Merging next to main for release 1.0.1 (#2)

* ZeroFox Alerts: New App - Add zerofox data connector for retrieving alerts and performing actions on them (#1)

* Add zerofox alerts app along with delivery files

* Added data connector for retrieving zerofox alerts as incidents
* added actions on alerts such as
  * polling alerts created since a given timestamp (on poll)
  * submitting alerts into zerofox's platform
  * retrieving alerts by Id
  * taking actions on alerts such as requesting take down, escalating them or closing them
  * modifying alert tags

* Fix action descriptions and formatting according to CI

* fix json output orderings

* Add PR CI recommendations

* Remove app id to see if it fixes pipeline

* undo deleted appid

* changes related to dev standards

* review changes

* added fips complaint key

* review change

* pre-commmit changes

---------

Co-authored-by: Diego Ramirez <[email protected]>
Co-authored-by: dhwanis-crest <[email protected]>

* Release notes for version 1.0.1

* Release notes for version 1.0.1

* Update json (#3)

* json changes

* Update README.md

---------

Co-authored-by: splunk-soar-connectors-admin <admin@splunksoar>

---------

Co-authored-by: Diego Ramirez R <[email protected]>
Co-authored-by: Diego Ramirez <[email protected]>
Co-authored-by: dhwanis-crest <[email protected]>
Co-authored-by: root <root@splunksoar>
Co-authored-by: dhwanis-crest <[email protected]>
Co-authored-by: splunk-soar-connectors-admin <admin@splunksoar>

.github/workflows/linting.yml

@@ -1,7 +1,7 @@
 name: Linting
 on: [push, pull_request]
 jobs:
-  lint: 
+  lint:
     # Run per push for internal contributers. This isn't possible for forked pull requests,
     # so we'll need to run on PR events for external contributers.
     # String comparison below is case insensitive.

.pre-commit-config.yaml

@@ -1,11 +1,11 @@
 repos:
 -   repo: https://github.com/phantomcyber/dev-cicd-tools
-    rev: v1.13
+    rev: v1.17
     hooks:
     -   id: org-hook
     -   id: package-app-dependencies
 -   repo: https://github.com/Yelp/detect-secrets
-    rev: v1.2.0
+    rev: v1.4.0
     hooks:
     -   id: detect-secrets
         args: ['--no-verify']

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2023 Splunk Inc.
+   Copyright (c) ZeroFox, 2024
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,9 +1,180 @@
-# Splunk> Phantom
+[comment]: # "Auto-generated SOAR connector documentation"
+# ZeroFox
 
-Welcome to the open-source repository for Splunk> Phantom's zerofoxalerts App.
+Publisher: ZeroFox  
+Connector Version: 1.0.1  
+Product Vendor: ZeroFox  
+Product Name: ZeroFox  
+Product Version Supported (regex): ".\*"  
+Minimum Product Version: 5.5.0  
 
-Please have a look at our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md) if you are interested in contributing, raising issues, or learning more about open-source Phantom apps.
+ZeroFox Alerts for Splunk SOAR
 
-## Legal and License
+[comment]: # File: manual_readme_content.md
+[comment]: #
+[comment]: # Copyright (c) ZeroFox, 2024
+[comment]: #
+[comment]: # Licensed under the Apache License, Version 2.0 (the "License");
+[comment]: # you may not use this file except in compliance with the License.
+[comment]: # You may obtain a copy of the License at
+[comment]: #
+[comment]: #     http://www.apache.org/licenses/LICENSE-2.0
+[comment]: #
+[comment]: # Unless required by applicable law or agreed to in writing, software distributed under
+[comment]: # the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+[comment]: # either express or implied. See the License for the specific language governing permissions
+[comment]: # and limitations under the License.
 
-This Phantom App is licensed under the Apache 2.0 license. Please see our [Contributing Guide](https://github.com/Splunk-SOAR-Apps/.github/blob/main/.github/CONTRIBUTING.md#legal-notice) for further details.
+### Configuration Variables
+The below configuration variables are required for this Connector to operate.  These variables are specified when configuring a ZeroFox asset in SOAR.
+
+VARIABLE | REQUIRED | TYPE | DESCRIPTION
+-------- | -------- | ---- | -----------
+**zerofox_api_token** |  required  | password | ZeroFox API Token
+**username** |  required  | string | Your ZeroFOX platform username or email address
+**reviewed** |  optional  | boolean | Only poll reviewed alerts
+**history_days_interval** |  required  | string | Initial historical alert poll interval (in days)
+**verify_server_cert** |  optional  | boolean | Verify Sever Certificate
+
+### Supported Actions  
+[test connectivity](#action-test-connectivity) - Validate the asset configuration for connectivity using supplied configuration  
+[on poll](#action-on-poll) - Callback action for the on_poll ingest functionality  
+[take action](#action-take-action) - Take action on a ZeroFox an alert  
+[tag alert](#action-tag-alert) - Add or remove a tag to a ZeroFox alert  
+[threat submission](#action-threat-submission) - Add a manual threat to ZeroFox  
+[lookup alert](#action-lookup-alert) - Retrieve a single alert and it's details, identified by its unique integer identifier  
+
+## action: 'test connectivity'
+Validate the asset configuration for connectivity using supplied configuration
+
+Type: **test**  
+Read only: **True**
+
+#### Action Parameters
+No parameters are required for this action
+
+#### Action Output
+No Output  
+
+## action: 'on poll'
+Callback action for the on_poll ingest functionality
+
+Type: **ingest**  
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**container_id** |  optional  | Container IDs to limit the ingestion to | string | 
+**start_time** |  optional  | Start of time range, in epoch time (milliseconds) | numeric | 
+**end_time** |  optional  | End of time range, in epoch time (milliseconds) | numeric | 
+**container_count** |  optional  | Maximum number of container records to query for | numeric | 
+**artifact_count** |  optional  | Maximum number of artifact records to query for | numeric | 
+
+#### Action Output
+No Output  
+
+## action: 'take action'
+Take action on a ZeroFox an alert
+
+Type: **generic**  
+Read only: **False**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**alert_id** |  required  | ZeroFox Alert ID | numeric | 
+**alert_action** |  required  | The action to take | string | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string |  |   success  failed 
+action_result.parameter.alert_action | string |  |  
+action_result.parameter.alert_id | numeric |  |  
+action_result.data | string |  |  
+action_result.summary | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |    
+
+## action: 'tag alert'
+Add or remove a tag to a ZeroFox alert
+
+Type: **generic**  
+Read only: **False**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**alert_id** |  required  | ZeroFox Alert ID | numeric | 
+**alert_tag** |  required  | Tag | string | 
+**tag_action** |  required  | Tag action: add or remove | string | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string |  |   success  failed 
+action_result.parameter.alert_id | numeric |  |  
+action_result.parameter.alert_tag | string |  |  
+action_result.parameter.tag_action | string |  |  
+action_result.data | string |  |  
+action_result.summary | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |    
+
+## action: 'threat submission'
+Add a manual threat to ZeroFox
+
+Type: **generic**  
+Read only: **False**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**source** |  required  | Source URL | string | 
+**alert_type** |  required  | Alert Type | string | 
+**violation** |  required  | Violation | string | 
+**asset_id** |  required  | The ZeroFox Asset ID to associate the threat | numeric | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string |  |   success  failed 
+action_result.parameter.alert_type | string |  |  
+action_result.parameter.asset_id | numeric |  |  
+action_result.parameter.source | string |  |  
+action_result.parameter.violation | string |  |  
+action_result.data.\*.alert_id | numeric |  |  
+action_result.summary | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |    
+
+## action: 'lookup alert'
+Retrieve a single alert and it's details, identified by its unique integer identifier
+
+Type: **investigate**  
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**alert_id** |  required  | ZeroFox Alert ID | numeric | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.status | string |  |   success  failed 
+action_result.parameter.alert_id | numeric |  |  
+action_result.data.\*.alert.alert_type | string |  |  
+action_result.data.\*.alert.network | string |  |  
+action_result.data.\*.alert.offending_content_url | string |  |  
+action_result.data.\*.alert.rule_name | string |  |  
+action_result.data.\*.alert.status | string |  |  
+action_result.data.\*.alert.timestamp | string |  |  
+action_result.summary | string |  |  
+action_result.message | string |  |  
+summary.total_objects | numeric |  |  
+summary.total_objects_successful | numeric |  |  

__init__.py

@@ -0,0 +1,14 @@
+# File: __init__.py
+#
+# Copyright (c) ZeroFox, 2024
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+# either express or implied. See the License for the specific language governing permissions
+# and limitations under the License.

manual_readme_content.md

@@ -0,0 +1,14 @@
+[comment]: # File: manual_readme_content.md
+[comment]: #
+[comment]: # Copyright (c) ZeroFox, 2024
+[comment]: #
+[comment]: # Licensed under the Apache License, Version 2.0 (the "License");
+[comment]: # you may not use this file except in compliance with the License.
+[comment]: # You may obtain a copy of the License at
+[comment]: #
+[comment]: #     http://www.apache.org/licenses/LICENSE-2.0
+[comment]: #
+[comment]: # Unless required by applicable law or agreed to in writing, software distributed under
+[comment]: # the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+[comment]: # either express or implied. See the License for the specific language governing permissions
+[comment]: # and limitations under the License.

release_notes/1.0.1.md

@@ -0,0 +1 @@
+* Initial Release

tox.ini

@@ -0,0 +1,7 @@
+[flake8]
+max-line-length = 145
+max-complexity = 28
+extend-ignore = F403,E128,E126,E111,E121,E127,E731,E201,E202,F405,E722,D,W292
+
+[isort]
+line_length = 145