds.

Base Command#

zerofox-search-malicious-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | IP to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.MaliciousIPs.Domain | string | Domain in which the searched IP was found. |
| ZeroFox.MaliciousIPs.IPAddress | string | IP address in which the searched IP was found. |
| ZeroFox.MaliciousIPs.CreatedAt | string | Date on which the IP was found related to a threat. |

zerofox-search-malicious-hash#


Looks for registered hashes in ZeroFox's CTI feeds.

Base Command#

zerofox-search-malicious-hash

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| hash | Hash to search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.MaliciousHashes.CreatedAt | string | Date on which the hash was found related to a threat. |
| ZeroFox.MaliciousHashes.Family | string | Threat family related to the hash. |
| ZeroFox.MaliciousHashes.MD5 | string | Hash in MD5 format. |
| ZeroFox.MaliciousHashes.SHA1 | string | Hash in SHA1 format. |
| ZeroFox.MaliciousHashes.SHA256 | string | Hash in SHA256 format. |
| ZeroFox.MaliciousHashes.SHA512 | string | Hash in SHA512 format. |
| ZeroFox.MaliciousHashes.FoundHash | string | Indicates which hash format matched the search. |

zerofox-search-exploits#


Looks for registered exploits in ZeroFox's CTI feeds.

Base Command#

zerofox-search-exploits

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| since | Starting date for the exploit search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| ZeroFox.Exploits.CreatedAt | string | Date on which the exploit was found related to a threat. |
| ZeroFox.Exploits.CVECode | string | CVE code identifying the exploit. |
| ZeroFox.Exploits.URLs | string | URLs associated with the threat, separated by commas. |
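As an added example (not the integration's or ZeroFox's own code), the Python helpers below post-process the context output of the CTI search commands above: they determine which ZeroFox.MaliciousHashes field a lookup value should match, check a returned entry against its FoundHash value, and split the comma-separated CompromisedDomains.IPs and Exploits.URLs fields into lists. The sample entry and URL string are constructed for the demo, not real indicators.

```python
import re
from typing import Dict, List, Optional

# Hex digest length -> ZeroFox.MaliciousHashes field name.
HASH_FIELDS = {32: "MD5", 40: "SHA1", 64: "SHA256", 128: "SHA512"}


def hash_field(value: str) -> Optional[str]:
    """Field a lookup value should match, or None if it is not a hex digest
    of a supported length."""
    value = value.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return None
    return HASH_FIELDS.get(len(value))


def split_csv_field(value: Optional[str]) -> List[str]:
    """Split a comma-separated context string (CompromisedDomains.IPs,
    Exploits.URLs) into a list, trimming whitespace and dropping duplicates."""
    if not value:
        return []
    seen, items = set(), []
    for part in value.split(","):
        item = part.strip()
        if item and item not in seen:
            seen.add(item)
            items.append(item)
    return items


def hash_entry_matches(search: str, entry: Dict[str, str]) -> bool:
    """True when a MaliciousHashes entry reports the searched digest under the
    field named by FoundHash (case-insensitive comparison)."""
    field = hash_field(search)
    if field is None or entry.get("FoundHash") != field:
        return False
    return (entry.get(field) or "").lower() == search.strip().lower()


# Constructed sample data in the documented context shapes (not real indicators).
SAMPLE_HASH_ENTRY = {
    "CreatedAt": "2024-01-01T00:00:00Z",
    "Family": "example-family",
    "MD5": "0123456789abcdef0123456789abcdef",
    "SHA1": "", "SHA256": "", "SHA512": "",
    "FoundHash": "MD5",
}
SAMPLE_EXPLOIT_URLS = "https://example.com/a, https://example.com/b,https://example.com/a"


def demo() -> Dict[str, object]:
    """Run the helpers over the constructed samples."""
    return {
        "matches": hash_entry_matches("0123456789ABCDEF0123456789abcdef", SAMPLE_HASH_ENTRY),
        "urls": split_csv_field(SAMPLE_EXPLOIT_URLS),
    }


if __name__ == "__main__":
    print(demo())
```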

Incident Mirroring#

You can enable incident mirroring between Cortex XSOAR incidents and the corresponding ZeroFox events (available from Cortex XSOAR version 6.0.0). To set up the mirroring:

  1. Enable Fetch incidents in your instance configuration.

Newly fetched incidents will be mirrored in the chosen direction. This selection does not affect existing incidents.

Important Note: To ensure the mirroring works as expected, both an incoming and an outgoing mapper are required, to map the expected fields between Cortex XSOAR and ZeroFox.